GDPR Compliance Statement for AdType


On 25 May 2018 the new EU General Data Protection Regulation (GDPR) comes into force (this includes the United Kingdom regardless of its decision to leave the EU) and will impact each and every organisation that holds or processes personal data. It introduces new responsibilities, including the need to demonstrate compliance, more stringent enforcement and a significant increase in penalties compared to the current Data Protection Act (DPA) that it will supersede. Simply put, individuals will now have greater say over how, why, where and when their personal data is gathered, processed and disposed of. Any organisation that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect the data. If you hold and process personal information about clients, staff or suppliers, you are legally obliged to protect that information. You must:

  • Only collect information that you need for a specific purpose
  • Ensure it is relevant and up to date
  • Only hold as much as you need, and only for as long as you need it
  • Allow the subject of the information to see it on request
  • Keep it secure 

AdType places a high priority on protecting and managing data in accordance with the new GDPR standards. As a business, we remain committed to high standards of information security, privacy and transparency.

As such, we aim to comply with all applicable GDPR regulations. We will also work closely with our customers, their customers and potential customers to help them meet their obligations through the provision of professional services.

AdType’s GDPR Preparation:

As part of our GDPR preparation process, we have reviewed and updated all our internal processes, procedures, data systems and documentation in order to help ensure that we are ready when GDPR comes into force in May 2018.

Our GDPR Principles

  • We will process all personal data fairly, confidentially and lawfully.
  • We will only process personal data for specified and lawful purposes.
  • We will endeavour to hold relevant and accurate personal data, and where practical, we will keep it up to date.
  • We will not keep personal data for longer than is necessary.
  • We will keep all personal data secure.
  • We will ensure that personal data is not transferred to countries outside of the European Economic Area (‘EEA’) without adequate protection and consent.

Our GDPR Focus:

  • We aim to introduce and build on our existing security and business continuity systems to help ensure our compliance, including ISO 9001 and ISO 27001 and the ICOs guidelines
  • We will help our customers understand and prepare for GDPR, as well as help support the development of their compliance plans.

Our GDPR Actions:

  • We have reviewed and updated our range of policies, including our Data Breach Policy, Business Continuity Plans and Subject Access Requests.
  • We have an updated privacy policy on our website to incorporate our GDPR obligations.
  • We have undertaken a systematic review of the personal data we store, manage, maintain, collect, process and control.
  • We have provided training to our team and generally raise the awareness and importance of GDPR to our business.
  • We will continually look at ways of improving our systems and procedures to better comply with GDPR best practise.
  • We have conducted and successfully implemented an information audit to map all data flows within Adtype’s systems.
  • We have documented all the personal data we hold and know where it came from, who we share it with for the purposes of conducting our business and can demonstrate user consent to use such data
  • We have appointed Oliver Spark as Adtype’s Data Protection Officer.
  • As a business we have implemented appropriate technical and organisational measures to show all customers that we have considered and integrated data protection into all our processing activities.
  • As a business we only processes data on the documented instructions of a controller and there is a written contract setting out the respective responsibilities and liabilities of the controller and our business.
  • As a business we do not use sub-processors for any of the data we hold
  • We have implemented policies to ensure that your Right of Access, Right to Rectification, Right to Erasure, Right to Restrict Processing and Right to Data Portability are protected and respected.