
Complete guide to GDPR compliance - lainon
https://gdpr.eu/
======
lwyr
Warning: The privacy notice template on this site ([https://gdpr.eu/privacy-
notice/](https://gdpr.eu/privacy-notice/)) omits basic mandatory elements
(e.g. retention periods, right to lodge a complaint). The template's section
on cookies is insufficient and misleading. Cookies are regulated by a
different law (the ePrivacy Directive) and their explanation does not go into
these rules at all.

As frereubu notes elsewhere in this thread, the UK regulator's GDPR guide is
excellent, and is a much better starting point in my opinion:
[https://ico.org.uk/for-organisations/guide-to-data-protectio...](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/)

~~~
dpwm
For those like me that hadn't linked Proton Technologies AG and ProtonMail,
it's worth noting that this guide may actually have a service to sell you
(ProtonMail).

The ICO guide linked by the parent doesn't.

------
_rpd
> GDPR.EU is a website operated by Proton Technologies AG, which is co-funded
> by Project REP-791727-1 of the Horizon 2020 Framework Programme of the
> European Union. This is not an official EU Commission or Government
> resource. The europa.eu webpage concerning GDPR can be found here. Nothing
> found in this portal constitutes legal advice.

~~~
dpwm
I'm not sure why you're pointing this out – it could be because it's
interesting or it could be as a warning. If as a warning, nothing here seems
particularly unreasonable.

> GDPR.EU is a website operated by Proton Technologies AG, which is co-funded
> by Project REP-791727-1 of the Horizon 2020 Framework Programme of the
> European Union.

This is probably a requirement of the funding.

> This is not an official EU Commission or Government resource. The europa.eu
> webpage concerning GDPR can be found here.

This seems reasonable. Funded by does not mean endorsed by. Here's the
official page.

> Nothing found in this portal constitutes legal advice.

Realistically it can't be legal advice, even though it's dealing with an area
that could get you into legal trouble. It's referring to a directive which has
been implemented by member states. Each member state has its own enforcing
body, and some will take a more firm approach than others.

As for legal advice, in at least some jurisdictions even paid advice is
treated as just that – advice – and if you get bad advice, there is little to
no realistic prospect of redress.

This appears at first glance to be one of the better resources on the GDPR I
have seen.

~~~
_rpd
It's a warning. The site is authored by a private entity whose only
qualification may be that they registered the gdpr.eu domain most quickly. It
claims to be a "complete guide to GDPR compliance" but is nothing of the sort.
Most pages end with the disclaimer that "nothing found in this portal
constitutes legal advice" and to consult a lawyer.

Legally, it's quite dangerous since it might give you the feeling of being
compliant while still being at risk. "But Proton Technologies AG said ..."
isn't going to hold up in court.

~~~
dpwm
> Legally, it's quite dangerous since it might give you the feeling of being
> compliant while still being at risk.

If you're soliciting free advice online – even from a law firm – it may as
well contain such a disclaimer. Nearly always the terms of service do contain
such a term.

> "But Proton Technologies AG said ..." isn't going to hold up in court.

"But our law firm said…" seems to be the alternative here. I'm not sure how
well that would hold up in court.

I'm all for getting legal advice from professionals. That said, there's a lot
of law firms that will give you advice on the GDPR without really knowing what
they're talking about. Their risk is pretty minimal – as a business client
you're unlikely to be entitled to the same redress as consumers. The bar is
very high for demonstrating negligence.

~~~
xg15
I think it's not paid vs unpaid but official vs private.

I found the warning very useful, as I assumed this was a publication from an
EU institution as well.

If this had been the case, you could have assumed that the page had been
produced with the primary goal of informing the public and clearing up
confusion - and that the page were likely to have input from people close to
who actually drafted the regulation. All that would put my trust in the
accuracy of the information way higher than that in a random law firm, no
matter how much legal weight that would have in either case.

Additionally, it would be some news if an EU body published an "official"
guide how to implement the GDPR, whereas there are likely many such guides by
private advisors.

~~~
dpwm
On deeper inspection it seems the whole thing is a bit of a plug for Proton
Mail. For some reason my disengaged brain hadn't linked Proton Technologies AG
with ProtonMail, which was plugged frequently enough for me to notice on first
glance but not quite enough to make me suspicious.

------
frereubu
If you want to read an excellent guide on GDPR from a regulatory authority
(i.e. an organisation that is actually tasked with implementing the
legislation) the UK's ICO website is the best place. It uses plain English as
far as possible while not oversimplifying things to the point of uselessness.

[https://ico.org.uk/for-organisations/guide-to-data-protectio...](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/)

------
bad_user
They have Google Analytics enabled without consent and in the privacy policy
they claim this:

> “_Google Analytics does not identify individual users or associate your IP
> address with any other data held by Google._”

This is wrong, GA may anonymize IPs, however they drop a tracking cookie in
order to identify unique visitors.

Tracking cookies under the GDPR fall under “personal data”, even if they are
pseudo-anonymous. Also note that usage of Google Analytics cannot be a
“legitimate purpose”.

