
Location data complying with GDPR

Location data is information about the specific geographic location of a particular device, on which data relating to an identified or identifiable natural person may be stored.

So let’s clarify what the GDPR says about storing personal data, such as a phone number, credit card, account details, number plate, appearance, and customer ID.

The gdpr.eu guidance reads: “It is important to consider the content of the data. Information that identifies a person, even without a name attached, may be personal information if you are processing it to learn something about that person or if processing this information will impact that person. Records containing information that is clearly about a specific individual are considered “related to” that individual, such as their medical history or criminal record. Records that have information describing an individual’s activities may also qualify, such as a bank statement. Any data that relates to an identifiable individual is personal data. Data that is used to learn or make decisions about an individual is also personal data. Records on electricity and water usage would be considered personal data, as this information determines how much to charge an individual.

Also information that, when processed, could impact an individual, even if that was not its primary purpose, is also considered personal information. For example, private transport companies track their drivers so that they can find the nearest available car to assign to a request. However, this data could also monitor whether drivers follow traffic rules and measure their productivity rate.” Source: https://gdpr.eu/eu-gdpr-personal-data/

We must also take into account data stored in cookies. Cookies store user information, whether technical or specific, and pass it to third parties with or without consent; they are governed by the GDPR and fall squarely under the consent mode banner systems (link) that we have already discussed in previous posts.

What to do to comply with GDPR requirements in terms of Data Storage?

According to GDPR, data can only be processed with the authority of the network, service, or value-added service provider. In addition, that information must be anonymized or you must have consent to use it. That consent must be freely given, it must be specific, and it must be informed. This means that the person from whom data is being collected must have taken positive steps to consent to its collection.

As discussed in another post, the General Data Protection Regulation, or GDPR, created an EU framework for privacy and the management of citizens’ data. The characteristics of this regulation implied, at the time of its application, that consumers had more control over their data and that brands and companies had to be much more transparent about how they managed information.

Well, knowing what personal data can be, and that it is housed on a device (let’s call it that for the moment) in a specific physical location, the question is:

What does the GDPR tell us about storage location?

If the data storage concerns users browsing within the EU, the regulation is precise on the question “Does the GDPR require data to be stored in the EU?”: the law clearly states that companies must rely on providers with European data centers.

It is explicit and clear about storing data and its legal requirements.

Let us elaborate on this statement:

We know that information collected from users is uploaded to the cloud and that this information is stored somewhere. Therefore, we consider that this “cloud” is a tangible place after all, and we conclude that the servers providing this service are hosted in physical locations.

Well, knowing that there are physical servers in geographical locations behind the storage, their location is crucial; based on the European data protection regulation mentioned above, such storage servers must be hosted in the EU.

Now, one more question remains for those companies that work with EU user data but store it outside the EU.

What does the GDPR tell us about storing data outside the EU?

“Companies that are not based within the EU and that process data of EU citizens must appoint a representative in the EU.”

“When personal data is transferred outside the EU, the protection offered by the GDPR will accompany the data. This means that if the data is exported abroad, the company must ensure that one of the following conditions is met:

  • The data protection of the non-EU country is considered adequate.
  • The company takes the necessary measures to provide adequate safeguards, such as including specific clauses in the contract concluded with the non-EU importer of personal data.
  • The company relies on specific grounds for the transfer (exceptions), such as the data subject’s consent.”

Source: https://europa.eu/youreurope/business/dealing-with-customers/data-protection/data-protection-gdpr/index_es.htm#shortcut-6

In short, the protection offered by the General Data Protection Regulation (GDPR) travels with the data, meaning that the rules protecting personal data continue to apply regardless of where the data arrives.

And finally, in October 2022, the EU and the US appear to have reached a data transfer agreement whereby companies can store their data on servers located in the US without violating the rules.

At Seal Metrics, our servers are located in the EU.

Practical Implications for E-commerce

Navigating the intricacies of GDPR, especially concerning location data, is paramount for e-commerce businesses. Digital storefronts inherently collect a great deal of user data, from browsing habits to purchase history. Adding location data to this mix offers invaluable insights into regional preferences, potential logistics optimizations, and targeted marketing opportunities. However, with GDPR in play, e-commerce platforms must tread carefully. Ensuring that location data is anonymized or collected with explicit consent can be the difference between a successful marketing campaign and a hefty regulatory fine.

Strategies for Compliance

For e-commerce businesses, GDPR compliance doesn’t have to be a daunting task. Start by thoroughly auditing the data you collect, primarily focusing on location-based information. Understand its source, purpose, and storage protocols. Next, ensure that all data collection points, be it sign-up forms, checkout pages, or user profiles, have clear, concise, and accessible privacy policies. These policies should explicitly state the collected data’s nature and intended use. Furthermore, invest in training your team. Everyone, from the IT department to customer service, should have a basic understanding of GDPR mandates. Lastly, consider implementing a robust data management system to automate consent collection, data anonymization, and periodic compliance checks.

Impact on Marketing Campaigns

GDPR’s regulations on location data can significantly influence the trajectory of digital marketing campaigns. On the one hand, respecting user privacy and ensuring compliance can bolster a brand’s reputation, making marketing messages more trustworthy. On the other, the limitations on data usage can restrict hyper-targeted campaigns. However, this isn’t necessarily a drawback. By focusing on broader, value-driven campaigns that resonate with larger audiences, e-commerce businesses can achieve widespread brand recognition. Moreover, the emphasis on obtaining explicit user consent can lead to a more engaged, loyal customer base, which can prove more profitable in the long run than transient, data-driven interactions.

Tools and Technologies

In the digital age, technology is the cornerstone of compliance. Several tools can aid e-commerce businesses in adhering to GDPR mandates. Data management platforms (DMPs) can centralize user data, making it easier to monitor, manage, and, if necessary, delete. Consent management platforms (CMPs) can automate obtaining and documenting user permissions, ensuring no data is collected without explicit approval. Additionally, investing in encryption tools can safeguard user data, ensuring that the information remains inaccessible even in the event of a breach. Geofencing tools for e-commerce platforms operating globally can prove invaluable, allowing businesses to tailor their data collection practices based on regional regulations.

Updates and Future Predictions

The digital landscape is ever-evolving, and with it, the regulations governing it. While GDPR has set a robust data privacy framework, e-commerce businesses must stay abreast of any updates or amendments. Industry experts predict a global shift towards more stringent data protection regulations inspired by GDPR’s success. For e-commerce platforms, this could mean a more unified approach to data management, reducing the complexities of navigating disparate regional laws. However, it also emphasizes the importance of flexibility and adaptability in data strategies, ensuring that businesses can swiftly pivot their practices in line with regulatory changes.
