About
What this project is
gdpr-audit.eu is an independent technical audit of personal data processing on the web. The project publishes reproducible measurements of websites against GDPR.
How this site came to be
On 17 April 2026, I submitted two complaints to Andmekaitse Inspektsioon (AKI), the Estonian GDPR regulator. The first against The Trade Desk, Inc., the second against LiveRamp Holdings, Inc. Both companies are major advertising brokers processing personal data of millions of EU citizens. Both complaints contained detailed technical analysis and references to specific GDPR articles.
On 15 May 2026, AKI closed both cases. On the same day, with virtually identical wording: “The complaint contains extensive technical argumentation, but at its centre is the individual access request of a specific data subject.” From this, the regulator concluded that there was insufficient “public interest” to warrant intervention.
This position technically contradicts both the text of the GDPR and the case-law of the Court of Justice of the EU. In rulings C-26/22 and C-64/22 (SCHUFA, December 2023) and C-768/21 (Land Hessen, September 2024), the Court directly established that regulators do not have broad discretion to refuse investigation — complaints must be examined with all due diligence, and references to “limited effectiveness” or “resources” are not lawful grounds for inaction.
But the AKI position has a deeper implication. If one person is “not a public interest”, then “public interest” only arises when many people simultaneously file complaints. But those people do not file complaints because they don’t know about the violations. They don’t know about the violations because the regulator doesn’t inform them. The logic closes on itself — which is exactly what suits the advertising industry. A system in which violations are invisible has no violations to address.
This site is a practical way out of that loop. If the regulator does not inform the public, I do. If “one person” is not enough, let there be a publication that the next person can rely on. Each audit published here turns an “individual complaint” into publicly accessible evidence available to anyone — a journalist, lawyer, NGO, or another data subject who wants to file their own complaint.
The AKI story is documented in the Cases section, where both decisions, my appeal regarding the LiveRamp case, and related correspondence are published.
Goals
- Make visible what is usually invisible. Data transfers to third countries happen in milliseconds and without notifying the user. The audit makes them recordable and discussable.
- Create a public corpus of evidence. Not “one person’s complaint” but a dataset that journalists, researchers, lawyers, regulators, and data subjects themselves can rely on.
- Show that clean architecture is achievable. Reference sites (eesti.ee, edpb.europa.eu) demonstrate that GDPR compliance does not require special expense — it is a question of priority.
Authorship and responsibility
The project is run by one person. All audits and publications are made under the author’s personal responsibility.
This is a deliberate choice. One person with a reproducible methodology can record facts. Further work — legal, political, journalistic — is the work of other people and organizations with other skills. The project does not aim to replace regulators, NGOs, or academic research. It provides primary material.
What this project does NOT do
- Does not file complaints on your behalf. If you want to file a complaint, contact your national supervisory authority or a specialized organization (e.g., noyb.eu).
- Does not provide legal advice. The legal qualification in audits is a reasoned opinion based on the text of GDPR and public practice, not a judicial decision.
- Does not accept commissioned audits. All publications are made on the author’s own initiative.
License
All materials are published under Creative Commons Attribution 4.0 International (CC BY 4.0). You may cite, copy, distribute, and use the material for any purpose, including commercial, provided you attribute the source.
HAR files are technical records of public website behavior and do not contain personal data of third parties.
Contact
contact@gdpr-audit.eu
For journalists, researchers, lawyers, regulators: responses within a reasonable time, typically within a week.
About this site
This site is built on the same principles applied to audited sites:
- Zero external trackers. No Google Analytics, Cloudflare Insights, Google Fonts, reCAPTCHA.
- Zero cookies.
- Strict Content-Security-Policy denying any external resources.
- All resources served from this domain inside the EU.
- Fonts are self-hosted, not from a CDN.
- Hosting on EU infrastructure.
- Open source for verification.
If you find a violation of these principles, write — it will be fixed immediately.
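One way to check the first three principles against a HAR capture of a site is sketched below. This is an added example, not this project's own tooling or methodology. The host `site.example`, the sample entries, the treatment of subdomains as same-site, and the reading of "strict" as "every source is 'self' or 'none'" are all assumptions.

```python
from urllib.parse import urlsplit

ALLOWED_SOURCES = {"'self'", "'none'"}  # assumption: "strict" means same-origin only

def csp_is_self_only(policy: str) -> bool:
    """True if the policy has default-src and every *-src source is 'self' or 'none'."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:  # first occurrence of a duplicated directive wins, as in CSP
            directives.setdefault(tokens[0].lower(), tokens[1:])
    if "default-src" not in directives:
        return False
    return all(src.lower() in ALLOWED_SOURCES
               for name, sources in directives.items() if name.endswith("-src")
               for src in sources)

def audit_har(har: dict, site_host: str) -> dict:
    """Report external hosts, cookie use and HTML responses lacking a same-origin-only CSP."""
    external, cookie_urls, weak_csp = set(), [], []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        url = req["url"]
        host = (urlsplit(url).hostname or "").lower()
        # Assumption: subdomains of the audited host count as the same site.
        if host != site_host and not host.endswith("." + site_host):
            external.add(host)
        headers = {}
        for h in resp.get("headers", []):
            headers.setdefault(h["name"].lower(), []).append(h["value"])
        if req.get("cookies") or resp.get("cookies") or "set-cookie" in headers:
            cookie_urls.append(url)
        if resp.get("content", {}).get("mimeType", "").startswith("text/html"):
            policies = headers.get("content-security-policy", [])
            # Multiple CSP headers intersect, so one same-origin-only policy is enough.
            if not any(csp_is_self_only(p) for p in policies):
                weak_csp.append(url)
    return {"external_hosts": sorted(external), "cookie_urls": cookie_urls, "weak_csp": weak_csp}

def _entry(url, mime, headers=(), cookies=()):
    """Build one constructed HAR entry (sample data, not a real capture)."""
    return {"request": {"url": url, "cookies": []},
            "response": {"headers": [{"name": n, "value": v} for n, v in headers],
                         "cookies": list(cookies), "content": {"mimeType": mime}}}

SAMPLE_HAR = {"log": {"entries": [  # constructed sample input
    _entry("https://site.example/", "text/html", [("Content-Security-Policy", "default-src 'self'; img-src 'self'")]),
    _entry("https://site.example/shop", "text/html", [("Content-Security-Policy", "default-src 'self'; font-src https://fonts.example.net"), ("Set-Cookie", "sid=1")]),
    _entry("https://fonts.example.net/a.woff2", "font/woff2"),
]}}

if __name__ == "__main__":
    print(audit_har(SAMPLE_HAR, "site.example"))
```

An empty result in all three fields is consistent with the principles for the pages captured; it says nothing about pages or states the capture did not visit.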
“It is not the armour that matters, but the strength of spirit.”
— Igor Kuzmin