EFFECTIVE AS OF December 1, 2020
We're committed to partnering with customers and users to help them understand and comply with the General Data Protection Regulation (GDPR). The GDPR went into effect on May 25, 2018 and sees significant changes to the EU privacy law.
Besides strengthening and standardizing user data privacy across the EU nations, it will require new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located.
The GDPR’s updated requirements are significant and Piano Software products are in line with required GDPR compliance commitments, either through automated product features or by requesting changes from Piano.
We work to:
Ensure that the appropriate contractual terms are in place with relevant customers;
Continue to support international data transfers by executing EU Standard Contractual Clauses (SCC) through our updated Data Processing Addendum while at the same time accepting GDPR’s application on us;
Build any new features and functionality with the requirements of GDPR in mind and ensure we include features that address Data subject rights wherever possible;
After the May deadline we continue to monitor GDPR related guidance and will make the necessary changes. We also continue to invest heavily toward security infrastructure and security processes;
Have binding corporate rules (BCRs) approved for controller and processors transfers both intragroup as well as against Publishers.
The question of international cross-border transfer of personal data is naturally very important to Piano. Being a US company, we have historically relied on EU-US Privacy Shield and Swiss-US Privacy Shield as well as EU Standard Contractual Clauses (SCC) to lawfully transfer personal data outside EEA. Due to Schrems II judgement of the CJEU (C-311/18) we no longer can rely on EU-US Privacy Shield and Swiss-US Privacy Shield and have withdrawn our certification from the Privacy Shield. However, we understand there are number of legal uncertainties surrounding the cross-border transfer of personal data under the GDPR and we want to be fair about these to our customers.
Firstly, in Google v Spain, the CJEU held that EU privacy laws (Directive 95/46/EC) applies directly to Google, Inc. (US company) by virtue of having an establishment in the EU (Google Spain, S.p.A.) in the context of which activities the personal data is processed. We too have an establishment in the EU (subsidiary in Slovakia) which is directly involved in supporting Piano Software, Inc. (US company) in processing personal data on behalf of the Publishers. Commission Decision on EU-U.S.
The abolished Commission’s decision EU-US Privacy Shield also referred to this problem in paragraph no. 15:
“The Principles apply solely to the processing of personal data by the U.S. organisation in as far as processing by such organisations does not fall within the scope of Union legislation. (15) The Privacy Shield does not affect the application of Union legislation governing the processing of personal data in the Member States (16).
(16) This applies also to processing that takes place through the use of equipment situated in the Union but used by an organisation established outside the Union (see Article 4(1)(c) of Directive 95/46/EC). As of 25 May 2018, the General Data Protection Regulation (GDPR) will apply to the processing of personal data (i) in the context of the activities of an establishment of a controller or processor in the Union (even where the processing takes place in the United States), or (ii) of data subjects who are in the Union by a controller or processor not established in the Union where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. See Article 3(1), (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).”
However, there is no mention of this extraterritorial application of the GDPR to non-EU companies in Articles 44-50 GDPR where it deals with cross-border transfer of personal data outside EU. Therefore, although it seems the GDPR will apply directly to Piano Software, Inc., non-EU Piano affiliated companies will remain persons from 3rd countries where the additional safeguards need to be adopted (like SCC or BCRs).
The way we decided to deal with the above is as follows:
Piano Software, Inc. being a US company concludes with EU Publishers SCC as part of the Data Processing Agreement where we act as processors and data importers to EU Publishers;
Piano Software, Inc. and all its subsidiaries (Piano Affiliates) concluded Intra-Group Processing Agreement pursuant to the Article 28(3) of the GDPR which also includes SCC.
To sum up, we have tried to ensure both contractually and technically that we comply with the GDPR regardless of whether and how the GDPR applies to us.
In the future, we aim to streamline this process and adopt BCRs instead of SCC since we believe BCRs provide higher safeguards than SCC due to their individual regulatory approval. We are currently in the approval process for BCRs with the Slovak Data Protection Authority acting as our lead data protection authority under Article 56 GDPR (the “Lead DPA”). The reason for this is that our main establishment in the EU is actually in Slovakia, where historically the first subsidiary of Piano Software, Inc. is located (Piano Software, s.r.o., Bratislava, Slovakia). As part of these proceedings there has been so-called “one-stop shop” process (cooperation mechanism under Article 60 GDPR) to confirm the role of our Lead DPA and none of other EU data protection authorities concerned objected. We hope to adopt BCRs by the end of 2020.
Compliance-related tools include the following:
Export Tools. Businesses and organizations may access, import, and export all their Customer Data;
My Account Widget. Help customers respond to user requests to delete personal information, such as names and email addresses;
For all other requests. Piano provides a dedicated team to info provide this information within a timely period to ensure compliance with GDPR. Contact us at firstname.lastname@example.org.
|Audience experience – the core purpose||Data processor||Performance of contract (Art. 6(1)(b) GDPR) and “cookie” consent (Art. 5(3) of e-Privacy directive)|
|Billing & Accounting||Data processor||Compliance with legal obligation (Art. 6(1)(c) GDPR)|
The above overview of purposes of processing is a default (expected) overview by the template data processing agreement (“DPA”) Piano Software, Inc. concludes (as a processor) with the Publisher. As a data processor, it is not our responsibility to determine the purpose and legal basis of processing via Piano Software. However, given the fact that the core functionality and business purpose of Piano Software is generally the same throughout different Publishers, we came up with the above default legal setting so that both us and the Publishers can more efficiently manage compliance with the GDPR in respect to Piano Software.
