Right to know
What data they hold about you, why, who they share it with, how long they keep it, where they got it, and whether it feeds automated decisions.
GDPR gives you rights. To know what's collected. To say no. To change your mind. To be forgotten. Most sites bury all that in a 4,000-word policy nobody reads, then ignore it when you click reject.
The Vakteye badge sits on sites where we've tested whether what they say matches what the code does. The site pays us. The law decides the result, not us. If a site fails the test, the badge comes off.
This page is for visitors, not site operators.
GDPR rights
Six GDPR rights, short. Click any article link for the original text.
What data they hold about you, why, who they share it with, how long they keep it, where they got it, and whether it feeds automated decisions.
Saying no can't be harder than saying yes. Consent has to be freely given and a real choice.
You can change your mind anytime. Withdrawal stops future processing. Anything done before, based on the consent you'd given, stays lawful.
You can ask them to delete your data, unless they have a legal reason to keep it.
Direct marketing — they have to stop. Other legitimate-interest processing — you can object, controller may refuse on compelling grounds.
You can get the data you actively provided in a standard format and move it elsewhere. Applies when you consented or signed a contract, and the data is processed automatically. Inferred or derived data isn't covered.
Assurance boundary
The reviewed automated assessment scope had no open findings at the reviewed time. If a monitored finding remains unresolved, the badge comes off this page.
That the site is perfect, or that anyone at Vakteye personally vouches for them. We test against the law. That's not the whole picture of a company.
The site does. But the result is decided by the law, not by us. If we softened findings to keep customers happy, the badge wouldn't be worth anything.
Behavioural test surface
Eight things. Click any item for how we test it.
We click reject as a regular visitor and watch whether tracking cookies and pixels stop loading. If they don't, the site broke your choice.
Many sites load third-party trackers right at page-load, before you've said yes or no. We measure what's sent in the first half-second.
Google Consent Mode and Meta Pixel can be configured to report rejection but still send pseudonymised data. We decode the signals.
TLS, secure cookie flags, CSP, HSTS, X-Frame-Options.
We fill test values and watch whether the content is sent to third parties before the form was submitted.
Hardcoded API keys and similar secrets in client code are a common leak. We scan with two detectors.
We map key accessibility checks to WCAG 2.1 AA and applicable EU/national accessibility obligations where they apply.
We read the policy and compare against network traffic. A gap becomes a reviewable legal and operational risk, not an automatic legal conclusion.
An automated scanner can't reach everything. Logged-in flows, payments, and manually configured privacy features are out of scope. If a WAF or browser challenge blocks us, we flag it.
Certificate lookup
Enter a domain or a certificate number.
Escalation paths
Report it to us. We'll re-scan within 24 hours.
File with IMY (the Swedish Data Protection Authority).
noyb files regulatory complaints with data protection authorities on your behalf, free.
EDPB: how cookie banners hide the Reject button (2023).
Why it matters
EU law says your personal data is yours. But the gap between what privacy policies promise and what code actually does is too large. Annual audits catch it too late. A badge that can't be revoked says nothing. We measure what the law requires, every week, and publish the result.