PRIVACY NOTICE FOR THE GLOMEX MEDIA EXCHANGE SERVICE (MES)

The privacy notice informs about the data processing during the usage of the glomex Media Exchange Service (“MES”). This includes the user’s data processing of content owners (“Content Owners”) and publishers (“Publishers”), who have concluded to the terms and conditions (“T&Cs”) with glomex GmbH or publisher who have concluded a Partner-Involvement with glomex GmbH (“Partner Publishers”), and certified glomex-partners (“Partners”) (together “MES Users”).

1. Data Controller and Contact Person

1.1. Data Controller

Data Controller within the meaning of the General Data Protection Regulation (GDPR) for the processing activities described below is glomex GmbH („glomex“), Dieselstrasse 1, 85774 Unterföhring, Germany.

1.2. Contact Point for Data Protection Enquiries

MES Users can contact the glomex data protection team at any time with data protection enquiries by sending a message to the postal address provided above or by email to privacy@glomex.com. At the request of the MES Users, confidential information can be forwarded to the data protection officer of glomex and answered by this data protection officer. In such cases, the words “Attn: Data Protection Officer” should be added to postal enquiries or, in the case of enquiries by e-mail, direct contact with the data protection officer should be requested.

2. Data Processing in the course of the Business Relationship

As part of the T&Cs with Publishers and Content Owners as well as the business relationship with the Partner Publishers and Partners, glomex also processes personal data of the MES Users for the following purposes:

2.1. Customer Management

In order to manage the business contacts, glomex processes information about the Content Owners, Publishers, Partner Publishers and Partners (in particular company name, address, branch offices, finance data, if applicable, authorized representatives and their contact data, each „Business Data“) as well as information about the respective MES User (in particular name, position, business contact information like e-mail address and phone number, each „User Data“).glomex uses this data in order to be able to reach out to the right contact person when contacting the MES Users to process their requests and orders properly and to maintain the business relationship. In case of conducting customer management of Partner Publishers, also the Partner undertakes the customer management, and the Partner Publishers’ data will be shared with and processed by Partner.The legal basis is Art. 6 para. 1 lit. f GDPR. The legitimate interest is to provide the MES for MES Users and to conduct a functioning customer management.

2.2. Order Management and Billing

As part of order processing and billing, glomex collects information on offers, orders and invoice items as well as payment details of Content Owners, Publishers and Partners. MES User Data may also be processed in this context. In case of conducting order management and billing for Partner Publishers, the Partner undertakes the order management and billing, and the Partner Publisher’s data will be shared with and processed by Partner.The legal basis is Art. 6 para. 1 lit. f GDPR. The legitimate interest is to fulfill the order management and billing.

2.3. Controlling and Reporting

glomex also processes information of MES Users on orders and invoice items for internal cost and performance accounting, controlling and internal reporting, which glomex use for corporate management and forecasting. In case of conducting controlling and reporting for Partner Publishers, the Partner undertakes the controlling and reporting, and the Partner Publisher’s data will be shared with and processed by Partner.The legal basis is Art. 6 para. 1 lit. f GDPR. The legitimate interest is to perform the controlling and reporting for the business relationship.

2.4. Service Information

As an integral part of the MES related to the glomex Player, glomex send information by e-mail to MES Users, which contain e. g. T&Cs updates, Global Vendor List (“GVL”) updates, ads.txt updates and information about the takedown of a video.The legal basis is Art. 6 para. 1 lit. f GDPR based on the legitimate interest to provide the services according to the glomex T&Cs.

3. Direct Marketing

3.1. Product Information

glomex also send product related information by e-mail to MES Users, which contain e. g. editorial news, video recommendations and new features. To contact MES Users, glomex processes the MES User Data.

The legal basis for the aforementioned data processing is Art. 6 para. 1 lit. f GDPR in conjunction with Section 7 para. 3 of the German Act Against Unfair Competition (German: Gesetz gegen den unlauteren Wettbewerb, or UWG) for e-mail based on the legitimate interest to promote glomex products to MES Users. MES Users can object to the use of their User Data for direct marketing purposes at any time by sending glomex an e-mail or postal message or by using an opt-out link directly in the e-mail pursuant to Art. 21 para. 3 GDPR (see contact details under „Data Controller“).

3.1. Newsletter

MES Users may also subscribe to the newsletter, which contains e. g. invitations to marketing events and panels. glomex will only send newsletter by e-mail if MES Users confirm their email address during the registration process or if a user profile has been created by glomex at the request of the MES Users. This information is necessary to send newsletter to MES Users and to be able to prove their subscription.

