GDPR

The General Data Protection Regulation (GDPR) is the European framework governing the collection and processing of personal data. If your site is operated from the European Union, or is used by people in the EU and collects their data, it applies to you.

What is the GDPR?

The GDPR is a European regulation that has applied since May 25, 2018. It aims to protect the personal data of individuals in the European Union and to hold organizations accountable for the data they collect. It applies to any organization, regardless of size or location, that is established in the EU or that offers goods or services to people in the EU or monitors their behaviour (for example with analytics).

Personal data is any information that can directly or indirectly identify a person: name, email address, IP address, phone number, postal address, browsing data, online identifiers such as cookie IDs, and more.

Does the GDPR apply to me?

Almost certainly. As soon as your website is used by people in the European Union and collects personal data about them, you are subject to the GDPR. In practice that covers virtually all websites, even the simplest ones.

  • Contact form — You collect a name and email: that is personal data.
  • Newsletter — You collect email addresses to send communications.
  • Analytics — Tools like Google Analytics collect browsing data (IP address, pages visited, session duration).
  • Cookies — Third-party cookies (advertising, social media) track your visitors' behavior.
  • E-commerce — You collect payment data, delivery addresses, and order histories.

What are the key obligations?

The GDPR imposes several obligations you must comply with as the data controller for your website.

  • Consent — Before setting non-essential cookies or collecting data that is not needed to provide the service, you must obtain freely given, specific, informed and unambiguous consent from your visitors. A banner that merely informs is not enough: the visitor must be able to accept or refuse, refusing must be as easy as accepting, and you should keep a record of the choice. Processing that is necessary for a contract or a legal obligation can rely on that basis instead of consent.
  • Right of access — Any person can ask you what data you hold about them and why. You must respond within one month (extendable by up to two further months for complex or numerous requests, provided you tell the requester).
  • Right to rectification — Your users can ask you to correct inaccurate data about them.
  • Right to erasure — Your users can request the deletion of their personal data, unless a legal obligation requires you to keep it.
  • Right to data portability — Your users can request to retrieve the data they gave you in a structured, commonly used, machine-readable format (JSON or CSV, for example).
  • Record of processing activities — You must maintain a record of the personal data processing carried out through your site: what data is processed, for what purpose, on what legal basis, who it is shared with and how long it is kept.
  • Breach notification — In the event of a personal data breach, you must notify the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the risk is high, you must also inform the affected individuals without undue delay.

What does Madra do for GDPR compliance?

Madra integrates several measures to help you comply with the GDPR from the moment your site is created.

  • Compliant hosting — Your site's data is hosted on infrastructure that meets GDPR requirements, with TLS (HTTPS) encryption in transit and technical security measures.
  • Cookie banner — Madra can integrate a cookie consent banner on your site, allowing your visitors to accept or refuse non-essential cookies. See Cookies.
  • Privacy policy page — Madra automatically generates a privacy policy page that you can customize. See Privacy policy.
  • Compliant forms — Contact forms only collect necessary data and do not use pre-checked boxes.
  • No tracking without consent — No non-essential cookies are set and no third-party tracking scripts are loaded before the visitor has given their consent.
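
The consent gate described above can be checked in your own templates. The following is an added example, not Madra's code: non-essential scripts are declared inert in the HTML (`<script type="text/plain" data-consent="analytics" src="...">`), the visitor's choice is stored in a first-party cookie, and a script is only activated once its category has been consented to. The cookie name `madra_consent`, the categories `analytics` and `marketing`, and the 180-day retention period are assumptions for illustration.

```javascript
// Added example (not Madra's code): consent-gated loading of non-essential scripts.
// Pure functions (parseConsent, serializeConsent, scriptsToActivate) carry the
// logic; the DOM glue at the end only runs in a browser.
const CONSENT_COOKIE = 'madra_consent';            // assumed first-party cookie name
const NON_ESSENTIAL = ['analytics', 'marketing'];  // assumed consent categories
const CONSENT_MAX_AGE = 60 * 60 * 24 * 180;        // assumed: ask again after six months

// Parse document.cookie (or a Cookie header) into the visitor's choices.
// Missing or malformed data is treated as "no consent", so the safe default wins.
function parseConsent(cookieString) {
  const consent = { recorded: false };
  NON_ESSENTIAL.forEach(cat => { consent[cat] = false; });
  if (typeof cookieString !== 'string') return consent;
  const entry = cookieString.split(';').map(s => s.trim())
    .find(s => s.startsWith(CONSENT_COOKIE + '='));
  if (!entry) return consent;
  let value;
  try { value = decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1)); }
  catch (e) { return consent; }                    // corrupted cookie: no consent
  value.split('&').forEach(field => {
    const [cat, flag] = field.split('=');
    if (NON_ESSENTIAL.includes(cat)) consent[cat] = flag === '1';
  });
  consent.recorded = true;
  return consent;
}

// Serialise choices into the cookie value, e.g. "analytics=1&marketing=0" URL-encoded.
function serializeConsent(choices) {
  return encodeURIComponent(
    NON_ESSENTIAL.map(cat => `${cat}=${choices[cat] ? 1 : 0}`).join('&'));
}

// Given the scripts declared on the page ({src, category}), return those allowed
// to run: essential ones always, non-essential ones only with recorded consent.
// A category that is not known (e.g. a typo in data-consent) is never loaded.
function scriptsToActivate(declared, consent) {
  return declared.filter(s => s.category === 'essential' || consent[s.category] === true);
}

// Browser glue: turn the permitted inert <script type="text/plain"> tags into live ones.
// Returns the number of scripts activated (0 outside a browser).
function applyConsent(consent) {
  if (typeof document === 'undefined') return 0;
  const tags = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'));
  const declared = tags.map(t => ({ src: t.getAttribute('src'), category: t.dataset.consent, tag: t }));
  const allowed = scriptsToActivate(declared, consent);
  allowed.forEach(({ tag }) => {
    const live = document.createElement('script');
    if (tag.getAttribute('src')) live.src = tag.getAttribute('src');
    else live.textContent = tag.textContent;
    tag.replaceWith(live);
  });
  return allowed.length;
}

// Called by the banner's accept/refuse buttons: store the choice, then apply it.
function recordConsent(choices) {
  if (typeof document === 'undefined') return;
  document.cookie = `${CONSENT_COOKIE}=${serializeConsent(choices)}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
  applyConsent(parseConsent(document.cookie));
}

// On page load nothing non-essential runs until a recorded consent allows it.
if (typeof document !== 'undefined') {
  applyConsent(parseConsent(document.cookie));
}
```

The important property is the default: with no cookie, a corrupted cookie or an unknown category, `scriptsToActivate` returns only the essential scripts, so a bug in the banner fails closed rather than silently tracking visitors. Refusal is stored with the same cookie as acceptance, so the banner is not shown again on every page for visitors who said no.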
Warning

Penalties for GDPR non-compliance can reach 20 million euros or 4% of annual worldwide turnover, whichever is higher. Supervisory authorities conduct regular checks, including on small businesses. Make sure to implement compliance measures from the moment your site goes live.
