{"id":580,"date":"2022-05-06T12:15:48","date_gmt":"2022-05-06T12:15:48","guid":{"rendered":"https:\/\/www.cookiebot.com\/en\/?page_id=580"},"modified":"2025-09-29T11:58:58","modified_gmt":"2025-09-29T09:58:58","slug":"gdpr","status":"publish","type":"page","link":"https:\/\/www.cookiebot.com\/en\/gdpr\/","title":{"rendered":"What is GDPR?"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"900\" height=\"450\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2025\/03\/What-is-gdpr_900x450-1.svg\" alt=\"Magnifying glass analysing the CMP banners from a GDPR point of view on mobile and desktop\" class=\"wp-image-16572\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Why was the GDPR created?<\/h2>\n\n\n\n<p>To give people control over how their data is used and to protect the \u201cfundamental rights and freedoms of natural persons\u201d. The regulation sets out strict requirements on data handling procedures, transparency, documentation and user consent for organizations processing personal data in the European Union.<\/p>\n\n\n\n<p><em>Organizations must have a valid legal basis for, keep records of, and monitor personal data processing activities.<\/em><\/p>\n\n\n\n<p>As the data controller, any organization must have a legal basis for, keep records of, and monitor personal data processing activities. 
This includes personal data handled within the organization, but also personal data handled by data processors: third parties that process personal data on behalf of the data controller.<br><br>Data processors can be any entity from Software-as-a-Service (SaaS) providers to embedded third-party services that track and profile visitors on the organization\u2019s website.<\/p>\n\n\n\n<p>Both data controllers and processors must be able to account for what kind of data is being processed, the purpose of the processing, and to which countries and third parties the data is transmitted.<\/p>\n\n\n\n<p>If personal data is being sent to organizations or regions beyond the jurisdiction of the GDPR, or to countries that the European Commission has not deemed \u2018adequate\u2019 for data protection, users must be specifically informed about this and about any risks involved.<\/p>\n\n\n\n<p><em>All consents must be recorded and securely stored as evidence that consent has been given.<\/em><\/p>\n\n\n\n<p>On May 4, 2020, the <a href=\"https:\/\/edpb.europa.eu\/\" target=\"_blank\" rel=\"noreferrer noopener\">European Data Protection Board (EDPB)<\/a>&nbsp;adopted guidelines on valid consent under the GDPR.<\/p>\n\n\n\n<p>Valid consent from an individual must be a freely given, specific, informed and unambiguous indication of the user\u2019s wishes, i.e. a clear and affirmative action by the user.<\/p>\n\n\n\n<p>The <a href=\"https:\/\/edpb.europa.eu\/sites\/edpb\/files\/files\/file1\/edpb_guidelines_202005_consent_en.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">EDPB guidelines<\/a>&nbsp;make it clear that <strong>scrolling or continued browsing on a website does not constitute valid consent<\/strong>&nbsp;and that <strong>cookie banners are not allowed to have pre-ticked checkboxes<\/strong>.<\/p>\n\n\n\n<p><strong>Cookie walls (forced consent) have also been ruled noncompliant.<\/strong><\/p>\n\n\n\n<p>The EDPB is the EU body responsible for ensuring consistent application of the GDPR across the EU. 
It is composed of representatives of the data protection authorities of each EU member state. Its guidelines and decisions form the basis for enforcement of the GDPR at the national level.<\/p>\n\n\n\n<p><a href=\"https:\/\/edpb.europa.eu\/sites\/default\/files\/files\/file1\/edpb_guidelines_202005_consent_en.pdf\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Learn more about EDPB guidelines for valid consent<\/strong><\/a><\/p>\n\n\n\n<p>Individuals have a number of rights under the GDPR, including the rights to data portability, data access, and erasure (the \u201cright to be forgotten\u201d), among others. They can withdraw their consent whenever they want, and withdrawing consent must be as easy as giving it in the first place. Once a withdrawal is received, the data controller must stop the processing that was based on that consent, and must delete the individual\u2019s personal data if it is no longer necessary for the purpose for which it was collected.<\/p>\n\n\n\n<p>In case of a personal data breach, an organization must notify the competent data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay.<\/p>\n\n\n\n<p>The GDPR also obligates public authorities, organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organizations processing sensitive personal data on a large scale to designate a data protection officer (DPO). 
