LeadRebel

GDPR-Compliant Use of LeadRebel in accordance with the GDPR and § 25 TTDSG

As of: August 2023

A. What is LeadRebel?

Numerous companies create comprehensive statistics about the visitors to their website. In the B2B sector, there is an increased interest in determining which companies, and consequently potential business partners or customers, are among the visitors to the website.

LeadRebel is a B2B analytics tool that is employed on company websites and serves the purpose of generating business leads. For this purpose, LeadRebel captures IP addresses as well as additional usage data from website visitors and enhances this information with publicly available company data. As a result, website operators are empowered to understand which companies have visited their own website and therefore may have an interest in the product, service, or collaboration.

To enjoy these benefits, the integration of a JavaScript-based code into the source code of the respective website is necessary.

B. How LeadRebel Works

For LeadRebel customers to use the tool with their accounts and manage settings, a necessary login and authentication cookie ("auth") is stored on the end devices of the customers' employees. LeadRebel follows the following modular structure within the tool:

Module 1 identifies, based on IP addresses, which company a website visitor can be attributed to. This is a passive standard procedure where information is automatically transmitted from the browser, similar to an HTTP request. This module is carried out entirely without the use of cookies. The use of this module is mandatory. Fingerprinting or other methods for recognizing website visitors do not take place. It only determines whether a visitor is new or has previously been on the website. Entries in the browser's Web Storage are created for the core functions of LeadRebel, accompanied by measures to protect the end user (see section E).

Module 1 is also the core of LeadRebel. Using the IP address, LeadRebel identifies the company name of the visiting company through a Whois query, the so-called reverse DNS lookup process, and a database comparison in the backend. If a match is found, the entry is enriched with additional company data and made available to LeadRebel customers in a dashboard. The IP address is stored for 3 months after the company information has been determined, in order to reduce Whois queries and enhance performance.

Upon the request of LeadRebel customers, publicly available contact information of employees from the visiting company can also be automatically compiled. This data is not stored but generated anew with each request.

IP addresses that cannot be attributed or those that belong to a private connection owner are sorted out and transferred to a blacklist.

Module 2 serves the optional capturing of mouse cursor movements to determine which areas of the website the visitor has viewed or clicked on. These movements are assigned to a session ID and recorded in a video. All input fields are hidden during these recordings. This module is activated by default but can be deactivated by customers at any time and with ease. The videos are stored for two weeks and then deleted. No cookies are stored on the end device, nor are elements stored in the Web Storage. Due to a lack of identifiers, it is not possible to associate the recording with a specific individual. No profiling of the same visitor occurs.

Modules 1 and 2 can be made dependent on the consent of website visitors through a setting by the customer. The modules are only used if the visitor has given consent, which results in an opt-in cookie ("allow tracking") being set. This signals the tool that data can be processed, and access and storage can take place. To prevent the use of the modules, it is also possible to set an opt-out cookie ("optout").

Module 3 consists of two parts: Part 1 allows you to search for employees of the companies identified by LeadRebel. For this purpose, LeadRebel takes the list of companies recognized by LeadRebel for a specific customer within a certain period, queries a Google API and Hunter.io API, and generates a list of employees for the companies, possibly including their job titles, using public data from LinkedIn or XING, for example. This employee list is automatically sent to you as an Excel file. Neither the company data nor the employee data is stored by LeadRebel. There is a direct automatic transfer of employee data to you. Part 2 allows you to search for employees from an Excel list. You can upload an Excel list with any companies and receive a corresponding employee list for that list. Here again, LeadRebel directly and automatically forwards the employee data to you without storing it.

C. Technical and Organizational Measures

LeadRebel has naturally implemented numerous technical and organizational measures in accordance with Article 32 of the GDPR to ensure an appropriate level of data protection for its systems and processed data.

In particular, LeadRebel has implemented the following technical and organizational measures:

• Use of encrypted passwords.
• Safeguarding confidentiality, including access controls, entry control, access controls, and the separation of test and production systems.
• Ensuring data integrity, including the implementation of new releases and patches based on a release/patch management process, as well as conducting functional tests during installation and releases.
• Ensuring availability and resilience, including the implementation of data backup procedures.
• Utilization of servers located in Germany.
• Regular evaluation of data protection requirements.

D. GDPR-Compliant Use of LeadRebel According to the GDPR

LeadRebel adheres to the principles of Privacy by Design and Privacy by Default as per Article 25 of the GDPR and is designed for GDPR-compliant use. In this context, website operators act as the data controllers as defined in Article 4(7) of the GDPR, while the operator of LeadRebel functions as the data processor according to Article 4(8) of the GDPR. The following outlines the data protection requirements that, in the assessment of LeadRebel, need to be considered when using the product.

