If the cookies and trackers on your website (both your own and those of third-parties) send personal user data to a third country or an international organization outside of the EU, you need to check if the third country (or organization) ensures an adequate level of protection of the user data (GDPR Article 45.1). The European Commission decides which countries outside the EU are deemed adequate.
How can I check where my users' data is being sent?
In the monthly scan report, all cookies and other tracking technology in use are listed. Included in the scan report is information about each cookie and (if applicable) what country the cookie sends data to and whether that country is deemed adequate or not by the European Commission. An example of this is shown below.
Cookies sending data to adequate countries will be marked with (adequate).
Cookies sending data to inadequate countries will be marked with (not adequate) highlighted in red.
Please note that it is not possible to determine - in a technically reliable way - if a cookie contains personal data or not. Therefore, and because Cookiebot also helps you be compliant with the EU ePrivacy Directive (ePR), which is much stricter about cookies even if they do not contain personal data, all cookies are listed in the scan report and not just those that contain personal data. If you see a cookie listed as sending data to an 'inadequate' third country, do check if this is a marketing cookie or not. If it is a marketing cookie, it is fair to assume that it contains personal data.
Your latest scan report has been sent to the email address(es) listed in the backend Manager and is also available here:
1. Log in to your account https://manage.cookiebot.com/goto/login
2. Go to the menu point ‘Reports’
3. From here you can access your latest scan report
What should I do if I want to stop sending data to inadequate countries?
If you want to stop the cookies/trackers from sending your users' (personal) data to inadequate countries, you should delete that particular cookie. In the scan report you will find information about what type of cookie it is, where it was first found and in what line of the source code it can be found (where applicable). That way you can detect it and delete it.
What should I do if I want to continue sending data to inadequate countries?
If you want to continue allowing your users’ personal data to be sent to ‘inadequate’ countries outside the EU, then you must ask your users for an 'explicit consent' and inform them about the possible risks (see GDPR Article 49(1) a.). For this you can make use of the 'Explicit consent' method available in the backend Manager see What type of cookie consent banner should I use (to be GDPR compliant)? and and adjust the text in the cookie consent banner to include information about the possible risks. See How can I customize the content in the cookie consent banner?.
Last updated: 18 May 2018