So is this legal what they are doing? Or what am I missing?

~~~
protonmail
In the sense of art. 6 §1 (f) GDPR, there is nothing preventing analytics from
being justified by a legitimate interest. Recital 47 also says the processing
of personal data for direct marketing purposes can be carried out for
legitimate interests. Per the e-privacy directive, we provide notice that
there is a cookie.

The updated Privacy notice is now supplemented with extra information.

------
russley
Ironic that a site about GDPR compliance has 6 potential trackers according to
Privacy Badger.

~~~
lmkg
Which might be fine, depending on their privacy policy. Let's take a look...

Their privacy policy indicates they are claiming Legitimate Interest as the
legal basis for using Google Analytics. My network tab also sees hits from
ShareThis and Facebook, which are not mentioned in the Privacy Policy. There's
a section on Embedded Content, but I don't see any content embedded in the
privacy policy itself.

[https://gdpr.eu/privacy-policy/](https://gdpr.eu/privacy-policy/)

I will say this does a good job of being straightforward and readable, and
covering what a privacy policy needs to cover. But it's still incomplete with
regards to what data is being sent where.

~~~
bad_user
Except Google Analytics cannot be a "legitimate interest".

A legitimate interest is one that prevents the service from operating. E.g. if
you're a pizza delivery service, you need to use the customer's address, since
it's implicit in what the service does and the customer expects you to use
their address for the purpose of home delivery.

If you block Google Analytics however, in what way will the service be
impacted from the perspective of the user experience? There is no impact, even
if this costs the business optimization opportunities or money. You can argue
that the inability to use Google Analytics can have a long term impact on user
experience, but that's not how legitimate interests work.

In general, "making more money" or "becoming more popular" are invalid reasons
for stating a legitimate interest.

------
TotempaaltJ
The checklist especially is a great resource IMO:
[https://gdpr.eu/checklist/](https://gdpr.eu/checklist/)

Also shows how much of this is truly just sensible privacy protections.

~~~
smartbit
A GDPR checklist goes against the basics of GDPR: privacy is a _human right_
not a consumer right. Any site that provides a GDPR checklist should better be
discarded and not given attention.

------
pitaj
Are IP addresses personally identifiable information under GDPR?

~~~
pierrefar
Yes, and also cookie IDs. Both are called out as examples in recital 30:

“Natural persons may be associated with online identifiers provided by their
devices, applications, tools and protocols, such as internet protocol
addresses, cookie identifiers or other identifiers such as radio frequency
identification tags. This may leave traces which, in particular when combined
with unique identifiers and other information received by the servers, may be
used to create profiles of the natural persons and identify them.”

Source: [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A...](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679)

~~~
pitaj
I should have been more clear that I meant IP addresses alone.

It seems like this only addresses when IP addresses are combined with other
data.

~~~
kasey_junk
That particular guidance has provided a lot of gnashing of teeth because some
readings of it have an implicit “because” before the final sentence. That is
IP addresses are personal data as sometimes they uniquely identify people.

The guidance my firm received was to treat them, by themselves, as an ID.
YMMV.

------
grantlmiller
if you're running a SaaS or software company, we compiled an abridged version
of the full GDPR text that is only 34 pages in this format, very easy to
consume: [https://www.enterpriseready.io/GDPR-abridged-text-for-SaaS-C...](https://www.enterpriseready.io/GDPR-abridged-text-for-SaaS-Cos.pdf)

if you want to read the full thing, we created a quick guide for understanding
which sections you might want to skim:
[https://www.enterpriseready.io/gdpr/how-to-read-gdpr/](https://www.enterpriseready.io/gdpr/how-to-read-gdpr/)

------
oytis
Oh, so now strangers can claim their rights on my mailbox, good times. I'm
happy I'm a private person (and that lawgivers decided to spare ordinary
people for now).

------
ghego1
A much better and complete checklist tool is available at
[https://autoprivacy.eu](https://autoprivacy.eu)

------
zorga
Simple, block the EU, problem solved.

~~~
jakeogh
There is no reason to block them. If you are not in the EU, you are not
subject to its laws.

~~~
tomhoward
Sadly it's not that simple.

If you're seen (by EU courts) to be soliciting business from the EU (which
could just mean running advertising that appears in the EU), you're subject to
the laws.

So, blocking EU traffic to avoid being seen as doing business there may be a
prudent step in some cases.

[https://www.gdprandbeyond.com/blog-post/data-privacy/gdpr-af...](https://www.gdprandbeyond.com/blog-post/data-privacy/gdpr-affect-non-european-companies/)

~~~
zorga
Yes, it is that simple; the GDPR can claim whatever it wants, that doesn't
make it true. The EU has no jurisdiction over me in the US period. And
referencing the GDPR as a source isn't valid, just because it's written
doesn't make it enforceable. China doesn't get to tell me what to do, nor does
the EU.

~~~
M2Ys4U
1. You violate the GDPR

2. One of the Supervisory Authorities fines you

3. The SA applies to a court in the EU for an order compelling payment of the
fine

4. The SA applies to a US court for enforcement of the EU judgment

5. You have to pay up

~~~
ionised
6. Don't even think about travelling to the EU if you've ignored the fines.

~~~
JAlexoid
That's a bit harsh, but you really have to be an egregious offender to get
banned from EU.

Debt jail is illegal in Europe.

------
simplysimple
My guide to being GDPR compliant: don't do business in the EU.

Much simpler.

