Data Recipients and Third Party Data Processors – Full Details

Introduction

This document is part of the Schibsted Privacy and Cookie Policy. Users have the legal right to be informed about how their data is processed. This listing of third parties, alongside the Privacy and Cookie Policy and its related documents, is part of Schibsted’s effort to deliver that right to our users.

How Schibsted engages with third parties that need access to your data

When Schibsted processes personal data, personal data is sometimes shared with other parties. These other parties are either

  • Data processors, which mean companies operating under a binding legal agreement with Schibsted Norge and who can only process data for the specific purposes that Schibsted Norge allows them to and only using any other third parties in that processing as allowed by Schibsted Norge. Examples would include VG, Aftenposten, Amazon Web Services, Zuora and similar companies.

or

  • Data controllers, which mean companies who in their own right have full responsibility towards the user for the purposes to which their personal data is put and full responsibility for any third parties that may be involved in the processing of user personal data. In Schibsted, such disclosure could take place because it’s necessary to deliver a product or service to you (for instance providing your address to a distribution service in order to deliver a product). On our sites showing advertising, a selected list of companies and vendors are also allowed to buy ad inventory from us, which in some cases means that the companies and/or vendors act as separate data controller for the data being processed. More information about what happens when you are shown targeted advertising can be found here.  

Schibsted is a group of companies, which means that it is comprised by several different legal entities. Schibsted Norge AS is data controller for the processing of personal data described in this document and in the privacy and cookie policy. Schibsted Norge decides the purposes and the means of the processing of personal data described. To the extent other companies in the Schibsted group of companies process personal data that Schibsted Norge AS is controller for, they are in legal terms acting as data processors on behalf of Schibsted Norge AS. This means, in the same way as is generally described above, that such companies cannot process this data for other purposes than those defined by Schibsted Norge AS. 

Schibsted’s services are in most cases delivered via the Internet in the form of websites and apps. Schibsted uses third parties to process user personal data in order to support our technical delivery of these services and the specific purposes outlined in this document.

In the list below you can find information about the data processors we use, categorised under the main purposes for which we use them. Further below, you will find information about data controllers we disclose data to or which we allow to collect data about our users on our sites.

DATA PROCESSORS

Purpose 1: Data Analysis, Personalisation and Customer Service Tools

These are tools used by our business, product and development teams to analyse user behaviours and to use that information to prioritise the most useful product and service enhancements for our users and for our business. They are also to deliver and improve our customer service for users.

When a user operates the controls available on the settings pages of a given Schibsted service to change the permissions to use data for service improvement and for personalisation purposes, it similarly changes the permission of those specific Schibsted service teams to use your data in those third party tools for those purposes.

Processors in this category and in use by Schibsted Norge are:

Amplitude, Google Analytics, Google Firebase, Google Forms, Hotjar, JW Statistics, Linkpulse, OBIEE, Snowflake, Tableau, Xiti and Youbora.

Purpose 2: Data Logging

Data logging systems capture the actions of users in our products and the resultant technical system activities so as to help with making our services reliable and fast. They are also used for security purposes, helping us to monitor and investigate potentially malicious activity on our systems so as to better protect our users.

To the extent that log data is used for product improvement purposes, log data is subject to similar controls as described in the section above. However we typically do not allow users to opt out of log-related processing for security purposes, as to do so would compromise security for all users of our services.

Processors in this category and in use by Schibsted Norge are:

Datadog, Librato, Logentries, New Relic, Quotaguard, Rollbar, Sentry, Sumologic and HockeyApp.

Purpose 3: Underlying Data Storage and Transmission

Schibsted works with third party companies to perform basic technical operations on data, e.g. the hosting of the computers om which databases operate, the operation of the databases themselves and the transmission of data securely across networks to reach other Schibsted systems or to reach the user’s device. This data includes personal data of our users. These processing activities are strictly necessary, (i.e. unavoidable) parts of delivering online services to our users. As a result, we typically do not allow users to opt out of their data being processed for these purposes.

