CASE STUDIES

Privacy

General Information

Privacy is an essential part of nugg.ad’s corporate culture. nugg.ad was the first targeting company to have its product certified with the ULD seal of approval from the Independent Centre for Data Privacy in Germany (Unabhängiges Landeszentrum für Datenschutz Schleswig Holstein) in 2007. It was recertified in 2009.

nugg.ad has been granted further certification with the EuroPrise European Privacy seal. nugg.ad guarantees the highest degree of data protection, because neither nugg.ad nor its clients have access at any time to users’ personal data.

Privacy for the nugg.ad System

This Privacy Policy is intended to provide you with information on our privacy and data protection policies over and above the legal requirement. 

For nugg.ad AG predictive behavioral targeting (nugg.ad), the protection of all forms of data is of utmost importance. nugg.ad lives with and from the use of data, but above all from the trust given to us by our customers and our sensitive handling of their data. Our inviolable principles on data protection include the uncompromising respect for the right of informational self-determination of each citizen. 

nugg.ad is uncompromisingly committed to the legal regulations on privacy and data protection in Germany and Europe and, moreover, to perceived privacy requirements. This is why we would like to take this opportunity to inform you about how we handle data at nugg.ad, and the importance of data to our technology.

1. What data do we record and process?

nugg.ad offers website providers a technology that enables them to deliver interest-based advertising. nugg.ad’s interest-based advertising is useful to advertisers because it increases the effectiveness of advertising. It reduces the number of adverts placed, so that you as a user benefit from being shown less advertising, and what you do see is more likely to be relevant to your areas of interest as opposed to random insertion of advertising.

nugg.ad achieves this by using general information based on your internet use. To do this nugg.ad’s technology monitors the usage pattern of internet users by storing a cookie in the browser of your user device with a lifespan of 26 weeks: this means the number of website hits in various subject areas is counted. nugg.ad stores aggregated information about usage patterns with a hashed ID in the nugg.ad system. In other words the specific internet addresses you have visited are not recorded, but nugg.ad stores the frequency of use for various subject areas based on web pages accessed in a cookie (more information about this below under Point 3.). This general information about your internet use can be used by nugg.ad’s technology comprehensively across websites.

Sensitive areas such as religion, health or sexuality are not monitored. Furthermore no other data is recorded. In particular nugg.ad never stores information relating to your name, postal address, email or IP address. We use data protection-friendly technology and a sophisticated anonymisation system, which means that we have no way of finding out who the user viewing a particular page actually is. Data is never passed on to third parties, such as to the local authorities or other companies.

Furthermore nugg.ad carries out surveys of customers on the websites. These surveys are voluntary, unpaid and the user questioned can stop at any point. The information gathered through this means is stored in the nugg.ad system together with a hashed ID.

We will never ask you questions about your ethnic origin, your political opinion, your religious/philosophical views, your trade union activities, your health or your sexual habits. We will also never include these categories when analysing your user behaviour.

Special precautions are taken in the nugg.ad system to comply with the principle of data economy. In particular it is ensured, through an anonymising service operated by an independent party, that no user IP addresses enter the nugg.ad system. Specific technical and contractual arrangements also ensure that this anonymising protection service cannot be circumvented by nugg.ad staff.

2. Target groups and campaign management

nugg.ad identifies relevant target groups for advertising, according to socio-demographic criteria and product interests. We make use of statistical patterns only, which are created by the behaviour of users towards online advertising and editorial content published on websites. To ensure that you are not constantly bombarded with the same advertisements or even feel that they are too intrusive, we count how frequently you are shown an advert in various campaigns. Once you reach a certain level of exposure, you will not be shown any more adverts from that campaign.

3. The use of “cookies”

nugg.ad uses cookies. Of course our cookies do not contain spy, adware, spam or viruses. Our cookies are stored in the browser of your device (for example PC, laptop, smartphone etc.) and have a lifespan of 26 weeks. Both the d-cookie and the dp-cookie are used to analyse target groups and contain the number of page hits in particular subject areas. The ci-cookie is used to store information telling us how often you have been shown a particular advert. The cookies only contain general information about your internet use.

