Use of Web Analytical Tools under the GDPR and ePrivacy Directive

Nowadays, most organisations and businesses use web analytics tools. In fact, the concern is not the use of these tools but how they work, since they use cookies or similar technologies that require consent before any processing takes place.



“A web analytical tool refers to a combination of (a) measuring, (b) acquisition, (c) analyzing and (d) reporting of data collected from the Internet with the aim of understanding and optimizing web experience” – Web Analytics Association (2008). 

A web analytics tool provides the ability to analyze sales, track revenue generated by the site, identify exit pages, monitor visitor traffic, detect website errors, etc. In other words, it shows what works, what does not and what can be improved to maximize results.


Until 25 May 2018, the principal EU legal instrument on data protection was Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive).

As of 25 May 2018, the Data Protection Directive was superseded by Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR).

Additionally, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, translated the principles set out in Directive 95/46/EC into specific rules for this sector (ePrivacy Directive).

On 10 January 2017, a proposed regulation was published to update the above-mentioned Regulation, which aims, among other things, at alignment with the rules set in the GDPR (ePrivacy Draft Proposal Regulation).


The businesses or organisations providing a web analytical tool act as Data Processors, and the entities taking the service act as Data Controllers. Where data is transferred to third parties, you may be dealing with joint controllers.


  1. Start by reviewing how you are obtaining consent. See:
  2. Ensure compliance with the Principles for Processing Personal Data. See:
  3. Ensure compliance with the Data Subject’s Rights. See:
  4. Pay special attention to transborder data flows, e.g. where is the data stored? See:
  5. Review the legal obligations of data controllers, data processors and if needed the contractual relationship between joint controllers. See: and,
  6. Check and update, or if necessary ask for an update of, the relevant Privacy Policies.
Jessica Lam

Lawyer and Entrepreneur.