GDPR myths and misconceptions

Starting with May 25th a lot of misinformation regarding GDPR has been spread, so getting compliant proved to be overwhelming.

This is especially for marketers that have to deal with a plethora of new applications and technologies whose data processing terms and standards are not very transparent and/ or easy to understand.

Let's try to demystify some oh these myths and misconceptions.

“Personal data” = personally identifiable information

A tracking cookie is also personal data. Now, how many apps you use that track users?

Under GDPR, personal data has a wide definition, encompassing a variety of data that refers to: any information relating to an identified personal (name, surname, ID number etc.) or any information relating to someone who could be identified based on a series of identifiers (e.g. online identifiers such as IP address, geolocation, cookies etc.)

“Personally identifiable information” (PII) is only limited to name, address, passport number, driver’s license number, social security number etc. and it refers to identified individuals, whilst “personal data” under GDPR is significantly broader and includes identifiers that, combined, can lead to the identification of an individual (it can be a cookie - one of many forms of online identifiers, an email address, a person’s location, occupation, gender, a physical factor etc.)

Consent should be given for the use of cookies.

Yes, most of those "we use cookies" and "by continuing to visit our site you agree..." are not about GDPR.

The common misbelief is that compliance on digital properties equals cookie consent. Even though popular, cookies are simply a storage mechanism and they do nothing.

All the processing that happens during a user’s visit on a website implies that cookies are caught, but so are many other bits of data that can be processed (for each external resource loaded on a webpage the browser passes information to third parties’ servers including the user’s IP address, currently visited page, browser type, device type, operating system, language settings, all the cookies set by that respective domain in the user’s browser etc.)

If the processing relies on consent as a legal ground, remember it should not be given for the use of cookies on a website, but for the purposes for which personal data is being processed on that website (click here for more details on how to seek valid informed consent from your users).

Asking consent from your users will ensure GDPR compliance

Wrong. First of all, asking for appropriate consent will ensure your lawful basis for processing, not make you GDPR compliant.

Secondly, if you use certain technologies that do profiling and automated decision-making, that notice cannot be perceived as valid consent, leaving you out of legal grounds (read more about these technologies and applications here).

EDPB (The European Data Protection Board) states that “merely continuing the ordinary use of a website is not conduct from which one can infer an indication of wishes by the data subject to signify his or her agreement to a proposed processing operation.” So continuing the use of a website does not equal valid consent and this notice solely will definitely not make your website GDPR compliant.

Click here for more details on: how to seek valid consent from your users, how to get your website GDPR ready.

GDPR only applies to companies based in EU

GDPR affects any company, no matter where they are located, if they offer goods or services to consumers in the EU. Although it concerns the personal data of people living in the EU, it actually regulates the gathering and processing of this data, regardless of where it takes place.

GDPR compliance is just the data controller’s responsibility

It’s true that data controllers have the primary responsibility of processing the personal data in conformance with the law. However, this does not fully exempt the processor’s liabilities.

Under the GDPR, processors now have direct statutory obligations and are required to provide certain technical or organizational measures (including keeping records of processing activities, reporting data breaches to controllers etc.) More details about controllers’ and processors’ responsibilities here.

Remember that roles and responsibilities often change, especially in digital marketing and complex processing chaining. A data processor exceeding the controller’s mandate will become a joint-controller (also known as “co-controller”). And joint controllers must enter into an arrangement reflecting their responsibilities for complying with the GDPR.

If you have a question, feedback or suggestion, let us know

we'll try to provide you with an answer and if it's something of interest for more people, we'll probably publish an article too.

get in touch →

Meanwhile, do check out our GDPR compliance solution as well as our other articles on the topic.

Avandor Consent solution → GDPR vendor database →

Georgiana Bedivan

Head of Compliance

We've struggled to understand GDPR so you won't have to. Learn from our experience →

We've asked a Data Protection Authority for answers on digital processing...

Since everyone is scared by penalties, we wrote and asked the Romanian Data Protection Authority (ANSPDCP) some questions about how GDPR will apply to the online processing. Here's what they had to say...

read more

What's wrong with cookie consent?

The common misbelief is that compliance on digital properties equals cookie consent. But the truth is that GDPR is not about cookies, but about who set those cookies and what for.

read more

10 steps to make your site compliant

Some have tried with cookie consent, others with implicit consent like "by continuing to use this website...", and others simply closed their sites to European citizens.

read more

What makes valid consent under GDPR?

Consent is just one of six lawful bases to process personal data, as listed in the GDPR. It may not always be necessary, but when it is, you have to make sure it is properly obtained and stored.

read more

Data controller vs. processor? Who's who

Although GDPR’s definition of the two may seem simple and concise, marketers are still having a hard time trying to figure out who’s what, especially when it comes to automated processing technologies.

read more

Profiling and automated decisions under GDPR

As site owners’ challenge these days is to ensure compliance on digital assets, you should know that most of the apps and technologies you use for marketing purposes do profiling.

read more

GDPR myths and misconceptions

Starting with May 25th, a lot of misinformation regarding GDPR has been spread so understanding the basic principles of this new regulation and how to get compliant proved to be overwhelming.

read more

Using Facebook pixel on your site?

As per today’s practices you can’t really help but using Facebook as part of your marketing strategy. However, the question that arises since the 25th of May is who is responsible for obtaining consent.

read more

Looking for the right consent solution?

Discover Avandor Consent

see features & benefits →

Need help navigating GDPR compliance?

We're happy to assist you with free advice

get in touch →

Your details:

Your interest:

Your Message:

by submitting this form you consent to our use of your data

For more information or a demo call +4072 893-9780 or get in touch.