It is not possible for us to trace any information in the cookies back to individual users. In particular we cannot identify a person by name, address or any other data that is directly identifying.

However, of course you have the option of refusing to accept cookies by choosing the relevant setting in your browser, or simply deleting them. There is a short guide to deleting cookies in various browsers on pages 6 & 7.

4. Opt-In/Opt-Out function and Topic Monitor

If you are interested in having advertising even more relevant to your interests displayed on web pages, then you can select an Opt-In here to continue theme-based analysis of your usage habits. If you opt in, the cookie will also be stored on your device’s browser. It will be stored for 1 year. If previously collected nugg.ad cookies (detailed under Point 3) are present in the browser of your device, by setting the Opt-In cookie the following will happen: With your permission the nugg.ad cookie lifespan is lengthened to 1 year (calculated from the moment the cookie is set). Information stored on nugg.ad cookies prior to Opting-In is retained and will be deleted upon the expiration of cookie (maximum 1 year).

You have the right to prevent the recording of information by the nugg.ad system at any time by exercising your right to opt out. If you have already given your consent, you can also cancel it at any time, effective there after. An opt-out will also be stored in a cookie in your browser's device with a lifespan of 10 years, it will be named "nuggstopp", and will be set by "nuggad.net".

Please note that it is not technically possible to detect the Opt-Out if you delete the cookies from your browser.

You can accept or decline online on the nugg.ad homepage or the “My Topic Monitor” page. Click the corresponding button.

The “My Topic Monitor” shows you how nugg.ad has categorised your surfing habits. To do this, the aggregated frequencies of your usage behaviour is read from the cookie, where it is encoded, and displayed in generalised categories. You can find more information on the “My Topic Monitor” page.

5. Data protection

All employees of nugg.ad AG who deal with the data mentioned above sign a secrecy agreement in accordance with paragraph §5 of the Federal German Data Protection Law when they are recruited.

In addition, nugg.ad applies technical and organisational security measures in order to protect data from being manipulated, destroyed or lost. 

6. Contact

If you have any questions on the subject of privacy and data protection, you can contact us at any time by sending an email to privacy@nugg.ad. You are also welcome to contact our data protection officer, Christian Pfeiffer, directly (christian.pfeiffer@nugg.ad). 

It may become necessary to update this Privacy Policy in the future, as a result of further developments in our services or the implementation of new technologies. nugg.ad reserves the right to be able to change this Privacy Policy at any time with immediate effect. We therefore recommend you to read the current version of the Privacy Policy again from time to time.

Privacy for this website

This Privacy Policy is intended to provide you with information on our privacy and data protection policies over and above the legal requirement.

For nugg.ad AG predictive behavioral targeting (nugg.ad), the protection of all forms of data is of utmost importance. nugg.ad lives with and from the use of data, but above all from the trust given to us by our customers and our sensitive handling of their data. Our inviolable principles on data protection include the uncompromising respect for the right of informational self-determination of each citizen.

nugg.ad is uncompromisingly committed to the legal regulations on privacy and data protection in Germany and Europe and, moreover, to perceived privacy requirements. This is why we would like to take this opportunity to inform you about how we handle data at nugg.ad, and the importance of data to our technology. 

1. What data do we record and process?

We do not store any data directly or indirectly relating to your person when you visit our website. We do not store or process your IP address. We do not store or process your browser properties either – such as the browser manufacturer, operating system or enabled/disabled add-ons. However we do use your browser’s preferred language and encoding defaults – both character set and compression settings. The reason for this is so that the page loads more quickly in the required language. These technical parameters are not stored. We do not know which website you came from to access our website. 

2. The use of “cookies”

No cookie will be stored in the browser on your device (for example PC, laptop, smartphone etc.) as a result of your visit to our website. 

3. Data protection

All employees of nugg.ad AG who deal with data directly or indirectly relating to persons sign a secrecy agreement in accordance with paragraph §5 of the Federal German Data Protection Law when they are recruited.

