PII is defined as any information/data that can be used to uniquely identify a Data Subject within a database or data collection. Legally, this process is often referred to as “singling out” and specifically describes using PII to pinpoint any individual Data Subject within a dataset. Data that cannot be used to single out a Data Subject is, therefore, not considered PII.
PII is made up of “hard data points” such as (personal) names, email addresses, physical addresses, IP addresses, social security numbers, mugshots, avatars, and so forth. This type of data reveals the underlying Data Subject using a one-to-one relation.
It is important to note that while PII is not being explicitly processed, Crobox does work with Universally Unique Identifiers (UUIDs), which are computer-generated sequences of random characters that connect sessions to corresponding visitors. While UUIDs can theoretically be used to single out Data Subjects, they are often not considered PII because:
The UUID uses complex logic to randomly generate a sequence of characters and numbers, making it very difficult to connect a specific Data Subject to a UUID.
The UUID is never exposed to a visitor as it is stored in cookies. Without knowing a UUID, one can never pinpoint his or her own data.
The UUID doesn't have any interpretation, meaning there is no distinction between any two given UUIDs.
Based on the above explanation of PII and UUIDs, no, Crobox does not store any PII on our platform. No database or other persistent data storage contains data that is directly attributable to any Data Subject.
Crobox does store UUIDs. Depending on the legal definition that an organization adopts, and as stated above (see FAQ 1), UUIDs can be considered PII, but this is rarely the case. Crobox requires UUIDs to process events. These UUIDs are stored in our platform and in the cookies within the browser of a visitor.
The only PII that is temporarily processed and transformed (anonymized) is the IP address belonging to a web or HTTP session. Whenever a visitor enters the website of the Data Controller, Crobox creates a new session that holds information belonging to that specific visitor as long as (s)he is active on the website.
Specifically, Crobox uses the IP address to determine the city/country/region of the respective visitor. Whether this mapping is successful or not, the IP address is immediately discarded and is therefore not persisted.
Crobox’s platform logs all communication that takes place on our platform, as we need this data for system and security purposes. For example, this log is used to detect and protect against Distributed Denial of Service (DDoS) attacks.
This log data is raw system data that is not correlated, interpreted, or otherwise enriched. However, system logging does include IP addresses, as these are required for security and system logging and thus can’t be excluded. To further minimize any impact, this system data is only stored in the logging infrastructure and is automatically removed after 14 days.
A DPA is not required to use Crobox’s platform, as PII is not stored. Therefore, the impact of a data breach is low. However, organizations that wish to have this in place can request Crobox’s DPA.