GDPR Compliance

The GDPR came into effect on May 25, 2018.

This page is for informational purposes only. We strongly encourage you to seek independent legal counsel to understand how your organization needs to comply with the GDPR.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy for all individuals within the EU. The GDPR primarily aims to give control to EU citizens and residents over their personal data and how it is processed.

Who does the GDPR apply to?

The GDPR applies to any organization that processes the personal data of EU data subjects, regardless of whether the organization has a presence in the EU or whether the processing is conducted within the EU.

It is likely that the GDPR affects your organization if you: collect, store, manage, or analyze personal data of any type, including email addresses.

What are the key aspects of GDPR?

As disclaimed at the top, we suggest you perform your own research and get legal advice on how the GDPR will affect your business, however below are key points to consider:


When data is collected, it must be clear as to what is being collected and the purpose for collection and processing.


Data should only be used for the intended purpose, it should not be collected and stored for future possible use. Only the data needed to fulfil the intended purpose should be collected and processed.


Ensure data is stored only as long as is required, without unnecessary replication, and with appropriate controls and restrictions in place.


Organizations must be able to demonstrate to the governing bodies that they have taken the necessary steps appropriate for the risk their data subjects face. To ensure compliance, organizations must ensure that every step within the GDPR strategy is auditable and can be compiled quickly and efficiently.

Managing Consent

The GDPR requires that you use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site and/or app. For the purpose of serving advertisements through AdButler, we require IP address as the only personally identifiable information, so your consent must be appropriate to the data and the purpose for which it’s collected.

AdButler does not track or segment users, and IP addresses are anonymized upon processing, leaving no personally identifiable information available. The risk to the data owner is minimal, and a clear and transparent disclosure in your privacy statement should be appropriate for the data considered.

We will provide details on this page for AdButler specific tools to customize ad serving within the EU when they become available.

How AdButler is Compliant

AdButler has been incorporating “privacy by design” since our inception, which has made our preparation to be GDPR compliant relatively painless. With GDPR having taken effect on May 25, 2018, we want to assure you that we are fully compliant with the regulation.

As part of our “privacy by design” principle, and as mandated by the GDPR, we will continue to process very minimal data that we collect (on your behalf) and only process in order to select, display, and report on your advertisements.

With respect to personal data, your user’s IP address is the only personal data we process on your behalf. We process this data along with several non-personal data to provide our ad serving, reporting, and anti-fraud services.

To better facilitate this compliance, we have implemented both product and non-product- related updates before the GDPR commences. Not only will these updates ensure our compliance, but they will also make it easier for all of our customers to comply. Below is the list of relevant updates we have made:


  • Update reporting process to anonymize IP addresses (complete)
  • Update frequency capping to ensure compliance with cookie regulations (complete)
  • Implement geolocation flags for EU serving rules (complete)


  • Prepare GDPR Data Processing Addendum (DPA) (complete)
  • Send out DPAs to all customers serving in the EU (complete)
  • Update privacy policy to reflect GDPR changes (complete)
  • Add GDPR related content to the help docs (complete)

Legal Basis for Processing Data

The GDPR requires a legal basis for the processing of the personal data of a Data Subject. The GDPR provides a right to process the personal data of Data Subjects to further a company’s own “legitimate interests,” or the legitimate interests of a third party, provided that doing so will not infringe adversely upon the fundamental rights and freedoms of the applicable Data Subjects.

Recital 47 of the GDPR states expressly that the “processing of personal data strictly necessary for the purposes of preventing fraud” constitutes a legitimate interest, and such provision serves as our legal basis for the processing of Data Subjects’ personal data in connection with the operation of our Website and Services.