The purpose of this FAQ is to set out for customers of the Brandwatch group of companies, including Crimson Hexagon (“Brandwatch Group”), how the Brandwatch Group approaches data privacy compliance. If you have any questions that are not answered by this FAQ, please get in touch with your sales representative or customer success manager.
Q: Does the Brandwatch Group comply with the General Data Protection Regulation (“GDPR”)?
Q: Does the GDPR apply to any of the Brandwatch Group’s services?
A: The GDPR applies to the processing of personal data. Personal data means any information relating to an identified or identifiable natural person. The Brandwatch Group offers a variety of services, each of which requires a different analysis under the GDPR.
HelioSight, ForSight, Analytics/Images, Audiences, and BuzzSumo (“Analytics Services”)
Analytics Services are personal data agnostic. These Analytics Services are based on analyzing large sets of unstructured text data/images. This means that, while processing personal data is not the core point of the Analytics Services, it is likely that there is personal data in data that forms part of the Analytics Services. For example, some users on Twitter verify their account. Where a user’s account is verified, that user’s username and accompanying Tweets are personal data. Because of the difficulty in analyzing on a post-by-post basis whether information is personal data, the Brandwatch Group chooses to treat its entire database for its Analytics Services as if it contained all personal data.
For Vizia, the GDPR applies where the data within Vizia is personal data.
The Brandwatch Group allows certain customers to use its APIs to upload their own data for analysis. Where the data that a customer uploads has personal data in it, the GDPR applies.
Q: Is the Brandwatch Group a data controller or a data processor?
A: The Brandwatch Group acts as a data controller and/or a data processor, depending on the services that it provides:
For its Analytics Services, the Brandwatch Group makes decisions about which websites it crawls, what data it collects, and how and why this data is used in connection with its services. This decision is based on the fact that these services and any related processing are not specific to any particular customer and could not therefore be said to be only “on the instructions” of any such customer. Therefore, for the Analytics Services that contain personal data, Brandwatch is a data controller under the GDPR.
Historically, Vizia only displayed data from the Analytics Services. Where only data from the Analytics Services is displayed, the Brandwatch Group is still a data controller. This is because the data that Vizia is processing is the Brandwatch Group’s own data source (for which the Brandwatch Group is a data controller). However, the Brandwatch Group has expanded Vizia to allow customers to build their own software applications to sit on top of Vizia, as well as to allow customers to visualize and distribute reports that contain non-Brandwatch Group data. Where a customer displays their own data sources in Vizia and that data contains personal data, the Brandwatch Group is a data processor and the customer is a data controller of that personal data. This is because the Brandwatch Group is only processing this personal data on the customer’s behalf (i.e. to display and visualise the customer’s data and to distribute reports throughout the customer’s organisation).
When customers upload their own data via the Brandwatch Group’s APIs, the Brandwatch Group is a data processor. This is because the Brandwatch Group is only processing this personal data on the customer’s behalf (i.e. to allow the customer to use Brandwatch’s technology to analyse the customer’s own data).
Q: If the Brandwatch Group is a data controller for the Analytics Services, what are customers?
A: For the Analytics Services, Brandwatch’s customers are also data controllers in respect of the personal data which customers process through the use of the Analytics Services. The reason is that, under the GDPR, a person must be a data processor or a data controller. A data processor processes data on behalf of the data controller. Since Brandwatch’s customers do not process personal data on Brandwatch’s behalf, and Brandwatch does not process personal data on the customer’s behalf, Brandwatch’s customers must be data controllers under the GDPR for the Analytics Services.
Q: What is the legal basis on which the Brandwatch Group processes personal data for its Analytics Services?
A: The primary legal basis on which the Brandwatch Group processes personal data when performing the Analytics Services is the legitimate interests of the data controller. This legal basis requires a balancing of the legitimate interests of the data controller with the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The data that the Brandwatch Group processes from the Analytics Services is all publicly available – and made available – by the particular social media author him or herself. The Brandwatch Group therefore believes that the interests, fundamental rights and freedoms of data subjects are not prejudiced or overridden in the context of its processing of social media data that is (1) publicly available and (2) can be made private at any time by the social media author him or herself. The social media authors have significant levels of control over the availability of their personal data on the underlying websites, including (e.g.) setting their Twitter account to private.
Q: Where does the Brandwatch Group store the personal data that it processes?
A: Where personal data is stored depends on the services that the Brandwatch Group provides.
For Brandwatch Analytics, including personal data that the customer uploads using the Analytics API, the personal data is stored on servers that the Brandwatch Group owns and manages, hosted with colocation providers in the UK. Brandwatch Group policy requires the use of Tier 3 rated data centres with suitable physical and environmental security. The Brandwatch Group’s data centre providers maintain their own ISO27001 accreditation, along with other relevant physical security, environmental and quality certification.
The Audiences and BuzzSumo services are hosted by third party cloud providers, in Ireland and Canada respectively. The Analytics Image Analysis service is hosted both within the Analytics database and by a third party provider in Ireland.
The HelioSight and ForSight services are hosted by third party cloud providers in the USA, including any personal data that the customer uploads using the ForSight Content Upload API.
The personal data in Vizia is hosted by a third party cloud provider in the UK.
Q: Does Brandwatch export any personal data outside of the European Economic Area?
A: As set out above, the BuzzSumo servers are in Canada and the HelioSight/ForSight servers are in the USA. Besides that, none of the Brandwatch Group’s services currently export any personal data outside of the European Economic Area. However, via the API or the export functionality of Analytics, Audiences, HelioSight, and ForSight, customers can technically export data from the Brandwatch Group’s servers to whatever country the user is located in.
Q: Are the Brandwatch Group’s systems that process personal data secure?
A: Yes. The Brandwatch Group has ISO27001 and SOC2 Type 1 certifications that cover the hosting, development and support for some of its applications and data. The information security management systems and servers that host the personal data within Analytics and Vizia are covered by an ISO27001 certification that is audited twice annually. The processes, policies, and infrastructure that support ForSight, HelioSight, and related APIs have been reviewed as part of a SOC2 Type 1 certification. The Brandwatch Group has technical and organisational measures in place to protect against the unauthorised or unlawful processing of data and against accidental loss, destruction or damage of that data. Where the Brandwatch Group uses third party cloud providers, those providers are industry-leading, including AWS and Google Cloud. In addition, the Brandwatch Group applies its own security policies and processes to the management and provision of any third party systems and services.
Q: How does the Brandwatch Group ensure its services comply with the GDPR?
A: The Brandwatch Group has a data protection officer responsible for privacy globally across all group companies. The Brandwatch Group has also distributed privacy compliance throughout the company, appointing privacy champions on its engineering, product, and people teams. These individuals are tasked with incorporating privacy by design principles when developing services for the Brandwatch Group. The Brandwatch Group also implements Privacy Impact Assessments, where required, in accordance with the GDPR.