~~~
matthewmacleod
Sounds amazing, to be honest.

I'm quite enjoying the weird interstitial pages from a variety of US-based
sites that block EU users. It's like a massive billboard saying "WE ARE USING
YOUR DATA IN WAYS THAT YOU DON'T CONTROL", and is a reminder to use other
services elsewhere.

GDPR is relatively straightforward to comply with, particularly for the
simpler kind of sites that don't seem to have bothered. It basically codifies
the sort of best practice that should have been in place already, and I'm sure
many of us are happy to see that there is movement towards regulating the
disastrous dumpster fire of personal data in this way.

~~~
kasey_junk
It’s not at all simple for ad supported publishers who are the most prominent
users of the blocking.

It may be a case where this is the _intended_ consequence of the law but it
wasn't sold that way ahead of time.

European publications are being even more impacted by this as they can’t
resort to blocking. It will be very interesting how this impacts the
publishers in the next few years.

~~~
JAlexoid
Here's the kicker - most European online publications were already in
compliance. GDPR is only slightly more stringent than most EU privacy laws on
file.

The biggest complaints come from foreigners, if you haven't noticed.

~~~
kasey_junk
No one knows if they are in compliance or not yet. For instance
[https://www.bankinfosecurity.com/fresh-gdpr-complaints-take-...](https://www.bankinfosecurity.com/fresh-gdpr-complaints-take-aim-at-targeted-advertising-a-11487)
outlines a complaint that all of real time bidding that is compliant with the
IAB compliance framework is _not_ compliant with GDPR.

Major publications, for instance Der Spiegel, which are trying to be compliant
by following that standard (and they had to do major work to do so) may find
they are out of compliance
[http://www.spiegel.de/extra/what-we-do-with-your-data-a-1211...](http://www.spiegel.de/extra/what-we-do-with-your-data-a-1211940.html)

Similar complaints have been brought against publishers that used Google's
compliance framework.

------
marcrosoft
I can't believe people would even consider foreign laws apply to US small
businesses that operate solely in the U.S.

Edit: no you don't need a guide on how to comply. No you don't need to pay
some consultant to see if you are compliant. Simply ignore.

Edit 2: to comply means you accept all foreign laws and rule.

~~~
robin_reala
You’re welcome to ignore it if you like, but compliance doesn’t mean
‘accepting foreign rule’ if you look at it as a compilation of good practices
for user privacy.

------
Tsubasachan
GDPR is unfortunately a paper tiger I have come to realize. The only thing
that impresses Americans is a bit of good old violence. And the EU simply
doesn't have the balls to drag executives off their private jets and drop them
in a secret prison.

~~~
zorga
No authority over sites not hosted/run in the EU. I'm a US citizen running a
business in the US; the EU has no legal authority whatsoever over me. If an EU
citizen buys something from my site, as far as I'm concerned they came to the
US virtually to do it, and US laws apply here, not EU laws. They can shove
their GDPR where the sun doesn't shine.

~~~
wglb
Unfortunately unless you are explicitly not soliciting business from EU
residents, you fall under that regulation.

One possible consequence is reputational damage.

~~~
zorga
No I don't, I'm not an EU citizen and have no EU physical presence; they can
claim whatever they want, they have no jurisdiction over me, I am not subject
to EU laws no matter what the GDPR tries to assert. It's toothless, they have
no enforcement mechanism on a US citizen in the US. I am not subject to the
laws of every country that asserts it so; I'm subject to the laws of the US
only.

~~~
ghwst
While GDPR is _supposed_ to apply to any controller processing personal data
where the processing activities are related to the offering of goods or
services to data subjects in the Union, I believe it is fair to say that we
have no idea yet how this will exactly be enforced outside of the EU (when it
is enforced) until the first attempts appear.

It's true that this extra-territorial scope is a bold move when it comes to
international law. I see a trend in the latest EU regulations that would
suggest they are not close to abandoning this idea.

~~~
dragonwriter
> It's true that this extra-territorial scope is a bold move when it comes to
> international law

Not really. Foreign opponents (especially American opponents) of the law make
a big deal out of it, but extraterritorial application of laws, especially to
acts occurring outside of but having effect within the territorial boundaries
of the State whose law is concerned, is in no way novel.

~~~
ghwst
You are right. It is something that has been known in criminal law for a long
time. However, the possibilities to enforce have always been subject to the
rules of legal assistance, which most of the time provide the limits of
another national law.

We might end up in a situation where US authorities could accept to apply
GDPR, but with fees limited to what US law allows, for example.

