In earlier articles I made various notes on personal data protection and how such data is used.
In the article titled Re-targeting and Personalization, I discussed the target audience, the management of the re-targeting feature, the available data scopes, and user consent. The natural continuation of that article would have been the topic of Consent. However, it is more appropriate to first discuss the General Data Protection Regulation (GDPR), which is a crucial part of this process.
General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a binding and enforceable regulation established within the European Union (EU) to protect the personal data of EU citizens [1]. Since May 25, 2018 [2], the GDPR has been applicable across all member states of the European Union. Individuals residing in EU member states, individuals who are not EU citizens but reside in these countries, and organizations and institutions that have commercial relationships with EU member states all fall within the scope of the GDPR. Therefore, personal data must be acquired with the individual's explicit consent in accordance with the rules specified in the regulation, and such personal data must be processed and stored in accordance with the same rules. The GDPR also applies to historical data: even if the data was collected before May 25, 2018, it must still be handled in accordance with the rules established in the regulation [3].
By regulation, if you are marketing to, or processing the personal data of, individuals residing in the European Union, including end-users, customers, and employees, you must comply with the GDPR and obtain consent from those individuals in order to continue your activities. Personal data obtained must be stored in accordance with the provisions set out in the Regulation. Individuals have the right to withdraw their consent at any time regarding the processing of personal data that identifies them. Organizations and entities that fail to comply with the GDPR may face serious penalties and legal consequences if data-related issues arise [3].
Definition of Personal Data
Under the Regulation, the following are considered personal data (data relating to an identifiable natural person, the data subject):
- Identity information: name, identification number
- Bank account details
- Address (residential, business, etc.), location (geolocation)
- IP address, cookie data, and other internet-related data
- Physical appearance descriptors and biometric data
- Ethnic or national origin information
- Political opinions, ideologies
- Medical data (health status, medications used, etc.)
Taking these elements into account, tracking tools, social media and forum websites that maintain user profiles, e-commerce websites that store address and identity information, content websites (such as WordPress) that offer comment or feedback features (e.g., Disqus, Gravatar), and websites or apps that use various tags for retargeting, as well as email marketing services, fall within the scope of the GDPR.
GDPR requires that, whenever personal data is processed and/or used, the purpose of data collection and processing, the legal basis for such processing, the duration for which the data is retained, and whether the data is shared with any third party or outside the European Economic Area (EEA) must be clearly specified. Data subjects have the right to request, at any time, a copy of their personal data and/or to have it erased. If an organization is confronted with a breach that negatively affects the confidentiality of personal data (for example, unauthorized access or data theft), it must notify the affected individuals within 72 hours [1] [2] [3].
- All businesses processing the personal data of citizens of countries belonging to the European Union are subject to GDPR, regardless of their location.
- Organizations or entities that fail to comply with the GDPR may be subject to fines of up to 20 million euros or up to 4% of the annual global revenue of the organization or entity (whichever is higher).
- When personal data is collected, the purpose for which the data is stored and processed must be clearly defined, and the right to withdraw consent must be easily accessible.
- Breach notifications are mandatory.
- It must be clearly specified which personal data is collected, for what purpose the collected data is used, and for how long it is retained.
Processing of Data
Personal data must be processed under at least one valid legal basis; otherwise, such data cannot be processed. According to Article 6 of the Regulation, the valid legal grounds for processing are as follows [1]:
a. If the relevant person has given consent for the processing of personal data;
b. If the obligations arising from the contract concluded with the relevant person are being fulfilled;
c. For the purpose of complying with legal obligations of the data processor;
d. If the vital interests of the relevant person or of another individual are at stake;
e. If the processing is carried out in the public interest or for the fulfillment of a task carried out by public authority;
f. For the purposes of the legitimate interests pursued by a data controller or a third party, provided that those interests are not overridden by the fundamental rights set out in the European Union's Charter of Fundamental Rights.
Under the GDPR framework, your visitors / users / customers have eight specific rights [4]. If you receive any request relating to these rights, you must respond within 30 days.
Information: Individuals have the right to know which personal data is being collected and for what purpose it is used. Therefore, clear information must be provided about why personal data is collected, how and for how long it is stored, and who else may access it.
Access: Individuals have the right, upon request, to access the personal data held by the data controller, the entity that holds the data.
Correction: Individuals have the right to request the correction or updating of inaccurate or incomplete personal data. On receiving such a request, the data controller must verify the accuracy of the data and take the necessary steps to update it where required.
Erasure (Right to Be Forgotten): Individuals have the right to request the complete deletion of their personal data and to prevent any further collection of data relating to them. In response to such a request, the data controller shall treat any prior consent given for processing the individual's data as withdrawn.
Restriction: Under certain conditions, individuals may restrict the processing and use of their personal data. In such cases the personal data may still be stored, but may not be used for any purpose.
Portability: Individuals have the right to request their personal data in a machine-readable and/or human-readable format. They may use the data in any manner they see fit and/or transfer it to another data controller.
Objection: Individuals have the right to object to the processing of personal data relating to their particular situation, and to object to the processing of their personal data for a specific purpose. Data controllers must be fully aware of how personal data will be processed.
No Automated Decision-Making: Where a decision produces an adverse legal effect or a similarly significant situation, individuals have the right to withdraw their consent at any time and thereby opt out of automated decision-making processes.
Actions to Take
I will publish additional articles on monitoring user activities and using personal data. In those articles, I will keep coming back to the following steps:
- Inform your visitors about who you are (your identity), what data you collect, the purpose for which it is collected, where and how it is stored, and with whom it is shared.
- Obtain explicit and clear consent from your visitors whenever any data is collected.
- Allow your visitors to access the data you collect and download it.
- Allow your visitors to request the deletion of their data; where a legal obligation applies (for example, for invoice data), you may refuse to delete the data.
- Notify your visitors of any data breach within 72 hours of its occurrence.
This concludes my general summary of notes on GDPR. For a more detailed analysis, please refer to The general data protection regulation, published by the European Council / Council of the European Union [2] [5]. Additionally, I recommend reading the article titled GDPR: How Do We Manage the GDPR Process? published by Netsparker.
Footnotes
1. General Data Protection Regulation
2. The general data protection regulation. European Council / Council of the European Union
3. A Detailed Insight Into GDPR (General Data Protection Regulation)
4. What is GDPR? Rights, Responsibilities, and What Needs to Be Done
5. Data protection reform. European Council / Council of the European Union