GDPR introduces the distinction between "Controllers" and "Processors". A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller. GDPR places specific legal obligations on processors. For example, processors are required to maintain records of personal data and processing activities, and they have legal liability it they are responsible for a data breach (see ICO GDPR guide
Clickio acts as a processor for our publishers. We undertake to process the personal data from the publisher's website only on behalf of the publisher and only in accordance with the instructions of the publisher. This means serving advertising impressions using advertising exchanges and vendors explicitly approved by the Publisher.