What Is GDPR and Why Does It Matter?
The General Data Protection Regulation (GDPR) is the European Union’s comprehensive data privacy law that went into effect in May 2018. GDPR was designed to give individuals greater control over their personal data while creating a unified privacy framework across EU member states. This landmark legislation fundamentally changed how organizations worldwide, regardless of their physical location, approach data collection, processing, and storage when serving EU residents.
At its core, GDPR establishes a set of data protection principles that govern how organizations must handle personal information. These principles aren’t just bureaucratic checkboxes. Instead, they represent a fundamental shift toward transparency and accountability in how companies process personal data.
For businesses like SSL.com operating in the digital certificate and public key infrastructure (PKI) space, understanding and implementing GDPR compliance is essential to building customer trust while navigating the complex landscape of international data protection laws.
If you have questions about how our data protection practices align with your business’s compliance needs, our team is here to provide the clarity you need to make informed decisions about your digital certificate requirements.
The 7 Principles of GDPR: A Framework for Data Protection
The General Data Protection Regulation is built on seven core principles that guide how organizations should approach data processing:
- Lawfulness, fairness, and transparency – Organizations must have legitimate reasons for processing personal data and be upfront about how they use it.
- Purpose limitation – Data should only be collected for specific, explicit purposes, not gathered “just in case” it might be useful later.
- Data minimization – Organizations should collect only what’s actually needed for their stated purposes.
- Accuracy – Personal data must be kept current and correct, with mechanisms to update or remove inaccurate information.
- Storage limitation – There must be boundaries on how long information can be retained, with data deleted when no longer necessary.
- Integrity and confidentiality – Security measures must protect data from unauthorized access, loss, or breaches.
- Accountability – Organizations must demonstrate their compliance through documentation and evidence rather than simply claiming it.
Together, these seven principles of GDPR create a comprehensive framework that balances business needs with individual privacy rights.
SSL.com’s Approach to GDPR Compliance
At SSL.com, we take data protection seriously and strive to comply with GDPR requirements whenever possible. As a global certificate authority serving customers across jurisdictions, we’ve implemented policies and procedures that align with the general data protection rules governing the processing of personal data.
Our commitment to GDPR compliance includes transparent data processing practices, clear privacy policies, and security measures that protect customer information. We limit data collection to what’s necessary for certificate issuance and validation, implement strong access controls, and provide customers with information about how their data is used. When we process personal data, we do so with an appropriate legal basis as required under GDPR data processing guidelines.
We also respect individuals’ rights under GDPR, including the right to access their data, correct inaccuracies, and understand how their information is being used. Our systems are designed to facilitate these rights while maintaining the security and integrity that our customers expect from a trusted certificate authority.
When CABF Baselines and the Law Converge: Transparency About Our Obligations
As a publicly trusted CA, SSL.com is bound by the technical and operational standards established by the CA/Browser Forum (CABF) for internet security and user protection, outlined within the CABF Baseline Requirements. However, these obligations may occasionally conflict with specific GDPR provisions. So what happens in these instances?
The CABF Baseline Requirements exist to maintain the security and integrity of the Internet’s public key infrastructure. They specify the information that must be collected, validated, and, in some cases, publicly disclosed during the certificate issuance process. For example, certain certificate information must be logged in Certificate Transparency (CT) logs, which are publicly accessible databases designed to protect against mis-issued certificates and enhance internet security.
Where requirements under the GDPR and the CABF standards intersect, we apply the GDPR in conjunction with applicable CABF requirements and other legal and contractual obligations. The GDPR expressly permits the retention of personal data where processing is necessary to comply with a legal obligation or to serve vital public interests, including internet security and the integrity of the public trust ecosystem. For example, personal data collected in connection with certificate issuance—such as validation evidence—may be retained for defined periods following certificate expiration or revocation, as required by CABF standards and in alignment with the applicable product Terms and Conditions, our Certificate Policy/Certification Practice Statement, and our Subscriber Agreements. Data subject rights under the GDPR are respected and exercised within these parameters, ensuring both regulatory compliance and the protection of internet users and relying parties.
SSL.com remains committed to data protection and respecting customer privacy to the fullest extent possible within our operational requirements and in accordance with the law. We don’t collect more data than necessary for certificate validation and issuance, we implement robust security measures to protect the information we hold, and we’re transparent about how and why we process personal data.
Still Have Questions About GDPR Compliance?
We encourage open dialogue with our customers about their specific privacy requirements. We can provide detailed information about our data handling practices and help you understand how these considerations might affect your organization’s use of our certificates.
This approach reflects our broader philosophy: being honest with customers, maintaining the highest security standards, and operating with integrity even when that means explaining limitations rather than making oversimplified claims.
If you have questions about how our data protection practices align with your organization’s compliance needs, our team is here to provide the clarity you need to make informed decisions about your digital certificate requirements.