Last updated: 04/04/2022

Brandwatch Group Data Privacy FAQs

Print
Sections
Q1: Who are we? Q2: Questions regarding the new Brandwatch services Q3: Is there a Customer Data Processing Addendum?  Q4: Where will my personal data be stored? Q5: Who are Brandwatch’s sub-processors? Q6: How will Brandwatch inform customers of any intended changes concerning the addition to or replacement of any permitted Sub-Processor with a new Sub-Processor? Q7: Does Brandwatch comply with the General Data Protection Regulation (“GDPR”) and other data privacy laws? Q8: Do the GDPR and other privacy laws apply to any of the Brandwatch Group’s services? Q9: Can customers upload special category or sensitive personal data to Brandwatch? Q10: Is the Brandwatch Group a data controller or a data processor? Q11: Is Vizia a data controller or data processor with respect to data uploaded by customers? Q12: Is Brandwatch a data controller or data processor with respect to data uploaded by customers? Q13: Is Brandwatch a data controller or data processor with respect to Benchmark? Q14: Is Brandwatch a data controller or data processor with respect to Benchmark, Publish, Engage, Measure, Audience and Advertise? Q15: Is Brandwatch a data controller or data processor with respect to Influence? Q16: If Brandwatch is a data controller for the Analytics Services, what are customers? Q17: What is the legal basis on which the Brandwatch Group processes personal data for its Analytics, Listen, Benchmark and Influence Services? Q18: Where does the Brandwatch Group store or export the personal data that it processes? Q19: Are Brandwatch’s systems that process personal data secure? Q20: How does Brandwatch ensure its services comply with the GDPR and CCPA? Q21: What are SCCs? Q22: How does the Schrems II ruling impact Brandwatch? Q23: Does the Brandwatch Group also comply with the California Consumer Protection Act (CCPA)? Q24: How do you provide notice to CA consumers as required by the CCPA? Q25: Does the Brandwatch Group also comply with the General Personal Data Protection Law in Bazil (LGPD)?

Human readable summary

The purpose of this FAQ is to set out for customers of the Brandwatch group of companies, including Crimson Hexagon, and Buzzsumo (“Brandwatch Group”), how the Brandwatch Group approaches data privacy compliance. If you have any questions that are not answered by this FAQ, please get in touch with your sales representative or customer success manager.

Q1: Who are we?

For reference, we are Runtime Collective Limited, and we trade as Brandwatch (“we”, “us” or “Brandwatch”). Our registered office address is at Sovereign House, Church Street, 1st Floor, Brighton, BN1 1UJ, United Kingdom. Our company number is 03898053 and our VAT number is 754 7507 10. Our subsidiaries, such as Crimson Hexagon, Inc. and Paladin Software, LLC, and our affiliates such as Falcon.io ApS and Falcon.io US Inc may also act as a data controller from time to time. We act as the data controller of the Personal Data that we process about you.

Q2: Questions regarding the new Brandwatch services

As a Brandwatch or Falcon customer, I’ve heard that there will be a new services. What are they?

 

We have combined our two best-in-class companies (Brandwatch and Falcon.io) to create a superior offering that maintains the same privacy standards that you have come to expect from us. 

The Brandwatch services are: 

Publish

In this module you can plan and schedule your content on all available networks – Facebook, Instagram, LinkedIn, Twitter You can also connect your ad accounts and create promoted posts for Facebook and Instagram.

Engage

This is your social media inbox – any messages and comments that sent to a customer’s social channels will be displayed here. Customers can comment, reply, assign for somebody else to reply, create automation rules etc.

Measure

This is where we gather all the data and show you how a customer’s social channels and posts are performing. They can create custom dashboards to better fit their needs on how they would like for the data to be displayed. You can export the data that you see.

Listen 

Listen allows customers to search and see all public instances in which their brand (or products or competitors) have been mentioned so that they can see what is said about them, how often it is said and what the general sentiment around their brand is. It provides customers with real-time and actionable data so they plan and execute their social media strategies. 

