DEISTLER FAMILY OFFICE

COOKIE AND TRACKING POLICY

OF DEISTLER FAMILY OFFICE
(“Deistler”, “we”, “us”, “our”)

Effective date: January 2025
Applies to: All digital properties under the domain deistler.family and any successors or associated domains operated or controlled by Deistler Family Office.

I. PURPOSE, SCOPE AND REGULATORY CONTEXT

  1. This Global Cookie and Tracking Policy (“Policy”) sets out the principles, rules and technical frameworks governing the deployment and use of cookies and other tracking technologies (“Tracking Technologies”) across all digital properties operated or controlled by Deistler Family Office.
  2. This Policy applies to:
    • the public website at https://deistler.family;
    • any associated subdomains;
    • secure portals for professional and institutional users;
    • investor and client reporting platforms;
    • due diligence and data room environments;
    • web-based and mobile applications offered by Deistler;
    • APIs and machine-to-machine interfaces exposed by Deistler;
    • embedded content and integrations hosted by Deistler or its service providers.
  3. This Policy is designed to comply with, and where appropriate exceed, the requirements of applicable data protection and electronic communications laws, including, without limitation:
    • Regulation (EU) 2016/679 (General Data Protection Regulation – “EU GDPR”);
    • UK GDPR and the UK Data Protection Act 2018;
    • Swiss Federal Act on Data Protection (“nFADP”);
    • Directive 2002/58/EC (ePrivacy Directive) and national implementations (including the German Telecommunications-Telemedia Data Protection Act – “TTDSG”, renamed the Telecommunications-Digital Services Data Protection Act (TDDDG) in May 2024);
    • California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA);
    • Virginia Consumer Data Protection Act (VCDPA);
    • Colorado Privacy Act (CPA);
    • Connecticut Data Privacy Act (CTDPA);
    • Utah Consumer Privacy Act (UCPA);
    • Brazilian Lei Geral de Proteção de Dados (LGPD);
    • Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial legislation;
    • Australian Privacy Act 1988;
    • Singapore Personal Data Protection Act (PDPA);
    • Hong Kong Personal Data (Privacy) Ordinance (PDPO);
    • Japan Act on the Protection of Personal Information (APPI);
    • South Africa Protection of Personal Information Act (POPIA);
    • New Zealand Privacy Act 2020;
    • Thailand Personal Data Protection Act;
    • Republic of Korea Personal Information Protection Act (PIPA);
    • India Digital Personal Data Protection Act;
    • Dubai International Financial Centre Data Protection Law;
    • Abu Dhabi Global Market Data Protection Regulations;
    • applicable sectoral regimes (including requirements and guidance from BaFin, FCA, FINMA, CSSF, SEC, CFTC, ESMA, DFSA, FSRA, MAS, SFC, ASIC and other financial regulators where relevant).
  4. This Policy forms an integral part of Deistler’s overarching Privacy Framework and must be read together with:
    • the Global Privacy Policy;
    • the Information Security Policy;
    • the Records Retention Policy;
    • the Data Governance and Classification Policy;
    • the Incident Response and Breach Notification Policy.
  5. In the event of any conflict between this Policy and local mandatory law, the more protective standard for data subjects shall apply.

II. DEFINITIONS

For purposes of this Policy:

  1. “Cookie” means a small text file that is placed on a user’s device (such as a computer, smartphone, or tablet) by a website or application and that can be read on subsequent visits.
  2. “Tracking Technologies” means any technology that stores or accesses information on a user’s device or otherwise monitors user interactions, including but not limited to:
    • HTTP cookies (session and persistent);
    • secure and HttpOnly cookies;
    • HTML5 local storage and session storage;
    • web beacons, pixel tags, clear GIFs;
    • JavaScript tags and SDKs;
    • device identification and fingerprinting technologies;
    • server-side and API-level event tracking;
    • telemetry agents and observability tools;
    • log-file analysis;
    • behavioural analytics and anomaly detection modules.
  3. “Personal Data” has the meaning given in the relevant applicable law and includes any information relating to an identified or identifiable natural person, including where identification is possible through cookies or identifiers.
  4. “Processing” has the meaning given under the applicable law and includes any operation performed on Personal Data, such as collection, storage, use, disclosure, transfer, or deletion.
  5. “Strictly Necessary Cookies” means cookies required to enable core website functionality, ensure security and integrity, fulfil user requests or comply with legal or regulatory obligations.
  6. “Analytics Cookies” means cookies and similar technologies used to perform aggregated measurement, performance monitoring, diagnostics and statistical analysis of how the Website and related services are used.
  7. “Functional Cookies” means cookies that enable enhanced functionality and personalisation not strictly required for the basic operation of the services.
  8. “Consent” means any freely given, specific, informed and unambiguous indication of a data subject’s wishes by which they signify agreement to the processing of Personal Data, in accordance with applicable law.
  9. “Third-Party Service Provider” means any external entity engaged by Deistler to provide infrastructure, hosting, analytics, cybersecurity, content delivery, portal services, communication, or other technical functionalities supporting the Website or related services.

III. LEGAL BASIS AND PRINCIPLES

  1. The placement and use of Tracking Technologies are governed by two interlinked legal layers:
    (a) Storage and access on the device: Under the ePrivacy framework and national law (including the TTDSG in Germany), the storage of and access to information on a user’s device is permitted only:
      • if strictly necessary for the provision of a service explicitly requested by the user; or
      • where the user has given prior consent.
    (b) Subsequent processing of Personal Data: Once Personal Data are collected through Tracking Technologies, their processing is governed by applicable data protection laws (e.g. EU GDPR), which require an appropriate legal basis, such as:
      • consent;
      • performance of a contract;
      • compliance with a legal obligation;
      • legitimate interests, balanced against the rights and freedoms of the data subject.
  2. Deistler applies the following principles:
    • Lawfulness, fairness and transparency;
    • Purpose limitation;
    • Data minimisation;
    • Accuracy;
    • Storage limitation;
    • Integrity and confidentiality;
    • Accountability.
  3. Strictly Necessary Cookies can be used without Consent where permitted by law. All other categories are only used on the basis of valid Consent or an alternative legal basis clearly identified in Annex C (Legal Basis and International Transfer Matrix).

IV. CATEGORIES OF TRACKING TECHNOLOGIES DEPLOYED

1. Strictly Necessary Cookies

  1. Strictly Necessary Cookies are essential for:
    • establishing and maintaining user sessions;
    • enabling login mechanisms for professional investor portals;
    • supporting multi-factor authentication workflows;
    • enforcing access control lists;
    • protecting against Cross-Site Request Forgery (CSRF) and other web attacks;
    • ensuring load balancing and high availability;
    • fulfilling obligations relating to investor classification (e.g. professional vs retail access gating).
  2. These cookies do not capture more data than is required for these purposes and are configured to expire as soon as reasonably possible.
  3. A non-exhaustive inventory of Strictly Necessary Cookies is set out in Annex A (Global Cookie Inventory).

2. Functional Cookies

  1. Functional Cookies support an enhanced and more tailored user experience, including:
    • storing language preferences and regional settings;
    • remembering the user’s confirmation of professional investor status;
    • preserving display and layout preferences;
    • ensuring continuity in the use of secure document viewers;
    • providing pre-filled forms for logged-in institutional users.
  2. Functional Cookies may require Consent under certain laws. Specific legal bases, retention periods and affected jurisdictions are specified in Annex A and Annex C.

3. Performance and Analytics Technologies

  1. Performance and Analytics Technologies enable Deistler to:
    • measure page load times and application performance;
    • monitor navigation patterns and flows across secure portals;
    • understand usage trends by region, device type and institutional segment;
    • identify and remediate errors or service disruptions;
    • optimise content allocation and caching strategies.
  2. Data are primarily processed in aggregated or pseudonymised form. Where Personal Data are processed, they are subject to strict access controls and minimisation.
  3. Examples of such technologies include, without limitation:
    • Aurelius Metrics Suite (hosted analytics service);
    • Stratiform Performance Insights;
    • Quantitech Telemetry Cloud;
    • Meridian Insight Analytics;
    • internal observability tools operated by Deistler or its group.
  4. Detailed descriptions and parameters are provided in Annex A and Annex B.

4. Security and Integrity Technologies

  1. Security and Integrity Tracking Technologies are used exclusively to:
    • protect Deistler’s systems, clients, and counterparties from cyberattacks;
    • detect and prevent bot traffic, credential stuffing, brute-force attempts, and automated scraping;
    • identify suspicious login patterns and high-risk geolocations;
    • enforce zero-trust authentication policies;
    • support investigations and forensic analysis in the event of an incident.
  2. Providers may include:
    • Fortinex Global Security Ltd.;
    • SentinelShield Cyber Defense AG;
    • Apex Threat Intelligence Corporation;
    • Orion Defensive Systems Pte Ltd.
  3. Where such technologies involve Personal Data, they operate on the basis of legitimate interests or, where applicable, Consent. Legal bases per jurisdiction are detailed in Annex C.

5. Behavioural and Preference-Based Technologies (Institutional Context)

  1. Deistler may deploy behavioural and preference-based technologies within a strictly institutional context to:
    • understand engagement with research, thought leadership and investor materials;
    • improve navigation and usability for professional and institutional users;
    • refine portal workflows;
    • assess uptake and completion rates of digital investor onboarding processes.
  2. Deistler does not use such technologies to target or profile retail clients for advertising purposes.
  3. Where required by law, Consent is obtained before such technologies are deployed.

6. Third-Party and Embedded Content Technologies

  1. Where Deistler integrates external components (for example, embedded video players, professional conferencing tools, document viewers or financial data widgets), these components may place their own cookies or use Tracking Technologies.
  2. Deistler requires that embedded providers operate under appropriate contractual safeguards, including data protection agreements and security provisions.
  3. A non-exhaustive list of embedded providers and their categories of Tracking Technologies is provided in Annex B (Third-Party Vendor Registry).

V. IP ADDRESSES, LOG FILES AND SERVER-SIDE TRACKING

  1. When a user accesses Deistler’s digital properties, Deistler may collect and process:
    • IP address (full or truncated);
    • date and time of access;
    • accessed resources and HTTP status codes;
    • volume of data transmitted;
    • referrer URL (where permitted);
    • user-agent string;
    • security-relevant request attributes.
  2. Such data are used to:
    • maintain the security and integrity of Deistler’s services;
    • protect against attacks and abuse;
    • monitor system capacity and performance;
    • comply with legal obligations, including record-keeping and audit duties.
  3. IP addresses are generally treated as Personal Data under the EU and UK GDPR and may be so under other regimes; they are then processed in accordance with the applicable law. Legal bases and retention periods are listed in Annex C.

VI. INTERNATIONAL DATA TRANSFERS

  1. Tracking Technologies may result in the collection and transfer of Personal Data to third countries, including but not limited to:
    • United States of America;
    • United Kingdom;
    • Switzerland;
    • Singapore;
    • Hong Kong;
    • Japan;
    • United Arab Emirates;
    • Brazil;
    • South Africa;
    • Australia;
    • Canada;
    • India;
    • South Korea;
    • other jurisdictions where Deistler or its Third-Party Service Providers maintain operations.
  2. Where Deistler transfers Personal Data outside the EU/EEA, the UK or Switzerland, such transfer is based on:
    • an adequacy decision by the European Commission, the UK Government or the Swiss Federal Council; and/or
    • Standard Contractual Clauses approved by the European Commission; and/or
    • the UK International Data Transfer Agreement or Addendum; and/or
    • Swiss-compliant transfer clauses; and/or
    • equivalent transfer mechanisms required by local laws.
  3. Additional technical and organisational measures are used where appropriate, including encryption, pseudonymisation, and strict access control, as detailed in Annex D.

VII. DATA RETENTION

  1. Deistler retains data collected via Tracking Technologies only for as long as necessary to fulfil the purposes described in this Policy, including:
    • technical operation and maintenance;
    • security and incident response;
    • analytics and service improvement;
    • legal and regulatory obligations (e.g. financial regulation, record-keeping).
  2. Retention periods for individual cookies and Tracking Technologies are set out in Annex A. Where legal or regulatory obligations require longer storage (e.g. for audit trails), this will be clearly documented and controlled through internal retention schedules.

VIII. DATA SUBJECT RIGHTS

  1. Depending on applicable local law, users may have one or more of the following rights in relation to Personal Data collected via Tracking Technologies:
    • right of access;
    • right to rectification;
    • right to erasure;
    • right to restriction of processing;
    • right to data portability;
    • right to object to processing based on legitimate interests;
    • right to withdraw Consent at any time;
    • right not to be subject to decisions based solely on automated processing where such rights are provided;
    • right to lodge a complaint with a competent supervisory authority.
  2. Details on how to exercise these rights are provided in the Global Privacy Policy and may be applied equally in respect of Tracking Technologies.

IX. CONSENT MANAGEMENT AND WITHDRAWAL

  1. Where required by law, Deistler operates a consent management platform (“CMP”) that:
    • presents a clear and prominent cookie banner;
    • provides an option to accept or reject non-essential cookies;
    • allows granular selection of cookie categories;
    • enables the user to change preferences at any time;
    • records Consent status and timestamp for audit and compliance purposes.
  2. Users may:
    • accept all cookies;
    • reject all non-essential cookies;
    • select specific categories;
    • withdraw Consent at any time via the CMP or browser settings.
  3. Withdrawal of Consent shall not affect the lawfulness of processing based on Consent before its withdrawal.

X. SECURITY MEASURES

  1. Deistler implements appropriate technical and organisational measures to safeguard data collected through Tracking Technologies, including, without limitation:
    • transport layer encryption (TLS 1.2 or higher);
    • secure cookie attributes (Secure, HttpOnly, SameSite where applicable);
    • network segmentation and firewalls;
    • endpoint protection and monitoring;
    • intrusion detection and prevention systems;
    • security logging and Security Information and Event Management (SIEM);
    • regular vulnerability assessments and penetration tests;
    • strict access controls and least-privilege principles.
  2. Additional technical and organisational measures are described in Annex D (Technical and Organisational Measures) and Annex F (Security and Logging Framework).

XI. CHANGES TO THIS POLICY

  1. Deistler may update this Policy to reflect:
    • changes in applicable laws or regulatory guidance;
    • significant changes to Tracking Technologies;
    • modifications of service providers;
    • security enhancements or architectural changes.
  2. Where changes are material, Deistler will provide appropriate notice, for example via updated banners, on-site notifications or direct communication to affected institutional users, as required.

XII. CONTACT

All questions, concerns or requests regarding this Policy or the use of cookies and Tracking Technologies should be addressed to:

Global Data Governance Office
Deistler Family Office
Email: info@deistler.family

 

ANNEX A – GLOBAL COOKIE INVENTORY

This Annex sets out a non-exhaustive inventory of cookies used on deistler.family and associated platforms. Actual deployment may vary depending on the user’s jurisdiction, device, browser settings, and service configuration.

A.1 Strictly Necessary Cookies

Name | Provider | Type | Purpose | Retention
DFO_session | Deistler Family Office | First-party | Maintains the secure HTTP session between client and server, including portal navigation and authentication. | Session
DFO_auth | Deistler Family Office | First-party | Stores an encrypted token for authenticated access to professional and client portals. | Session
DFO_csrf_token | Deistler Family Office | First-party | Protects forms and POST actions against Cross-Site Request Forgery (CSRF) attacks. | Session
DFO_cookie_consent | Deistler Family Office | First-party | Records the user’s cookie consent choices across categories. | 12 months
DFO_region | Deistler Family Office | First-party | Stores region/jurisdiction for regulatory gating of content (e.g. EU vs. non-EU). | 6 months
DFO_prof_status | Deistler Family Office | First-party | Records confirmation that the user is a professional/institutional investor, where required. | 12 months
__cf_bm | Cloudflare, Inc. | Third-party | Bot management and traffic integrity analysis to protect against automated attacks. | 30 minutes
cf_ob_info | Cloudflare, Inc. | Third-party | Supports optimisation and routing to ensure continuity and performance. | A few minutes
AWSALB | Amazon Web Services | Third-party | Load-balancer cookie mapping a session to a specific server instance for high availability. | 7 days
DFO_portal_lock | Deistler Family Office | First-party | Enforces a single active session per authenticated user so that concurrent use of a stolen session is detected and terminated. | Session

A.2 Functional Cookies

Name | Provider | Type | Purpose | Retention
DFO_language | Deistler Family Office | First-party | Stores the interface language preference. | 12 months
DFO_layout | Deistler Family Office | First-party | Remembers selected layout options for dashboards and portal pages. | 6 months
DFO_doc_access | Deistler Family Office | First-party | Records that the user has acknowledged disclaimers and conditions for accessing documents. | 30 days
DFO_portal_pref | Deistler Family Office | First-party | Stores user preferences in secure areas, such as default report views. | 12 months
hubspotutk | HubSpot, Inc. | Third-party | Tracks interaction with forms and content to support institutional relationship management. | 13 months
__hstc | HubSpot, Inc. | Third-party | Main tracking cookie recording visit timestamps and session counts for professional contacts. | 13 months
player | Vimeo.com, Inc. | Third-party | Remembers settings for embedded video players (volume, playback state). | 12 months
vuid | Vimeo.com, Inc. | Third-party | Collects analytics for embedded video content used in research and investor communications. | 24 months

A.3 Analytics Cookies

Name | Provider | Type | Purpose | Retention
_ga | Aurelius Metrics Corporation | Third-party | Distinguishes visitors via a pseudonymous client ID for aggregate usage analysis. | 24 months
_ga_DFO | Aurelius Metrics Corporation | Third-party | Provides granular analytics for specific sections of deistler.family and associated portals. | 24 months
_gid | Aurelius Metrics Corporation | Third-party | Stores and counts page views for daily visitor statistics. | 24 hours
_amp_DFO_id | Stratiform Analytics GmbH | Third-party | Assigns a pseudonymous identifier per browser for institutional traffic analysis. | 12 months
hjUserId | Meridian Insight Analytics | Third-party | Pseudonymous behavioural analytics identifier for navigation patterns. | 12 months
hjSession_* | Meridian Insight Analytics | Third-party | Maintains stateful session information to group user actions during a single visit. | 30 minutes
DFO_analytics_opt | Deistler Family Office | First-party | Indicates whether analytics cookies were accepted or rejected. | 12 months

A.4 Security and Integrity Cookies

Name | Provider | Type | Purpose | Retention
FX_sec_token | Fortinex Global Security Ltd. | Third-party | Contains a cryptographic token for risk-based access and advanced authentication checks. | Session
SS_anomaly_flag | SentinelShield Cyber Defense AG | Third-party | Stores indicators of suspected anomalous or high-risk behaviour. | 24 hours
Apex_risk_profile | Apex Threat Intelligence Corp. | Third-party | Supports correlation of multiple events to assess elevated security risk. | 7 days
DFO_device_hash | Deistler Family Office | First-party | Pseudonymous device fingerprint used exclusively for fraud prevention and security. | 12 months
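As an added example (not part of the Deistler policy or of any Deistler system), the following Python script checks a set of Set-Cookie response headers against what this Annex and Section X commit to: that each declared cookie lives no longer than its stated retention, and that every cookie carries the Secure and SameSite attributes, with HttpOnly on cookies that hold session or authentication state. The inventory excerpt is taken from Annex A; the rule that DFO_session, DFO_auth and DFO_portal_lock must be HttpOnly, and the sample headers, are assumptions constructed for illustration.

```python
"""Audit Set-Cookie headers against a cookie inventory and attribute rules.

Added example for this page; not Deistler code. The inventory excerpt is taken
from Annex A, the attribute rules restate Section X, and the sample headers
below are constructed (not captured from any real site).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

DAY = 86400

# Annex A excerpt: declared cookie name -> maximum retention in days (None = session cookie).
INVENTORY: dict[str, int | None] = {
    "DFO_session": None,
    "DFO_auth": None,
    "DFO_csrf_token": None,
    "DFO_portal_lock": None,
    "DFO_cookie_consent": 365,  # 12 months
    "DFO_region": 183,          # 6 months
    "DFO_prof_status": 365,     # 12 months
    "DFO_language": 365,        # 12 months
}

# Assumption: the Annex A cookies that carry session or authentication state
# must not be readable by page scripts (HttpOnly). The CSRF token is left out
# because a double-submit pattern needs script access to it.
HTTPONLY_REQUIRED = {"DFO_session", "DFO_auth", "DFO_portal_lock"}


@dataclass
class SetCookie:
    name: str
    value: str
    attrs: dict[str, str | None] = field(default_factory=dict)  # keys lower-cased


def parse_set_cookie(header: str) -> SetCookie:
    """Split one Set-Cookie header value into name, value and attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else None
    return SetCookie(name.strip(), value, attrs)


def lifetime_seconds(cookie: SetCookie, now: datetime) -> int | None:
    """Declared lifetime in seconds, or None for a session cookie.
    Max-Age wins over Expires, which is how browsers resolve the two."""
    max_age = cookie.attrs.get("max-age")
    if max_age is not None:
        return int(max_age)
    expires = cookie.attrs.get("expires")
    if expires:
        return int((parsedate_to_datetime(expires) - now).total_seconds())
    return None


def audit_cookie(cookie: SetCookie, now: datetime) -> list[str]:
    """Return policy findings for one cookie; an empty list means compliant."""
    findings: list[str] = []
    if cookie.name not in INVENTORY:
        findings.append("not declared in Annex A inventory")
    # Section X attribute rules.
    if "secure" not in cookie.attrs:
        findings.append("missing Secure")
    if (cookie.attrs.get("samesite") or "").lower() not in {"strict", "lax"}:
        findings.append("SameSite must be Strict or Lax")
    if cookie.name in HTTPONLY_REQUIRED and "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly")
    # Annex A retention is an upper bound on the lifetime actually set.
    declared = INVENTORY.get(cookie.name)
    actual = lifetime_seconds(cookie, now)
    if cookie.name in INVENTORY:
        if declared is None and actual is not None:
            findings.append("declared as session cookie but has a persistent lifetime")
        elif declared is not None and actual is not None and actual > declared * DAY:
            findings.append(f"lifetime {actual // DAY} days exceeds declared {declared} days")
    return findings


def audit_headers(headers: list[str], now: datetime) -> dict[str, list[str]]:
    """Audit every header; maps cookie name -> findings."""
    return {c.name: audit_cookie(c, now) for c in map(parse_set_cookie, headers)}


# Constructed sample response headers and audit time.
SAMPLE_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "DFO_session=0a1b2c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "DFO_auth=tok123; Path=/portal; Secure; SameSite=Strict",
    "DFO_cookie_consent=v2:nec+fun; Path=/; Max-Age=31536000; Secure; SameSite=Lax",
    "DFO_region=EU; Path=/; Expires=Wed, 14 Jan 2026 00:00:00 GMT; Secure; SameSite=Lax",
    "DFO_csrf_token=9f8e7d; Path=/; SameSite=Strict",
    "vendor_track=1; Path=/; Secure",
]

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS, SAMPLE_NOW).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run against the Set-Cookie headers of a real response (from an HTTP client or a browser's developer tools), this turns the inventory into a regression check: a vendor script that starts setting an undeclared cookie, or a deployment that lengthens a Max-Age beyond the declared period, shows up as a finding rather than as a silent drift between the policy and the site.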

ANNEX B – THIRD-PARTY VENDOR REGISTRY (TRACKING-RELATED)

This Annex lists key Third-Party Service Providers whose technologies may be involved in Tracking Technologies used by Deistler.

Vendor Name | Jurisdiction | Role / Function | Categories of Technologies
Cloudflare, Inc. | United States | Content delivery, security, DDoS protection | Strictly Necessary, Security
Amazon Web Services EMEA SARL | EU / Global | Cloud hosting, load balancing, infrastructure | Strictly Necessary, Security
Aurelius Metrics Corporation | United States | Web analytics and performance monitoring | Analytics
Stratiform Analytics GmbH | Germany / EU | Enterprise analytics and usage dashboards | Analytics
Meridian Insight Analytics Ltd. | United Kingdom | Behavioural analytics for institutional UX | Analytics
Quantitech Telemetry AG | Switzerland | Telemetry and system performance insights | Analytics, Security
Fortinex Global Security Ltd. | Ireland / EU | Cybersecurity threat detection and prevention | Security
SentinelShield Cyber Defense AG | Switzerland | Threat intelligence and anomaly detection | Security
Apex Threat Intelligence Corp. | Singapore | Global risk correlation and defence services | Security
Orion Defensive Systems Pte Ltd | Singapore | Zero-trust enforcement and access management | Security
HubSpot, Inc. | United States / EU | Institutional CRM and form processing | Functional, Analytics
Vimeo.com, Inc. | United States / EU | Embedded video hosting and playback | Functional, Analytics

Each vendor is engaged under a data processing or data sharing agreement setting out:

  • purposes and scope of processing;
  • confidentiality obligations;
  • data protection and security standards;
  • international transfer mechanisms;
  • subprocessor controls and audit rights.

ANNEX C – LEGAL BASIS AND INTERNATIONAL TRANSFER MATRIX

This Annex provides an overview of the primary legal bases for the use of Tracking Technologies and associated international transfers.

C.1 Legal Bases for Cookies and Tracking Technologies

Category | Primary Legal Basis (EU/UK/CH) | Additional Considerations
Strictly Necessary | Art. 6(1)(b) or (f) GDPR; §25(2) TTDSG (where applicable) | No Consent required where essential for the requested service or for security.
Functional | Art. 6(1)(a) GDPR (Consent) | Where truly necessary for the requested functionality, Art. 6(1)(b)/(f) may apply.
Analytics | Art. 6(1)(a) GDPR (Consent) | Legitimate interest may apply to the subsequent processing of fully anonymised analytics data; the consent requirement for storing or reading information on the device (Section III) is not affected by anonymisation.
Security | Art. 6(1)(f) GDPR (legitimate interest); occasionally Art. 6(1)(c) GDPR (legal obligations) | No Consent required where the technology is strictly necessary to secure the requested service (Section III); the functionality is critical to security and compliance.
Behavioural (Institutional) | Art. 6(1)(a) GDPR (Consent); Art. 6(1)(f) (legitimate interest) for limited institutional optimisation | No use for retail marketing.

C.2 International Transfer Mechanisms

Destination Jurisdiction | Mechanism Applied
EU / EEA | Not a third-country transfer; no transfer mechanism required
United Kingdom | Adequacy; or SCCs with the UK IDTA/Addendum where relevant
Switzerland | Adequacy; or SCCs with Swiss-specific provisions
United States | SCCs and additional safeguards as required
Singapore, Hong Kong | SCCs or equivalent contractual safeguards
Switzerland ↔ EU / UK | Mutual adequacy decisions
Other jurisdictions | SCCs and appropriate contractual, technical and organisational measures

ANNEX D – TECHNICAL AND ORGANISATIONAL MEASURES (TOMs)

This Annex summarises key technical and organisational measures applied to data collected via Tracking Technologies.

  1. Governance and Policies
    • Documented data protection and security policies approved by senior management.
    • Clear designation of roles and responsibilities for data governance.
    • Regular policy review cycles.
  2. Access Control
    • Role-based access control (RBAC) to systems processing Personal Data.
    • Principle of least privilege for all user accounts.
    • Strong authentication mechanisms (including MFA for privileged access).
    • Strict segregation of duties in sensitive environments.
  3. Encryption
    • Encryption of data in transit using TLS (v1.2 or higher).
    • Encryption of data at rest in databases and log archives where feasible.
    • Secure key management and rotation policies.
  4. Network and Infrastructure Security
    • Firewalls, intrusion detection and prevention systems.
    • Network segmentation between public-facing and internal zones.
    • Secure configuration baselines and hardening standards.
    • DDoS mitigation and rate-limiting mechanisms.
  5. Application Security
    • Secure development lifecycle and code review processes.
    • Regular vulnerability scanning and penetration testing.
    • Security testing of Tracking Technology integrations and third-party components.
    • Use of Content Security Policy (CSP) and secure headers where feasible.
  6. Logging and Monitoring
    • Centralised logging of security-relevant events (see Annex F).
    • Real-time alerting for critical incidents or anomalies.
    • Regular review of logs for suspicious activities.
    • Integration with SIEM platforms for cross-correlation and incident detection.
  7. Incident Response
    • Documented Incident Response procedures.
    • Defined escalation paths and communication plans.
    • Forensic readiness including preservation of relevant logs.
    • Regular incident response testing and simulations.
  8. Data Minimisation and Retention
    • Limiting Tracking Technologies to what is necessary and proportionate.
    • Enforcing retention periods via automated policies where possible.
    • Controlled disposal and deletion of logs and cookie-derived data after expiry.
  9. Vendor Oversight
    • Due diligence on Third-Party Service Providers.
    • Contractual security and data protection clauses.
    • Periodic review of vendor compliance and performance.
  10. Training and Awareness
    • Staff training on data protection and security obligations.
    • Targeted training for administrators handling logging and analytics data.

ANNEX E – REGULATORY JURISDICTION MAPPING

This Annex summarises key regime-specific aspects relevant to Tracking Technologies.

  1. EU / EEA (EU GDPR, ePrivacy, TTDSG)
    • Consent required for non-essential cookies.
    • Transparency obligations and easily accessible information.
    • Data Protection Impact Assessment where high risk is identified.
  2. United Kingdom (UK GDPR, DPA 2018)
    • Requirements analogous to EU GDPR.
    • ICO guidance on cookies and similar technologies to be followed.
  3. Switzerland (nFADP)
    • Adequate protections aligned with EU standards.
    • Emphasis on transparency and purpose limitation.
  4. United States (CCPA/CPRA and other state laws)
    • Opt-out mechanisms for “sale” or “sharing” where applicable.
    • Notice at collection and transparency requirements.
    • Special care in relation to cross-site tracking and advertising cookies.
  5. Canada (PIPEDA and provincial laws)
    • Emphasis on meaningful consent.
    • Transparency and safeguards regarding online tracking.
  6. Brazil (LGPD)
    • Legal bases similar to GDPR; emphasis on clear information and rights.
  7. APAC (PDPA, PDPO, APPI, PIPA etc.)
    • Varying consent and notification standards, generally requiring transparency and security.
  8. Middle East (DIFC, ADGM, UAE Federal law)
    • GDPR-like frameworks requiring lawful basis, transparency and adequate safeguards.

Deistler’s global approach is to adopt standards that meet or exceed the most stringent applicable requirements.

ANNEX F – SECURITY AND LOGGING FRAMEWORK (TRACKING-RELATED)

  1. Scope of Logging
    • Authentication events;
    • Access to protected resources;
    • Changes in Consent status;
    • Security alerts generated by Tracking Technologies;
    • Integration activity with third-party analytics/security tools.
  2. Log Content
    • Timestamps;
    • pseudonymised or truncated identifiers;
    • event type and severity;
    • origin system;
    • minimal contextual information needed for security and audit purposes.
  3. Log Retention
    • Security logs retained in line with regulatory and best practice guidelines;
    • limited access to logs to authorised personnel only;
    • periodic review and integrity checks.
  4. Audit and Assurance
    • Logging and monitoring controls subject to internal and, where required, external audits.
    • Alignment with recognised frameworks (e.g. ISAE 3402, SOC 2 Type II, ISO 27001), as applicable.
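The following Python is an added example, not Deistler code, showing one way to produce the log content described in this Annex from a raw access-log record: the client IP is reduced to a truncated network (as Section V permits) and to a keyed pseudonym, and fields not needed for security correlation are dropped. The prefix lengths, the monthly key-rotation period, the placeholder key and the sample records are assumptions. The caveat is in pseudonymise_ip: an unkeyed hash of an IPv4 address is reversible by brute force over the 2^32 address space, so a secret key held outside the log store is what makes the value a pseudonym rather than an alias of the address (the re-identification risk noted in Annex G).

```python
"""Minimise and pseudonymise client IP addresses before they enter long-lived logs.

Added example for this page; not Deistler code. Section V allows IP addresses to be
kept "full or truncated" and Annex F calls for "pseudonymised or truncated
identifiers". Prefix truncation plus a keyed, period-bound HMAC is one standard
way to meet that. Key, rotation period and sample records are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import ipaddress

# Prefix lengths kept after truncation (assumption, commonly used for log minimisation):
# an IPv4 /24 keeps the network, an IPv6 /48 keeps the site prefix.
IPV4_PREFIX = 24
IPV6_PREFIX = 48


def truncate_ip(ip: str) -> str:
    """Zero the host part so the stored value no longer singles out one device."""
    addr = ipaddress.ip_address(ip)
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymise_ip(ip: str, key: bytes, period: str) -> str:
    """Keyed pseudonym for the full address, stable within one rotation period.

    A plain SHA-256 of an IPv4 address is not pseudonymisation: the whole 2^32
    space can be hashed in minutes and every value reversed. The secret key is
    what stops that, and mixing the period into the input means identifiers
    cannot be linked across periods once the period's key is retired.
    """
    mac = hmac.new(key, f"{period}|{ip}".encode(), hashlib.sha256).hexdigest()
    return "cid_" + mac[:16]


def minimise_record(record: dict, key: bytes) -> dict:
    """Reduce a raw access-log record to the Annex F content set.

    Keeps timestamp, event type, severity, origin system and minimal context;
    replaces the raw IP with a truncated network plus a rotating pseudonym; drops
    the user agent and referrer, which are not needed for correlation here.
    """
    ts = record["ts"]
    period = ts[:7]  # "YYYY-MM": the pseudonym key rotates monthly (assumption)
    return {
        "ts": ts,
        "event": record["event"],
        "severity": record.get("severity", "info"),
        "origin": record["origin"],
        "client_net": truncate_ip(record["ip"]),
        "client_id": pseudonymise_ip(record["ip"], key, period),
        "status": record.get("status"),
    }


def minimise_all(records: list[dict], key: bytes) -> list[dict]:
    return [minimise_record(r, key) for r in records]


# Constructed sample records using documentation address ranges (not real traffic).
SAMPLE_KEY = b"placeholder-key-a-real-one-lives-in-the-kms"
SAMPLE_RECORDS = [
    {"ts": "2025-01-15T09:12:03Z", "event": "login_failure", "severity": "warning",
     "origin": "portal-auth", "ip": "203.0.113.77", "status": 401,
     "user_agent": "Mozilla/5.0", "referrer": "https://deistler.family/"},
    {"ts": "2025-01-15T09:12:09Z", "event": "login_failure", "severity": "warning",
     "origin": "portal-auth", "ip": "203.0.113.77", "status": 401,
     "user_agent": "Mozilla/5.0"},
    {"ts": "2025-02-01T00:00:00Z", "event": "login_success", "severity": "info",
     "origin": "portal-auth", "ip": "2001:db8:abcd:1234::1", "status": 200,
     "user_agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for out in minimise_all(SAMPLE_RECORDS, SAMPLE_KEY):
        print(out)
```

The two failed logins from the same address in the same month receive the same client_id, so credential-stuffing and rate-limit correlation still works on the minimised log, while the truncated client_net alone is enough for geographic and capacity statistics and carries no per-device identifier at all.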

ANNEX G – DPIA-LEVEL RISK OVERVIEW FOR TRACKING TECHNOLOGIES

This Annex provides a high-level overview of typical risks associated with Tracking Technologies and the mitigations applied.

  1. Risk: Unauthorised Profiling or Excessive Tracking
    • Mitigation: Restriction of Tracking Technologies to strictly necessary or clearly defined purposes; no cross-site behavioural advertising; Consent where legally required.
  2. Risk: Re-identification of Pseudonymised Data
    • Mitigation: Aggregation and minimisation; separation of identifiers; controlled access; limited retention.
  3. Risk: Data Breach Involving Cookie Identifiers or Logs
    • Mitigation: Encryption, access controls, logging, incident response; regular security testing.
  4. Risk: Non-compliance with Consent Requirements
    • Mitigation: CMP with granular options; documented Consent logs; periodic review of banner and CMP configurations.
  5. Risk: Unlawful International Transfers
    • Mitigation: SCCs and equivalent safeguards; transfer assessments; technical measures such as encryption and access limitation.
  6. Risk: Regulatory Sanctions
    • Mitigation: Ongoing monitoring of regulatory developments; policy updates; collaboration with advisors and internal control functions.