Last updated: 08/06/2020

Brandwatch Group Data Privacy FAQs


Human readable summary

The purpose of this FAQ is to set out for customers of the Brandwatch group of companies, including Crimson Hexagon, and Buzzsumo (“Brandwatch Group”), how the Brandwatch Group approaches data privacy compliance. If you have any questions that are not answered by this FAQ, please get in touch with your sales representative or customer success manager.

Q1: Questions regarding the acquisition of Brandwatch by Cision

As a Falcon/Cision Customer, I’ve heard that there will be a new app. What will it be called?

Our new integrated offering is Listen | Powered by Brandwatch. It follows the same data processing model as what you are currently using as a Brandwatch or Falcon customer. We have combined our two best-in-class products to create a superior offering that maintains the same privacy standards that you have come to expect from us.

Is there a new Data Processing Addendum? 

You can find our new combined Data Processing Addendum, which covers any service you may obtain from Cision or its affiliates here:

Where will my personal data be stored?

Your personal data will be stored in the EEA, UK, and/or USA. For how Cision and Falcon store and transfer data, please see our International Data Transfer page. For more information on how Brandwatch products store and transfer data, please see question 6 below.

Will there be new subprocessors?

Will Brandwatch and Cision/Falcon be accessing, processing, or storing each other’s data as a result of the acquisition? 

Any data you share with one of our affiliate organisations may be shared with the other Cision affiliate organisations in order to provide our services to you. For example (not exhaustive):

  • platform usage data may be shared in order to improve our services to you.
  • if you are a Brandwatch user, and you choose to connect a channel in Falcon, Falcon will start ingesting data from that channel, which may contain personal information.
  • if you are a Cision/Falcon user, and you begin using Listen | Powered by Brandwatch, personal data will be shared with Brandwatch in order to administer your access to Listen | Powered by Brandwatch.
  • any customer data we have regarding your relationship with one of our affiliate organisations may be shared in order to provide services and support to you.
  • any personal data required for billing/invoicing purposes may be shared as necessary.

Q2: Does the Brandwatch Group comply with the General Data Protection Regulation (“GDPR”)?


Q3: Does the GDPR apply to any of the Brandwatch Group’s services?

The GDPR applies to the processing of personal data. Personal data means any information relating to an identified or identifiable natural person. The Brandwatch Group offers a variety of services, each of which require a different analysis under the GDPR.

Brandwatch Consumer Research, HelioSight, ForSight, Analytics/Images, Audiences, and BuzzSumo (“Analytics Services”)

Analytics Services are personal data agnostic. These Analytics Services are based on analyzing large sets of unstructured text data/images. This means that, while processing personal data is not the core point of the Analytics Services, it is likely that there is personal data in data that forms part of the Analytics Services. For example, some users on Twitter verify their account. Where a user’s account is verified, that user’s username and accompanying Tweets are personal data. Because of the difficulty in analyzing on a post-by-post basis whether information is personal data, the Brandwatch Group chooses to treat its entire database for its Analytics Services as if it contains all personal data.


For Vizia, the GDPR applies where the data within Vizia is personal data.

Content Upload APIs

The Brandwatch Group allows customers to use APIs to upload the customers’ own data for analysis. Where the data that a customer uploads has personal data in it, the GDPR applies.

Q4: Is the Brandwatch Group a data controller or a data processor?

The Brandwatch Group acts as a data controller and/or a data processor, depending on the services that it provides:

Analytics Services

For its Analytics Services, the Brandwatch Group makes decisions about which websites it crawls, what data it collects, and how and why this data is used in connection with its services. This decision is based on the fact that these services and any related processing are not specific to any particular customer and could not therefore be said to be only “on the instructions” of any such customer. Therefore, for the Analytics Services that contain personal data, Brandwatch is a data controller under the GDPR.


Historically, Vizia only displayed data from the Analytics Services. Where only data from the Analytics Services is displayed, the Brandwatch Group is still a data controller. This is because the data that Vizia is processing is the Brandwatch Group’s own data source (for which the Brandwatch Group is a data controller). However, the Brandwatch Group has expanded Vizia to allow customers to build their own software applications to sit on top of Vizia, as well as to allow customers to visualize and distribute reports that contain non-Brandwatch Group data. Where a customer displays their own data sources in Vizia and that data contains personal data, the Brandwatch Group is a data processor and the customer is a data controller of that personal data. This is because the Brandwatch Group is only processing this personal data on the customer’s behalf (i.e. to display and visualise the customer’s data and to distribute reports throughout the customer’s organisation).

Content Upload APIs

When customers upload their own data via the Brandwatch Group’s APIs, the Brandwatch Group is a data processor. This is because the Brandwatch Group is only processing this personal data on the customer’s behalf (i.e. to allow the customer to use Brandwatch’s technology to analyse the customer’s own data).

Q5: If the Brandwatch Group is a data controller for the Analytics Services, what are customers?

For the Analytics Services, Brandwatch’s customers are also data controllers in respect of the personal data which customers process through the use of the Analytics Services. The reason is that, under the GDPR, a person must be a data processor or a data controller when personal data is involved. A data processor processes personal data on behalf of the data controller. Since Brandwatch’s customers do not process personal data on Brandwatch’s behalf, Brandwatch’s customers must be data controllers under the GDPR for the Analytics Services.

Q7: Where does the Brandwatch Group store the personal data that it processes?

Where personal data is stored depends on the services that the Brandwatch Group provides.

For Brandwatch Consumer Research, personal data (including any personal data that the customer uploads using our Content Upload API) is hosted by a third party cloud provider in the USA as well as colocation providers in the UK.

