The document outlines the roles and responsibilities of data controllers, data processors, and data subjects under GDPR. It emphasizes the need for clear consent requests from data subjects, which must be specific, understandable, and reviewable. Additionally, it details that data controllers must keep records of consent, while data processors must act according to the instructions provided by data controllers and implement security measures.

1. The Data Subject gives his data
to the Data Controller.
The Data Controller has to
keep record of the consent.
WHO’S WHO OF THE DATA COLLECTION PROCESS
The Data Controller passes the
data to the Data Processor.
The Data Processor can only use
data as instructerd by the Data
Controller.
The Data Controller must reach the
Data Subject and let him review new
consent request and correct his
decision if he’d like to.
Resources:
The Final Text of the GDPR Including Recitals https://gdpr-info.eu/
How Will GDPR Affect Your Web Analytics Tracking? https://goo.gl/EHy3f7
5 GDPR Rights With Serious Technical Consequences https://goo.gl/9HfHRa
How to Make Digital Analytics Processing Lawful Under GDPR and ePrivacy? https://goo.gl/5H3nZ6
Bird & Bird: Guide to the General Data Protection Regulation https://goo.gl/kwwNqH
The Data Processor has to keep
a record of the processing
activities and implement
adequate security measures.
The Data Controller asks the Data Subject for consent.
Be easy to understand, prominent and concise,
Include the name of your organisation and any third parties,
Explain why you want the data,
Explain what you will do with it,
Remind Data Subject that he can withdraw consent at any time,
Be specific wherever possible,
Be kept under periodic reviews,
Explain how long will you keep the data,
Explain what data are you collecting.
And the consent request should NOT:
Use pre-ticked boxes, opt-out boxes or default settings.
The consent request should:
The Data Subject gives Data Processing consent.
The Data Controller can analyze
the data and use it for the
purposes specified earlier in the
consent request.
Learn the key differences between Data Controllers, Data Processors and Data Subjects.
Find out how to safely collect and analyze data while respecting
Data Subject Rights and adhering to General Data Protection Regulations.
The Data Subject is using Data
Controllers service
(e.g. visiting a website).
If the Data
Controller wants to
use the data for a
new purpose, he
needs to receive
another consent for
processing for this
new purpose.
INSERT DATA
HERE
ANALYTICS
Your company, the actual
beneficiary of data from web
analytics. You are
controlling, reviewing,
comparing and aggregating
web analytics data.
The company delivering
the tools that you are
using to collect the data.
The division between Data
Controller and Data Processor takes
place if you actually use software
supplied by a vendor which you
don’t maintain.
In case of on-premise software your
company becomes both the
Controller and Processor.
Data SubjectData ControllerData Processor
Every person is considered a
Data Subject and is entitled
to access and correct their
data, along with the ability to
disallow processing of their
data.
EXAMPLE.COM
A Cat