The purpose of this FAQ is to set out for customers of the Brandwatch group of companies (“Brandwatch Group”) how the Brandwatch Group approaches data privacy compliance. If you have any questions that are not answered by this FAQ, please get in touch with your sales representative or customer success manager.
For reference, we are Runtime Collective Limited, and we trade as Brandwatch (“we”, “us” or “Brandwatch”). Our registered office address is at Sovereign House, Church Street, 1st Floor, Brighton, BN1 1UJ, United Kingdom. Our company number is 03898053 and our VAT number is 754 7507 10. Our subsidiaries, such as Crimson Hexagon, Inc. and Paladin Software, LLC, and our affiliates such as Falcon.io ApS and Falcon.io US Inc may also act as a data controller from time to time. We act as the data controller of the Personal Data that we process about you.
As a Brandwatch, Falcon, or Paladin customer, I’ve heard that there will be new services. What are they?
We have combined our three best-in-class companies (Brandwatch, Falcon.io, and Paladin) to create a superior offering that maintains the same privacy standards that customers have come to expect from us.
The new suite of Brandwatch services includes two main product sets – Consumer Intelligence and Social Media Management. Here is a description of each of our products.
Brandwatch Consumer Research (BCR)
BCR gathers millions of conversations from the public web relevant to our customers’ businesses, industries or products. Using BCR helps customers to discover trends and sense their customers’ sentiment. Read more here: https://www.brandwatch.com/products/consumer-research/
Vizia is a tool which lets customers produce marketing reporting by integrating key marketing data sources (e.g. Google or Salesforce) and creating visualizations which best represents their data.
Brandwatch Reviews offers comprehensive coverage and in-depth analysis of all your product reviews. Learn what negative reviewers want, spot opportunities to improve your position and garner a higher product rating.
In this module, customers can plan and schedule content on all available networks – Facebook, Instagram, LinkedIn, Twitter. Customers can also connect ad accounts and create promoted posts for Facebook and Instagram.
This is a customer’s social media inbox – any messages and comments that are sent to a customer’s social channels will be displayed here. Customers can comment, reply, assign, create automation rules etc.
This is where we gather all the data and show customers how their social channels and posts are performing. Customers can create custom dashboards to better fit their needs on how they would like the data to be displayed. Customers can export the data.
Listen allows customers to search and see all public instances in which their brand (or products or competitors) have been mentioned so that they can see what is said about them, how often it is said and what the general sentiment around their brand is. It provides customers with real-time and actionable data so they can plan and execute their social media strategies.
Audience is our small CRM system within Brandwatch. Customers can see the historical conversations they have had with people on their social channels.
Advertise simplifies advertisement management and reporting for all our customers’ channels and audiences.
Customers can compare their brands to competitors and industry leaders’ social media activity and can also look at their own social media results and find out what works.
Brandwatch Influence is a comprehensive influencer marketing platform with three core components:
‘Discover’ allows our customers to search for new influencers and generate influencer reports.
‘Influencers’ allows users to manage their influencer contacts in a dedicated CRM.
‘Campaigns’ allows users to manage their campaign workflow, track influencer posts, and aggregate performance data.
You can find our Customer Data Processing Addendum, which covers any service you may obtain from Brandwatch here: https://www.brandwatch.com/legal/data-protection-addendum/
Please see here for information on our sub-processors.
Customers can sign up to be notified using the email submission box at the bottom of https://www.brandwatch.com/legal/sub-processors/.
Yes. Privacy laws apply to the processing of personal data. Personal data means any information relating to an identified or identifiable natural person. Brandwatch offers a variety of products, each of which require a different analysis under the GDPR and other privacy laws.
Many of our products are personal data agnostic. These include Consumer Research, Measure, Listen, Audience, Advertise, Benchmark, and Reviews. These products are based on analyzing large sets of unstructured text data and images. However, while processing personal data is not the core point of these products, it is likely that there is personal data within the data that we collect. For example, some users on Twitter verify their accounts. Where a user’s account is verified, that user’s username and accompanying Tweets are personal data. Because of the difficulty in analyzing whether information is personal data on a post-by-post basis, the Brandwatch Group chooses to treat its entire database as if it contains personal data.
Several of our products require or allow customers to provide data to us for processing that Brandwatch would not otherwise have access to. These products include Publish, Engage, Vizia, Consumer Research and our Content Upload API. Some of these products allow customers to authenticate their owned accounts to measure or manage their activities. Others allow the customer to directly upload their own data set for analysis or visualization. If the data provided to us by customers includes personally identifiable data, then the GDPR or other privacy laws will apply.
The customer must ensure that its use of Brandwatch services and its instructions regarding the Processing of any Personal Data comply with all Applicable Privacy Laws, and that Brandwatch’s Processing in accordance with the Customer’s instructions will not cause Brandwatch to be in breach of any Applicable Privacy Laws. Brandwatch will inform the Customer if, in Brandwatch’s opinion, the Customer’s instructions infringe Applicable Laws.
Customer will notify Brandwatch if they intend to upload any special categories of data as part of using Brandwatch services. Brandwatch may refuse to process such data or impose any restrictions as are necessary, at the Customer’s expense, to enable Brandwatch to comply with its legal and contractual obligations.