BCR 

BCR gathers millions of conversations from the public web relevant to our customers’ businesses, industries or products.   By using BCR helps customers to discover trends and sense their customers’ sentiment. Read more here: https://www.brandwatch.com/products/consumer-research/

Audience

Audience is our small CRM system within Brandwatch. Customers can see the historical conversations they have had with people on their social channels 

Advertise

Advertise simplifies advertisement management and reporting for all our customers’ channels and audiences.

Benchmark

Customers can compare their brands to competitors and industry leaders’ social media activity and can also look at their own social media results and find out what works 

Vizia

Vizia is a tool which lets customers  produce marketing reporting by integrating key marketing data sources (e.g. Google or Salesforce) and creating  visualisations  which best presents their data. 

Influence 

Brandwatch influence is a comprehensive influencer marketing platform with three core components:

‘Discover’ allows our customers to search for new influencers and generate influencer reports. 

‘Influencers’ allows users to manage their influencer contacts in a dedicated CRM. 

‘Campaigns’ allows users to manage their campaign workflow, track influencer posts, and aggregate performance data.

Q3: Is there a Customer Data Processing Addendum? 

You can find our  Customer Data Processing Addendum, which covers any service you may obtain from Brandwatch here: https://www.cision.com/legal/customerdpa/.

Q4: Where will my personal data be stored?

The different components of the Brandwatch product suite are hosted in the USA, Belgium and the UK.


We use Amazon Web Services (AWS) in North Virginia USA for BCR (Brandwatch Consumer Research) – Amazon’s compliance and security standards can be viewed here.


We use Google Cloud Platform (GCP) in Belgium for other BCR parts and Vizia  – Google’s compliance and security standards can be viewed here.


We use data centres in the UK to store some analysis results and metadata 

For more information on how Brandwatch has assessed the transfer data to the USA, please see our International Data Transfer page. 

Q5: Who are Brandwatch’s sub-processors?

Please see here for information on our sub-processors. 

Q6: How will Brandwatch inform customers of any intended changes concerning the addition to or replacement of any permitted Sub-Processor with a new Sub-Processor?

Customers can sign up to be notified using the email submission box at the bottom of https://www.brandwatch.com/legal/sub-processors/.

Q7: Does Brandwatch comply with the General Data Protection Regulation (“GDPR”) and other data privacy laws?

Yes

Q8: Do the GDPR and other privacy laws apply to any of the Brandwatch Group’s services?

Yes. Privacy laws apply to the processing of personal data. Personal data means any information relating to an identified or identifiable natural person. Brandwatch offers a variety of services, each of which require a different analysis under the GDPR and other privacy laws.

Analytics Services

Brandwatch Consumer Research, HelioSight, ForSight, Analytics/Images, Audiences,  (“Analytics Services”)

Analytics Services are personal data agnostic. These Analytics Services are based on analyzing large sets of unstructured text data/images. However, while processing personal data is not the core point of the Analytics Services, it is likely that there is personal data in data that forms part of the Analytics Services. For example, some users on Twitter verify their account. Where a user’s account is verified, that user’s username and accompanying Tweets are personal data. Because of the difficulty in analyzing whether information is personal data on a post-by-post basis, the Brandwatch Group chooses to treat its entire database for its Analytics Services as if it contains all personal data.

Vizia

For Vizia, the GDPR applies where the data within Vizia is personal data.

Content Upload APIs

The Brandwatch Group allows customers to use APIs to upload the customers’ own data for analysis. Where the data that a customer uploads has personal data in it, the GDPR applies.

Q9: Can customers upload special category or sensitive personal data to Brandwatch?

No. This is not the purpose of Brandwatch’s services, which are media monitoring, social listening and media outreach.

Q10: Is the Brandwatch Group a data controller or a data processor?

The Brandwatch Group acts as a data controller and/or a data processor, depending on the services that it provides:

Analytics Services

For its Analytics Services, Brandwatch makes decisions about which websites it crawls, what data it collects, and how and why this data is used in connection with its services. This decision is based on the fact that these services and any related processing are not specific to any particular customer and could not therefore be said to be only “on the instructions” of any such customer. Therefore, for the Analytics Services that contain personal data, Brandwatch considers itself an Independent Data Controller under the GDPR. 

