Before the GDPR, the EU operated under the Data Protection Directive of 1995, which was enacted at a time when the digital landscape was vastly different. The advent of social media, cloud computing, and data analytics meant that this older legislation was no longer adequate.
GDPR was introduced to address these technological advancements and to provide a harmonized data protection law that could be applicable across all EU member states.
Under GDPR, personal data is any information relating to an identified or identifiable natural person. This includes names, identification numbers, location data, and even online identifiers like IP addresses.
Cookies collect and process personal data of your website’s visitors. Every time a person visits your company website, cookies are stored, read, and updated in the visitor’s browser. The data they hold typically comprises language settings, screen size, and items in the basket, but can also include the user’s IP address, choice of browser, and online behavior. Marketing cookies track users across your website and the wider internet in order to build online profiles for direct marketing.
Lawfulness, Fairness, and Transparency
Purpose Limitation
Data Minimization
Accuracy
Storage Limitation
Integrity and Confidentiality
Accountability
The GDPR applies to all organizations and public authorities, regardless of their location, that process the personal data of individuals residing in the EU. This includes not only EU-based businesses but also any business that offers goods or services to, or monitors the behavior of, EU residents.
It applies to both data controllers, who determine the purposes and means of processing personal data, and data processors, who process data on behalf of data controllers.
Under the GDPR, organizations must obtain clear and affirmative consent from individuals before processing their personal data.
This means that silence, pre-checked boxes, or inactivity do not constitute consent; instead, individuals must explicitly opt in to have their data processed. The request for consent must be presented in an intelligible and easily accessible form, with the purpose of the data processing attached to that consent.
Moreover, individuals have the right to withdraw their consent at any time, and it must be as easy to withdraw consent as it is to give it. When it comes to processing data, organizations must adhere to the principles of data minimization, accuracy, storage limitation, and integrity and confidentiality.
Data transfers to countries outside the EU are also subject to strict rules. Transfers can only be made to countries that provide an adequate level of data protection or under specific conditions like Standard Contractual Clauses or Binding Corporate Rules.
The GDPR covers the processing of personal data, which is any information relating to an identified or identifiable natural person. This includes name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
It also covers the processing of sensitive personal data, which includes data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, data concerning a person’s sex life or sexual orientation, and criminal convictions or offenses.
Under the GDPR, cookies that can identify an individual via their device are considered personal data. Therefore, the use of such cookies requires the user’s explicit consent. This means that websites must inform users about the cookies they use and their purpose, and obtain their active and explicit consent before setting any non-essential cookies.
Cookies are a widely used tool for storing data about a specific user on a website; a service can then read this data to build a profile of the individual and target ads and customized content at them.
As the data controller, you are also responsible for the data collected by third parties on your website, such as first- and third-party cookies that process visitors’ personal data (Google, Facebook, YouTube, AddThis, DoubleClick).
Suppose your company website uses Google Analytics to analyze website traffic. Google deploys a number of first-party cookies in your visitor’s web browser every time the user visits your site. These cookies collect and process personal information about the visitor, which may identify the visitor directly or indirectly. The data collected by Google Analytics is used for online profiling and direct marketing, and this requires explicit user consent.
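The consent rules above (no pre-checked boxes, non-essential cookies blocked until explicit opt-in, withdrawal as easy as giving consent, analytics tags loaded only after consent) can be enforced in the site’s own front-end code. The following is an added example, not code from the original page or from any consent management product; the cookie categories, the in-memory cookie jar, and the script-loader set are assumptions standing in for a real site’s banner storage and script tags.

```javascript
// Consent gating for non-essential cookies (added example, not from the page).
// Assumptions: three cookie categories, a Map used as the cookie jar, and a
// Set of loaded script ids in place of real <script> tags.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// No pre-checked boxes: every non-essential category starts as false.
function defaultConsent() {
  return { given: false, necessary: true, analytics: false, marketing: false };
}

// Record an explicit opt-in. Only a literal `true` counts; silence, undefined
// or a truthy string such as "yes" never becomes consent.
function recordConsent(choices) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== "necessary" && choices[cat] === true) consent[cat] = true;
  }
  consent.given = true;
  return consent;
}

// Withdrawal is a single call, as easy as giving consent.
function withdrawConsent() {
  return defaultConsent();
}

// Unknown categories are treated as non-essential and therefore blocked.
function mayUseCookie(consent, category) {
  if (category === "necessary") return true;
  return CATEGORIES.includes(category) && consent[category] === true;
}

// Refuses to set a cookie whose category has not been consented to.
function setCookie(consent, jar, name, value, category) {
  if (!mayUseCookie(consent, category)) return false;
  jar.set(name, { value, category });
  return true;
}

// jar: Map of cookie name -> { value, category }; loaded: Set of script ids.
// Deletes cookies whose consent was withdrawn and loads the analytics tag
// (e.g. Google Analytics) only while analytics consent is in place.
function applyConsent(consent, jar, loaded) {
  for (const [name, cookie] of jar) {
    if (!mayUseCookie(consent, cookie.category)) jar.delete(name);
  }
  if (mayUseCookie(consent, "analytics")) loaded.add("google-analytics");
  else loaded.delete("google-analytics");
  return { cookies: [...jar.keys()], scripts: [...loaded] };
}
```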
Under the GDPR, organizations must inform individuals about their practices of collecting, using, and disclosing personal information. This includes the use of cookies to collect personal information.
Organizations typically do this through a privacy policy that is readily available and easy to understand. The policy should explain what information the cookies collect, why the organization collects it, how the organization uses it, and who the organization shares it with.
The GDPR gives individuals the right to access their personal data, to object to the processing of their data, and to obtain correction, deletion, or restriction of their data under certain circumstances. This includes personal information collected through cookies. Organizations must provide mechanisms for individuals to exercise these rights.
Making a website GDPR-compliant involves several steps:
Our consent management platform helps you ensure compliance with global privacy laws, including GDPR. Start with a free 30-day trial and become GDPR-compliant today!