[fooblat]

I work for a German company and am responsible for GDPR implementation. I would not suggest following the advice in the article. It is full of mistakes and bad advice and would easily put you at risk for a law suit, at least in Germany.

If you are coming at this from any perspective other than "what is the minimum data I need to collect to run my service" then you aren't following the GDPR.

I've noticed that a lot of US based companies claim GDPR compliance but when you read their privacy policy, they clearly aren't compliant. The biggest violations come from what companies try to claim as "legitimate interest." Things such as analytics tracking, that are not tied to service delivery, are not acceptable under legitimate interest. Sharing my visit with Meta will never be legitimate interest. And so on.

[zufallsheld]

Can you explain where the mistakes exactly are?

[fooblat]

I took a look at their privacy policy and the company behind this blog isn't even GDPR compliant, despite their claims. Note the following from their privacy policy:

"Research and analysis - We may process usage data and/or transaction data for the purposes of researching and analysing the use of our website and services, as well as researching and analysing other interactions with our business. The legal basis for this processing is our legitimate interests, namely monitoring, supporting, improving and securing our website, services and business generally."

This for of tracking requires consent. It cannot be justified as legitimate interest. Even this questionable blog post itself says so "Why: Because analytics is not required in order for the site to function."

edit: typos Their site never asked for my consent.