The legal basis for data processing is the consent of MES Users pursuant to Art. 6 para. 1 lit. a GDPR. MES Users may withdraw their consent at any time with effect for the future by unsubscribing from newsletter. A corresponding unsubscribe link can be found in each newsletter. MES Users can also send a message to the contact details provided above in section 1 or in the newsletter (e.g., by e-mail or postal message) to unsubscribe.

3.2. Usage measurement

glomex want to share relevant content with MES Users and better understand what they are interested in. For this reason, glomex uses conventional technologies in the newsletter and product information that can allow to measure the interactions of MES Users with e-mails (e.g., opening of the e-mails, links clicked on). glomex uses this data for statistical evaluations and for further optimizing and developing the content and customer communications. Only the summarized open rates and click rates of the emails sent are evaluated by glomex. This is performed with the help of small graphics that are embedded in e-mails (so-called pixel) and establish a connection to the server of the images when the e-mail is opened. Furthermore, glomex uses links where it first registers MES Users’ clicks before redirecting MES Users to the desired target page. The usage data collected is not used to send personalized newsletters or product information to MES users.

The legal basis, depending on the kind of e-mail, is the consent of MES Users in accordance with Art. 6 para. 1 lit. a GDPR or the above-mentioned legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR. MES Users may deactivate the usage measurement at any time with effect for the future by unsubscribing from newsletter, using an opt-out link directly in the e-mail or by sending glomex an e-mail or postal message (see contact details under section 1.1 „Data Controller“). MES Users may also prevent the measurement of the e-mail openings by deactivating graphics or the output of HTML content in their e-mail program by default. 

4. Data Processing on glomex Website

For the data processing on the glomex website (www.glomex.com), including the usage of tools that access or store information on the terminal device, please see the privacy notice for the glomex-website: https://www.glomex.com/en/privacy-policy/privacy-notice-for-the-glomex-website/

5. Categories of Recipients

The Business Data as well as the User Data will generally be processed by glomex. In case of Partner Publishers, the Partner Publisher’s data will also be shared with and processed by Partner.Exceptionally, data may be passed on to third parties in the following cases:

a. MES Users have given their explicit consent– Art. 6 para. 1 lit. a GDPR;

b. if it is required or stipulated by law, in particular if this is necessary for legal prosecution or enforcement due to official inquiries, court orders and legal proceedings (e.g., as part of a tax audit by the tax authorities or as part of money laundering prevention) – Art. 6 para. 1 lit. c GDPR;

c. if it is necessary to protect MES Users’ or glomex’ interests for the assertion, exercise or defense of legal claims and there is no reason to assume that MES Users have an overriding interest worthy of protection in not having the data disclosed – Art. 6 para. 1 lit. f GDPR.

d. or if it is necessary to fulfil the contractual obligations of glomex or to perform pre-contractual measures (e.g. to reimburse the business partners for their services via glomex partners) – Art. 6 para. 1 lit. b GDPR.

Such disclosure also occurs when glomex involve external service providers in their internal processes. This may include, in particular, data centers, software providers, IT service providers that maintain glomex’ systems, agencies, market research companies, and group companies. In these cases, the service provider is bound by instructions and receives data only to the extent and for the period necessary for the provision of the services. In addition, glomex may employ external consultants and auditors. Agreements are always concluded with them to ensure the confidentiality of all information.

6. Third Country Transfer

glomex may transfer personal data outside of the European Economic Area (“EEA”) (so-called third countries), especially by using providers which are located in third countries or process the data there. Third countries do not have a level of data protection which corresponds to that of the European Union (“EU”). Insofar as this is the case and the European Commission has not issued an adequacy decision (Art. 45 GDPR) for these countries, glomex have taken appropriate safeguards to ensure an adequate level of protection for the transfer in third countries. These include, among others, the Standard Contractual Clauses of the European Union (“SCC”) or Binding Corporate Rules (“BCR”).Where this is not possible, glomex base the data transfer on exceptions of Art. 49 GDPR, in particular MES Users’ explicit consent or the necessity of the transfer for the performance of the contract or for the implementation of pre-contractual measures. Where a third country transfer is intended and no adequacy decision or appropriate safeguards are in place, it is possible and there is a risk that authorities in the respective third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyze it, and that enforceability of MES Users’ data subject rights cannot be guaranteed. So far that glomex request MES Users’ explicit consent, they will be informed about this.

