The policy states that for EEA users, Medium processes personal data on the legal bases of consent, contract performance, legitimate interests, or legal obligation under GDPR, without specifying in the policy text which legal basis applies to each individual processing activity.
This analysis describes what Medium's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the claimed legal bases for EEA data processing, but the absence of a processing activity-level mapping to specific legal bases may present a compliance gap relative to GDPR accountability and transparency requirements enforced by EU supervisory authorities.
Interpretive note: The policy asserts legitimate interests as a legal basis without specifying which processing activities it covers, creating ambiguity about the scope of EEA users' right to object under GDPR Article 21.
Shifted focus from user rights (access, rectify, erase, restrict, portability, object) to Medium's legal bases for processing data, fundamentally changing the provision's perspective.
View full change record →Under this clause, EEA users' personal data is processed under one of four stated legal bases; however, the policy does not specify which basis applies to each processing activity such as behavioral tracking or marketing, which affects EEA users' ability to identify and exercise relevant data subject rights such as the right to object or withdraw consent.
How other platforms handle this
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We may disclose your information if we believe that disclosure is in accordance with, or required by, any applicable law or legal process, including lawful requests by public authorities to meet national security or law enforcement requirements. We may also disclose your information if we believe it...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Medium has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you are in the European Economic Area (EEA), we only process your personal data when we have a valid legal basis to do so, including when: (a) you have consented to the processing; (b) the processing is necessary to perform a contract with you; (c) we have a legitimate interest in processing your data; or (d) we are required to process your data to comply with a legal obligation.— Excerpt from Medium's Medium Privacy Policy
1. REGULATORY LANDSCAPE: GDPR Article 6 requires a lawful basis for each processing activity, and Article 13/14 requires that the specific legal basis be disclosed to data subjects. Article 21 provides a right to object to processing based on legitimate interests. EU supervisory authorities, including the Irish Data Protection Commission, have jurisdiction over Medium as a likely EU establishment. 2. GOVERNANCE EXPOSURE: Medium. The policy asserts legitimate interests as a legal basis without specifying which activities it covers or providing a summary of the balancing test conducted, which is a recognized gap in GDPR transparency compliance and has been the subject of enforcement actions by EU supervisory authorities. 3. JURISDICTION FLAGS: EEA users have primary exposure. The UK Information Commissioner's Office applies equivalent requirements under the UK GDPR post-Brexit. Swiss users are subject to nFADP requirements with similar legal basis disclosure obligations. 4. CONTRACT AND VENDOR IMPLICATIONS: Organizations operating under GDPR that rely on Medium as a data processor should verify that Medium's legal basis claims are compatible with their own processing purposes and that data processing agreements are in place as required by GDPR Article 28. 5. COMPLIANCE CONSIDERATIONS: EU data protection officers should assess whether Medium's legitimate interests processing is accompanied by a documented Legitimate Interests Assessment (LIA) and whether the processing activity mapping required by GDPR Articles 13 and 14 is reflected in Medium's full privacy disclosures beyond the policy text.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the claimed legal bases for EEA data processing, but the absence of a processing activity-level mapping to specific legal bases may present a compliance gap relative to GDPR accountability and transparency requirements enforced by EU supervisory authorities.
Under this clause, EEA users' personal data is processed under one of four stated legal bases; however, the policy does not specify which basis applies to each processing activity such as behavioral tracking or marketing, which affects EEA users' ability to identify and exercise relevant data subject rights such as the right to object or withdraw consent.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Medium.