GDPR Compliance

Our commitment to protecting EU user data and helping you comply with GDPR

ArtaConsent is built from the ground up for GDPR compliance. As a Cookie Consent Management Platform (CMP), we help you comply with the GDPR and the ePrivacy Directive while acting as a Data Processor for the consent data you collect from your website visitors.

Our Role Under GDPR

ArtaConsent operates in two distinct capacities under GDPR:

  1. Data Controller - For our dashboard users (you), we are the controller of your account data, organization information, and domain settings.
  2. Data Processor - For your website visitors' consent data, we act as a processor on your behalf. You remain the Data Controller for:
    • Consent records collected via the ArtaConsent SDK
    • Cookie definitions on your domains
    • Banner configuration and display
    • Compliance with GDPR obligations toward your visitors

Data Processing Agreement

We provide a comprehensive Data Processing Agreement (DPA) to all customers that outlines:

  • Subject matter, nature, and purpose of processing
  • Types of personal data and categories of data subjects
  • Our obligations as a data processor (Article 28 GDPR)
  • Security measures and sub-processors
  • Data subject rights assistance
  • Breach notification procedures
  • Data deletion and return upon termination

Contact [email protected] to request a copy of our DPA.

GDPR-Compliant Features

Google Consent Mode v2

Full support for Google Consent Mode v2 with all 7 consent signals (ad_storage, analytics_storage, ad_user_data, ad_personalization, personalization_storage, functionality_storage, security_storage).
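As an added example (this is not ArtaConsent's SDK code), the following shows how a CMP maps its cookie categories (necessary, functional, analytics, marketing) onto the seven Consent Mode v2 signals listed above, and issues the "default" and "update" calls that Google's gtag consent API expects. The category-to-signal mapping and the gtag stand-in are assumptions made for this example; in a browser, gtag() is defined by the Google tag snippet.

```javascript
// Added example, not ArtaConsent's code. Maps four consent categories to the
// seven Google Consent Mode v2 signals and emits gtag consent calls.

const GCM_SIGNALS = [
  'ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization',
  'personalization_storage', 'functionality_storage', 'security_storage',
];

// Which consent category governs each signal (assumed mapping for this example).
const SIGNAL_CATEGORY = {
  ad_storage: 'marketing',
  ad_user_data: 'marketing',
  ad_personalization: 'marketing',
  analytics_storage: 'analytics',
  personalization_storage: 'functional',
  functionality_storage: 'functional',
  security_storage: 'necessary',
};

// State before the visitor answers the banner: everything denied except the
// strictly necessary signal, so no non-essential tag fires without consent.
function gcmDefaultState() {
  const state = {};
  for (const s of GCM_SIGNALS) {
    state[s] = SIGNAL_CATEGORY[s] === 'necessary' ? 'granted' : 'denied';
  }
  return state;
}

// Translate the visitor's per-category choices into GCM v2 signals.
// "necessary" is always granted; a category that is missing or false stays denied.
function gcmStateFromChoices(choices) {
  const state = {};
  for (const s of GCM_SIGNALS) {
    const cat = SIGNAL_CATEGORY[s];
    state[s] = cat === 'necessary' || choices[cat] === true ? 'granted' : 'denied';
  }
  return state;
}

// Minimal stand-in for the browser's gtag(): records every call in a
// dataLayer-like array so the behaviour can be inspected offline.
function makeGtag(dataLayer) {
  return function gtag() {
    dataLayer.push(Array.from(arguments));
  };
}

// Wire-up: the default call must run before any tag loads; the update call
// runs once the banner has recorded a choice. wait_for_update (milliseconds)
// tells tags to hold until the CMP answers.
function applyConsent(gtag, choices) {
  gtag('consent', 'default', { ...gcmDefaultState(), wait_for_update: 500 });
  if (choices) {
    gtag('consent', 'update', gcmStateFromChoices(choices));
  }
}

// Constructed sample: visitor accepted functional and analytics, rejected marketing.
const calls = [];
applyConsent(makeGtag(calls), { functional: true, analytics: true, marketing: false });
```

The order matters: if the default call is emitted after a tag has already loaded, that tag has run with no consent state at all, which is exactly the pre-consent cookie setting the GDPR Article 7 requirements below are meant to prevent.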

IAB TCF 2.2 Support

Transparency and Consent Framework 2.2 compliance with TC String generation and vendor management.

GDPR & ePrivacy Detection

Automatic detection of EU visitors based on IP geolocation to show appropriate consent banners.

Consent Proof Storage

Store consent records for 2 years as proof of compliance (GDPR Article 7(1)).

Cookie Scanner

Automatic detection and categorization of cookies on your website (necessary, functional, analytics, marketing).

Data Minimization

We use hashed visitor IDs (not personally identifiable) and only store IP country, not full IP addresses.

Encryption

All data encrypted in transit (TLS 1.3) and at rest (AES-256).

Right to Withdraw

Visitors can change or withdraw consent at any time via the consent banner.

Data Portability

Export all consent data and analytics in JSON/CSV format.

Audit Logs

Complete audit trail of all consent interactions and domain changes.

Data Storage Location

All data is stored on servers located in the European Union. Consent records, cookie definitions, and analytics data never leave the EU. We do not transfer personal data outside the EU/EEA without appropriate safeguards as required by GDPR.

  • Primary data storage: OVH Frankfurt, Germany (PostgreSQL database)
  • Queue management: OVH Frankfurt, Germany (Redis)
  • Cookie scanner: Runs on OVH Frankfurt infrastructure (Playwright)

Sub-processors

We use the following sub-processors to provide our service:

  • OVH: Database hosting (PostgreSQL), queue (Redis), cookie scanner (Playwright). Location: Frankfurt, Germany
  • Cloudflare: Reverse proxy, DDoS protection, WAF, CDN. Location: Global (EU edge locations)

Your Obligations as Data Controller

When using ArtaConsent to collect consent from your website visitors, you remain responsible for:

  • Privacy Policy: Provide a clear privacy policy to your visitors explaining what data you collect and how you use it
  • Cookie Information: Accurately categorize cookies and provide descriptions
  • Consent Validity: Ensure consent banners are shown before non-essential cookies are set
  • Data Subject Requests: Respond to access, deletion, and portability requests from your visitors
  • Lawful Basis: Have a valid legal basis for processing personal data
  • Third-Party Processors: Ensure DPAs are in place with all your vendors

ArtaConsent provides the tools and infrastructure for GDPR compliance, but you are responsible for using them correctly and meeting your obligations as a data controller.

Data Subject Rights

We assist you in fulfilling data subject requests from your website visitors:

  • Right of Access (Art. 15) - Export consent records via API or dashboard
  • Right to Rectification (Art. 16) - Update or correct consent choices
  • Right to Erasure (Art. 17) - Delete consent records via API
  • Right to Restrict Processing (Art. 18) - Withdraw or modify consent
  • Right to Data Portability (Art. 20) - Export in JSON/CSV format
  • Right to Object (Art. 21) - Reject non-essential cookies

To exercise these rights on behalf of your visitors, use our API or contact us at [email protected].

Consent Requirements (GDPR Article 7)

ArtaConsent ensures all consent collected meets GDPR requirements:

  • Freely given: No pre-checked boxes, separate consent per category
  • Specific: Clear categorization (necessary, functional, analytics, marketing)
  • Informed: Cookie descriptions and links to privacy policy
  • Unambiguous: Clear accept/reject actions with visual indicators
  • Proof: Consent records stored for 2 years with timestamp and choices
  • Withdrawable: Users can change consent at any time via banner

Security Measures (Article 32)

We implement state-of-the-art technical and organizational measures:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • Hashed visitor identifiers (SHA-256, not reversible)
  • Database row-level security (RLS)
  • Regular security audits and penetration testing
  • Access logging and monitoring
  • Domain validation (Origin/Referer checks) to prevent unauthorized data collection
  • API authentication and rate limiting

Breach Notification (Article 33)

In the event of a personal data breach affecting consent data we process on your behalf, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach. We will provide:

  • Nature of the breach and affected data categories
  • Likely consequences of the breach
  • Measures taken to address the breach
  • Contact information for further inquiries

You remain responsible for notifying supervisory authorities and affected individuals as required.

Data Retention and Deletion

We follow strict data retention policies:

  • Consent records: 2 years from collection (proof of consent requirement)
  • Analytics (aggregated): Retained indefinitely (fully anonymized)
  • Cookie definitions: While domain is active
  • Deleted domains: All data deleted within 30 days
  • On request: Individual consent records deleted immediately via API

Upon termination of service, all your data will be returned or deleted within 30 days as per the DPA.

Certifications and Compliance

  • ✅ GDPR compliant (Regulation (EU) 2016/679)
  • ✅ ePrivacy Directive compliant (Directive 2002/58/EC)
  • ✅ Google Consent Mode v2 certified implementation
  • ✅ IAB TCF 2.2 registered CMP
  • ✅ ISO 27001 security standards followed

Contact Our DPO

For any GDPR-related inquiries, DPA requests, or to report a data breach, contact our Data Protection Officer:

Data Protection Officer

Email: [email protected]

Mailing address: Artatol, Prague, Czech Republic

We will respond to your request within 30 days as required by GDPR.