1. Data Processing When Using the Modules

In relation to the use of Module 1, there is generally no need for a legal basis under the GDPR, as company-related IP addresses are not considered, in convincing estimation, to be personal or personally identifiable data. Consequently, the scope of application of the GDPR is not triggered. Additionally, refer to Section E regarding the legality from the perspective of § 25 TTDSG.

However, if it is not possible to (clearly) assign an IP address to a company, and there is a possibility that it could belong to a private individual, IP addresses can indirectly become personally identifiable according to jurisprudence. In such cases, since these IP addresses are immediately sorted out by LeadRebel and not further processed, the processing can be justified based on the legitimate interests of the website operator according to Article 6(1)(f) of the GDPR. The required balancing of interests usually falls in favor of the website operator's legitimate interests. These interests particularly include measuring reach and commercial analysis and use of visitor data related to companies.

The following aspects should be considered:

• There is no comprehensive analysis of personally identifiable data or cross-website aggregation of data that would make your visitors identifiable.
• The "reasonable expectations of the data subjects" must be taken into account during the assessment. Given today's technological standard, the extraction of IP addresses and browser information for the purpose of data transmission during website visits is necessary. Your website visitors not only expect this but also intend for it to happen.
• The sorting process mentioned above aims to process data in a data-minimizing manner, as per Article 5(1)(c) of the GDPR. Additionally, the risks for individuals behind the IP addresses are minimized to an absolute minimum.
• Security measures concerning the availability and resilience of LeadRebel's systems minimize the risk of data breaches.

Module 2 involves data processing as cursor movements and video recordings pertain to a specific website visit and are therefore, at least temporarily, personally identifiable due to the associated (usually transmitted) IP address of the visitor. However, this personal connection is lifted once video recordings are stored without being linked to an identifier. Moreover, the recordings are deleted after two weeks, and recognition of the same visitor does not occur. LeadRebel therefore takes measures within the framework of Privacy by Design and Default to limit data processing. Before customers implement Module 2, a data protection evaluation is required to determine whether the processing falls within the customer's legitimate interests and whether the visitors' interests in avoiding the processing do not outweigh this. Given the measures taken, it is reasonable to justify the data processing based on legitimate interests according to Article 6(1)(f) of the GDPR. However, if the customer has doubts, it is recommended to refrain from using Module 2 or to use it only with the consent of website visitors. Refer to Section E regarding the legality from the perspective of § 25 TTDSG.

Module 3 involves temporary data processing of employee data by LeadRebel, including data forwarding with theoretical access possibility. This concerns the processing of publicly available data of employees of the companies, which are identified through the Google API or Hunter.io API from the company lists. While the GDPR does not establish a privilege for processing public data, the public nature of the data is significantly considered in the balancing of interests within the legal basis of legitimate interests. Considering the implemented technical and organizational measures and the fact that LeadRebel does not store employee data, the processing using Module 3 can regularly be justified based on the legitimate interests of the website operator according to Article 6(1)(f) of the GDPR.

2. Data Processing in the Backend

The data processing carried out in the backend of LeadRebel, involving personal or personally identifiable data, can also be justified by relevant legal bases.

Regarding the comparison of non-company-related IP addresses with company databases, Article 6(1)(f) of the GDPR is also a valid legal basis here. The fact that LeadRebel consistently sorts out IP addresses that may be personally identifiable results in the balancing of interests favoring data processing.

Likewise, the determination of contact details of employees from the identified company is regularly in the legitimate interest of the website operators according to Article 6(1)(f) of the GDPR. The following reasons support this:

• LinkedIn and XING inform their users in their privacy policies that data may be searchable in search engines and viewable by third parties (assuming appropriate profile settings).
• By voluntarily making their professional profiles publicly accessible, employees make their company affiliation easily discoverable by anyone. LeadRebel merely streamlines the search process and provides the information in a consolidated manner.
• There is no storage of the identified contact information in LeadRebel's systems.
• The functionality is optional and is available to your customers only upon request.

3. Data Protection Roles and Responsibilities

The use of LeadRebel is classified as "processing on behalf of a data controller" in accordance with Article 4(8), 28 of the GDPR. Therefore, it is necessary to conclude a data processing agreement, which Pulserio AG provides to its customers. Pulserio AG acts as a data processor bound by instructions. They retain full decision-making authority over the purposes and means of data processing. LeadRebel also does not process data from the contractual relationship for its own purposes.