The Brandwatch Group acts as a data controller and/or a data processor, depending on the services that it provides:
For its many of its products, including Consumer Research, Measure, Listen, Audience, Benchmark, Influence, Vizia, and Reviews, Brandwatch makes decisions about which websites it crawls, what data it collects, and how and why this data is used in connection with its services. This decision is based on the fact that these services and any related processing are not specific to any particular customer and could not therefore be said to be only “on the instructions” of any such customer. Therefore, for the above products, Brandwatch considers itself an Independent Data Controller under the GDPR.
Our customers then decide how to use this personal data independently, making them also Independent Data Controllers.
When customers upload or grant access to their own personal data to Brandwatch, Brandwatch is a Data Processor because Brandwatch is only processing this personal data on the customer’s behalf. The customer is only using Brandwatch’s technology to create, access, or analyze their own data. Products that involve this Controller to Processor relationship include Consumer Research, Publish, Engage, Measure, Audience, Advertise, Benchmark, Influence, Vizia and the Content Upload API.
Brandwatch’s customers are Independent Data Controllers in respect of the personal data which they process through the use of Brandwatch services. The reason is that, under the GDPR, a person must be a Data Processor or a Data Controller. A data processor processes data on behalf of the data controller. Since Brandwatch’s customers decide what to do with the personal data and do not process personal data on Brandwatch’s behalf, Brandwatch’s customers must be Independent Data Controllers under the GDPR for the Analytics Services.
Brandwatch sources much of its personal data from public sources which are hosted in the USA.
The different components of the Brandwatch product suite are hosted in the USA, Belgium and the UK.
We use Amazon Web Services (AWS) in North Virginia USA for BCR (Brandwatch Consumer Research) – Amazon’s compliance and security standards can be viewed here.
We use Google Cloud Platform (GCP) in Belgium for other BCR parts and Vizia – Google’s compliance and security standards can be viewed here.
We use data centres in the UK to store some analysis results and customer metadata.
If you decide to upload your own personal data to Brandwatch it will be exported to the USA.
For more information on how Brandwatch has assessed the transfer data to the USA, please see our International Data Transfer page.
Yes. The Brandwatch Group has the ISO27001 and SOC 2 certifications that cover the hosting, development and support for some of its applications and data. The information security management systems and servers that host the personal data within Consumer Research, Vizia, and Reviews are covered by an ISO27001 certification that is audited annually. The Brandwatch Group has technical and organizational measures in place to protect against the unauthorized or unlawful processing of data and against accidental loss, destruction or damage of that data. Where the Brandwatch Group uses third party cloud providers, those providers are industry-leading, including AWS and Google Cloud. In addition, the Brandwatch Group applies its own security policies and processes to the management and provision of any third party systems and services. Customers can find further information about the Brandwatch Group’s information security standards at https://www.brandwatch.com/legal/information-security/.
The Brandwatch Group has a data protection officer responsible for privacy and compliance. The Brandwatch Group has also distributed privacy compliance throughout the company, appointing privacy champions on its engineering, product, and people teams. These individuals are tasked with incorporating data protection by design and by default when developing services for the Brandwatch Group. The Brandwatch Group also implements Privacy Impact Assessments, where required, in accordance with the GDPR.
Standard Contractual Clauses (SCCs) are terms and conditions that organisations sending EU personal data from within the EU must have in place with organisations outside the EU that they are sending it to. These are published by the European Commission and are therefore the same for all organisations.
Brandwatch has these SCCs in place with its customers and vendors.
On 4th June 2021, a new set of SCCs was published by the European Commission. These new SCCs require organizations to consider if and what additional technical safeguards will be necessary for the continued safe transfer of their various personal data sets. Please see our International Data Transfer page.
The existing 2010 SCCs can continue to be used for existing data transfers for until 27th December 2022. .
When the CJEU struck down the validity of the Privacy Shield (the Schrems II ruling) in July of 2020, many companies became concerned about data transfers between the EU and the US. However, for Brandwatch, not much has changed. We have never relied on Privacy Shield as our legal transfer mechanism. Instead, we have always incorporated Standard Contractual Clauses (SCCs) into our contracts. SCCs or “model clauses” have been determined by the European Commission to be a sufficient safeguard for cross-border transfers of personal data. The Schrems II ruling has also called into question the strength of SCCs and while they are still legal, the European Data Protection Board (EDPB) has given some additional guidance recommending that organizations undertake a risk assessment to determine if any supplemental measures need to be put in place to further protect transfers that rely on SCCs.
For more information on how Brandwatch has assessed the transfer of data to the USA, please see our International Data Transfer page.
Yes, the Brandwatch Group is compliant with the CCPA. The Brandwatch Group is headquartered in England and has centralized its global privacy compliance with the GDPR. Given that the GDPR is a more comprehensive privacy framework than the CCPA, the Brandwatch Group is already compliant with much of the CCPA by nature of its GDPR compliance. Furthermore, any new requirements of the CCPA will not directly impact the Brandwatch Group’s customers’ use of the services. For ease of review, this FAQ has maintained the terminology for GDPR. However, for clarity, whenever you see a reference in these FAQs to “Data Controller”, that is equivalent to “Business” under CCPA; and whenever you see a reference to “Data Processor”, that is equivalent to “Service Provider” under CCPA.
Brandwatch does not have a direct relationship with the authors of the public online content that makes up our database. As such, the CCPA requires that CA consumers be given notice that we sell their personal information. We provide this notice directly to CA consumers via our Author Privacy Statement on our website. We have also registered as a data broker with the California State Attorney General’s office. All of our contact information and relevant details are available in that listing.
For information on the LGPD, please see Cision’s stance (which Brandwatch aligns with) at https://gdpr.cision.com/Brasil-LGPD.