GDPR Compliance — Complete Guide
Everything about GDPR: cookies, privacy, trackers, user rights, fines and 5 detailed guides
1. What is GDPR and who does it affect?
GDPR (General Data Protection Regulation) is the European Union's regulation on the protection of personal data, in force since 25 May 2018. It is not only an internal EU law: it applies to any website, wherever it is hosted, that offers goods or services to people in the EU or monitors their behaviour, which in practice covers every site that collects data from EU visitors.
For Serbia this is particularly relevant because the Law on Personal Data Protection (ZZPL), adopted in 2018, largely follows the principles of GDPR. If you have visitors from the EU or plan to do business on the European market, GDPR compliance is mandatory.
2. Key GDPR requirements
GDPR sets clear rules for processing personal data:
- Consent — where consent is your legal basis, it must be freely given, specific, informed and unambiguous, and obtained before the data is collected. Pre-ticked checkboxes and silence are not valid consent, and withdrawing consent must be as easy as giving it.
- Privacy policy — every site must have a clear, understandable privacy policy explaining which data you collect, why and on what legal basis, how you use it and how long you keep it.
- Right of access — users may request a copy of all data you hold about them, and you must respond within one month (extendable by two further months for complex or numerous requests).
- Right to erasure — known as the "right to be forgotten". Users may ask you to delete all their data, and you must do so unless there is a legal ground to keep it (for example a statutory retention obligation).
- Data minimisation — collect only the data that is genuinely necessary to provide the service. Do not ask for more than you need.
- Breach notification — if personal data is breached, you must notify the supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and notify the affected users without undue delay when the breach is likely to put them at high risk.
3. Cookies and trackers
Cookies are one of the most common areas of GDPR non-compliance. What you need to know:
- A cookie banner is mandatory — if you set any cookies beyond the strictly necessary ones (those the site needs in order to function), you must obtain consent before setting them. The consent requirement for cookies comes from the ePrivacy Directive; GDPR defines what counts as valid consent.
- A reject option — users must be able to refuse cookies as easily as they accept them. A "Reject all" button must be as visible as "Accept all", on the first layer of the banner rather than hidden behind a "Settings" link.
- Cookie types — distinguish strictly necessary (session, shopping cart), analytics (Google Analytics), marketing (Facebook Pixel, AdSense) and functional (language preferences) cookies, and let users consent to each category separately.
- Google Analytics and GDPR — using Google Analytics requires consent from EU users, and several supervisory authorities have objected to the data transfers it involves. Consider alternatives such as Plausible or Umami, which are designed with privacy in mind.
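The rule in the list above (nothing non-essential before an explicit opt-in, and refusing as easy as accepting) is easiest to get right when the site has exactly one code path that sets cookies and loads tags. The block below is an added example written for this page; it is not code from the original page or from any consent library it mentions. The cookie name cc_consent, the 180-day re-ask period, the category names and the in-memory cookie jar are assumptions chosen for the example.

```javascript
// Added example, not code from the original page: a minimal consent gate
// for a site's own JavaScript. Non-essential cookies and tracker scripts
// stay off until the visitor explicitly opts in; a refusal is stored and
// honoured exactly like an acceptance.
//
// Assumptions (chosen for this example): the decision is kept in one
// first-party cookie named "cc_consent" holding JSON; the cookie store and
// the tracker loaders are injected so the logic runs in Node as well as in
// a browser, where the jar would read and write document.cookie.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const CONSENT_COOKIE = "cc_consent";
const CONSENT_TTL_SECONDS = 180 * 24 * 3600; // re-ask after ~6 months (assumption)

// In-memory stand-in for document.cookie, used by the walk-through below.
function memoryCookieJar() {
  const store = new Map();
  return {
    get: (name) => store.get(name),
    set: (name, value) => { store.set(name, value); },
    names: () => [...store.keys()],
  };
}

function createConsentGate({ cookieJar, loaders = {}, now = () => Date.now() }) {
  // An absent or malformed record means "no decision yet", which is
  // treated exactly like a refusal: nothing non-essential may run.
  function readDecision() {
    const raw = cookieJar.get(CONSENT_COOKIE);
    if (!raw) return null;
    try {
      const parsed = JSON.parse(raw);
      return parsed && parsed.categories && typeof parsed.categories === "object" ? parsed : null;
    } catch {
      return null;
    }
  }

  // Strictly necessary cookies never need consent; everything else needs
  // an explicit boolean true in the stored record (no truthy strings).
  function isAllowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (category === "necessary") return true;
    const decision = readDecision();
    return decision !== null && decision.categories[category] === true;
  }

  // The one place site code sets cookies: a cookie tagged with a category
  // the visitor has not opted into is not written at all.
  function setCookie(name, value, category) {
    if (!isAllowed(category)) return false;
    cookieJar.set(name, value);
    return true;
  }

  // Run the loader of every category that is allowed right now and report
  // which ones ran. Loaders must be idempotent (e.g. inject a tag once).
  function apply() {
    const loaded = [];
    for (const [category, loader] of Object.entries(loaders)) {
      if (isAllowed(category)) { loader(); loaded.push(category); }
    }
    return loaded;
  }

  // Persist a decision. Every optional category defaults to false, so a
  // pre-ticked box or a missing key can never count as consent.
  function record(choices) {
    const categories = {};
    for (const c of CATEGORIES) categories[c] = c === "necessary" || choices[c] === true;
    cookieJar.set(CONSENT_COOKIE, JSON.stringify({ ts: now(), ttl: CONSENT_TTL_SECONDS, categories }));
    return apply();
  }

  const acceptAll = () => record({ functional: true, analytics: true, marketing: true });
  const rejectAll = () => record({}); // "Reject all" is a stored decision, not a dismissal

  return { isAllowed, setCookie, apply, record, acceptAll, rejectAll, readDecision };
}

// Walk-through on constructed data: first visit, reject all, then a later
// opt-in to analytics only. Returns the observed results for inspection.
function demo() {
  const jar = memoryCookieJar();
  const loaded = [];
  const gate = createConsentGate({
    cookieJar: jar,
    loaders: {
      analytics: () => loaded.push("analytics"), // would inject gtag.js here
      marketing: () => loaded.push("marketing"), // would inject the pixel here
    },
  });
  const steps = [];
  steps.push(["first visit, _ga set?", gate.setCookie("_ga", "GA1.1.1", "analytics")]); // false
  steps.push(["first visit, session set?", gate.setCookie("sessionid", "s1", "necessary")]); // true
  steps.push(["reject all loads", gate.rejectAll().join(",")]); // ""
  steps.push(["opt in to analytics loads", gate.record({ analytics: true }).join(",")]); // "analytics"
  steps.push(["cookies present", jar.names().join(",")]); // "sessionid,cc_consent"
  return { steps, loaded };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a browser the jar would read and write document.cookie (adding Max-Age, Secure and SameSite attributes) and the loaders would insert the gtag.js or pixel script tags; the gate itself does not change. Note what the gate cannot do: it cannot stop a third-party script that is already written statically into the HTML, so tags must be injected by the loaders and never placed in the page template.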
4. Penalties for non-compliance
GDPR provides for serious penalties for non-compliance:
- Up to 20 million euros or 4% of worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious infringements such as processing data without a legal basis, violating users' rights or unlawful international transfers.
- Up to 10 million euros or 2% of turnover, whichever is higher, for lesser infringements such as missing records of processing activities or failing to notify a breach.
- Real-world examples — Amazon was fined 746 million euros (Luxembourg, 2021) and Meta 1.2 billion euros (Ireland, 2023), and even small companies receive fines of tens of thousands of euros for a missing cookie banner or an inadequate privacy policy.
Fines are proportionate to the size of the company and the seriousness of the infringement, so a small site is unlikely to receive a million-euro fine, but regulators increasingly audit smaller companies as well.
5. Our detailed GDPR guides
Each aspect of GDPR compliance is covered in its own guide:
Cookie Consent
GDPR requirements for cookies, cookie banner implementation, CookieConsent, Google Consent Mode.
Privacy Policy
How to write a privacy policy: mandatory information, GDPR Articles 13 and 14, templates and generators.
Third-Party Trackers
Google Analytics, Facebook Pixel and GDPR. Schrems II, GDPR-compliant alternatives, Consent Mode v2.
User Rights
The 8 GDPR rights: access, erasure, portability, objection. Deadlines and technical implementation.
GDPR Fines
The 10 largest fines, penalty structure, how to avoid them. The Serbian ZZPL and the Commissioner (Poverenik).
6. What our scanner checks
Our Web Security Scanner checks 7 GDPR aspects:
- Privacy policy page
- Cookie consent mechanism
- Cookies set before consent
- HTTPS encryption of data in transit
- Security headers
- Third-party trackers and analytics
- Forms and data collection
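One way to see what a first visit actually does on the wire, before any banner is clicked, is to fetch the page with no cookies and inspect the single response. The block below is an added example written for this page and is not the scanner's own code. The allowlist of strictly necessary cookie names, the tracker host table, the list of required security headers and the sample response (including the placeholder measurement id G-XXXX) are all constructed for illustration.

```javascript
// Added example, not the scanner's own code: a static audit of one page
// fetch made without any consent cookie, covering the checks a GDPR scan
// can make from a single response. Whether a consent banner is actually
// shown needs a real browser and is not attempted here.
//
// Assumptions (chosen for the example): the strictly-necessary cookie
// allowlist, the tracker host table, the required headers and
// SAMPLE_RESPONSE are all constructed for illustration.

const NECESSARY_COOKIES = new Set(["sessionid", "csrftoken", "cart", "cc_consent"]);
const TRACKER_HOSTS = {
  "www.googletagmanager.com": "Google Tag Manager / GA4",
  "www.google-analytics.com": "Google Analytics",
  "connect.facebook.net": "Meta (Facebook) Pixel",
  "pagead2.googlesyndication.com": "Google AdSense",
};
const REQUIRED_HEADERS = ["strict-transport-security", "content-security-policy", "x-content-type-options"];

const SCRIPT_SRC = /<script[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
const FORM_ACTION = /<form[^>]*\saction\s*=\s*["']([^"']+)["']/gi;
const PRIVACY_LINK = /<a[^>]*href\s*=\s*["'][^"']*privacy[^"']*["']/i;

// Set-Cookie lines -> cookie names (attributes are irrelevant for this check).
function cookieNames(setCookieLines) {
  return setCookieLines.map((line) => line.split(";")[0].split("=")[0].trim()).filter(Boolean);
}

// Collect every URL captured by a global attribute regex, resolved against
// the page URL so first-party assets can be told apart from third parties.
function extractUrls(html, attrRegex, pageUrl) {
  const out = [];
  attrRegex.lastIndex = 0; // global regexes keep state between calls
  let m;
  while ((m = attrRegex.exec(html)) !== null) {
    try { out.push(new URL(m[1], pageUrl)); } catch { /* unparsable URL: ignore */ }
  }
  return out;
}

// Returns a list of { check, detail } findings; an empty list means clean.
function auditResponse({ url, headers, setCookie, html }) {
  const findings = [];
  const page = new URL(url);
  const lower = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));

  if (page.protocol !== "https:") findings.push({ check: "https", detail: "page served over plain HTTP" });
  for (const name of REQUIRED_HEADERS) {
    if (!(name in lower)) findings.push({ check: "headers", detail: `missing ${name}` });
  }
  // Any cookie outside the strictly-necessary allowlist, set on a request
  // that carried no consent, is a pre-consent cookie.
  for (const name of cookieNames(setCookie)) {
    if (!NECESSARY_COOKIES.has(name)) findings.push({ check: "pre-consent-cookie", detail: `${name} set before consent` });
  }
  for (const src of extractUrls(html, SCRIPT_SRC, page)) {
    if (src.hostname === page.hostname) continue;
    const label = TRACKER_HOSTS[src.hostname];
    findings.push({
      check: "third-party",
      detail: label ? `${label} (${src.hostname}) loaded before consent` : `third-party script from ${src.hostname}`,
    });
  }
  for (const action of extractUrls(html, FORM_ACTION, page)) {
    if (action.protocol !== "https:") findings.push({ check: "forms", detail: `form submits to ${action.href} over plain HTTP` });
    else if (action.hostname !== page.hostname) findings.push({ check: "forms", detail: `form submits to third party ${action.hostname}` });
  }
  if (!PRIVACY_LINK.test(html)) findings.push({ check: "privacy-policy", detail: "no link to a privacy policy found" });
  return findings;
}

// Constructed sample: an HTTPS shop page with HSTS but no CSP, a _ga cookie
// set on first contact, GTM loaded unconditionally and a newsletter form
// posting over plain HTTP. "G-XXXX" is a placeholder measurement id.
const SAMPLE_RESPONSE = {
  url: "https://shop.example/",
  headers: { "Content-Type": "text/html; charset=utf-8", "Strict-Transport-Security": "max-age=63072000" },
  setCookie: [
    "sessionid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.1.1234.5678; Path=/; Max-Age=63072000",
  ],
  html: `<html><head>
  <script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
  <script src="/static/app.js"></script>
</head><body>
  <form action="http://newsletter.example/subscribe" method="post"><input name="email"></form>
  <a href="/privacy-policy">Privacy policy</a>
</body></html>`,
};

for (const f of auditResponse(SAMPLE_RESPONSE)) console.log(`[${f.check}] ${f.detail}`);
```

A static audit like this covers six of the seven aspects listed above; whether a banner is shown at all, and whether "Reject all" is as prominent as "Accept all", can only be judged in a real browser because banners are rendered by JavaScript. Treat the findings as leads rather than verdicts: a cookie name missing from the allowlist may still be strictly necessary, so the allowlist has to be tuned per site.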