In addition, nugg.ad applies technical and organisational security measures in order to protect data from being manipulated, destroyed or lost.

4. Contact

If you have any questions on the subject of privacy and data protection, you can contact us at any time by sending an email to privacy@nugg.ad. You are also welcome to contact our data protection officer, Christian Pfeiffer, directly (christian.pfeiffer@nugg.ad).

It may become necessary to update this Privacy Policy in the future, as a result of further developments in our services or the implementation of new technologies. nugg.ad reserves the right to be able to change this Privacy Policy at any time with immediate effect. We therefore recommend you to read the current version of the Privacy Policy again from time to time.

DDOW Self-regulation Codex

Protecting your data is essential for us. The whole idea of nugg.ad is based on data and we rely on your trust in handling your data carefully. Beyond our legal obligation, we act in accordance with the self-regulation codex of the German DDOW (Deutscher Datenschutzrat Online-Werbung) and the guidelines of the Online Behavioural Advertising Framework of the IAB Europe regarding interest based online-advertising. The valid self-regulation codex is available through the following link:

 http://www.youronlinechoices.com/de/nutzungsbasierte-online-werbung/ 

Europrise

Product/Version

Predictive Targeting Networking
(PTN)
Version 2.1

View the nugg.ad PTN v2.1 Certificate

 

Cert. No.

DE-090007


Validity

29/02/2012 until 28/02/2014

Initial Certification on September 10, 2009

Monitoring

10/2012 - 06/2013

 

Public report

nugg.ad
PTN v2.0 Short Public Report

 

Manufacturer/Provider

nugg.ad
AG
Rotherstraße 16
10245 Berlin

Germany

 

BEST

 

Data minimisation:

IP addresses of Internet users visiting a website that makes use of PTN 2.1 technology are anonymised by an independent third party who serves as a proxy.

 

Transparency:

nugg.ad provides its customers with guidance on how to implement PTN 2.1 in line with data protection requirements.

 

Data Subjects' Rights:

nugg.ad offers a so-called topic monitor to Internet users. By means of this new feature, users can learn about the categories they have been classified in by PTN as well as to opt-out from / opt-in to being tracked by means of PTN 2.1. The topic monitor is available at https://mtm.nuggad.net/en.

 

ATTENTION:

Recertification 02/2012:

The results of the re-evaluation demonstrated that PTN 2.1 meets the EuroPriSe interim requirements for OBA (Online Behavioural Advertising) services as stipulated in the EuroPriSe position paper on the impact of the new “Cookie Law” on certifiability of behavioural advertising systems according to EuroPriSe and the follow-up paper on this. Both documents are available at  www.european-privacy-seal.eu/results/Position-Papers.

The new "Cookie Law", Article 5(3) of the amended ePrivacy Directive, requires prior informed consent to be collected from users as a precondition for the legitimate storage of OBA tracking cookies on users' devices. EuroPriSe's interim requirements that take account of the announcement of a "discussion period" by the Article 29 Working Party only call for first steps towards prior opt-in (amongst others). Consequently, the recertification does not confirm compliance of PTN 2.1 with the prior opt-in requirement of Article 5(3). 

 

Summary

 

PTN v2.0 is a service that offers predictive behavioural targeting to publishers and advertisers in the area of online marketing. The purpose of PTN 2.0 is to support customers in optimising effectiveness of advertisements.

Predictive behavioural targeting as offered by nugg.ad is based on a method that links web-browsing behaviour and survey results with algorithms derived from the field of machine learning. With the implementation of PTN-technology into a website, the click behaviour of a website visitor is analysed by means of http cookies and tracking pixels.

Detailed Information on PTN 2.1's mode of operation is provided via the topic monitor (https://mtm.nuggad.net/en) and the privacy policy for the nugg.ad system on nugg.ad's website (www.nugg.ad).

