Introduction and importance of consent in online advertising:
Online advertising is a central part of many websites, but it brings with it specific data protection requirements, particularly with regard to user consent and transparency. The GDPR requirements are explained in detail below:
Consent of users (Article 6 paragraph 1 letter a GDPR):
- Consent: Websites must obtain explicit consent from users before processing personal data for advertising purposes. This is especially true for personalized advertising based on users’ behavior or preferences. Consent must be clear, informed and voluntary.
- Transparency: Users must be provided with detailed information about what data is collected and processed for advertising purposes, for what purpose and with whom the data is shared. This information should be included in the website’s privacy policy.
Lawfulness of processing (Article 6 GDPR):
- Consent as a legal basis: The processing of personal data for advertising purposes can only be carried out on the basis of users’ consent or other lawful bases, such as the performance of a contract or legitimate interests. In most cases, consent will be the appropriate legal basis.
- Legitimate interests: When processing is based on legitimate interests, the controller's interests must be balanced against the interests and fundamental rights of the data subjects. Processing must not be overly invasive and must meet the expectations of the data subjects.
Transparency and information (Articles 13 and 14 GDPR):
- Clarity and comprehensibility: Websites must provide users with clear and understandable information about what personal data is collected for advertising purposes, how this data is used and what rights users have. This information should be easily accessible and written in clear and simple language.
- Privacy Policy: The website’s privacy policy should contain comprehensive information about data processing for advertising purposes, including the type of data collected, the purposes of the processing, the legal basis, the storage period and the recipients of the data.
Opt-out options (Article 21 GDPR):
- Right to object: Users have the right to object to the processing of their personal data for advertising purposes. Websites must provide clear and simple opt-out mechanisms that allow users to withdraw their consent or object to data processing at any time.
- Opt-out mechanisms: Websites may implement various opt-out mechanisms, such as opt-out links in emails, special opt-out forms on the website or settings in the user account.
Security measures (Article 32 GDPR):
- Technical and organizational measures: Websites must implement appropriate technical and organizational measures to ensure the security of the data collected. These include:
  - Encryption: Protecting personal data through encryption during transmission and storage.
  - Access control mechanisms: Implementing mechanisms that restrict access to personal data to authorized persons.
  - Regular review and updating of security measures: Ensuring that security measures are up to date and reflect current threats and risks.
Data processing agreements (Article 28 GDPR):
- Contractual arrangements: If external service providers process personal data on behalf of the website for advertising purposes, a data processing agreement must be concluded. This agreement must ensure that the external service provider complies with the requirements of the GDPR and implements appropriate security measures.
- Content of the contract: The contract must regulate, among other things, the following points:
  - The subject matter and duration of the processing
  - The nature and purpose of the processing
  - The nature of the personal data and the categories of data subjects
  - The obligations and rights of the controller and the processor
Relevant articles of the GDPR:
- Article 6: Lawfulness of processing
- Article 7: Conditions for consent
- Article 13: Obligation to provide information when collecting personal data from the data subject
- Article 14: Obligation to provide information if the personal data were not collected from the data subject
- Article 21: Right to object
- Article 28: Processors
- Article 32: Security of processing
Examples of compliance with the requirements:
- Personalized advertising: If a website displays personalized advertising, users’ consent must be obtained before their data is processed for advertising purposes. Users should be informed about what data is collected, how it is used and with whom it is shared.
- Advertising tracking: If a website uses tracking technologies to analyze user behavior and display targeted advertising, users must be informed and their consent must be obtained. Users should also have the opportunity to object to data processing for advertising purposes.
Summary:
The GDPR sets out clear requirements for the processing of personal data for advertising purposes. Websites must obtain explicit consent from users before using personal data for advertising. Users must be informed in a clear and understandable manner about what data is collected and how it is used. Websites must implement appropriate security measures to ensure the integrity and confidentiality of the data collected. Providing clear opt-out mechanisms and complying with data processing agreements with third-party service providers are also crucial to meeting the requirements of the GDPR. Compliance with these requirements helps to increase user trust and minimize the risks of data breaches.