General Data Protection Regulation (GDPR)

At the end of 2015, after several years of ongoing negotiations, the European Commission, the European Parliament and the European Council reached a compromise on the wording of a new regulation intended to reform the existing EU data protection legislation. The EU General Data Protection Regulation, which came into force in May 2016, is now binding on all Member States.

What are the implications of the adoption of the General Data Protection Regulation for the online sector?

This Regulation will, by way of example, result in the following changes for the online advertising sector; these changes may to some extent have a significant impact on the design of products and services:

  • Extension of the concept of "personal data" to encompass online identifiers, such as cookie IDs, advertising IDs, IP addresses or even location data: Thus, all modern forms of online and tracking technology, such as cookie synchronization, cross-device targeting, online behavioral advertising (OBA) and many other targeting technologies, will essentially be subject to data protection legislation in the future.
  • Changes in the evaluation of pseudonymized data from a data protection perspective
  • New regulation of the possible forms of declarations of user consent
  • Introduction of the concept of "legitimate interests" of companies and/or "reasonable expectations" of users being capable, under certain conditions, of also justifying the use of personal data without the users' consent
  • New requirements as a result of the right of objection (opt-out)
  • Obligation to make data breaches public within a short period of time following their occurrence
  • Technology providers and systems operators will be required to carry out standardized data privacy impact assessments
  • The appointment of data protection officers in other European countries in which personal data is regularly and systematically collected, for example, will also be obligatory
  • Amendment of privacy notices

    Christoph Landes

    General Counsel und Sicherheitsbeauftragter, Medi GmbH & Co. KG

    Seit mehreren Jahren unterstützt uns ePrivacy bei Auf- und Ausbau unserer Datenschutz- und Informationssicherheitsstrukturen. Getragen von optimaler Verfügbarkeit und exzellenterFachkompetenz führt uns ePrivacy‘s Betreuung zu ausgezeichneten Lösungsansätzen. Dass die Kommunikation freundschaftlich, unprätentiös und zielgerichtet abläuft ist selbstverständlich. So kann selbst Datenschutz Spaß machen. Vielen Dank!

Side note: ePrivacy Regulation

The ePrivacy Regulation is intended to replace the outdated ePrivacy Directive 2002/58/EC and to accompany the General Data Protection Regulation (GDPR) and to regulate the requirements for consent to the use of cookies and opt-out options. However, associations and players in the online advertising industry have sharply criticised the European Commission's January 2017 draft as it has serious consequences for the Internet industry and the information society: website operators would have to invest a considerable amount of work time and money to adapt their websites. In particular, in the case of website monitoring, companies would have to consider very carefully which data collection requires user consent. Intensive negotiations and a lot of lobbying work are still to be expected until the standard comes into force. 

Side note: "Third-country transfer - Secure data transfer to third countries"

We assist you in transferring your data from a member state of the European Union to third countries in a legally secure manner and thus maintain your compliance.

Provision of assistance by ePrivacy

ePrivacy will assist you in developing your products and technologies from the outset in compliance with currently applicable data protection legislation.

Examples of the advisory services we provide:

  • Actual status analyses and evaluations  incl. assessment of further necessary course of action for ensuring compliance with the data protection legislation
  • ePrivacyaudit: Online help for the implementation of the GDPR
  • Advice on the creation of technical business process models in compliance with data protection regulations
  • Carrying out of data privacy impact assessments (DPIAs)
  • ePrivacyseal: certification of GDPR compliance of your products
  • Appointment of a data protection officer respectively national representative


Do you have questions or recommendations for us?

We are glad to receive your comments.