Processors in this category and in use by Schibsted Norge and Schibseare:

Akamai, Amazon Web Services, Dynamo DB, Heroku, IBM Softlayer, Mulesoft and NGINX. 

Purpose 4: User Interface Functions

In some cases Schibsted uses functions delivered via third parties to make specific functions available to users.

These functions either

  • have their own built-in information and controls for users to make data processing choices (e.g. our e-avis services), or
  • are controlled for privacy choices via the same settings screens as generally presented that Schibsted service.

Processors in this category and that are in use by Schibsted Norge are:

Visiolink, Google Search, Hoopla, JW Player, JW Recommendations, Shopify

Purpose 5: Account and Subscription Management, Including Payment, Customer Service and Marketing Communications Systems

Schibsted uses a variety of third party systems providers to help us to manage the user authentication and subscription accounts. We also use third party tools for marketing towards our users and customers. These marketing activities happen as part of the communications to users within our online services, via email and via advertising for Schibsted services as shown in other online services, e.g. Facebook. Finally, we use tools from third parties to help run and deliver our customer service function

The user can control their permissions for Schibsted to carry out marketing activities on behalf of any Schibsted service via the settings pages of that service.

Processors in this category and which Schibsted Norge uses are:

Arvato, Bisnode, Braze, Adobe Campaign Manager, ediEX, Eloqua, Fortumo, Google Ad Manager, Intrum, Lindorff, LinkMobility, Mailchimp, Puzzel, Sendgrid, Siebel CRM, Zendesk, Zuora.

Purpose 6: Advertising B2B-related Data Processors

Schibsted Norge uses the processors in the list below to manage the sales and support process of advertising for our advertising customers in a business to business context. Individuals can access all the data subject rights for this processing by using the contact details in these B2B privacy policies.

Schibsted Norge

Schibsted Sverige

Only the personal data of business contacts from advertisers or advertising-industry-related companies are handled in this way.

Purpose 7: Advertising-related Processors of User Personal Data

Schibsted uses these processors to deliver, personalise and measure the effectiveness of advertisements shown through Schibsted services:

Adform, AppNexus, Delta Projects, Seenthis, Sizmek, Nordic Factory Solutions AB, New Relic, Bid Theatre, Meetrics, DoubleVerify, Google, Kobler, Audience Project, Madington, MediaMath, ArtWorx, Norstat, Tactic, Impact

DATA CONTROLLERS

Purpose 8: Advertising-related Controllers

The advertising industry uses a sophisticated set of technologies to facilitate multiple market participants in delivering specific elements of the advertising process to advertising customers. This often results in data being shared across multiple parties, some of which are controllers of that data in their own right.

Schibsted has a strict set of policies describing what data is shared  and what can be done with such data which are applied towards other controllers receiving data collected on Schibsted sites or through advertisement content on Schibsted’s sites. We check that any new controllers of this type, and with whom Schibsted may share user personal data with or that we allow to take part in our advertising business, also apply these standards. 

The full detail, including a list of the partners we share data with, can be found here.

Schibsted is committed to working together with users, regulators and advertising industry partners to ensure the rights of users and the legitimate interests of Schibsted and its partners are respected within data processing related to advertising.

Purpose 9: Schibsted Account as a log-in solution

In certain cases, Schibsted’s identity solution Schibsted Account is also used by companies outside of the Schibsted group as a log in solution, meaning a solution to give users secure access to their services, to create trusted identities and verified contact details for those users. These companies will need the user profile data (for their direct users only) from within Schibsted account, and can access this data as data controller. A full list of such controllers can be found here:

  • Polaris Media
  • VB Bok AS (ebok.no)
  • Finn.no AS

Further Questions

If you have questions about Schibsted’s relationship with these third parties and how your data may be shared with them, contact the Schibsted Privacy team via this contact form. Schibsted is committed to answering questions within 30 days.

Continue reading...