Rokt’s most recent Transfer Impact Assessment was completed on 30 March 2023 and will be reviewed at least once annually. While Rokt does not make available publicly the full content of its assessment, conducted by external privacy counsel, this summary provides key information to help Rokt's clients conduct data transfer impact assessments in connection with their use of Rokt's products and services. This summary reflects the requirements of the EDPB.

Step 1: Know your transfers:

To provide our services set out in our client contracts, Rokt will process personal data governed by European data protection laws as a data processor. Rokt and its subprocessors will process your personal data in the following non-EEA/UK countries – see https://www.rokt.com/rokt-subprocessors/.

Where Rokt processes personal data it will do so in accordance with the applicable Rokt European Data Processing Agreement entered into with you as a Partner or Advertiser respectively. 

Step 2: Identify the transfer tools you are relying on:

Certain of the following countries (listed in the link below) to which Rokt transfers data have not currently been declared adequate by the European Commission and/or UK Secretary of State, and Rokt and its subprocessors (see https://www.rokt.com/rokt-subprocessors/) will rely on SCCs (and UK Addendum as applicable) to transfer data to the countries listed therein ("Non-Adequate Countries").

The SCCs and UK Addendum are incorporated by reference into the Partner and Advertiser Data Processing Agreements. 

Where personal data subject to European data protection laws is transferred between Rokt Group companies or transferred by Rokt to third party subprocessors, Rokt enters into SCCs (and UK Addendum) with those parties.

Step 3: Assess whether the transfer tool relied upon is effective in the circumstances:

In each of the Non-Adequate Countries, there is a potential risk of government access to data under national security or law enforcement rules.

In particular, Rokt is headquartered in the U.S. and therefore personal data is transferred to and processed in the U.S.

U.S. surveillance laws

The U.S. has broad surveillance powers over many U.S.-based technology providers under FISA 702. However, Rokt does not process personal data that is likely to be of interest to U.S. intelligence agencies.

In addition, EO 12333 contains no authorisation to compel private companies (such as Rokt) to disclose personal data to U.S. authorities and FISA 702 requires an independent court to authorise a specific type of foreign intelligence data acquisition which is generally unrelated to commercial information. In the event that U.S. intelligence agencies were interested in the type of data processed by Rokt, safeguards such as the requirement for authorisation by an independent court and the necessity and proportionality requirements would protect data from excessive surveillance.

Further, EO 14086 imposes new requirements on the collection and handling of personal data by U.S. intelligence authorities and has appropriate redress mechanisms for data subjects.

Other laws

Rokt also transfers data to other countries, including Australia and Singapore. Rokt has carried out an assessment with respect to such transfers and, as with the above, does not process personal data that is likely to be of interest to Singaporean or Australian intelligence agencies.

Accordingly, Rokt takes the measures identified in Step 4 to protect your data. In practice to date, Rokt has never received any requests from law enforcement authorities or government authorities outside of the EU and UK for access to its customers' data. In the event that Rokt receives such a request it has in place a Government Data Access Policy which sets out how Rokt would handle such a request. 

Further details of Rokt’s compliance programs and requirements are available at its Trust Center and Compliance Portal.

Step 4: Adopt supplementary measures:

Rokt implements the technical and organizational measures set forth at https://www.rokt.com/rokt-security-measures/.

In addition, Rokt's contractual measures are set out within Rokt's Data Processing Agreements which incorporate the SCCs. In particular, these Data Processing Agreements set out:

  • The technical and organisational measures provided for at the link above, which are incorporated into the DPAs.
  • Unless legally prohibited from doing so, Rokt is required under the SCCs to notify its Partners and Advertisers respectively, where it processes personal data as a processor and such data is the subject of a government access request. Under the SCCs, Rokt is obligated to review the legality of requests from a government authority and challenge such requests where they are considered unlawful. 

When Rokt is a controller, Rokt must take steps to comply with the GDPR and review the legality of requests from government authorities.

Step 5: Procedural steps necessary to implement effective supplementary measures:

Rokt has concluded SCCs (and UK Addendum as applicable) with its group companies, customers and with its vendors, including supplementary measures that do not contradict the SCCs/UK Addendum. No further procedural steps (e.g. regulatory authorisation) are required. Rokt considers the risks involved in transferring and processing European personal data in/to the U.S. do not impinge on Rokt's ability to comply with its obligations under the SCCs as a data importer or to ensure that individuals remain protected.

Step 6: Re-evaluate at appropriate intervals:

Rokt reviews and, where necessary, adapts the supplementary measures it has implemented at least once per annum to address changing data protection regulatory and risk environments.