This article explains the concepts and terminology used by the European General Data Protection Regulation (GDPR), and how Adobe Audience Manager, as a Data Processor, addresses various GDPR requirements.
GDPR came into effect on May 25, 2018 with primary objectives of giving individuals in the EU (Data Subjects) more control of their personal data while simplifying the regulatory environment for international businesses by better unifying regulation within the EU. As part of Adobe's GDPR readiness, the Adobe Audience Manager team has enhanced services and processes as necessary to support access and delete requests from Data Subjects, your consumers.
Make sure you also read the Experience Cloud GDPR FAQ. for a better understanding of how GDPR works in Experience Cloud.
Get familiar with key terms used related to GDPR. We’ve highlighted some of the most commonly used terms below.
Data Controller: GDPR defines "Controller" as “the … legal person … which alone or jointly with others determines the purposes and means of the processing of personal data.” Audience Manager customers are Data Controllers. Customers control how data is managed in Audience Manager.
Data Processor: The "Processor" is "the … legal person … which processes personal data on behalf of the controller". In the context of Audience Manager, Adobe, in operating the service, is acting as a “Data Processor” for any personal data it processes on behalf of the Controller, via Audience Manager. Adobe only processes personal data in accordance with the Data Controller’s instructions (as set out in our agreement with the customer or through actions taken in Audience Manager).
Data Subject: The individual to whom the personal data relates. In the context of Audience Manager, Data Subjects are Audience Manager customer’s consumers or end users. If Adobe receives requests directly from Data Subjects, these requests will be forwarded to the respective Audience Manager Customers.
Consent: Consent means "any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". Consent is the responsibility of the Data Controller, not Adobe (through Audience Manager).
Access: Data Subjects have the right to require the Data Controller to confirm whether the Controller processes their personal data. Where the Data Controller does process the Data Subject's personal data, it has to provide access to, and a copy of, the personal data. Data Controllers may ask Adobe to assist with access requests from Data Subjects.
Delete: GDPR outlines the “Right to be forgotten” or “Right to Erasure.” Data Subjects have the right to require Data Controllers to erase their personal data. Data Controllers work with their Processors, including Adobe, to support delete requests from Data Subjects.
Correction: Data Subjects have the right to require Data Controllers to rectify inaccurate personal data. Data Controllers work with Processors, including Adobe, to support Correction requests from Data Subjects.
Audience Manager Identifiers (IDs): Adobe Audience Manager stores various types of IDs. The Audience Manager Identifiers page provides a summary of these IDs, their corresponding data sources, and brief descriptions. When sending requests to the Adobe Experience Platform Privacy Service , reference these IDs to make delete or access requests for your data subjects.
Personal Data: GDPR expands the definition of personal data. Under GDPR, any data in Audience Manager can be classified as personal data depending on customer use case.
Prohibited Data: Audience Manager prohibits customers from ingesting directly identifiable information such as first name and last name, email ID, CRM ID, which can be used to directly identify an individual. Adobe Experience Cloud solutions also prohibit sensitive information. Please refer to your contract with Adobe for details about these requirements. If these types of data points need to be ingested into Audience Manager, consult your Adobe consulting team for recommendations on hashing these IDs before ingestion.