Details


Recertification 02/2012

Since the initial certification of PTN in 2009, important legal changes have taken place: Artikel 5(3) of the ePrivacy Directive (2002/58/ED) was amended to the extent that (inter alia) OBA tracking cookies may only be used on condition that prior informed consent of users has been collected. The Article 29 Working Party provided guidance on how to interpret this legal provision in its opinion 2/2010 on online behavioural advertising. In this opinion, the working party announced a "discussion period" with the OBA industry. In response to this announcement, EuroPriSe defined interim requirements for OBA services that are valid as long as the discussion period lasts (details on these requirements are provided below).

Compared with PTN version 2.0 that was subject to the initial certification version 2.1 comes with some new features (details on these are provided in the Short Public Report):

The (amended) Target of Evaluation includes:

 

- nugg.ad PTN 2.1 services

  • Processing activities on behalf of customers (website owner and publisher): Tracking of users by means of tracking pixels and cookies
  • Processing activities as controller: Conduct of surveys towards Internet users and maintenance + improvement of statistic model (aggregated data) for predictions
  • Provision of privacy functionalities for Internet users on the website www.nugg.ad: Landing page, topic monitor, opt-out + (ex post) opt-in functionality

 

- Technical and legal interfaces with customers, sub-processor (server hosting + operation of IP address anonymiser) and Internet users

- Optional features of PTN 2.1

  • Standard Plus (cross publisher/ad-network use of data for statistical model)
  • Campaign Management
  • Use of special interest categories besides the standard interest category taglist


The ToE does not include:

  • Server hosting + operation of IP address anonymiser
  • Display of ads via the respective ad server
  • Processing of customers' (website owners', publishers' and advertisers') as well as sub-processor's data for the purpose of performance of the respective contract
  • Transmission of data via third-party networks (mobile network, Internet)
  • Customer hardware (servers)
  • Customer services (websites)
  • Internet users' hardware and software

PTN 2.1 meets the EuroPriSe interim requirements for OBA:

  • nugg.ad offers its customers the possibility to display an icon at the edge of an ad. The icon links to a nugg.ad landing page (cf. below). First implementations of this icon solution are already in place. 
  • The landing page (ad-choices.nuggad.net/index.html.en) provides users with the possibility to opt-out from or opt-in to being tracked by PTN 2.1. In addition, it links to the topic monitor as well as to nugg.ad's privacy policy.
  • nugg.ad's privacy policy for the nugg.ad system informs users about relevant aspects of PTN 2.1. It is available at www.nugg.ad/en/company/privacy
  • nugg.ad's customers are contractually pledged to inform users about the utilisation of PTN 2.1 on their websites.
  • Users are provided with the possibility to opt-out on nugg.ad's homepage, on the landing page and by means of the topic monitor. Opting out results in nugg.ad's tracking cookies being deleted.
  • Users are provided with the possibility to opt-in on nugg.ad's homepage, on the landing page and by means of the topic monitor.
  • Life time of tracking cookies is limited to 26 weeks. If a user opts in, s/he is tracked for a maximum of 52 weeks.
  • IP addresses of users are anonymised by means of a third party anonymisation service.
  • nugg.ad dispenses with the use of categories that qualify as sensitive data under Art. 8 of Directive 95/46/EC and with the use of categories that are specifically designed to target children.
  • The topic monitor (https://mtm.nuggad.net/en) allows users to learn about the categories they have been classified in by PTN 2.1 according to their surfing behaviour. The topic monitor is prominently linked on nugg.ad's homepage and the landing page.
  • nugg.ad makes use of controller - processor agreements that comply with the requirements of Art. 17(2) - (4) of Directive 95/46/EC (as well as with the requirements of § 11 Abs. 2 S. 2 BDSG - German Federal Data Protection Act).


Initial Certification 09/2009

PTN v2.0 is provided to operators or publishers of websites. Customers can implement the service in order to gain a better and user optimised delivery of advertisements on the website.
A customer who wants to use PTN implements a web-bug on his website that is used to track basic user behaviour on the website. Each webpage of the website is classified to a certain category (e.g., sports or culture). If a user visits a webpage, the category the webpage belongs to is counted and stored in in a user cookie. This cookie has a maximum lifetime of 26 weeks.
Click behaviour data of users is enriched with information on demographics, product interests and potential lifestyle. To gain the latter information, a small, random sample of website visitors is presented an online questionnaire containing questions to pinpoint demographics, lifestyle and product interests.
Questionnaire information is stored in the nugg.ad system along with a hash code. Furthermore, the click statistics of the respective user are also stored with this hash code in the nugg.ad system. No personal data such as name or address of users is stored in the system. nugg.ad uses the above-mentioned data to build statistical models about general user behaviour based on interests.


