Social Media Data Activation DPIA

We have a direct relationship with individuals from the start. Our systems show that we maintain direct relationships with multiple categories of data subjects: **Customers**: We use Salesforce CRM to manage customer relationships, storing contact details, interactions, purchase history, and transaction details. These are individuals who have directly engaged with our services. **Prospects**: We maintain prospect lists in Salesforce of individuals who have expressed interest in our services through direct engagement. **Website Visitors**: We directly collect behavioral data from individuals who visit our website through Google Analytics 4, tracking their browsing patterns and interactions. **Direct Data Collection**: According to our Social Media Campaign Brief, we collect and maintain customer and prospect lists directly in our systems, then enrich this data with behavioral information from our own analytics. We are not receiving this data from intermediaries - we are collecting it directly from individuals who interact with our website, services, and business operations. Our business model involves direct service delivery to customers, with processing activities including Customer Relationship Management, Sales Operations, Customer Support, Customer Onboarding, and Email Marketing Campaigns - all of which require direct interaction with individuals. We act as the data controller for this information, establishing the relationship from the initial point of contact.

While our documentation does not specify the exact number of individuals in the customer and prospect lists being uploaded for this social media campaign, the scale of the activity suggests a significant volume. The campaign involves uploading lists from Salesforce enriched with Google Analytics 4 behavioral data to three major advertising platforms (Meta, LinkedIn, and TikTok) for retargeting and lookalike audience targeting. This level of sophisticated, multi-platform marketing activity typically indicates an enterprise-scale operation with a substantial customer and prospect database, likely in the hundreds of thousands range. To confirm the exact number, we would need to consult with the marketing team or review the actual list sizes in Salesforce.

Yes, multiple inventoried systems will serve as data sources for this AI-powered social media advertising campaign. According to the assessment context documentation, the marketing team plans to upload customer and prospect lists from **Salesforce** (our CRM system), enriched with behavioral data from **Google Analytics 4**, to the advertising platforms **Meta**, **LinkedIn Campaign Manager Ads**, and **TikTok**. All five of these systems are part of our System Inventory: - **Salesforce**: Contains customer and prospect contact information, purchase history, and CRM data - **Google Analytics 4**: Provides behavioral data and website analytics - **Meta, LinkedIn, TikTok**: Will receive the uploaded data for retargeting and lookalike audience targeting The system metadata confirms that all these platforms are inventoried systems with documented processing activities, AI usage characteristics, and personal data categories. Salesforce and the three advertising platforms all use AI capabilities, with Meta and TikTok classified as high-risk AI systems.

Based on our Social Media Campaign Brief and assessment context, we are conducting a paid social media campaign that uploads customer and prospect lists from Salesforce, enriched with behavioral data from Google Analytics 4, to Meta, LinkedIn, and TikTok for retargeting and lookalike audience targeting purposes. The intended effect on individuals includes: **What they will experience:** - Individuals will encounter targeted advertisements on their social media feeds across Meta (Facebook/Instagram), LinkedIn, and TikTok platforms - Existing customers will see retargeting ads based on their previous interactions with our brand - Prospects and lookalike audiences will see ads designed to attract similar profiles to our existing customers **What they will be expected to do:** - View and potentially engage with advertising content - Click through to our website or specific landing pages - Consider our products or services based on the targeted messaging **What kinds of decisions they would need to make:** - Whether to engage with the advertisement (click, like, share, comment) - Whether to visit our website or landing pages - Whether to take conversion actions such as signing up for our services, requesting information, or making purchases - Whether to adjust their privacy settings or opt out of targeted advertising on these platforms Source: Social Media Campaign Brief and Privacy Risk Assessment for Paid Social Media Campaign documentation.

