Web Analytics and GDPR, CNIL’s Position: Website operators using audience measurement tools may, without realising it, transfer personal data to entities or countries that do not meet GDPR standards. A practical way to avoid these transfers is a properly configured proxy, a practice recognized as enhancing personal data protection.
These tools fall under both the GDPR and the ePrivacy Directive, and they often send data outside the EEA to countries offering insufficient protection. Since July 10, 2023, the EU-US adequacy decision (the ‘Data Privacy Framework’) has facilitated transfers to certified American entities. For non-certified entities, proxying remains essential. Merely altering how IP addresses are processed, or encrypting the identifiers generated by the tools, is not enough to protect privacy: the vendor’s servers can still obtain information that leads to user re-identification. The most robust solution is to prevent any direct contact between the user’s terminal and the vendor’s data processing servers.
Web Analytics and GDPR Compliance
A proxy server can be used to avoid this contact, but it must meet certain criteria to comply with the EDPB’s recommendations of June 18, 2021 (Recommendations 01/2020 on supplementary measures for transfers). These criteria include pseudonymizing data before it is exported, in such a way that no re-identification is possible even by authorities with significant means.
Implementing these measures can be costly and complex and does not always meet operational needs. An alternative is to use an analytics solution that involves no data transfer outside the EU at all. For proxying to be effective, the proxy must limit the data it forwards: no IP address is transferred, the user identifier is replaced by one the proxy generates, any other information that could lead to re-identification is removed, and the proxy itself must be hosted and operated so that the data it processes is not transferred outside the EU.
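As an added example (not code from CNIL, the EDPB or DPO PARTAGE), the following Python function applies the transformations the proxy criteria above describe to a single analytics hit: the client IP is dropped rather than hashed, the tool’s user identifier is replaced by a keyed pseudonym that only the proxy can compute, and referrer, query string and user agent are removed or coarsened. The hit field names, the user-agent classification, the constructed sample hit and the in-memory secret are assumptions; the network relay itself (receiving the hit from the browser and forwarding it from an EU-hosted server) is left out.

```python
"""Pseudonymising relay step for analytics hits (added example)."""
import hashlib
import hmac
import ipaddress
import secrets
from urllib.parse import urlsplit, urlunsplit

# Secret known only to the proxy. Assumed to be generated and stored on
# EU infrastructure and rotated periodically; without it the pseudonym
# cannot be linked back to the tool's original identifier.
PROXY_SECRET = secrets.token_bytes(32)

# Never forwarded. The IP is dropped, not hashed: a hash of an IPv4
# address is reversible by brute force over the whole address space.
DROP_FIELDS = {"client_ip", "x_forwarded_for", "referrer"}
# Replaced by a keyed pseudonym.
ID_FIELDS = {"client_id", "user_id"}
# Assumed field names for values that carry re-identifying detail.
URL_FIELDS = {"page_url"}
UA_FIELDS = {"user_agent"}


def pseudonym(value: str, secret: bytes = PROXY_SECRET) -> str:
    """Keyed one-way pseudonym. Unlike a bare SHA-256 of the value, the
    vendor cannot recompute or verify it without the proxy's secret."""
    return hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:32]


def strip_url(url: str) -> str:
    """Keep scheme, host and path; drop query string and fragment, which
    may carry campaign tags, search terms, e-mail addresses or tokens."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def coarsen_user_agent(ua: str) -> str:
    """Reduce the UA string to a coarse family so it is useless as a
    fingerprinting component (assumed, deliberately crude classification;
    'chrome' is tested before 'safari' because Chrome UAs contain both)."""
    ua_l = ua.lower()
    for needle, family in (("firefox", "Firefox"), ("chrome", "Chrome"), ("safari", "Safari")):
        if needle in ua_l:
            return family
    return "Other"


def relay_hit(hit: dict, secret: bytes = PROXY_SECRET) -> dict:
    """Transform a hit received from the browser into the payload the
    proxy forwards to the analytics server. Only the returned dict leaves."""
    out = {}
    for key, value in hit.items():
        if key in DROP_FIELDS:
            continue
        if key in ID_FIELDS:
            out[key] = pseudonym(str(value), secret)
        elif key in URL_FIELDS:
            out[key] = strip_url(value)
        elif key in UA_FIELDS:
            out[key] = coarsen_user_agent(value)
        else:
            out[key] = value
    return out


def contains_ip_literal(payload: dict) -> bool:
    """Outbound check: true if any string value parses as an IP address.
    Run on every forwarded payload as a guard against a new field leaking one."""
    for value in payload.values():
        if isinstance(value, str):
            try:
                ipaddress.ip_address(value.strip())
                return True
            except ValueError:
                pass
    return False


# Constructed sample hit, as a browser-side tag might send it.
SAMPLE_HIT = {
    "client_ip": "203.0.113.7",
    "client_id": "GA1.2.123456789.1700000000",
    "page_url": "https://example.com/pricing?utm_source=news&email=a%40b.example",
    "referrer": "https://search.example/?q=private+query",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0 Safari/537.36",
    "event": "pageview",
}

if __name__ == "__main__":
    forwarded = relay_hit(SAMPLE_HIT)
    assert not contains_ip_literal(forwarded)
    print(forwarded)
```

Because the pseudonym is an HMAC under a secret that never leaves the proxy, the same visitor maps to the same value across hits (so the tool’s metrics still work), while rotating the secret breaks linkability with earlier periods; the vendor, or anyone who obtains its data, holds neither the IP nor the original identifier.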
DPO PARTAGE, a leading provider in GDPR compliance, offers comprehensive support to businesses across the European territory. With a team of experienced Data Protection Officers (DPOs), DPO PARTAGE specializes in guiding companies through the complexities of GDPR compliance. Their services are designed to ensure that businesses not only understand their obligations under the GDPR but also implement the processes and practices needed to comply fully. DPO PARTAGE’s approach is tailored to each company’s specific needs, providing personalized solutions that range from data protection impact assessments to staff training and ongoing compliance monitoring. With their expertise, companies can confidently navigate the GDPR landscape, safeguarding their customers’ data while maintaining operational efficiency.