Technical
Evaluator

Andreas Bethke

Papenbergallee 34
25548
Kellinghusen
Germany

andreas@b3-gruppe.de

 

Legal
Evaluator

Stephan Hansen-Oest

Neustadt 56
24939
Flensburg
Germany

sh@datenschutzkontor.de


Formerly Certified Versions

PTN 2.0

 

ULD certified targeting

Legal and technical expert opinion

The IT product’s compliance with data protection requirements

- PTN 2.0 -

by

nugg.ad AG
Rotherstr. 16
10245 Berlin
Germany

prepared by:

Andreas Bethke

Dipl. Inf. (FH)

at the independent data protection centre for the state of Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein), accredited technical expert for IT products

Papenbergallee 34

25548 Kellinghusen

Germany

tel  +49 (0)4822 – 37 89 05

fax  +49 (0)4822 – 37 89 04

mob +49 (0)179 – 321 97 88

email ab@datenschutzkontor.de


Stephan Hansen-Oest

Lawyer

at the independent data protection centre for the state of Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein), accredited legal expert for IT products

Neustadt 56

24939 Flensburg

Germany

tel +49 (0)461 – 90 91 356

fax +49 (0)461 – 90 91 357

mob +49 (0)171 – 20 44 98 1

email sh@datenschutzkontor.de


Version: 16/09/2009
 

A. Introduction

On 25/09/2007 the product manufacturer received certification for its software “Predictive Targeting Network (PTN)”, version 2.0. The certification was issued for a limited period of time and will therefore expire soon, i.e. as per 16/09/2009. In the meantime, the product manufacturer has made some improvements to the service, which have been implemented in the course of the successful EuroPriSe certification. However, the product still bears the version number 2.0 as otherwise no changes have been made to the method, which could be relevant for an assessment with view to data protection. By providing this expert opinion, the product manufacturer intends to have the IT method PTN 2.0 recertified for the privacy seal for IT products by the independent data protection centre for the state of Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein - ULD).

The expert opinion is based on version 1.2 of the requirements specification.
 

B.  Time of testing

The product was tested on 10/09/2009 and 16/09/2009.
 

C. Changes to the product and innovation

In the course of the certification procedure for EuroPriSe, the product PTN 2.0 underwent changes leading to improvements in the product, which can be rated as meeting the data protection requirements.

The updated version of the product underwent the following changes: 

- the lifetime of cookies has been reduced from 12 months to a maximum of 26 weeks. Also, the lifetime of non-personal data in the nugg.ad database which are processed and used to calculate statistical models have been reduced further (i. e. to 26 weeks as well) 

- the Privacy Policy on the nugg.ad website (http://www.nugg.ad) has been amended so as to take into account the interpretation of the term “personal“ under European law and the related implications as to whether “cookies” can be linked to an identifiable natural person. The Privacy Policy of nugg.ad can be accessed at http://www.nugg.ad/de/produkte/datenschutz.html.

- The list of criteria used for the delivery of advertising material has been revised.  Thus, the categories “reproduction” (sex life + health), “pregnancy fashion”, “doctors”, “opticians” and “man seeks / woman seeks” have been deleted to avoid any supposed reference to sensitive data within the meaning of section 3 subsection 9 of the Federal Data Protection Act (BDSG) in the first place.  

- The model contract used by nugg.ad for the processing of data by contractors has been improved and reworded.

No additional functions were added that would be relevant for the assessment of the product in terms of data protection.
 

D. Assessment regarding the requirements under data protection laws

In the meantime, there have been changes in the Federal Data Protection Act (BDSG) which took effect as of 01/09/2009.  The amendments to sections 28, 29 BDSG are irrelevant for IT method PTN 2.0, as their content does not lead to any new assessment of the legal situation.

