GDPR — General Data Protection Regulation

Regulation (EU) 2016/679 — General Data Protection Regulation

In force since: 25 May 2018

Scope: Any processing of personal data of individuals in the EU

Primary source: Official text

Enforcement bodies:

  • NL: Autoriteit Persoonsgegevens (AP)
  • PT: CNPD

What this regulation requires

The GDPR requires that any processing of personal data has a lawful basis under Art. 6(1). The six lawful bases are:

  1. Consent — the data subject has given clear, informed, specific consent
  2. Contract — processing is necessary to perform a contract with the data subject
  3. Legal obligation — processing is required by law
  4. Vital interests — processing is necessary to protect someone’s life
  5. Public interest — processing is necessary for a task in the public interest
  6. Legitimate interests — processing is necessary for legitimate interests, unless overridden by the data subject’s rights

Relationship to ePrivacy

The GDPR and ePrivacy Directive work together but have different scopes:

  • ePrivacy (Art. 5(3)) governs storing or accessing information on a device. This is a consent-first regime with narrow exemptions.
  • GDPR (Art. 6) governs processing personal data. This allows multiple lawful bases including legitimate interest.

A legitimate-interest argument under GDPR Art. 6(1)(f) does not override the ePrivacy consent requirement. The ePrivacy Directive is lex specialis. A website must first comply with ePrivacy (consent for cookies), and separately ensure GDPR compliance for the data processing that follows.

How this applies in the Netherlands

UAVG — Uitvoeringswet Algemene verordening gegevensbescherming (Stb. 2018, 144) supplements the GDPR with national specifics: age of consent for minors (16), special-category processing rules, and BSN identifier handling.

Enforcer: Autoriteit Persoonsgegevens (AP).

How this applies in Portugal

Lei n.º 58/2019, de 8 de agosto implements the GDPR in Portugal. It specifies administrative fine scales, public-body processing rules, and the age of consent for minors.

Enforcer: CNPD — Comissão Nacional de Proteção de Dados.

What Elgarde checks

The scanner does not directly audit GDPR compliance (which requires reviewing data processing agreements, privacy policies, and internal processes). However, cookie-consent violations detected by the scanner have direct GDPR implications:

  • Trackers firing pre-consent may process personal data without a lawful basis
  • Cross-site profiling identifiers trigger GDPR obligations (NL Telecommunicatiewet art. 11.7a(4) creates a presumption of personal-data processing)