In practice, how does this work for users? For unregistered users/anonymous users: cookies consent based on setting of the web browser “allow cookies”. We recommend that the relationship between the Publisher and the user (unregistered and registered) is defined by contract performance in the publisher’s Terms and conditions. We expect that as soon as the user lands on Publisher’s site, there are certain terms and conditions in place that govern rights and obligations of both the user and the Publisher when using the site. We recommend that the Publisher’s obligation under these terms and conditions is drafted in a way that using Piano Software (and similar technologies) is part of Publisher’s contract performance. If the registered user changes privacy setting of its web browser to “do not allow cookies”, Piano loses the link of the browser to an individual. As such data is in effect erased as the data is no longer personal data but rather anonymised.
|Ref.||Audience experience||Billing and accounting|
|Right of access||Art. 15 GDPR||Yes, based on request|
|Right to rectification||Art. 16 GDPR||Yes, under certain conditions|
|Right to erasure||Art. 17 GDPR||Yes, under certain conditions|
|Right to restriction||Art. 18 GDPR||Yes, under certain conditions|
|Right to data portability||Art. 20 GDPR||Yes, just based on request but only in respect of data provided by the user||No|
|Right to object||Art. 21 GDPR||No||No|
|Right not to be subject to a automated individual decision-making||Art. 22 GDPR||Yes|
|Data protection by design & by default||Art. 25 GDPR||Yes in all cases. This is controller obligation|
|Appropriate security measures (TOMs)||Art. 32 GDPR||Yes in all cases|
|Detection and communication of data breach||Art. 33 GDPR||Yes in all cases|
As a data processor we shall according to the Art. 28(3)(g) GDPR: “taking into account the nature of the processing, assist the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III”. We ensure this as is explained below:
When applicable, Piano will provide the Data Controller with a My Account widget that allows the user to access their private data that Piano processes.
Piano will provide the Data Controller with a My Account widget that allows the user to correct their private data that Piano processes.
An anonymous data subject will be qualified as erased when they delete any Piano cookies. For data subjects where Piano stores registration information, that information shall be erased where possible.
On a case by case basis, Piano will ensure that data is restricted.
Piano provides a My Account widget where the user can access their data in order to download it. This refers to data actively provided by the data subject on registration forms. In addition, the Data Controller has access to the user profile through the user dashboard.
Piano carefully addresses GDPR defined security measures by the pseudonymisation and encryption of personal data; maintaining a detailed DRP to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services which in turn allows Piano to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. Piano maintains a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Piano maintain an incident response plan which governs the communication and process in the case of a data breach. Contractually this is covered between Piano and all publishers, in the MSA.
Fulfilling our privacy and data security commitments is important to us. So we’re glad to help you prepare for all the changes the GDPR brings. This page will be revised to reflect GDPR-related information as it becomes available. If you have any questions about how Piano Software can help you with compliance, we hope you’ll reach out to us.
To support delivery of our Services, Piano Software, Inc. (or one of its Affiliates listed below) may engage and use data processors with access to certain Customer Data (each, a "Subprocessor"). This page provides important information about the identity, location and role of each Subprocessor. Terms used on this page but not defined have the meaning set forth in the Customer Terms of Service or superseding written agreement between Customer and Piano (the "Agreement").
Piano Software currently uses third party Subprocessors to provide infrastructure services, and to help us provide customer support and email notifications. Prior to engaging any third party Subprocessor, Piano Software performs diligence to evaluate their privacy, security and confidentiality practices, and executes an agreement implementing its applicable obligations.
Piano Software may use the following Subprocessors to host Customer Data or provide other infrastructure that helps with delivery of our Services:
|Entity name||Subprocessing activities||Entity country|
|Amazon Web Services, Inc.||Cloud Service Provider||United States|
|Google Inc.||Cloud Service Provider||United States|
Piano Software may use the following Subprocessors to perform other Service functions:
|Entity name||Subprocessing activities||Entity country|
|Zendesk, Inc.||Cloud-based Customer Support Services||United States|
|MailChimp, Rocket Science Group||Cloud-based Email Notification Services||United States|
|Google Inc.||Cloud Service Provider||United States|
|Braintree||Payment Provider||United States|
|Mode Analytics||Analytics Visualiations||United States|
|Survey Gizmo (Strategy Services Clients Only)||Survey Collection for Strategic Consulting||United States|
Piano Software has offices located around the globe who depending on the service a publisher requires will process that data. These entities are listed below:
|Entity name||Entity country|
|Piano Software, Inc.||United States|
|Piano Media s.r.o.||Slovakia|
|Newzmate Sp. z o.o.||Poland|
As our business grows and evolves, the Subprocessors we engage may also change. We will endeavor to provide the owner of Customer’s account with notice of any new Subprocessors to the extent required under the Agreement, along with posting such updates here. Please check back frequently for updates.
Archive of GDPR
Notifications should be sent to the following:
Attn: Stuart Ashford
One World Trade Center, Suite 46 D
New York NY 10007