However, the amendments made to section 11 BDSG are in fact relevant, as they impose more stringent requirements on written instructions to be given to contractor data processors.  According to section 11 subsection 2 BDSG as amended the written instructions given to such processor must contain the following:

1.  the subject and duration of the work to be carried out,

2.  the extent, type and purpose of the intended collection, processing or use of data, the type of data and category of data subjects,

3.  the technical and organisational measures to be taken under section 9,

4.  the rectification, erasure and blocking of data,

5.  the processor’s obligations under subsection 4, in particular monitoring,

6.  any right to issue subcontracts,

7.  the controller’s rights to monitor and the processor’s corresponding
obligations to accept and cooperate,

8.  violations by the processor or its employees of provisions to protect personal
data or of the terms specified by the controller which are subject to the obligation to notify,

9.  the extent of the controller’s authority to issue instructions to the processor,

10.  the return of data storage media and the erasure of data recorded by the
processor after the work has been completed.

nugg.ad offers to its clients a model processing agreement to be entered into which is annexed to the main contract. This had already contained the provisions now set forth in section 11 BDSG as amended.

Regarding the term, the agreement refers to the main contract which is a permissible procedure. The extent, type and purpose of the processing are set forth in section 2 of the agreement. The controller’s rights to monitor are set forth in section 6 of the agreement. In addition, the agreement provides for the return of data/data storage media and includes the processor’s notification duties in the event of a breach.

In total, the model agreement meets the requirements of section 11 BDSG amended as of 01/09/2009.

Further, section 11 BDSG as amended now contains a concrete duty of the controller to verify compliance with the technical and organisational measures taken by the processor before data processing begins and regularly thereafter, and to document the result. This new requirement can be met by the nugg.ad method as well.

The Telemedia Act (TMG) too has been amended with effect as of 01/09/2009. However, the amendments made therein have been of a mere editorial nature with the exception of section 15a TMG. For the assessment of the method in terms of data protection laws, the new section 15a TMG is irrelevant in the present case.

The changes to the method do not result in a different assessment of the method in terms of data protection laws. Rather, it can be noted that the product through improvements in its application has further improved from a data protection point of view.

E. Summary

The product “PTN 2.0” of nugg.ad AG can still be rated as exemplary overall. There are no concerns with view to recertification.

I hereby confirm that the above-named IT product complies with the legal requirements pertaining to data protection and data security.


Andreas Bethke / Dipl. Inf. (FH) Lawyer

at the independent data protection centre for the state of Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein), accredited technical expert for IT products

 

Stephan Hansen-Oest / Lawyer

at the independent data protection centre for the state of Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein), accredited legal expert for IT products


Impression Count

Campaign Impression Count

One part of the nugg.ad solution is the measurement of ad impressions (eg with banners) per user (client).

To enable this measurement, a marker (counting pixel) is integrated in the ad creative. Each time the ad is shown on a webpage, it sends a notice to the nugg.ad system. With each notice, nugg.ad writes a cookie named "ci" into the user's browser. The cookie "ci" stores the campaign identification number (campaign-ID), the number of ad impressions, and the date of the last impression.

The cookie will be erased after 26 weeks. No personal data is stored at any time.

What we do with predicted profiles

nugg.ad itself does not post the adverts you see online. We offer website providers a technology that enables them to deliver advertising based on your interests. To achieve this, nugg.ad uses general information based on your internet use.

It works like this: nugg.ad provides a predicted profile of a website visitor who is for instance likely to be male/female, aged between 20 and 30, and interested in travel, sports and consumer electronics. The provider responsible for the selection and display of the ad banner on the web page is then less likely to display advertising for garden accessories. They will tend to insert adverts for a new electronic device that allows sports enthusiasts to record and analyse their sporting activities.

nugg.ad shares these predicted profiles with marketers, advertisers and other providers responsible for online advertising services.  These partners use the predicted profiles for advertising purposes, such as targeting advertisements. They may use third-party service providers, acting on behalf of our partners, to display advertising.