On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect. The GDPR was designed to protect the data and privacy of EU citizens, and dailymotion strongly supports this purpose. We are fully compliant with GDPR and require the same from our business partners. This page provides information regarding dailymotion’s approach towards GDPR.
General questions:
Is Dailymotion compliant with the European General Data Protection Regulation (GDPR) that came into force in May 2018?
Yes, Dailymotion has drawn up a compliance plan and has undertaken and completed several actions. Dailymotion has dedicated significant resources to ensuring data security and protection. Our company has put together a team dedicated to data security that is managed by a Chief Information Security Officer (CISO). Additionally, a Data Protection Officer (DPO) has been appointed, who can be contacted by email at this e-mail address. In anticipation of the increased workload, Dailymotion also made the decision to strengthen its legal and data security teams by creating new positions. Finally, the following steps are part of Dailymotion’s ongoing GDPR compliance plan:
- Adapting dailymotion service, procedures and contracts to the new requirements introduced by the GDPR
- The development of a personal data questionnaire addressed to dailymotion’s business partners
- The update of the existing consent collection mechanism
- Comprehensive review of the existing processing of personal data
- The establishment of a complete and up-to-date register of the personal data processing
- The update of the security incident reporting procedure
- The implementation of on-line tools allowing end-users to exercise their rights related to the processing of their personal data.
Where can Dailymotion's legal policy on personal data collection be found?
Dailymotion’s policies regarding the protection of personal data are available on the following sections of our website:
Are clauses aiming at ensuring compliance with the GDPR part of contracts that Dailymotion concludes with its business partners?
Dailymotion has drawn up an Annex on the Protection of Personal Data. This document modifies the existing contracts and forms part of any new contract applicable to business cooperation that may involve personal data processing.
Questions relating to the collection of personal data:
Dailymotion's video player may be exported by Dailymotion partners to their sites and/or applications. What data is collected by Dailymotion from users of such sites and/or applications?
Dailymotion does collect data, including personal data, from users of the Dailymotion service that is accessible through the Dailymotion player installed on its partners’ site(s) and/or application(s). This collection is carried out via the Dailymotion player that a partner installed on its site(s) and/or application(s). The only personal data collected is that of the common users, i.e. persons that access Dailymotion’s service as available on a partner’s site(s)/application(s). By integrating the Dailymotion player on its site(s) and/or application(s), a partner enables Dailymotion to collect personal data from the common users of Dailymotion’s and partner’s services. The personal data thus collected is: the video history (i.e. what was watched and for how long), the IP address (including the geo location information, the detail of the geo location being limited to the city level), the "user agent" (connected device, browser used, language selected, etc.), the type of connection, and the device ID (UDID). The collection of the last category of information depends on the operating system used (currently collected for iOS, Android and Windows users; Smart TV apps and PS4 coming soon).
For what purpose(s) is this personal data collected by Dailymotion?
The main purposes of collecting personal data are:
- A better understanding of the use of the service made by the end-users (elaboration of audience measurement)
- Improvement of the performance of Dailymotion service
- Execution of the contract between Dailymotion and its contracting partners (calculation of remuneration, respect of the territorial field of application, reporting, etc.)
- Fraud detection / prevention
- Incident detection, security of Dailymotion service
- Personalization of user experience: adaptation of advertisements and content to users' interests
- Compliance with the legal obligations incumbent on any information service provider
Regarding the IP addresses of the end-user device, why does Dailymotion collect users’ IP addresses? How detailed is the information collected? Does Dailymotion store these IP addresses?
Dailymotion collects IP addresses to ensure the respect of territorial restrictions related to the content availability (geolocation), to detect fraudulent uses, and to respect its legal obligations pertaining to the history of user connection logs. It is important to point out that Dailymotion limits geo location precision to the city level. The use and storage of IP addresses depend on the purpose of the processing.
How is the advertising capping done? How does Dailymotion ensure that the capping is done securely?
The capping feature is managed by a third-party cookie (Freewheel, the Dailymotion SSP). The settings used for capping are chosen by Dailymotion and implemented on the Freewheel platform at the time when advertising campaigns are being defined. The Freewheel cookie is stored and managed by a user’s browser. Dailymotion does not intervene in this process, which occurs only between Freewheel and a user’s browser. The applicable Freewheel contractual warranties and policies are available at: http://freewheel.tv/privacy-policy/.
What are the retention periods applicable to the personal data collected by Dailymotion?
The applicable retention periods depend on the purpose of data processing. For example, user connection logs are stored for the entire time the account is active and 365 days following such account’s deletion. Upon expiry of this retention period the logs are deleted. In conformity with the applicable laws, the retention period for cookies does not exceed 13 months.
