Data Privacy
Cision's commitment to data privacy
Cision is committed to protecting all the personal data that is used by it, whether that be within the Cision media databases/monitoring/distributions products, sales and marketing, human resources or any other function.
As Cision is a global organisation it has to comply with rules of many jurisdictions, the central theme of which is empowering the individuals whose personal data we process, access to and control over it.
Your privacy resources
This site provides more information on privacy and how it affects customers, prospects, influencers and all subjects in our business domain. If you find you have more specific enquiries not addressed on here, please contact Privacy@cision.com.
Customer FAQs
Q1: Who are we?
Cision Group is a global media intelligence group of companies that enables its customers to understand, influence and amplify their stories.
To do this, we enable customers to identify and connect with journalists, influencers, and online authors to listen to and understand what is being said about their brands, distribute meaningful public relations, corporate, and marketing communications, and measure the impact of those communications.
In these FAQs, when we refer to "Cision", “we” and “us,” we mean the Cision group of companies. Our products and services operate under several different brands, including CisionOne, other legacy cloud-based monitoring platforms, Insights, and PR Newswire.
For Data Privacy FAQs pertaining to our Brandwatch affiliate, please click here.
Q2: Questions regarding Cision services
CisionOne
This provides monitoring of print and broadcast media, analysis and insights, and journalist outreach. Our legacy systems (C3, NGC3, CPNE and Datapresse) also provide similar functionality. These all contain the contact information of professional journalists, media or political professionals or influencers.
Cision Insights
Our comprehensive measurement across global media channels is the foundation for our analysis. Using deep industry expertise, our team surfaces critical insights through reporting and executive briefings that enable data-driven decision-making at the speed and scale of global business. Cision Insights may contain the contact information of professional journalists, influencers, and spokespeople.
PR Newswire
This allows customers to share their news stories over our news distribution network, grow their social media shares, and drive higher engagement and response from journalists, influencers, and target audiences.
Q3: Is there a Customer Data Processing Addendum?
Yes. You can find our Customer Data Processing Addendum, which covers any service you may obtain from Cision here: Customer Data Processing Addendum
Q4: Who are Cision’s sub-processors?
Please see our Sub-Processors Page for information on our sub-processors.
Q5: How will Cision inform customers of any intended changes concerning the addition to or replacement of any Sub-Processor with a new Sub-Processor?
Customers can sign up to be notified using the email submission box at the bottom of our Sub-Processors Page.
Q6: Does Cision comply with the General Data Protection Regulation (“GDPR”) and other relevant data privacy laws?
Yes.
Q7: Do the GDPR and other privacy laws apply to any of the Cision Group’s services?
Yes.
Privacy laws apply to the processing of personal data/personally identifiable information. Personal data means any information relating to an identified or identifiable natural person. As per Q2 above, Cision offers a variety of products, each of which require a different analysis under the GDPR and other privacy laws.
Several of our products require or allow customers to provide data to us for processing that Cision would not otherwise have access to. These products include CisionOne (and other legacy outreach databases) and our PRN distribution products.
Q8: Can customers upload special category or sensitive personal data to Cision?
Customer will notify Cision if they intend to upload any special categories of data as part of using Cision services. Cision may refuse to process such data or impose any restrictions as are necessary, at the Customer’s expense, to enable Cision to comply with its legal and contractual obligations.
The customer must ensure that its use of Cision services and its instructions regarding the processing of any Personal Data comply with all applicable Privacy Laws, and that Cision’s processing in accordance with the Customer’s instructions will not cause Cision to be in breach of any applicable Privacy Laws.
Cision will inform the Customer if, in Cision’s opinion, the Customer’s instructions infringe applicable Privacy Laws.
Q9: Is the Cision Group a data controller or a data processor?
Both.
The Cision Group acts as a data controller and/or a data processor, depending on the services that it provides:
Independent Data Controller
For many of its products, Cision makes decisions about where to obtain personal data, what data it collects, and how and why this data is used in connection with its services. For example the personal data we gather in our CisionOne (and other legacy outreach databases), PR Newswire and Insights services.
