Privacy Battles
AT Internet (Privacy Score: 86%) ⚔️ Abralytics (Privacy Score: 28%)

Designated DPO or GDPR correspondent

Compliant
Partially Compliant
Not Compliant

AT Internet has appointed a Data Protection Officer who can be contacted at the following address: dpo@atinternet.com or by post.

Abralytics

Abralytics doesn't mention having a DPO or GDPR correspondent and doesn’t display a dedicated privacy contact channel.

Privacy Policy

Regarding website and cloud: https://www.abralytics.com/privacy

It is unclear whether the privacy policy available on the Abralytics website applies to both the website and the cloud service.

Besides, it doesn’t provide data subjects with sufficient information under Articles 13 and 14 of the GDPR (data retention periods, legal basis, etc.).

Country & Type of Data storage

AT Internet

Company Headquarters:
France 🇫🇷  (EU) 🇪🇺

Storage Facilities:
All analytics data is stored in the EU by cloud providers AWS and SFR.

However, AT Internet doesn’t specify in which country the data is hosted.

Abralytics

Company Headquarters:
Ireland (EU)

Storage Facilities:
Data is hosted in the EU, but Abralytics doesn’t specify in which country, which external cloud provider it uses, or that provider's nationality.

Data transfers outside the EU

AT Internet

AT Internet doesn’t transfer analytics data outside the EU.

Abralytics

Data is deemed not to be transferred outside the EU, but this needs to be verified (the cloud provider and its nationality are unknown).

Legal tools for Subcontractors

AT Internet

AT Internet commits to verifying that its subcontractors present sufficient guarantees regarding the implementation of technical and organizational measures.

AT Internet has made public its list of subprocessors: https://www.atinternet.com/en/processor-sub-processor-information-parent-company/

Prior to modifying the list of subprocessors, the controller will be notified and is able to object.

Abralytics

Abralytics doesn’t mention any subcontractors or its process for contracting with them.

Data Breach Notification

AT Internet

In case of a data breach, AT Internet will notify the controller without undue delay after becoming aware of the breach, and provide the necessary information to notify Data Protection Authorities.

Abralytics

Abralytics doesn’t mention directly notifying controllers of a data breach within a set time frame, nor assisting controllers in notifying the supervisory authority of the breach.

Right Requests Process

AT Internet

Data requests will be forwarded to the controller without delay, and assistance will be provided to the controller to answer any request.

Abralytics

Abralytics doesn’t mention providing assistance to controllers in the event of a data subject rights request.

Data Privacy Impact Assessment

AT Internet

AT Internet will provide the necessary assistance to the controller in case of a Data Privacy Impact Assessment on an analytics processing activity.

Abralytics

Abralytics doesn’t specify having conducted DPIAs or providing assistance to controllers if needed.

Employee Trainings

AT Internet

Employees are trained on the confidentiality of personal data and are subject to a strict confidentiality obligation.

Abralytics

Abralytics doesn't mention employee training or employees being subject to NDAs.

Security Policy

AT Internet

AT Internet mentions having a security policy and updating it regularly, but has not made it public.

Abralytics

Abralytics doesn’t mention having a security policy.

Organizational and Technical Security Measures

AT Internet

Server security:
Cloud security relying on Amazon and SFR.

Other measures:
data pseudonymisation (hash), data anonymisation on demand, disaster recovery plan, penetration testing.

Abralytics

Abralytics doesn’t mention having a security policy.

Data Encryption

AT Internet

AT Internet never mentions data encryption.

Abralytics

Data encryption is never mentioned.

Restriction of access

AT Internet

AT Internet limits access to data to persons who need to know and does not share data with third parties without a prior request from the controller.

Abralytics

Abralytics doesn’t mention any specific restrictions of access to personal data.

Reuse of data

AT Internet

AT Internet doesn’t pursue its own purposes with this data processing. The controller remains the data owner.

Abralytics

Abralytics doesn’t sell any data. Controllers remain the owners of personal data.

Exemption of cookie consent

AT Internet

YES, if the controller masks the following personal data by default (visitor ID, postal code, internet service provider, converted visit) and anonymizes IP addresses.

Abralytics

YES, Abralytics doesn’t collect cookies.

Submission to Cloud Act/FISA

AT Internet

YES, data hosted on Amazon servers doesn’t appear to be anonymized or encrypted at rest and can therefore be accessed by an American intelligence agency on demand.

Abralytics

NO, data is stored in the EU and anonymized (and therefore no longer considered personal data).