
GDPR - Processing of personal data

The GDPR is the centerpiece of EU privacy law. It applies to the processing of all personal data, i.e. any data that can be attributed to an identified or identifiable natural person.
The ePrivacy Directive only governs the storage of, or access to, information on the end user's device. Once cookies or other web trackers have been deployed, there is no renewed access to the device, so all of your subsequent processing, e.g. forwarding usage data for reach measurement or targeted advertising, is no longer covered by the ePrivacy Directive and must be measured solely against the standard of the GDPR.

Here are the points to consider for compliant processing of personal data:

  • Controller & Processor 

If you operate a website, under the GDPR you are considered a controller for the processing operations you have influence on, namely the collection and transmission of personal data through your website. Therefore, you must inform your visitors in detail about the scope, purpose and legal basis of your data processing.

If you let another (natural or legal) person process the personal data on your website on your behalf, this person is considered a processor under the GDPR. In such cases, you must conclude a data processing agreement with each processor that guarantees the GDPR level of data protection through sufficient technical and organisational measures.

  • Joint Controllership

According to current case-law and regulatory guidance (the ECJ's Fashion ID decision, EDPB Guidelines 08/2020 on the targeting of social media users, the DSK decision on Google Analytics), website operators are considered joint controllers with the providers of third-party tools, e.g. Google.

Joint controllership makes you potentially liable for the non-compliance of your tracking provider. You are also required to conclude an arrangement with your fellow joint controller and to inform your users about the essence of that arrangement, something that many third-party providers do not currently offer. This results in significant liability risks.

  • Legal basis of data processing activities

The GDPR gives you more flexibility regarding the justification of your data processing than the ePrivacy Directive as there are multiple legal bases available. Commonly, data processing is based either on user consent, performance of contract or a legitimate interest. 

User consent

If the user grants you permission, you can process their data. However, there are strict conditions for the validity of a user's consent:

  • It must be informed - you must inform the user about the scope (e.g. data types) and purposes of the data processing (e.g. audience measurement) in clear language.

  • It must be granular - if you want to process data for multiple purposes, you must obtain the user's consent for each and every purpose.

  • It must be freely given - you must give the user a genuine choice to reject consent, and an option to withdraw it (e.g. via email) after granting it; withdrawing consent must be as easy as giving it.

Performance of contract

Data processing can be based on the performance of a contract if it is necessary to conclude a contract, or to provide a service under a contract, with the data subject. For example, if you run an online shop, you need to process the user's contact details in order to execute the user's order.

Legitimate interest

To rely on legitimate interest as the legal basis for your data processing, you need to conduct a detailed balancing of interests (Legitimate Interest Assessment). The assessment is done in three stages:

  1. identify a legitimate interest pursued by the data controller or by a third party;

  2. assess whether processing the personal data is necessary for the purposes of the legitimate interest pursued;

  3. make sure that the interests or fundamental rights and freedoms of the data subject do not override the claimed legitimate interest.
