GDPR & Digital Analytics part 2

In part 1 of this article, we covered what the GDPR means for your digital analytics data, notably in terms of personal data and user rights. This week, we’re defining 3 more crucial questions you must consider and understand regarding your digital analytics solution in preparation for the GDPR.



3. Where is your analytics data stored? Is it transferred outside the EU?

If personal data is transferred outside the European Union, the GDPR requires the country or countries to which you are transferring to have adequate data protection – meaning protective measures that guarantee EU-level standards. The end user must also be informed that his or her data is being transferred or stored outside of the EU.


Again, as digital analytics solutions collect and store personal data (and often store it outside the EU), it’s critical to ask your analytics provider where it stores the personal data collected via its solution, if this data is transferred anywhere, and whether end users are clearly informed of these storage and transfer locations.


How does AT Internet comply?

AT Internet processes and stores all personal data within the European Union, with no personal data being transferred outside the EU. This information is clearly accessible in our privacy policy, and in our customer contracts.


4. What is the scope of your analytics provider’s responsibility?

It’s crucial to ensure your analytics provider (a “data processor”) has clearly defined the scope of its responsibility in your contract. With fines going up to €20 million or 4% of your global annual turnover (whichever is higher!), you don’t want to be left holding the bag if your provider has not clearly defined this scope in the Data Processing Agreement (DPA). (Or worse – if your provider has transferred 100% of responsibility to you!)

As a data controller, you are also expected to take care in choosing a data processor and deciding which types of data processing activities you will engage in. In other words, select your vendors wisely – they must be GDPR-compliant!

Where does AT Internet stand?

AT Internet’s Analytics Suite is GDPR-compliant, as is the AT Internet group as an organisation. We therefore commit  to full transparency for our customers in our Data Processing Agreement (DPA).


We will provide each of our customers with a DPA to precisely define our scope of responsibility as a data processor, and yours as a data controller, regarding the processing of personal data.


If you work with a different digital analytics provider, we strongly recommend you verify the terms of your contract to ensure that responsibility is not automatically transferred to you (via limitations on liability clauses), and to ensure that your provider clearly indicates how it handles and protects personal data.


5. For what purposes is your analytics data used? Do you practice profiling?

Under the GDPR, personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.


In other words, your visitors’ data should only be used to achieve the specific thing(s) you’ve informed them of, such as (in the case of analytics) improving their experience on your site, or providing them with tailored content. Your visitors’ data should NOT be used in other ways for which they have not given consent.


It’s also important to understand the notion of “profiling” as defined in the GDPR: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating
to a natural person, in particular to analyse or predict aspects concerning that natural person’s […] behaviour,
location or movements.” If you use analytics data for profiling activities, you must carry out a Data Protection
Impact Assessment (DPIA) to ensure and demonstrate accountability and compliance.


If you perform any other data processing activities that potentially put the rights and freedoms of users at risk,
you must also carry out a DPIA to evaluate these risks. Should the results of your DPIA indicate high residual
risk, you must consult your local supervisory authority, who can advise you appropriately.

See Guidelines on Data Protection Impact Assessment from the Article 29 Data Protection Working Party

Try the CNIL’s open-source Privacy Impact Assessment tool (available in French and English)

Where does AT Internet stand?

With AT Internet, you always remain the owner of your data. We never use or merge our customers’ analytics data for our own purposes.


Since our digital analytics solution enables profiling activities (as do other digital analytics solutions), we have carried out a DPIA of our service. The results indicate that when our solution is used normally (as defined in our Data Processing Agreement), AT Internet’s data processing presents no elevated risk to the rights and freedoms of data subjects.




We hope these 5 points will help you examine your analytics activities with a critical eye, and identify if and where extra efforts and attention are needed to prepare for the GDPR. If you’re unsure of the answers to any of these questions, don’t hesitate to ask your analytics provider for clear explanations. Your provider should be a true partner in ensuring GDPR-compliant analytics data and processes, and should therefore be able to give you transparent and detailed answers to each of these questions.


Already an AT Internet customer? You can breathe easy: By working with us and using the Analytics Suite, you’ve already chosen a digital analytics solution that’s fully GDPR-compliant! An independent European player from day one, we’ve always adhered to – and been shaped by – strict European policies on data protection and privacy. We’ve developed our tools from the very start with privacy in mind. It’s a core value for us and fundamental to how we approach analytics.

Digital Analytics & GDPR
Want the guarantees of an analytics solution that’s 100% GDPR-compliant and fully transparent? Our teams would be happy to get in touch with you.

A Silicon Valley native, Ashley has 10 years of experience as a marketing writer and previously worked in B2B digital marketing at Google. She joined AT Internet in 2014 to help create and deploy our international communications in 6 languages. She enjoys distilling complex topics from the ever-changing digital universe into clear, actionable ideas.

Comments are closed.