Our customers then decide how to use this personal data independently, making them also Independent Data Controllers. 

Our Listen service provides serves up the same search results to different customers who enter the same search terms and therefore also Brandwatch considers itself an Independent Data Controller (along with its customers) for Listen.

Q11: Is Vizia a data controller or data processor with respect to data uploaded by customers?

Historically, Vizia only displayed data from Analytics (another Brandwatch service). Where only data from Analytics is displayed, Brandwatch is still a data controller. This is because the data that Vizia is processing is Brandwatch’s own data source (for which Brandwatch is a data controller). However, Brandwatch has built a developer ecosystem that allows its customers to build their own software applications to sit on top of Vizia, displaying customers’ own data. Where a customer has built their own software application, and that application has personal data in it, Brandwatch is a Data Processor and the customer is a data controller of that personal data. This is because Brandwatch is only processing personal data on the customer’s behalf (i.e. to run and operate the customer’s application).

Q12: Is Brandwatch a data controller or data processor with respect to data uploaded by customers?

When customers upload their own personal data to Brandwatch, Brandwatch is a Data Processor because Brandwatch is only processing this personal data on the customer’s behalf. The customer is only using Brandwatch’s technology to analyse their own data.  

Q13: Is Brandwatch a data controller or data processor with respect to Benchmark?

For these services, Brandwatch is an Independent Data Controller along with our customers. This is because it proactively ingests content from monitored pages/accounts prior to any customer searches and serves it up to customers when they input searches. 

Q14: Is Brandwatch a data controller or data processor with respect to Benchmark, Publish, Engage, Measure, Audience and Advertise?

For these services, the customer decides that they want to process personal data for their own purposes and uses Brandwatch’s technology to do this. merely provides the tools for them to do this. For this reason, Brandwatch is a Data Processor. Our customers are Data Controllers.

Q15: Is Brandwatch a data controller or data processor with respect to Influence?

Brandwatch is an Independent Data Controller for the personal data it decides to add to the platform and for personal data added by a customer that Brandwatch then provides to other customers. Customers are Independent Data Controllers if they decide to do anything with the personal data Brandwatch has provided. Brandwatch is a Data Processor for any personal data a customer adds to the platform which only that customer uses. 

Q16: If Brandwatch is a data controller for the Analytics Services, what are customers?

Brandwatch’s customers are also Independent Data Controllers in respect of the personal data which they process through the use of the Analytics Services. The reason is that, under the GDPR, a person must be a Data Processor or a Data Controller. A data processor processes data on behalf of the data controller. Since Brandwatch’s customers decide what to do with the personal data and do not process personal data on Brandwatch’s behalf, Brandwatch’s customers must be Independent Data Controllers under the GDPR for the Analytics Services.

Q18: Where does the Brandwatch Group store or export the personal data that it processes?

Brandwatch sources much of its personal data from public sources which are hosted in the USA.  

The different components of the Brandwatch product suite are hosted in the USA, Belgium and the UK.


We use Amazon Web Services (AWS) in North Virginia USA for BCR (Brandwatch Consumer Research) – Amazon’s compliance and security standards can be viewed here.

We use Google Cloud Platform (GCP) in Belgium for other BCR parts and Vizia  – Google’s compliance and security standards can be viewed here.


We use data centres in the UK to store some analysis results and customer metadata.  

If you decide to upload your own personal data to Brandwatch it will be exported to the USA.

 For more information on how Brandwatch has assessed the transfer data to the USA, please see our International Data Transfer page.

Q19: Are Brandwatch’s systems that process personal data secure?

