We've asked The Romanian Data Protection Authority about GDPR in online processing...

In the past few months we’ve heard tons of opinions and interpretations of the new European regulation. Everyone seems to have a different view.

We've spoken to countless law firms, the big 4, independent consultants, and also saw lots of “we use cookies” notifications or “cookie consent” tools appearing on websites.

Some chose implicit consent, others went for the soft opt-in, whilst others spent loads of money on consent tools that don’t get the job done (mainly because they don’t reflect the law).

And since everyone is scared by penalties, we wrote and asked the Romanian Data Protection Authority (ANSPDCP) some questions about how GDPR will apply to the online processing. Here's what they had to say:


"Consent should cover all processing activities carried out for the same purpose or purposes. […] When the processing has multiple purposes, consent should be given for all of them."

It seems like it’s not about cookies or cookie types, right? Pay attention to all those solutions out there managing cookie consent, as the right approach is towards processing purposes and all the activities corresponding those purposes.


Data subject’s consent means “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

If you use tracking technologies, you might as well forget about implicit consent (also known as “by continuing to use this website you agree…”). It goes the same for soft opt-in (not getting consent explicitly from your users but giving them the possibility to opt-out if they don’t agree), as this implies that you start processing by default and you only give your users the right to object. Get valid consent.


“Controllers seeking to rely upon consent as a basis for profiling will need to show that data subjects understand exactly what they are consenting to.”

So if you process your users’ data for profiling purposes you should make this clear when asking consent. You should also provide relevant and intelligible information regarding the profiling process and how your users will be affected by it.


“In all cases, data subjects should have enough relevant information about the envisaged use and consequences of the processing to ensure that any consent they provide represents an informed choice.”

Not providing enough relevant information could pe perceived as an infringement of the user’s right to be informed. Also, the definition of “valid consent” implies that the user has been previously informed and knows what he/ she is agreeing to. Not providing enough info can make your consent invalid or inappropriate. And there are huge fines for this.


“Fines up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, can be imposed if there has been an infringement of the basic principles for processing, including conditions for consent.”

Seems like not respecting the conditions for consent (including relying on invalid or inappropriate consent) could also lead to these huge fines. It’s not just those Cambridge Analytica type of massive data breaches that can get you penalties. Stay safe and get yourself a true Consent Manager.


“Regarding website owners and entities that implement marketing campaigns using data collected from those websites […], the data controller is the person that, alone or jointly with others, determines the purposes and means of the processing of personal data. Therefore […], it is necessary that you establish the roles of each entity involved in the data processing”.

Again, properly informing your users is a must. They should know, for each processing flow, what data is being processed, who is are the responsible entities, who can access their data and for what purpose, who can benefit of it and for how long etc. Controllers, processors, other recipients/ beneficiaries should all be part of the data processing trail that you should properly describe to your users when asking for consent.


“In the case when the service provider allows third parties to access or store user information, the information […] should include the general purpose for which third parties are processing that data and the means by which the subscriber or the user can […] delete the stored information or refuse third parties’ access to that information.”

Make sure you respect your users’ rights. Give them the possibility to access and delete their personal data, as well as to block third parties from processing their data. For instance, not every consent tool can provide a full list of cookies, the ability to delete them anytime or instantly block different applications from running on a website. We do.


“Controllers who choose to rely on consent must be able to demonstrate that the data subjects have expressed consent for the processing of their personal data.”

When you rely on explicit consent as a legal ground for your processing operations, you should make sure that you safely store all consent records into a safe system (as the controller must always be able to prove that a user has consented). Learn more about how you can store consent logs, so you can be prepared for any control from your local authority.

Georgiana Bedivan

Head of Compliance

We've struggled to understand GDPR so you won't have to. Learn from our experience →

We've asked a Data Protection Authority for answers on digital processing...

Since everyone is scared by penalties, we wrote and asked the Romanian Data Protection Authority (ANSPDCP) some questions about how GDPR will apply to the online processing. Here's what they had to say...

read more

What's wrong with cookie consent?

The common misbelief is that compliance on digital properties equals cookie consent. But the truth is that GDPR is not about cookies, but about who set those cookies and what for.

read more

10 steps to make your site compliant

Some have tried with cookie consent, others with implicit consent like "by continuing to use this website...", and others simply closed their sites to European citizens.

read more

What makes valid consent under GDPR?

Consent is just one of six lawful bases to process personal data, as listed in the GDPR. It may not always be necessary, but when it is, you have to make sure it is properly obtained and stored.

read more

Data controller vs. processor? Who's who

Although GDPR’s definition of the two may seem simple and concise, marketers are still having a hard time trying to figure out who’s what, especially when it comes to automated processing technologies.

read more

Profiling and automated decisions under GDPR

As site owners’ challenge these days is to ensure compliance on digital assets, you should know that most of the apps and technologies you use for marketing purposes do profiling.

read more

GDPR myths and misconceptions

Starting with May 25th, a lot of misinformation regarding GDPR has been spread so understanding the basic principles of this new regulation and how to get compliant proved to be overwhelming.

read more

Using Facebook pixel on your site?

As per today’s practices you can’t really help but using Facebook as part of your marketing strategy. However, the question that arises since the 25th of May is who is responsible for obtaining consent.

read more

Looking for the right consent solution?

Discover Avandor Consent

see features & benefits →

Need help navigating GDPR compliance?

We're happy to assist you with free advice

get in touch →

Your details:

Your interest:

Your Message:

by submitting this form you consent to our use of your data

For more information or a demo call +4072 893-9780 or get in touch.