This decision is based on the fact that these services and any related processing are not made by any particular customer and could not therefore be said to be only “on the instructions” of any such customer. We decide the purpose and means of processing these personal data sets.
Therefore, for the above products, Cision considers itself an Independent Data Controller under the GDPR.
Our customers then decide how to use this personal data independently, making them also Independent Data Controllers.
Data Processor
When customers upload their own personal data to Cision, Cision is only processing this personal data on the customer’s behalf.
The customer is using Cision’s technology to store, create, access, or analyze their own data. For example, customers can create their own private environment within CisionOne (and other legacy outreach databases) or decide recipients in our PR Newswire service.
As the customer is deciding alone the purpose and means of processing, Cision is a Data Processor.
Q10: What is the legal basis on which the Cision Group processes personal data for journalists, influencers and online content authors?
The primary legal basis on which Cision relies for processing personal data of journalists, influencers, or online content authors is the legitimate interests of the data controller (Cision). Cision has the right to provide a commercial service which assists the efficient flow of information within societies.
In providing such services, Cision does not negatively impact the interests or fundamental rights and freedoms of the data subject, and the data is manifestly made public by the data subjects themselves.
Q11: Where does Cision store or export the personal data that it processes?
Cision sources much of its personal data from public sources which are hosted in the USA.
The different components of the Cision product suite are hosted in the USA, EU, and the UK.
- CisionOne’s data is hosted in the UK and EU on Google Cloud Platform.
- Google’s compliance and security standards can be viewed here.
- C3 and NGC3 are hosted in the USA.
- Insights is hosted in the EU.
- CPNE is hosted in the EU.
Cision’s support teams, some of whom are based in the USA, can access these systems for the purposes of supporting service provision.
Therefore, if you decide to upload your own personal data to Cision it will be exported to and/or accessed from the USA.
For more information on how Cision has assessed the transfer of data to the USA, please see our International Data Transfer page.
Q12: Are Cision’s systems that process personal data secure?
Yes. The Cision Group has technical and organizational measures in place to protect against the unauthorized or unlawful processing of data and against accidental loss, destruction or damage of that data. Further information about the Cision Group’s information security standards can be found at https://www.cision.com/legal/security-statement/
Q13: How does Cision ensure its services comply with the GDPR and other Data Privacy laws?
The Cision Group has a data protection officer (DPO) responsible for data privacy compliance. The ongoing monitoring of changes in the many global privacy laws that apply to the Cision Group is undertaken by the DPO and it also has distributed privacy compliance throughout the company, appointing privacy champions on its engineering, product, and people teams.
These individuals are tasked with raising privacy awareness and incorporating data protection by design and by default when developing services for the Cision Group.
Q14: What are SCCs?
Standard Contractual Clauses (SCCs) are terms and conditions that organisations sending EU personal data from within the EU must have in place with organisations outside the EU that they are sending the personal data to. These are published by the European Commission and are therefore the same for all organisations.
Cision has these SCCs in place with its customers and vendors.
For more information on our assessment of the risks of international personal data transfers please see our International Data Transfer page.
Q15: Does the Cision Group also comply with the California Consumer Protection Act (CCPA) & California Consumer Rights Act (CPRA)?
Yes, the Cision Group is compliant with the CCPA and CPRA.
For ease of review, this FAQ has maintained the terminology for GDPR. However, for clarity, whenever you see a reference in these FAQs to “Data Controller”, that is equivalent to “Business” under CCPA; and whenever you see a reference to “Data Processor”, that is equivalent to “Service Provider” under CCPA.
For more information please see our California Privacy Notice page page.
Q16: Does the Cision Group also comply with other Data Privacy laws?
Yes, we comply with (among others) the China PIPL and Brazil LGPD.
You can find more information on Cision’s overall data privacy stance throughout this website but please do contact us at Privacy@cision.com should you have any questions.
Last updated on 24th April 2024