Yes. The Brandwatch Group has the ISO27001 and SOC 2 certifications that cover the hosting, development and support for some of its applications and data. The information security management systems and servers that host the personal data within Analytics and Vizia are covered by an ISO27001 certification that is audited annually. The Brandwatch Group has technical and organisational measures in place to protect against the unauthorised or unlawful processing of data and against accidental loss, destruction or damage of that data. Where the Brandwatch Group uses third party cloud providers, those providers are industry-leading, including AWS and Google Cloud. In addition, the Brandwatch Group applies its own security policies and processes to the management and provision of any third party systems and services. Customers can find further information about the Brandwatch Group’s information security standards at https://www.brandwatch.com/legal/information-security/.

Q20: How does Brandwatch ensure its services comply with the GDPR and CCPA?

The Brandwatch Group has a data protection officer responsible for privacy globally across all group companies. The Brandwatch Group has also distributed privacy compliance throughout the company, appointing privacy champions on its engineering, product, and people teams. These individuals are tasked with incorporating data protection by design and by default when developing services for the Brandwatch Group. The Brandwatch Group also implements Privacy Impact Assessments, where required, in accordance with the GDPR.

Q21: What are SCCs?

Standard Contractual Clauses (SCCs) are terms and conditions that organisations sending EU personal data from within the EU must have in place with organisations outside the EU that they are sending it to. These  are published by the European Commission and are therefore the same for all organisations.

Cision has these SCCs in place with its customers and vendors.

On 4th June 2021 a new set of SCCs was published by the European Commission. These new SCCs require organisations to consider if and what additional technical safeguards will be prudent/necessary for the continued safe transfer their various personal data sets. Please see our International Data Transfer page.

The existing 2010 SCCs can continue to be used for existing data transfers for until 27th December 2022. .

Q22: How does the Schrems II ruling impact Brandwatch?

When the CJEU struck down the validity of the Privacy Shield (the Schrems II ruling) in July of 2020, many companies became concerned about data transfers between the EU and the US. However, for Brandwatch, not much has changed. We have never relied on Privacy Shield as our legal transfer mechanism. Instead, we have always incorporated Standard Contractual Clauses (SCCs) into our contracts. SCCs or “model clauses” have been determined by the European Commission as a sufficient safeguard for cross-border transfers of personal data. The Schrems II ruling has also called into question the strength of SCCs and while they are still legal, the European Data Protection Board (EDPB) has given some initial guidance recommending that organisations undertake a risk assessment to determine if any supplemental measures need to be put in place to further protect transfers that rely on SCCs. 

For more information on how Brandwatch has assessed the transfer data to the USA, please see our International Data Transfer page.

Q23: Does the Brandwatch Group also comply with the California Consumer Protection Act (CCPA)?

Yes, the Brandwatch Group is compliant with the CCPA. The Brandwatch Group is headquartered in England and has centralized its global privacy compliance with the GDPR. Given that the GDPR is a more comprehensive privacy framework than the CCPA, the Brandwatch Group is already compliant with much of the CCPA by nature of its GDPR compliance. Furthermore, any new requirements of the CCPA will not directly impact the Brandwatch Group’s customers’ use of the services. For ease of review, this FAQ has maintained the terminology for GDPR. However, for clarity, whenever you see a reference in these FAQs to “Data Controller”, that is equivalent to “Business” under CCPA; and whenever you see a reference to “Data Processor”, that is equivalent to “Service Provider” under CCPA.

Q24: How do you provide notice to CA consumers as required by the CCPA?

Brandwatch does not have a direct relationship with the authors of the public online content that makes up our database. As such, the CCPA requires that CA consumers be given notice that we sell their personal information. We provide this notice directly to CA consumers via our Author Privacy Statement on our website. We have also registered as a data broker with the California State Attorney General’s office. All of our contact information and relevant details are available in that listing.

Q25: Does the Brandwatch Group also comply with the General Personal Data Protection Law in Bazil (LGPD)?

For information on the LGPD, please see Cision’s stance at https://gdpr.cision.com/Brasil-LGPD.

Falcon.io is now part of Brandwatch.
You're in the right place!

Existing customer?Log in to access your existing Falcon products and data via the login menu on the top right of the page.New customer?You'll find the former Falcon products under 'Social Media Management' if you go to 'Our Suite' in the navigation.