GDPR / General Data Protection Regulation

GDPR stands for General Data Protection Regulation. It regulates how vendors (companies) can access, process and share personal data of users. One of the main topics here is, that the use of personal data needs conset. With other words: You need to ask the user before processing its data.

Important: Please note that we can not give legal advise; legal aspects of these FAQ may change over time and new restrictions can come into place. Therefore you should always contact your lawyer for any legal advise!

What is it?

GDPR stands for General Data Protection Regulation. It is a regulation of the European Union that regulates how to handle personal data by private companies. The regulation has already come into force on 24.05.2016 and is mandatory from 25.05.2018.

What is the ePrivacy directive?

Also to be mentioned in connection with GDPR is the so-called ePrivacy Directive. In the future, it will regulate the handling of personal data, in particular in electronic communications (internet, e-mail, ...). The guideline is not yet final and therefore can still be changed; it is expected that the previous draft will not be largely come into force on 25.05.2018. Anyhow, the current draft directive for example restricts the use of tracking cookies - if the vendor does not have consent.

How GDPR effects everybody

From 25. of May 2018 GDPR is "active" in the EEA (European Economic Area), meaning every company that is based in this area or deals with customers from this area needs to comply with these rules. This means, even companys from outside of the EEA need to comply with GDPR if dealing with customers from this area.

What is personal data?

Personal data is any information that has a direct or indirect reference to a person and that enables identification of the person concerned. Examples of direct personal data include the name, address, telephone number, e-mail address, bank details, order number or IP address. All other data, such as age, gender, or hair colour, are always personal when combined with the aforementioned data.

How should personal data be handled in the future?

Personal data require a separate protection. In particular, in future, the user explicitly need to give his consent before the data of the user may be processed, stored or shared, unless a contract or legitimate interests make it necessary.

What does GDPR mean for my online marketing?

For online advertising, GDPR has the following meaning in particular:

  1. The setting of cookies is no longer possible without consent. The tracking of actions based on cookies is therefore no longer possible for users who have not given their consent.
  2. The storage of personal data is no longer possible without consent. In the context of online marketing, this particularly concerns the IP address of the visitor.
  3. The transfer of personal data is no longer possible without consent. For example, in the context of OpenRTB or in the form of placeholders, data such as the visitor's IP address may no longer be passed on.
What does this all mean for me?

If you are a publisher/website owner, advertiser, network or any other kind of data processor you need to make sure that you gather consent before using/processing/storing any personal data. In order to obtain consent, you should use a CMP like ours.

History of GDPR
European Parliament releases first proposal
The European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) had its orientation vote.
European Parliament, Council and Commission finish negotiations
The European Parliament's LIBE Committee voted for the negotiations between the three parties
Council of the EU adopts the proposal.
European Parliament adopts the proposal
Regulation enters into force.
Its provisions will be directly applicable in all member states.
ePrivacy Regulation expected to become applicable