On 14 April 2016, the European Commission adopted the General Data Protection Regulation (“GDPR”), which applies from 25 May 2018. It replaces the 1995 Data Protection Directive (“Directive”) and, essentially, serves as an upgrade from the Directive. The primary purpose of this FAQ is to set out for SoMin customers how our company approaches the GDPR and data privacy generally. Please feel free to contact your sales representative, customer success or account manager if you need any further assistance beyond the scope of this FAQ.
Q: Does SoMin comply with the GDPR?
Q: Does the GDPR apply to SoMin’s products?
A: The GDPR mainly applies to the processing of personal data, which is any information relating to an identified or identifiable human being. “Social Media Analytics API” and “Social Marketing AI Platform” (SoMin Analytics Services) are a personal-data-agnostic set of analytics services. These services are based on AI models which were built by analyzing large sets of free multi-modal data (free texts/images/locations). This means that, even though personal data processing is not the backbone of SoMin Analytics Services, it is likely that there is anonymized personal data stored in the SoMin database. For example, some Instagram users choose to verify their account. In such cases, the username and the corresponding Instagram posts are personal data. Since it is difficult to check whether the information in each post is personal data, we chose to treat our entire database of posts as if all of it were personal data. For Social Media Analytics API, SoMin acts as a data processor and the GDPR applies where the data within Social Media Analytics API is personal data.
Q: Is SoMin a data controller or data processor with respect to Social Marketing AI Platform?
A: SoMin Social Marketing AI Platform makes decisions about which websites it crawls, what data it collects, and how and why this data is used in connection with its services. Every decision is based on the fact that these services and any related processing are not specific to any particular customer and therefore could not be said to be only “on the instructions” of any such customer. Therefore, where the Social Marketing AI Platform contains personal data, SoMin considers itself a data controller under the GDPR.
Q: Is SoMin a data controller or data processor with respect to Social Media Analytics API?
A: SoMin has built a developer ecosystem that allows its customers to build their own software applications powered by Social Media Analytics API, by making predictions based on customers’ own data. Where a customer has built their own software application, and that application has personal data in it, SoMin is a data processor and the customer is a data controller of that personal data. This is because SoMin is only processing personal data on the customer’s behalf (i.e. running and operating at the backend of the customer’s application).
Q: If SoMin is a data controller for its Social Marketing AI Platform, what are its customers?
A: For Social Marketing AI Platform, SoMin's customers are also data controllers in respect of the personal data which customers process through the use of the Social Marketing AI Platform. Under the GDPR, a person must be a data processor or a data controller, where a data processor processes data on behalf of the data controller. Considering that SoMin’s customers do not process personal data on behalf of SoMin, they must be data controllers under the GDPR for the Social Marketing AI Platform.
Q: What is the legal basis on which SoMin processes personal data for its Social Marketing AI Platform?
A: The primary legal basis on which SoMin processes personal data when performing its services is the legitimate interests of the data controller. This legal basis requires a balancing of the legitimate interests of the data controller with the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The data that SoMin processes from the Analytics Services are all publicly available – and made available – by the particular social media author him or herself. Thus, SoMin believes that the interests, fundamental rights and freedoms of data subjects are not prejudiced or overridden in the context of its processing of social media data that is (1) publicly available and (2) can be made private at any time by the social media author him or herself. The social media authors have significant levels of control over the availability of their personal data on the underlying websites, including (e.g.) setting their Instagram account to private.
Q: Where does SoMin store the personal data that it processes?
A: The personal data that forms part of the Analytics database is stored on servers that SoMin owns and manages, hosted with colocation providers in Singapore. SoMin policy requires the use of Tier 2 rated data centers with the corresponding physical and environmental security. SoMin’s data center providers maintain their own ISO27018 accreditation, along with other relevant physical security, environmental and quality certification. SoMin’s Image Recognition services (e.g. Image Concept Detection API) are hosted both with colocation providers in Singapore and by a third party provider in Southeast Asia. The personal data related to all SoMin Analytics Services is hosted by the cloud provider in
Q: Are SoMin’s systems that process personal data secure?
A: Yes. SoMin has technical and organizational measures in place to protect against unauthorized or unlawful processing of data and against accidental loss, destruction or damage. Where SoMin uses third-party cloud providers, those providers are industry-leading, including AWS and Microsoft Azure. In addition, we apply our own security policy and process to the management and provision of any third-party systems and services.
Q: How does SoMin ensure its services comply with the GDPR?
A: We've appointed privacy specialists on our engineering and product teams, who are tasked with incorporating privacy by design principles when developing our services. Additionally, we implement Privacy Impact Assessments, where required, in accordance with the GDPR. Finally, SoMin has appointed legal counsel who oversee privacy-related matters.