General Data Protection Regulation (GDPR)

At the end of 2015, after several years of ongoing negotiations, the European Commission, the European Parliament and the European Council reached a compromise on the wording of a new regulation intended to reform the existing EU data protection legislation. The EU General Data Protection Regulation, which came into force in May 2016, is now binding on all Member States.

What are the implications of the adoption of the General Data Protection Regulation for the online sector?

For the online advertising sector, for example, this Regulation will result in the following changes, some of which may have a significant impact on the design of products and services:

  • Extension of the concept of "personal data" to encompass online identifiers, such as cookie IDs, advertising IDs, IP addresses or even location data: Thus, all modern forms of online and tracking technology, such as cookie synchronization, cross-device targeting, online behavioral advertising (OBA) and many other targeting technologies, will essentially be subject to data protection legislation in the future.
  • Changes in the evaluation of pseudonymized data from a data protection perspective
  • New regulation of the possible forms of declarations of user consent
  • Introduction of the concept of "legitimate interests" of companies and/or "reasonable expectations" of users being capable, under certain conditions, of also justifying the use of personal data without the users' consent
  • New requirements as a result of the right of objection (opt-out)
  • Obligation to make data breaches public within a short period of time following their occurrence
  • Technology providers and systems operators will be required to carry out standardized data privacy impact assessments
  • The appointment of data protection officers will also be obligatory, for example in other European countries in which personal data is regularly and systematically collected
  • Amendment of privacy notices

    Sebastian Doerfel

    Co-Founder & COO, adsquare GmbH

    We partner with ePrivacy to increase customer trust and secure our business models.

Side note: ePrivacy Regulation

The ePrivacy Regulation is intended to replace the outdated ePrivacy Directive 2002/58/EC, to accompany the General Data Protection Regulation (GDPR), and to regulate the requirements for consent to the use of cookies and opt-out options. However, associations and players in the online advertising industry have sharply criticised the European Commission's January 2017 draft, as it has serious consequences for the Internet industry and the information society: website operators would have to invest a considerable amount of working time and money to adapt their websites. In particular, in the case of website monitoring, companies would have to consider very carefully which data collection requires user consent. Intensive negotiations and a lot of lobbying work are still to be expected before the standard comes into force.

Side note: The Privacy Shield

The transfer of data from a member state of the European Union to the USA is regulated by the "Privacy Shield" or "Safe Harbor II" agreement. European laws provide that whenever personal data is transferred to a country outside the EU, the data protection level of the recipient country must be equivalent to that of the EU. The agreement is not an international treaty, but merely a series of letters.

Since 1 August 2016, US companies wishing to transfer data between the two economic areas have been able to obtain certification that they are complying with the requirements of the "Privacy Shield". The Privacy Shield replaces the previous Safe Harbor Agreement.

Provision of assistance by ePrivacy

ePrivacy will assist you in developing your products and technologies from the outset in compliance with currently applicable data protection legislation.

Examples of the advisory services we provide:

  • Current-state analyses and evaluations, including an assessment of the further course of action needed to ensure compliance with data protection legislation
  • ePrivacyaudit: Online help for the implementation of the GDPR
  • Advice on the creation of technical business process models in compliance with data protection regulations
  • Carrying out of data privacy impact assessments (DPIAs)
  • ePrivacyseal: certification of GDPR compliance of your products
  • Appointment of a data protection officer or national representative


Do you have any questions or recommendations for us?

We are delighted to receive your feedback.