EU General Data Protection Regulation (GDPR)

What to look for when it comes to personal data in 2018

New year, new regulations! We all knew it was coming. 2018 will be all about data privacy and data security and the infamous General Data Protection Regulation (GDPR). The GDPR will apply to all companies and organizations processing and holding personal data or monitoring the behavior of individuals residing in the European Union – whether located within or outside of the EU. We want to give you some useful information and a quick overview of the key changes:


In short

What? General Data Protection Regulation (GDPR)
By whom? European Commission, European Parliament and European Council
Who’s affected? All companies and organizations processing and holding personal data of subjects residing in the European Union – whether located within or outside of the EU
When? May 25th 2018
How? New elements and changes over the current Data Protection Acts and detailed considerations of all the companies that are processing personal data of European individuals (even if they have only one European customer).

In detail

The GDPR was created by the European Commission, the European Parliament and the European Council with the aim of protecting all EU citizens’ data. It will change the way European and global companies deal with topics like data protection, privacy policies and online and mobile marketing.
An offense against the EU GDPR will lead to fines of up to 20.000.000 € or 4% of the total annual global turnover.


The definition of “personal data”

The GDPR characterises “personal data” as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.” (1) Identifiable personal data would be:

  • Name
  • Address
  • Contact data (e-mail and telephone)
  • Identification number
  • One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

That means that all forms of online and offline tracking technologies will be subject to data protection regulations as of May 2018. Offline marketers, app vendors and location-based service providers are also subject to them when they use cross-device targeting, online-to-offline behavioral advertising or many other targeting strategies.

Changes for the online and mobile industry

But let’s get to the changes that will affect the online and mobile industry the most in 2018:

  • Extension of the definition of “personal data”: For online or mobile activities the following identifiers will be added:
    • online identifier (cookie IDs, advertising IDs, IP addresses)
    • location data
  • New possible forms of obtaining the users’ consent
  • Changes in the evaluation of pseudonymized data
  • New concept that enables companies to use personal data without the users’ consent under certain conditions AND if “legitimate interests” of companies and/or “reasonable expectations” of users are given.
  • Stronger rights on the part of the users, especially for the right of withdrawal (Opt-Out)
  • Companies are bound to communicate data breaches shortly after their occurrence
  • Technology providers and system operators are required to conduct standardized data privacy impact assessments
  • A company has to nominate a data protection officer in other European countries when personal data is regularly and systematically collected
  • New information obligation within the Privacy Policy

Information about you as a provider

Additionally, the provider has to state the following information:

  • Name, first name, complete address
  • Contact information (phone, e-mail, fax)
  • Industry register and trade number
  • Company name and form of organization
  • VAT No.

The General Terms & Conditions and the Privacy Policy have to be available on the website, as well as the Cancellation Right, shipping costs, costs for return and additional costs if you are selling a product or service.


But as always, remember to take note of further data protection regulations for your individual industry!


Square Metrics & Data Protection

As we announced in a previous blog post, we were awarded the ePrivacyseal EU by ePrivacy GmbH. The seal covers some special data protection laws and the most important EU Data Protection regulations. And it already covers the new EU General Data Protection Regulation (GDPR) as well.