The DPO must take measures to ensure and maintain GDPR compliance throughout the organization.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-to-be-gdpr-compliant\">How to be GDPR-compliant?<\/h2>\n\n\n\n<p>If your website has visitors or customers from the EU and you, or embedded third-party services such as Google and Facebook, process any kind of personal data, you need a legal basis for that processing. For cookies and similar trackers that are not strictly necessary for the service the visitor requested, that basis is the visitor\u2019s prior consent.<\/p>\n\n\n\n<p>To obtain valid consent, you need to explain the extent and purpose of your data processing in plain language, before any personal data is processed.<\/p>\n\n\n\n<p>This information must be available to the visitor at all times, e.g. as part of your privacy policy. You must also make it easy for visitors to change or withdraw consent.<\/p>\n\n\n\n<p>All consents must be logged and securely stored, and all tracking of personal data, including by embedded third-party services, must be documented, including to which countries data is transmitted.<\/p>\n\n\n\n<p><a href=\"https:\/\/ec.europa.eu\/justice\/smedataprotect\/index_en.htm\" target=\"_blank\" rel=\"noreferrer noopener\">Data Protection - Better rules for small business<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"900\" height=\"450\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2025\/03\/cb_blog_900x450_How-to-be-GDPR-Compliant-1.svg\" alt=\"European Union stars inside a black shield shape surrounded by icons related to GDPR compliance\" class=\"wp-image-16574\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-how-cookiebot-cmp-helps\">How Cookiebot CMP helps<\/h3>\n\n\n\n<p>Using <a href=\"\/\">Cookiebot Consent Management Platform (CMP)<\/a>, you can automate your website\u2019s compliance with the GDPR\u2019s cookie and tracker consent requirements.<\/p>\n\n\n\n<p>Cookiebot CMP enables you to monitor and document cookies and other tracking technologies in use on your website, 
display the relevant information to your website visitors, and automatically obtain and securely log all user consents.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-personal-data\">What is personal data?<\/h2>\n\n\n\n<p>The GDPR defines personal data as \"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.\"<\/p>\n\n\n\n<p>Online identifiers such as IP addresses and cookie IDs also qualify as personal data, unless they are anonymized.<\/p>\n\n\n\n<p>Pseudonymized personal data is still subject to the GDPR, because it can be attributed to an individual by combining it with additional information.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"900\" height=\"450\" src=\"https:\/\/www.cookiebot.com\/en\/wp-content\/uploads\/sites\/7\/2025\/03\/cb_blog_900x450_what-is-personal-data-1.svg\" alt=\"Lady sitting at the desk, surrounded by icons related to\" class=\"wp-image-16573\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-gdpr-enforcement-date-may-25-2018\">GDPR enforcement date: May 25, 2018<\/h2>\n\n\n\n<p>The EU data protection reform was adopted by the European Parliament and the Council of the European Union on April 27, 2016. 
The General Data Protection Regulation has applied since May 25, 2018, replacing the 1995 Data Protection Directive.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-gdpr-fines-and-penalties\">GDPR Fines and Penalties<\/h2>\n\n\n\n<p>Organizations that do not comply with the GDPR risk heavy fines of up to \u20ac20 million, or 4% of the organization\u2019s total worldwide annual turnover of the preceding financial year, whichever is higher, for severe or repeated violations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-gdpr-checklist-6-things-you-need-to-do\">GDPR checklist: 6 things you need to do<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-1-prepare-your-organization\">1. Prepare your organization<\/h3>\n\n\n\n<p>Introduce stakeholders across your organization to the requirements of the GDPR. Conduct employee training in cybersecurity and in the Privacy by Design and Privacy by Default principles. Designate a Data Protection Officer (DPO) if required, e.g. if you are a public authority or your core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive personal data.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-2-audit-your-data\">2. Audit your data<\/h3>\n\n\n\n<p>Make sure you know where all your data lives, who has access to it and on what devices. Identify where personal data is processed, including by third-party processors. Document the grounds for lawful processing and update your current privacy policies.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-3-audit-service-partners\">3. Audit service partners<\/h3>\n\n\n\n<p>Make sure that service partners, e.g. embedded third-party services on your website or Software-as-a-Service providers, are also compliant with the GDPR and bound by a data processing agreement, and that any personal data they receive outside the EU goes to an officially recognized \u201cadequate\u201d jurisdiction or is covered by other appropriate safeguards. Review and map their international data flows.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-4-obtain-consent\">4. Obtain consent<\/h3>\n\n\n\n<p>Implement methods for requesting, obtaining and securely recording consent to achieve and maintain privacy compliance. 
Keep a clear record of what each individual data subject consented to and provide options for the data subject to revoke or change consent at any time.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-5-respond-to-data-subject-rights-requests\">5. Respond to data subject rights requests<\/h3>\n\n\n\n<p>Implement procedures that enable your organization to respond to data subject rights requests, e.g. for data access, rectification and erasure, in a timely manner. Document how these rights will be exercised in both customer and employee contexts.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-6-prepare-for-data-breaches\">6. Prepare for data breaches<\/h3>\n\n\n\n<p>Ensure that there are procedures in place not only to protect against a data breach, but also to detect, investigate and report any breach affecting personal data, so that you can meet the GDPR\u2019s 72-hour deadline for notifying the supervisory authority.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Resources<\/h2>\n\n\n\n<p><a href=\"https:\/\/ico.org.uk\/for-organisations\/data-protection-reform\/\" target=\"_blank\" rel=\"noreferrer noopener\">UK Information Commissioner\u2019s Office (ICO): The UK data protection reform<\/a><br><br><a href=\"https:\/\/iab.org\/wp-content\/IAB-uploads\/2011\/03\/fred_carter.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">Privacy by Design - The 7 Foundational Principles (PDF)<\/a><br><br><a href=\"https:\/\/ec.europa.eu\/justice\/smedataprotect\/index_en.htm\" target=\"_blank\" rel=\"noreferrer noopener\">Infographic: Better rules for small business<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Why was the GDPR created? To give people control over how their data is used and to protect the \u201cfundamental rights and freedoms of natural persons\u201d. The regulation sets out strict requirements on data handling procedures, transparency, documentation and user consent for organizations processing personal data in the European Union. 
Organizations must have a valid [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"inline_featured_image":false,"editor_notices":[],"footnotes":""},"tags":[],"class_list":["post-580","page","type-page","status-publish","hentry"],"acf":[],"thumbnail_status":false,"thumbnail_url":null,"_links":{"self":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/pages\/580","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/comments?post=580"}],"version-history":[{"count":0,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/pages\/580\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/media?parent=580"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cookiebot.com\/en\/wp-json\/wp\/v2\/tags?post=580"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}