If you don’t belong to any of these categories, here’s a recap: GDPR is a new EU privacy regulation which applies to any organisation that collects or processes data from EU residents, aiming to protect the privacy and the personal data of all individuals within the European Union (and the European Economic Area).
According to GDPR Article 4 ‘personal data’ means:
“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
GDPR sets principles relating to the processing of such personal data, with the goal of limiting personal data collection and processing to the minimum necessary and making it as secure and transparent as possible, giving data subjects the power to ask data collectors and processors to modify or delete the personal data they have in their possession. GDPR also sets out a list of cases where the processing of personal data is considered lawful. The cases on this list vary from public interest and necessity to the case where the data subject has provided explicit consent. Those cases, which often lack specificity and are somewhat vague at times, have made legal and marketing teams around the world work overtime on ensuring the compliance of their EU customer database.
While for many companies GDPR mostly concerns the sales, marketing and HR functions, an interesting question we’re often asked is whether our product is GDPR compliant, and rightfully so: Streamroot Distributed Network Architecture, like most internet-based technologies, is naturally exposed to viewers’ IP addresses, and even though we have no means to identify any person behind an IP address, a stringent interpretation of GDPR might consider those IP addresses as personal information.
When GDPR was first introduced, ensuring that our product was compliant was our top priority. As a peer-assisted delivery service, Streamroot DNA™ handles millions of video sessions – and therefore millions of IP addresses – on a daily basis. Thankfully, France has already implemented strict privacy laws, so as a France-based company our workflow was already designed according to GDPR-like principles from day one.
Personal Data Handling by Streamroot DNA™
To connect to online services, Streamroot included, viewers use their IP addresses. This data is not retained anywhere, apart from our log files: like most web servers, we keep connection logs for the purpose of technical debugging. These logs are kept for up to 30 days before being permanently deleted.
Each viewer is attributed a random key – userId – used to identify the viewer, generate the appropriate matching with other viewers watching the same content, and enable peer-to-peer connections. The list of userIds is not stored on hard disks, and the userId identifier is removed from the list approximately 1 minute after the viewer ends the video session. No data connecting viewers and content is recorded or retained in any way. A log file containing userId and websocket connections is kept for 30 days for debugging purposes before being deleted permanently.
During the playback of a video, statistics payloads are sent to Streamroot’s back-end to allow the R&D team to monitor and analyse the behavior of the peer-to-peer connections. This data is kept for 6 hours, allowing other services to pull the data for further analysis. All of those services strip IP information when ingesting the data, and aggregate the data along various dimensions, guaranteeing anonymity. This aggregated, anonymized data, which no longer constitutes personal information, is kept for up to one year before being permanently deleted.
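The ingest step described above, sketched as an added example (not Streamroot's code): raw payloads older than 6 hours are purged, identifying fields are dropped before aggregation, and a check confirms that no raw IP or userId value survives in the aggregated output. The field names, dimensions, metrics and sample payloads are assumptions constructed for illustration.

```python
from collections import defaultdict

RAW_TTL_SECONDS = 6 * 3600               # raw payload retention stated on the page
IDENTIFYING_FIELDS = {"ip", "userId"}    # assumed field names
DIMENSIONS = ("content_id", "country")   # assumed aggregation dimensions
METRICS = ("p2p_bytes", "cdn_bytes")     # assumed metric names

def purge_expired(raw_store, now):
    """Return only the raw payloads still inside the 6-hour window."""
    return [p for p in raw_store if now - p["received_at"] < RAW_TTL_SECONDS]

def ingest(raw_store):
    """Strip identifying fields, then aggregate the rest along DIMENSIONS."""
    totals = defaultdict(lambda: {"sessions": 0, **{m: 0 for m in METRICS}})
    for payload in raw_store:
        clean = {k: v for k, v in payload.items() if k not in IDENTIFYING_FIELDS}
        bucket = totals[tuple(clean[d] for d in DIMENSIONS)]
        bucket["sessions"] += 1
        for m in METRICS:
            bucket[m] += clean[m]
    return dict(totals)

def leaked_identifiers(aggregates, raw_store):
    """Return any raw ip/userId value that still appears in the aggregated output."""
    rendered = repr(aggregates)
    return sorted({str(p[f]) for p in raw_store for f in IDENTIFYING_FIELDS
                   if str(p[f]) in rendered})

# Constructed sample payloads (documentation-range IPs, made-up ids and counters).
NOW = 100_000
RAW = [
    {"ip": "192.0.2.10", "userId": "k3f9a1", "content_id": "live-1", "country": "FR",
     "p2p_bytes": 700, "cdn_bytes": 300, "received_at": NOW - 600},
    {"ip": "198.51.100.7", "userId": "p0c2d8", "content_id": "live-1", "country": "FR",
     "p2p_bytes": 500, "cdn_bytes": 500, "received_at": NOW - 3600},
    {"ip": "203.0.113.5", "userId": "z7e4b6", "content_id": "vod-9", "country": "DE",
     "p2p_bytes": 100, "cdn_bytes": 900, "received_at": NOW - 7 * 3600},
]

if __name__ == "__main__":
    fresh = purge_expired(RAW, NOW)
    print(ingest(fresh), leaked_identifiers(ingest(fresh), fresh))
```

Running `leaked_identifiers` against every aggregate store as a scheduled job turns the "IP information is stripped at ingest" statement into something that can be verified continuously.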
Evidently, in the processes described above, Streamroot handles what can be considered Personal Information: IP addresses and userIds. This information is lawfully collected and processed: it is collected for specified, explicit and legitimate purposes. Not only is it necessary for the purposes of the legitimate interests of Streamroot and its customers, it is also inevitably necessary for the delivery of video – and therefore necessary for the performance of a contract to which the data subject is party, i.e. the content-owner’s terms & conditions to which the viewer has agreed in order to watch the video. The personal data we process is adequate, relevant and limited in scope and time to what’s required in order to achieve the purpose for which it is required. Our treatment of such personal data is fair and transparent: personal data is kept on secure servers with very limited access; userIds are kept for up to one minute after the end of a video session, and IP addresses are kept for up to 6 hours only.
For certain processes, we use third-party providers which may be considered sub-processors. We have verified that all relevant providers are GDPR compliant and have either entered into a Data Processing Agreement or validated a new Terms of Service agreement.
Our GDPR project has proved to be a great opportunity to review our processes and data workflow. We take pride in being able to confidently assure our customers and leads that Streamroot and Streamroot DNA™ are 100% GDPR-compliant. We’re happy to address any concern you might have and to share the knowledge we gained throughout the process. For additional questions, don’t hesitate to contact our Data Protection Officer at email@example.com.