Straight answers for your DPO.
Written by someone who has actually answered a DPO questionnaire. Here is what TagDrishti processes, on what legal basis, and what stays inside the EEA.
How TagDrishti satisfies GDPR as your Data Processor, and how the service helps you hold up your end as the Data Controller for the visitors landing on your site.
TagDrishti as your data processor.
When you point TagDrishti at your GTM tags, GDPR Article 28 applies. We are your Data Processor. You remain the Data Controller for the visitors on your domains.
In practice that means:
- We process monitoring data only on your documented instructions
- We flow the same obligations down to every sub-processor we use
- We help you answer Data Subject Access Requests
- We delete or return all data when you leave the service
- We share whatever you need to evidence compliance to your own auditors
- We notify you of any personal data breach within 72 hours of discovery
The Data Processing Agreement (DPA) is mandatory before the service activates, and it is signed electronically at dashboard.tagdrishti.com. One click, no printing.
Legal basis for tag monitoring.
A question that comes up in every DPO review: do I need consent to monitor my own GTM tags? The honest answer depends on what the tool actually collects.
TagDrishti’s monitoring script runs on Legitimate Interest (Art. 6(1)(f)), and the balancing test holds up because:
- Tag monitoring is data integrity and security, not advertising or profiling
- Session IDs are pseudonymised with a djb2 one-way hash and cannot be walked back to an individual
- Email, phone, token, and transaction keys are stripped from URLs before anything is written to storage
- The data is used to detect broken tags and security threats, nothing else
The script still honours your Consent Mode v2 signals. When a visitor declines analytics, the corresponding monitoring features step back accordingly.
Data minimisation.
Data minimisation is baked in. The collection list is narrow on purpose, because anything we do not need is a risk we do not want to carry:
- Collected: Tag name, type, status, execution time. The core of the monitoring signal.
- Collected: Page path and domain, required to attribute a tag firing.
- Collected: Device class and viewport, required for Core Web Vitals attribution.
- Collected: Consent signals, required for compliance reporting.
- Not collected: Full URLs with query strings. PII parameters are stripped first.
- Not collected: IP addresses, held for seconds for rate-limiting, then dropped.
- Not collected: User identifiers, replaced with a pseudonymous session hash.
- Not collected: Email, phone, name, any other PII. Actively scrubbed.
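One way to strip PII from a URL before storage, shown as an added example that is not TagDrishti's code. It goes beyond key-name matching to also catch e-mail addresses carried in values, path segments and fragments; the key fragments, the e-mail pattern and the REDACTED marker are assumptions.

```javascript
// Added illustration, not TagDrishti's code. The key fragments, the e-mail
// pattern and the REDACTED marker are assumptions chosen for this example.
const PII_KEY_PARTS = ["mail", "phone", "token", "transaction", "txn"];
const EMAIL = /[^\s@\/]+@[^\s@\/]+\.[^\s@\/]+/;

// decodeURIComponent throws on malformed escapes such as "%zz".
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

function scrubUrl(raw) {
  const url = new URL(raw);
  const removed = new Set();
  // Iterate over a copy: deleting from the live list while iterating skips entries.
  for (const [key, value] of [...url.searchParams]) {
    const byKey = PII_KEY_PARTS.some((p) => key.toLowerCase().includes(p));
    const byValue = EMAIL.test(value); // PII hidden under an innocuous key name
    if (byKey || byValue) {
      url.searchParams.delete(key);
      removed.add(key);
    }
  }
  url.hash = "";      // fragments often carry tokens or SPA state
  url.username = "";  // credentials in the authority part are never needed
  url.password = "";
  // Path segments can hold addresses too, e.g. /unsubscribe/<email>.
  url.pathname = url.pathname.split("/")
    .map((seg) => (EMAIL.test(safeDecode(seg)) ? "REDACTED" : seg))
    .join("/");
  return { url: url.toString(), removed: [...removed] };
}

// Constructed sample input.
const sample = "https://shop.example/unsubscribe/jane.doe%40example.org/done" +
  "?utm_source=news&user_email=jane.doe%40example.org&ref=jane.doe@example.org" +
  "&access_token=abc123&page=2#id_token=constructed";
console.log(scrubUrl(sample));
```

Matching on key names alone misses the `ref` parameter in the sample, which is why values are checked as well.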
Session pseudonymisation.
For visitors identified as EU residents by Cloudflare geo-IP, session IDs are produced with a djb2 one-way hash over a daily rotating salt plus an approximate client fingerprint. The practical effect:
- Sessions can be counted for statistical and debugging purposes
- Sessions cannot be tied back to a specific person without the salt
- The salt rotates daily, so cross-day re-identification is not possible
- This satisfies the pseudonymisation bar GDPR draws in Recital 26
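The scheme described above, sketched as an added example that is not TagDrishti's code: djb2 over a per-day salt plus a coarse fingerprint. The salt store, the fingerprint fields and the hex output format are assumptions.

```javascript
// Added illustration, not TagDrishti's code. Salt format, fingerprint fields
// and the 8-character hex output are assumptions made for this example.

// djb2 (Bernstein): h = h * 33 + c, starting from 5381, kept to 32 bits.
function djb2(str) {
  let h = 5381;
  for (let i = 0; i < str.length; i++) {
    h = (Math.imul(h, 33) + str.charCodeAt(i)) >>> 0;
  }
  return h;
}

// Hypothetical coarse fingerprint: device class, viewport, language.
function approxFingerprint({ deviceClass, viewport, language }) {
  return [deviceClass, viewport, language].join("|");
}

// The salt is server-side secret material replaced every UTC day. A Map
// stands in for that store; real salts must be random and destroyed once
// their day has passed, otherwise old hashes stay linkable.
function sessionHash(saltsByDay, date, client) {
  const day = date.toISOString().slice(0, 10); // YYYY-MM-DD in UTC
  const salt = saltsByDay.get(day);
  if (!salt) throw new Error("no salt for " + day + " (rotated out or not issued)");
  const digest = djb2(salt + "|" + approxFingerprint(client));
  return digest.toString(16).padStart(8, "0");
}

// Constructed sample data.
const salts = new Map([
  ["2024-05-01", "k3Qw-constructed-salt-A"],
  ["2024-05-02", "Zp9x-constructed-salt-B"],
]);
const visitor = { deviceClass: "mobile", viewport: "390x844", language: "de-DE" };

const morning = sessionHash(salts, new Date("2024-05-01T08:00:00Z"), visitor);
const evening = sessionHash(salts, new Date("2024-05-01T21:30:00Z"), visitor);
const nextDay = sessionHash(salts, new Date("2024-05-02T08:00:00Z"), visitor);
console.log({ morning, evening, nextDay });
```

djb2 is a 32-bit non-cryptographic hash, so the unlinkability across days comes from the salt staying secret and being discarded after rotation, not from the hash function itself.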
EU data residency.
You decide where your monitoring data lives. TagDrishti runs four regional ingestion points, each sitting on its own BigQuery dataset inside that region:
- Europe (europe-west1, Belgium): the right pick for GDPR-scoped traffic. Events hitting the EU endpoint are written to the gtm_monitor_eu dataset in Belgium and are only read by the EU regional service. They do not cross the EEA boundary at rest or in flight.
- United States (us-central1, Iowa): for US-based customers or anyone who prefers US processing. Dataset: gtm_monitor_us.
- Asia Pacific (asia-south1, Mumbai): the default, and the lowest-latency option for India and South-East Asia. Dataset: gtm_monitor.
- Australia (australia-southeast1, Sydney): for Australian and New Zealand customers who need data resident in AU under the Australian Privacy Act and APP-8. Dataset: gtm_monitor_au.
Region is pinned at signup in the dashboard’s Getting Started → Data Residency step, and it locks on the tenant record as soon as the first event lands. Data cannot silently migrate after that. A BigQuery jobs query can show on request that every read from a regional service only ever touched its own dataset.
For EU customers, the Europe region is the straightforward pick. Processing stays inside the EEA and Standard Contractual Clauses are not needed. If an EU customer deliberately chooses APAC or US, SCCs (Module 2, Controller to Processor) are incorporated into the DPA by reference to cover that transfer.
Data subject rights: how we help.
As Data Controller you own the responses to visitor rights requests. TagDrishti gives you the tools to actually fulfil them:
- Right of Access / DSAR: Dashboard → Settings → Data & Privacy → Export Data produces a GDPR-ready export keyed on a pseudonymous session ID
- Right to Erasure: DELETE /api/consent/session/{hash} wipes every row for that session hash from BigQuery
- Right to Object: Monitoring runs on Legitimate Interest, so visitors can object through your existing privacy controls
GDPR compliance for your customers.
The Consent page in the dashboard gives you live consent rates across your domains, which is exactly the evidence your own clients want to see that their CMP is actually doing its job. It covers:
- Analytics consent rate (analytics_storage signal)
- Advertising consent rate (ad_storage signal)
- GPC (Global Privacy Control) signal detection
- Tags blocked by consent, visible in the Tag Health table
- EU session percentage
- Consent trend over 7, 30, and 90 day windows
EU and UK representatives.
TagDrishti is established in India. Where the service is offered to data subjects in the EEA or the UK, we designate representatives under Article 27 GDPR and the equivalent UK GDPR provision. The representatives act as a local point of contact for data subjects and supervisory authorities under Article 27(4):
- EU representative: [email protected] — designation in progress; until live, mail is routed to TagDrishti staff and forwarded to the named representative on record.
- UK representative: [email protected] — same arrangement as above.
The named representative, full registered address, and date of designation will be published on this page as soon as the mandates are signed.
Questions & DPA requests.
For GDPR questions, DPA requests, or to exercise your rights, write to [email protected].
Ready to sign the DPA electronically? Head to dashboard.tagdrishti.com.