What is the Dailymotion's policy regarding the storage and backup of personal data?
Collected data is stored in secured locations that benefit from physical and logical security measures (e.g., data stored on servers installed in certified data centers). As mentioned above, the applicable retention periods depend on the purpose of data processing. The same personal data may be stored for a different period depending on the purpose for which it has been collected. Moreover, within the same personal data processing different retention and access rules may be applicable depending on the exact reason necessitating such retention (e.g. data may be transferred from an active database to an archives database (created to comply with legal obligations) and be subject to enforced access restriction). Access to databases is restricted and protected. For more details please refer to question 13 below.
Is Dailymotion able to reply to requests from its users wishing to exercise their statutory rights pertaining to personal data processing (access, rectification, erasure, restriction, objection and portability)?
Yes, Dailymotion enables its users to exercise their statutory rights. Various on-line tools are accessible to both registered and non-registered users of the Dailymotion service.
What are the statistics that Dailymotion generates based on the data collected from or about the users of the Dailymotion service, including the users accessing this service via the Dailymotion player installed on partners’ site(s) and/or our application(s)? What are these statistics used for and who are they shared with? What are the security measures taken when generating these statistics?
Dailymotion may generate internal statistics to better understand how Dailymotion service is used and ultimately improve the services being offered. The development of some of these statistics (e.g. audience measurement) may be entrusted to subcontractors such as Médiamétrie. These subcontractors may have access to personal data while generating the statistics for Dailymotion. Dailymotion’s subcontractors are contractually committed to protect any and all personal data they may have access to. To increase the protection of the personal data used to generate these statistics, Dailymotion pseudonymizes the data by using such techniques as tokenization or aggregation. It is Dailymotion’s general policy to limit access to information that may be directly linked to users. Finally, the statistics, which do not contain any directly identifiable data, are likely to be communicated to Dailymotion’s partners and advertisers for reporting purposes.
Does Dailymotion have a list of its staff members and subcontractors (publishers, hosting providers, operators, etc.) with access to personal data?
How does Dailymotion deal with the new responsibilities that the GDPR places on subcontractors (partners involved in collection of personal data, broadcasters, publishers, etc.)? What decisions have been made to deal with this co-responsibility?
Following the audit of our personal data processing, Dailymotion has identified internal teams and external subcontractors involved in the personal data processing. To better understand the data flow, a questionnaire has been developed for existing and future co-contractors. In addition, a data protection addendum has been drafted for existing contracts involving personal data processing. Both documents serve to strengthen the contractual guarantees applicable to the protection of the personal data by Dailymotion’s subcontractors. Acceptance of the GDPR compliance commitment has become Dailymotion’s prerequisite for any of its business collaborations. As part of Dailymotion’s in-house training program, all staff members have been made aware of the existence of this prerequisite and instructed to include it in their project management best practices.
What security measures are implemented by Dailymotion to guarantee the protection of the personal data? How are the personal data access and credentials managed?
The main protection measures used or implemented by Dailymotion are:
- Network segmentation and filtering between zones
- Multi-factor authentication
- Event log; collection and centralization of logs
- Anti-virus
- Management of security patches
- Security / encryption of flows (SSL)
- Internal PKI
- Encryption of data in transit and at rest
- Bug-bounty program
- Application of anonymization and pseudonymization techniques, e.g. tokenization, aggregation, hashing, etc.
- Periodic re-certification of accounts (periodic review of access rights)
- Application of the principle of the least privilege (in the context of the access rights management)
- Peer-to-peer code review (software development rules)
- Periodic security audits (architecture, configuration, codes, intrusion tests, etc.)
- Application of the principle of the least collection of the personal data
- Application of the principle of the least retention of the personal data
The principles applicable to the management of the access and use privileges are:
- Centralized management within the IT team
- Existence of different levels of access and use rights
- Periodic reviews
- Prompt and systematic removal of access rights following the departure of an employee (semi-automatic account deactivation procedure)
Is Dailymotion able to promptly notify a personal data / security violation?
Yes, Dailymotion has put in place internal procedures to identify and assess potential security incidents and, if necessary, to comply with the legal notification requirements. These procedures are managed by the Dailymotion CISO in cooperation with the legal department.
Questions relating to the applications:
With regard to mobile application(s), which measures does Dailymotion implement to ensure that the embedded SDK code is developed securely?
The Dailymotion SDK available to partners (for integration into partner’s application) includes the following security measures:
- Code audit (peer-to-peer review)
- Bug-bounty program
- Notification procedure for security incidents or vulnerabilities
- Vulnerability monitoring in the libraries used
- Corrective maintenance
- No storage of the personal data on the end-users’ devices