GDPR - Processing of personal data
The GDPR is the centerpiece of EU privacy law. It applies to the processing of all personal data, i.e. any information that relates to an identified or identifiable natural person.
The ePrivacy Directive only governs the storing of information on, or the gaining of access to, the end user's device. Once cookies or other web trackers have been deployed, all subsequent processing that does not involve a renewed access to the device, e.g. forwarding usage data for reach measurement or targeted advertising, is no longer covered by the ePrivacy Directive and is to be assessed solely against the standard of the GDPR.
Here are points to consider in relation to compliance of processing of personal data:
Controller & Processor
If you operate a website, under the GDPR you are considered a controller regarding the processing operations you have influence on, namely the collection and transmission of personal data through your website. Therefore, you must inform your visitors in detail about the scope, the purposes and the legal basis of your data processing before or at the time the data is collected.
If you let another (natural or legal) person process the personal data from your website on your behalf, this person is considered a processor under the GDPR. In such cases, you must conclude a data processing agreement with each processor which binds it to the GDPR level of data protection and obliges it to implement sufficient technical and organizational measures; without such an agreement, the transfer of data to the processor is itself unlawful.
Joint Controllership
According to the current case-law and supervisory practice (the ECJ decision in Fashion ID, EDPB guidelines 08/2020 on the targeting of social media users, the DSK decision on Google Analytics), website operators are considered joint controllers with the providers of third-party tools, e.g. Google, at least for the collection and transmission of the data that the embedded tool triggers.
Joint controllership makes you potentially liable for the non-compliance of your tracking provider. You are also required to conclude an arrangement with your fellow joint controller that allocates the respective responsibilities, and to inform your users about the essence of that arrangement - something that many third-party providers do not currently offer. This results in significant liability risks.
Legal basis of data processing activities
The GDPR gives you more flexibility regarding the justification of your data processing than the ePrivacy Directive, as several legal bases are available. Commonly, data processing on websites is based either on user consent, on the performance of a contract or on a legitimate interest.
User consent
If the user grants you permission, you can process their data. However, there are strict conditions for the validity of a user's consent:
It must be informed - you must inform the user about the scope (e.g. data types) and purposes of the data processing (e.g. audience measurement) in clear and plain language before consent is given.
It must be granular - if you want to conduct data processing activities for multiple purposes, you must obtain the user's consent for each and every purpose; a single "accept all" for unrelated purposes does not suffice.
It must be voluntary and unambiguous - you must give the user a genuine choice to reject consent without detriment, consent must be given by a clear affirmative action (pre-ticked boxes or mere continued use of the site are not enough), and the user must be able to withdraw it at any time as easily as it was given (a withdrawal option via email is only sufficient if consent was obtained in a comparably simple way).
Performance of contract
Data processing can be based on the performance of a contract if it is necessary to conclude a contract or to provide a service under a contract with the data subject. For example, if you operate an online shop, you need to process the user's contact and delivery details in order to execute the user's order. This basis does not extend to processing that is merely useful to you, such as analytics or advertising.
Legitimate interest
To rely on legitimate interest as the legal basis for your data processing, you need to conduct and document a detailed balancing of interests (Legitimate Interest Assessment). The assessment is done in three stages:
identify the legitimate interest pursued by you as the data controller or by a third party;
assess whether the processing of personal data is actually necessary for the purposes of that legitimate interest, i.e. whether the same purpose could be achieved with less data or less intrusive means;
make sure that the interests or fundamental rights and freedoms of the persons concerned by the data processing do not override the claimed legitimate interest, taking into account what the users would reasonably expect when visiting your website.