General Data Protection Regulation (GDPR)

At the end of 2015, after several years of ongoing negotiations, the European Commission, the European Parliament and the European Council reached a compromise on the wording of a new regulation intended to reform the existing EU data protection legislation. It is now clear that the EU General Data Protection Regulation, which came into force in May 2016, will automatically become binding on all Member States as of May 2018.

What are the implications of the adoption of the General Data Protection Regulation for the online sector?

This Regulation will, by way of example, result in the following changes for the online advertising sector; these changes may to some extent have a significant impact on the design of products and services:

  • Extension of the concept of "personal data" to encompass online identifiers, such as cookie IDs, advertising IDs, IP addresses or even location data: Thus, all modern forms of online and tracking technology, such as cookie synchronization, cross-device targeting, online behavioral advertising (OBA) and many other targeting technologies, will essentially be subject to data protection legislation in the future.
  • Changes in the evaluation of pseudonymized data from a data protection perspective
  • New regulation of the possible forms of declarations of user consent
  • Introduction of the concept of "legitimate interests" of companies and/or "reasonable expectations" of users being capable, under certain conditions, of also justifying the use of personal data without the users' consent
  • New requirements as a result of the right of objection (opt-out)
  • Obligation to make data breaches public within a short period of time following their occurrence
  • Technology providers and systems operators will be required to carry out standardized data privacy impact assessments
  • The appointment of data protection officers will also be obligatory, for example in other European countries in which personal data is regularly and systematically collected
  • Amendment of privacy notices

    Sebastian Doerfel

    Co-Founder & COO, adsquare GmbH

    We partner with ePrivacy to increase customer trust and secure our business models.

Tips, useful overviews and webinar recordings

ePrivacy has been working intensively for one and a half years on the interpretation of the GDPR and on strategies for how digital companies can implement the regulation quickly and easily. Here you will find the most important documents for free download:

Side note: ePrivacy Regulation

The ePrivacy Regulation is intended to replace the outdated ePrivacy Directive 2002/58/EC, to accompany the General Data Protection Regulation (GDPR), and to regulate the requirements for consent to the use of cookies and for opt-out options. However, associations and players in the online advertising industry have sharply criticised the European Commission's January 2017 draft because it has serious consequences for the Internet industry and the information society: website operators would have to invest a considerable amount of working time and money to adapt their websites. In particular, in the case of website monitoring, companies would have to consider very carefully which data collection requires user consent. Intensive negotiations and a lot of lobbying work are still to be expected before the regulation comes into force.

Side note: The Privacy Shield

The transfer of data from a member state of the European Union to the USA is regulated by the "Privacy Shield" or "Safe Harbor II" agreement. European laws require that whenever personal data is transferred to a country outside the EU, the data protection level of the recipient country be equivalent to that of the EU. The agreement is not an international treaty, but merely a series of letters.

Since 1 August 2016, US companies wishing to transfer data between the two economic areas have been able to obtain certification that they are complying with the requirements of the "Privacy Shield". The Privacy Shield replaces the previous Safe Harbor Agreement.

All players in the online advertising sector should have clarified the following important issues with regard to their own business models by no later than the end of 2017:

  • Have the legal framework conditions applicable to our products and services changed to such an extent that our stored data is in future to be classified as personal data?
  • What form of declaration of user consent will be necessary for our business model in the future?
  • Do the possibilities for opting-out available to our users satisfy the new requirements?
  • What issues must be considered in the case of the dissemination of data to third parties?
  • Have we implemented and documented processes to guarantee the rights of those affected?
  • What adjustments need to be made to our privacy notice?
  • Will we be required to appoint a data protection officer in the future?

Provision of assistance by ePrivacy

ePrivacy will assist you in developing your products and technologies from the outset in compliance with currently applicable and future data protection legislation.

Examples of the advisory services we provide:

  • Actual status analyses and evaluations on the attainment of "GDPR ready" status, incl. assessment of any further necessary course of action for ensuring compliance with the new data protection legislation
  • GDPR online audit: Online help for the implementation of the GDPR
  • Advice on the creation of technical business process models in compliance with data protection regulations
  • Carrying out of data privacy impact assessments (DPIAs)
  • ePrivacyseal "GDPR ready": certification of GDPR compliance of your products

Should you require any assistance in analyzing the future requirements of the GDPR and its ramifications for your company or your company’s business model, please feel free to contact us!

Do you have questions or recommendations for us?

We are glad to receive your comments.