7. Storage Period

glomex store personal data only for as long as necessary to fulfill the purposes for which glomex collected the data (e.g., the data will be stored for the duration of this business relationship). Thereafter, glomex delete the data immediately, unless glomex still need the data until the expiry of the statutory limitation period for evidence purposes for claims under civil law, due to statutory retention obligations or there is another legal basis under data protection law for the continued processing of the data in the specific individual case.For evidentiary purposes, glomex must retain contractual data in particular for three years from the end of the year in which the business relationship ends. Any claims become statute-barred at this point at the earliest in accordance with the standard statutory limitation period. Even after this, glomex still have to store some of the Business Data or User Data for accounting reasons (e.g., at least for the duration of the statutory accounting obligations). glomex is obliged to do so because of legal documentation obligations that may arise from the German Commercial Code, the German Fiscal Code, the German Banking Act, the German Money Laundering Act (Geldwäschegesetz) and the German Securities Trading Act (Wertpapierhandelsgesetz). The periods specified there for the retention of documents are two to ten years.

8. Data Subjects Rights

  8.1 Overview and Exercise of Data Subject Rights

MES Users (“Data Subjects”) are entitled to the data subjects rights at any time if the respective legal requirements are met

a. Right to withdraw the consent (Art. 7 para. 3 GDPR)

More information on withdrawal is available to Data Subjects under section 8.2.

b. Right to object (Art. 21 GDPR)

More information on objection is available to Data Subjects under section 8.3

c. Right of access by the Data Subject (Art. 15 GDPR)

Data Subjects have the right to request a copy of any personal data which glomex hold about them.

d. Right to rectification (Art. 16 GDPR)

Data Subjects have the right to rectify their personal data, if they consider that the information glomex is holding is inaccurate.

e. Right to erasure (Art. 17 GDPR)

Data Subjects have the right to ask glomex to delete their personal data, if they consider that glomex do not have the right to hold it.

f.Right to restriction (Art. 18 GDPR)

Data Subjects have the right to restrict processing of their personal data.

g. Right to data portability (Art. 20 GDPR)

Data Subjects have the right to receive their personal data which glomex hold about them and to transmit those data to another controller.

To exercise the Data Subjects rights, Data Subjects can contact glomex at any time using the contact details above in section 1. This also applies if Data Subjects wish to receive copies of the legal safeguards demonstrating an adequate level of data protection in case of data transfer to third countries. Provided that the respective legal requirements are met, glomex will comply with the data subject request.

The data subject requests and the responses of glomex to them will be stored for the documentation purposes for a period of up to three years and, in individual cases, for longer if this is necessary for asserting, exercising or defending legal claims. The legal basis is Art. 6 para. 1 lit. f GDPR, based on the interest of glomex in defending against any civil claims under Art. 82 GDPR, avoiding fines under Art. 83 GDPR and fulfilling the accountability obligations under Art. 5 para. 2 GDPR.

8.2 Right to withdraw the consent (Art. 7 para. 3 GDPR)

Data Subjects have the right to withdraw their consent for the processing of their personal data (to the extent such processing is based on previously obtained consent) at any time. This has the consequence that glomex no longer continue the data processing based on this consent with the future effect. The withdrawal of consent does not affect the lawfulness of the processing based on the consent until the withdrawal. If Data Subjects wish to exercise their right of withdrawal, an informal message using the contact details above in section 1 will suffice.

8.3 Right to object (Art. 21 GDPR)

Data Subjects have the right to object to the processing of their data, if glomex process Data Subjects data on the basis of legitimate interests, at any time on grounds relating to their particular situation. If it is a matter of objecting to the processing of data for direct marketing purposes, Data Subjects have a general right of objection, which will also be implemented by glomex without giving reasons. If Data Subjects wish to exercise their right of withdrawal, an informal message using the contact details above in section 1 will suffice.

8.4 Right to lodge (Art. 77 GDPR)

Data Subjects have the right to lodge a complaint with any data protection authority in the EU, for example, a supervisory authority in the member state of their residence, workplace or the location of the alleged violation. For glomex, the competent supervisory authority is the Data Protection Authority of Bavaria for the Private Sector / Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany. E-mail: poststelle@lda.bayern.de.

9. Changes to this Privacy Notice

As glomex’ services evolve, changes to this privacy notice may become necessary. This website always contains the current version of the privacy notice.

Version: 1.0 | Last amended: June 23