Based on our system configuration, we use multiple platforms for this marketing campaign, each with different access patterns: **Internal Access:** - **Marketing Team**: Manages campaigns across Meta, LinkedIn Campaign Manager, and TikTok, including uploading customer/prospect lists and creating retargeting audiences - **Sales Operations**: Uses Salesforce for CRM, customer onboarding, and account management - **Customer Support**: Accesses Salesforce for customer service activities - **Analytics Teams**: Uses Google Analytics 4 for market research and product analytics - **System Administrators**: Configure and maintain access controls across all platforms **Third-Party Platform Access:** - **Salesforce**: Processes data for CRM, sales operations, customer support, and marketing campaigns (uses AI, classified as high-risk) - **Meta**: Processes data for online advertising and internal business communications (uses AI, classified as high-risk) - **LinkedIn**: Processes data for B2B advertising and lead generation (uses AI) - **TikTok**: Processes data for online advertising (uses AI, classified as high-risk) - **Google Analytics 4**: Processes data for website analytics and behavioral tracking Each platform provider has access to the personal data uploaded to their systems as data processors. Our assessment context indicates these systems handle sensitive personal data categories including contact information, browsing behavior, employment information, and device identifiers. While our uploaded documents do not contain specific internal access control policies, the system metadata shows the scope of data processing across these platforms.

Our current documentation does not contain specific information about backup and archival retention periods for the systems involved in this assessment (Salesforce, LinkedIn Campaign Manager Ads, Meta, TikTok, and Google Analytics 4). While we have general business context and system metadata, we lack the specific data retention policy or schedule that would define how long data is archived for long-term storage or backup purposes. To provide an accurate answer, we would need to reference our formal data retention policy, backup procedures documentation, or the specific data processing agreements with these third-party platforms.

Based on our systems and processing activities, multiple internal groups will access the data: **Sales**: Salesforce is used for Sales Operations and CRM, requiring sales team access to customer and prospect data. **Marketing**: The paid social media campaign involves uploading customer and prospect lists to Meta, LinkedIn, and TikTok for advertising. Marketing also uses Salesforce for Email Marketing Campaigns, Online Advertising, and Event Management. **Customer Support**: Salesforce is used for Customer Support, Customer Onboarding, and Customer Feedback & Surveys, requiring support team access. **Product or Project Management**: Salesforce includes Product Analytics and Performance Management capabilities that product/project managers would access. **Product Development**: Google Analytics 4 and Salesforce Product Analytics provide behavioral data that product development teams use for feature development and optimization. **Information Security**: Given the high-risk AI usage in Salesforce, Meta, and TikTok, information security teams must access data for security monitoring, risk assessment, and compliance oversight. **Information Technology**: IT teams require access for system administration, integration management, and technical support across all platforms (Salesforce, Meta, LinkedIn, TikTok, Google Analytics 4).

Based on our available documentation, there is no indication that we operate multiple lines of business, have legal affiliates, or are part of a parent company structure. Our documentation describes us as a privacy management platform without reference to any corporate affiliates, subsidiaries, or separate business divisions that would have access to the data involved in this social media campaign. The assessment context focuses on data sharing with external third-party platforms (Meta, LinkedIn, TikTok) rather than internal corporate entities. Without documentation indicating a multi-entity corporate structure or separate lines of business, the data will remain within our immediate organization.

Based on our documentation, we share data with third-party service providers and vendors. Specifically, for our paid social media campaign, we share customer and prospect data with: - **Meta** - for retargeting and lookalike audience targeting - **LinkedIn** - for retargeting and lookalike audience targeting - **TikTok** - for retargeting and lookalike audience targeting We also integrate with hundreds of third-party business systems including CRMs, marketing platforms, data warehouses, customer support tools, and HR systems to support our core functions. The data shared includes names, email addresses, phone numbers, postal addresses, IP addresses, device identifiers, behavioral and browsing data, and purchase history. Source: Assessment context documentation on paid social media campaign and third-party data sharing practices.

Based on our assessment context and system inventory, all five third-party platforms involved in this social media campaign are inventoried systems: **Data Source Systems:** - **Salesforce**: Our CRM system containing customer and prospect lists, which uses AI and processes extensive personal data categories including names, email addresses, phone numbers, employment information, and browsing history - **Google Analytics 4**: Our web analytics platform providing behavioral data for audience enrichment **Advertising Platform Systems:** - **Meta**: Facebook advertising platform for retargeting and lookalike audiences, which uses AI and is classified as high-risk - **LinkedIn Campaign Manager Ads**: Professional network advertising platform for B2B targeting, which uses AI - **TikTok**: Social media advertising platform for audience targeting, which uses AI and is classified as high-risk All of these systems are documented in our system inventory with detailed metadata about their processing activities, AI usage, data categories processed, and data subjects involved. The campaign involves uploading enriched customer data from Salesforce and Google Analytics 4 to the three advertising platforms (Meta, LinkedIn, and TikTok) for retargeting and lookalike audience creation.