The General Data Protection Regulation (GDPR) is an EU-wide regulation that controls how companies and other organizations handle personal data. It is the most significant initiative on data protection in 20 years and has major implications for any organization in the world that serves individuals from the European Union.
To give people control over how their data is used and to protect "fundamental rights and freedoms of natural persons", the legislation sets out strict requirements on data handling procedures, transparency, documentation and user consent.
Any organization must keep a record of and monitor personal data processing activities.
As a data controller, any organization must keep a record of and monitor personal data processing activities. This includes personal data handled within the organization, but also by third parties, the so-called data processors.
Data processors can be anything from Software-as-a-Service providers to embedded third-party services that track and profile visitors on the organization's website.
Both data controllers and processors must be able to account for what kind of data is being processed, the purpose of the processing and to which countries and third parties the data is transmitted.
If personal data is being sent to organizations or jurisdictions beyond the reach of the GDPR, or to ones that the GDPR does not deem 'adequate', the user must be specifically informed about this transfer and the risks involved.
All consents must be recorded as evidence that consent has been given.
On May 4, 2020, the European Data Protection Board (EDPB) adopted guidelines on valid consent under GDPR.
Valid consent must be a freely given, specific, informed and unambiguous indication of the user’s wishes, i.e. a clear and affirmative action by the user.
The EDPB guidelines make it clear that scrolling or continued browsing on a website does not constitute valid consent and that cookie banners are not allowed to have pre-ticked checkboxes.
Cookie walls (forced consent) are also ruled non-compliant.
The EDPB is the highest supervisory authority in charge of the application of the GDPR across the EU and is composed of representatives from the data protection authorities of each EU member state. Its guidelines and decisions form the basis of enforcement of the GDPR at the national level.