
With the UK adopting its own UK GDPR following Brexit, it’s important to understand that you can’t just block people coming in from the EU or the UK from your website. As we have mentioned in other articles on GDPR compliance, GDPR specifically prohibits the automated profiling of individuals, including of their online identifiers or locations, which means that it is a violation of GDPR to note, in an automated fashion, the region of the world from which they are surfing over to your website.

Many of you have asked for the actual language of GDPR which prohibits automated profiling and, by extension, prohibits a site from excluding traffic from the EU and UK. So here it is. (You can read the full text of GDPR here.)

GDPR Text That Prohibits Blocking by Location Data (from the prefatory language)

(71) The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes “profiling” that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her.

However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child.

GDPR Text That Prohibits Blocking by Location Data (from the actual law)

Article 4 (1): “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Article 4 (4): “profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Article 35 provides for a “Data protection impact assessment” which must be carried out before implementing profiling by automated means, and this includes that “A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of…a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;”

And before such implementation a supervisory authority has to sign off on it, and even the data subjects themselves may need to agree to it.

So, basically, automated profiling of personal data is prohibited unless you jump through all of these hoops.

And that’s how GDPR prohibits the automated detection of IP addresses in order to geolocate and exclude UK and EU visitors and traffic.

Why You Can't Just Block UK & EU Visitors, Customers, or Any EU or UK Traffic Under GDPR


2 Responses

  1. You people are delusional if you think the EU can suddenly start making up global law.

    The rest of the world laughs at the EU for making crap up.



We are ISIPP SuretyMail, the original certified sender program and email deliverability service. Learn more here