For Brandwatch Analytics, the personal data is stored on servers that the Brandwatch Group owns and manages, hosted with colocation providers in the UK. The Analytics’s Image Analysis service is hosted both within the Analytics database and by a third party provider in Ireland.

The Audiences and BuzzSumo services are hosted by third party cloud providers, in Ireland  and Canada respectively.

The HelioSight and ForSight services are hosted by third party cloud providers in the USA, including any personal data that the customer uploads using the ForSight Content Upload API.

The personal data in Vizia is hosted by a third party cloud provider in the UK.

Q8: Does Brandwatch export any personal data outside of the European Economic Area?

As set out above, the BuzzSumo servers are in Canada and the Brandwatch Consumer Research, HelioSight, and ForSight servers are (at least partly) in the USA. Besides that, none of the Brandwatch Group’s services currently export any personal data outside of the European Economic Area. However, via the API or the export functionality of Brandwatch Consumer Research, Analytics, Audiences, HelioSight, and ForSight, customers can technically export data from the Brandwatch Group’s servers to whatever country the customer is located in.

Q9: Are the Brandwatch Group’s systems that process personal data secure?

Yes. The Brandwatch Group has a ISO27001 certification that cover the hosting, development and support for some of its applications and data. The information security management systems and servers that host the personal data within Analytics and Vizia are covered by an ISO27001 certification that is audited annually. The Brandwatch Group has technical and organisational measures in place to protect against the unauthorised or unlawful processing of data and against accidental loss, destruction or damage of that data. Where the Brandwatch Group uses third party cloud providers, those providers are industry-leading, including AWS and Google Cloud. In addition, the Brandwatch Group applies its own security policies and processes to the management and provision of any third party systems and services. Customers can find further information about the Brandwatch Group’s information security standards at

Q10: How does the Brandwatch Group ensure its services comply with the GDPR and CCPA?

The Brandwatch Group has a data protection officer responsible for privacy globally across all group companies. The Brandwatch Group has also distributed privacy compliance throughout the company, appointing privacy champions on its engineering, product, and people teams. These individuals are tasked with incorporating data protection by design and by default when developing services for the Brandwatch Group. The Brandwatch Group also implements Privacy Impact Assessments, where required, in accordance with the GDPR.

Q11: What are SCCs?

Standard Contractual Clauses (SCCs) are terms and conditions that organisations sending EU personal data from within the EU must have in place with organisations outside the EU that they are sending it to. These  are published by the European Commission and are therefore the same for all organisations.

Cision has these SCCs in place with its customers and vendors.

On 4th June 2021 a new set of SCCs was published by the European Commission. These new SCCs allow the existing SCCs to continue to be used for “new” data transfers over a transition period of three months — giving organizations the chance to read into, and make any changes necessary for compliance with, the new SCCs before deploying them in practice. We plan to look into what additional technical safeguards will be prudent/necessary for our various data sets. Once we’ve made those decisions, they will be outlined here.

Similarly, the existing SCCs can continue to be used for existing data transfers for up to 18 months — giving organizations until the very start of 2023.

Q12: How does the Schrems II ruling impact Brandwatch?

When the CJEU struck down the validity of the Privacy Shield (the Schrems II ruling) in July of 2020, many companies became concerned about data transfers between the EU and the US. However, for Brandwatch, not much has changed. We have never relied on Privacy Shield as our legal transfer mechanism. Instead, we have always incorporated Standard Contractual Clauses (SCCs) into our contracts. SCCs or “model clauses” have been determined by the European Commission as a sufficient safeguard for cross-border transfers of personal data. The Schrems II ruling has also called into question the strength of SCCs and while they are still legal, the European Data Protection Board (EDPB) has given some initial guidance recommending that organisations undertake a risk assessment to determine if any supplemental measures need to be put in place to further protect transfers that rely on SCCs. Whilst we are awaiting further, and more detailed, guidance from the EDPB, Brandwatch has already conducted an initial  assessment on our use of SCCs and has determined that no additional supplemental measures are necessary at this stage. This is because we already work to identify ways in which we can anonymize, pseudonymize, and minimize data that we collect and process. We feel prepared to support our customers during this transition away from Privacy Shield.

Q13: Does the Brandwatch Group also comply with the California Consumer Protection Act (CCPA)?

Yes, the Brandwatch Group is compliant with the CCPA. The Brandwatch Group is headquartered in England and has centralized its global privacy compliance with the GDPR. Given that the GDPR is a more comprehensive privacy framework than the CCPA, the Brandwatch Group is already compliant with much of the CCPA by nature of its GDPR compliance. Furthermore, any new requirements of the CCPA will not directly impact the Brandwatch Group’s customers’ use of the services. For ease of review, this FAQ has maintained the terminology for GDPR. However, for clarity, whenever you see a reference in these FAQs to “Data Controller”, that is equivalent to “Business” under CCPA; and whenever you see a reference to “Data Processor”, that is equivalent to “Service Provider” under CCPA.

Q14: How do you provide notice to CA consumers as required by the CCPA?

Brandwatch does not have a direct relationship with the authors of the public online content that makes up our database. As such, the CCPA requires that CA consumers be given notice that we sell their personal information. We provide this notice directly to CA consumers via our Author Privacy Statement on our website. We have also registered as a data broker with the California State Attorney General’s office. All of our contact information and relevant details are available in that listing.

Q15: Does the Brandwatch Group also comply with the General Personal Data Protection Law in Bazil (LGPD)?

For information on the LGPD, please see Cision’s stance at

Crimson Hexagon has merged with Brandwatch. You’re in the right place!

From May 8th, all Crimson Hexagon products are now on the Brandwatch website. You’ll find them under ‘Products’ in the navigation. If you’re an existing customer and you want to know more, your account manager will be happy to help.