4. Data Processing by Subcontractors

A portion of LeadRebel's service providers are US companies. In the "Schrems II" landmark decision, the European Court of Justice declared the EU-US Privacy Shield ineffective. LeadRebel, when utilizing subcontractors, takes this decision into account. Therefore, LeadRebel generally legitimizes the corresponding data transfers using the so-called Standard Contractual Clauses and also examines whether these are adhered to by the service providers. Furthermore, LeadRebel ensures a reduction of potential risks related to data transfers to the US through the use of technical and organizational measures in line with the state of the art. Additionally, data transfers to the US can be secured through an appropriate consent declaration in the cookie banner of the website operators. If necessary, LeadRebel provides a formulation in line with Article 49(1)(a) of the GDPR that highlights the risks of such data transfers.

With the adequacy decision concerning the EU-US Data Privacy Framework dated July 10, 2023, which US companies can adhere to, data transfers to the US will be secured in the near future. Furthermore, when relying on the Standard Contractual Clauses for transfers, the new processes and policies for limiting data processing by US intelligence agencies, as well as the new redress mechanism for affected individuals from Executive Order 14086, must be duly considered.

E. Legality of Using LeadRebel According to § 25 TTDSG

According to § 25 TTDSG, which implements Article 5(3) of the ePrivacy Directive, accessing or storing information on end devices generally requires informed consent (Paragraph 1). In exceptional cases, consent is not required when access or storage is strictly necessary for the provision of a requested service (Paragraph 2, No. 2). The implementation of § 25 TTDSG's requirements, particularly the exemption from the requirement for consent, is highly controversial in practice and must be assessed on a case-by-case basis regarding the specific functionality.

Firstly, it is worth noting that the automatic (passive) transmission of information from the HTTP header, including IP addresses and the user agent, does not fall within the scope of § 25 TTDSG (also confirmed by the Data Protection Conference (DSK), Telemedia Guidance 2021, V. 1.1, Para. 21 et seq.). However, if information is stored on or accessed from the end device, a specific assessment must be conducted.

Module 1 does not necessarily require obtaining consent under § 25(1) TTDSG. Initially, it is reasonable to consider the use of LeadRebel as explicitly desired by end users, as it is essential for B2B company websites to determine which other companies have visited the site to generate business leads. This is particularly important for companies that operate solely online. Whether the functions of LeadRebel are absolutely necessary must be assessed in a differentiated manner: On one hand, no cookies are stored, and JavaScript merely evaluates the IP address and browser information that is automatically transmitted anyway. On the other hand, there is storage of information in the so-called web storage of the browser, which falls under the scope of § 25 TTDSG.

This involves, on one hand, an entry in the session storage, which serves the immediate functionality of Module 1 and can only be read by LeadRebel, being deleted immediately after the session ends. According to supervisory authorities, the access possibilities and storage duration are crucial criteria for determining whether storage can be considered strictly necessary. Storage for the duration of the session is usually considered as such (see DSK, Telemedia Guidance 2021, V. 1.1, Para. 78).

On the other hand, an entry in the local storage is stored to determine whether a visitor is new or has previously visited the website. However, no tracking occurs, as the session data of returning visitors is not aggregated. Instead, storage solely serves to differentiate the relevance of the visiting company between one-time and repeated visits. To ensure the protection of end users when using local storage, various measures are taken, which should be considered as part of the balancing process: Local storage is not created if the IP address is not related to a company, and otherwise, it is stored for only one week. Additionally, LeadRebel respects the browser's "Do Not Track" (DNT) feature, whereby the entry in local storage is not created if the end user explicitly disables this through a browser setting. DNT can be easily activated in all browsers (such as Chrome, Firefox, Edge, and Opera), usually in the privacy/cookies settings. This gives each end user the control to prevent the use of local storage.

Overall, with regard to Module 1 and considering the measures taken, it is reasonable to not obtain end user consent under § 25(1) TTDSG. However, customers of LeadRebel must always verify whether the specific requirements for their particular website are met.

Module 2 involves reading information from the end device, specifically capturing the position of the mouse cursor in the browser window or on the website. This constitutes an access under § 25 TTDSG and thus falls within the scope of the law. Consent can be dispensed with only if this access is explicitly desired and strictly necessary. The examination of these requirements is the responsibility of the customer. If the customer has doubts about fulfilling the requirements, they should refrain from using the module or use it only with the consent of website visitors. Refer to Section D for the legality from the perspective of the GDPR.

No consent is required for the use of the opt-in and opt-out cookies, as storing the cookies for consenting to the use of Modules 1 and 2 (opt-in) and for withdrawing consent (opt-out) is explicitly desired and strictly necessary to record the end user's decision.

Module 3 does not fall within the scope of § 25 TTDSG, as it only involves forwarding or processing data that has already been collected.

In summary, the requirements of § 25 TTDSG are appropriately considered when using Module 1 of LeadRebel. As for Module 2, a specific assessment of the requirements should be conducted by the customer.