Technical Audit of Personal Data Processing
Independent audit of websites against GDPR. HAR analysis, documented violations, open methodology.
Why this site exists
“One individual does not constitute public interest.”
This is how Andmekaitse Inspektsioon (AKI) — the Estonian GDPR regulator — justified closing my case against an advertising broker. In the official decision the wording was: “The complaint contains extensive technical argumentation, but at its centre is the individual access request of a specific data subject.” On the same day, 15 May 2026, AKI also closed my second case — against LiveRamp Holdings, Inc. — with identical reasoning.
Legally, this means the regulator is not obliged to investigate systematic GDPR violations as long as the complaint comes from a single individual. Practically, it allows the advertising industry to operate outside the law, because “mass complaints” cannot arise where the public has no information about the violations.
This site is my response to that logic. If protecting a citizen’s personal data is not recognised as public interest, I document the violations myself — openly and reproducibly. Every publication is available to anyone who wants to verify it, use it in their own complaint, or cite it in research. One person stops being “not a public interest” the moment their work becomes public.
See the Cases section for details on the case.
What this is technically
The site publishes technical audits of real websites — governmental and commercial — examining their processing of personal data under GDPR.
Each audit is a reproducible measurement: a HAR file of network traffic, request classification, comparison against the stated privacy policy, and legal qualification under specific GDPR articles.
What you should know
- All materials are published under CC BY 4.0 — they may be cited, used in journalism, research, or legal proceedings.
- This site is built on the same principles applied to audited sites: zero external trackers, zero cookies, strict Content-Security-Policy, all content served from its own domain within the EU.
- Evidence files (HAR) are published with SHA-256 cryptographic hashes.
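The two checks a reader can run on a published evidence file, as an added example that is not this site's own tooling or methodology: confirm the HAR matches its published SHA-256, then list the third-party hosts it contacted and whether cookies were set or sent. The sample capture, the host names, the function names and the two-label first-party heuristic are all assumptions made for illustration.

```python
import hashlib
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: a minimal HAR 1.2 capture of a fictional site, not real evidence.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"url": "https://www.example.ee/", "cookies": []},
     "response": {"cookies": []}},
    {"request": {"url": "https://static.example.ee/app.js", "cookies": []},
     "response": {"cookies": []}},
    {"request": {"url": "https://sync.adbroker.example/pixel?uid=123", "cookies": []},
     "response": {"cookies": [{"name": "uid", "value": "123"}]}},
    {"request": {"url": "https://sync.adbroker.example/match",
                 "cookies": [{"name": "uid", "value": "123"}]},
     "response": {"cookies": []}},
]}}).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def site_of(host: str) -> str:
    # Assumption: the last two labels approximate the registrable domain.
    # A real audit should use the Public Suffix List (e.g. for co.uk-style suffixes).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def third_party_summary(har_bytes: bytes, expected_sha256: str, first_party_host: str) -> dict:
    # Verify integrity on the raw bytes before parsing anything.
    if sha256_hex(har_bytes) != expected_sha256.lower():
        raise ValueError("HAR does not match the published SHA-256")
    first_party = site_of(first_party_host)
    summary = defaultdict(lambda: {"requests": 0, "sets_cookie": False, "sends_cookie": False})
    for entry in json.loads(har_bytes)["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        if site_of(host) == first_party:
            continue  # same site as the audited page: not a third party
        row = summary[host]
        row["requests"] += 1
        row["sets_cookie"] |= bool(entry["response"].get("cookies"))
        row["sends_cookie"] |= bool(entry["request"].get("cookies"))
    return dict(summary)


if __name__ == "__main__":
    published = sha256_hex(SAMPLE_HAR)  # stands in for the hash listed beside the file
    print(json.dumps(third_party_summary(SAMPLE_HAR, published, "www.example.ee"), indent=2))
```

The hash is computed over the file's raw bytes, so re-saving or pretty-printing a HAR changes the digest even when the recorded traffic is identical.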
How to use this
- The Countries section groups audits by country. Each country has its own GDPR regulator and list of audited sites.
- The Categories section groups sites by functional type (defence, healthcare, regulators, etc.). Useful for comparing sites of the same type across countries.
- The Audits section contains the full corpus in a single filterable list.
- The Methodology section describes how each audit is conducted.
- The Cases section contains correspondence with regulators: complaints, responses, appeals.
Latest audits
Audits will appear here as they are published.