Who is responsible for the processing on a website?
Under the GDPR (General Data Protection Regulation), website owners and operators are legally responsible for making sure that personal data is collected and processed lawfully. A website operated from outside the EU must also comply with the GDPR and other EU privacy laws if it collects and processes data from users inside the EU. For instance, a U.S. company offering goods or services to people in the EU via an online shop must consider EU privacy laws. Indicators of this include offering the shop in the language of an EU member state and displaying prices in euros (alongside other currencies).
If your company hosts a website and determines the purposes and means of the data processing taking place, you are responsible for complying with the respective GDPR obligations.
Are personal data processed on the website?
A website collects and stores personal data of its users by various means. Sometimes the user provides personal data voluntarily, for instance by filling out a contact form, signing up to a newsletter, or using a chat or comment function. Often, however, a website provider collects personal data without the data subject's awareness. For instance, cookies or even ordinary server log files can contain personal data, meaning any information that can be used to identify an individual, such as an IP address or login details.
Example: Contact forms
Many websites have contact forms for various purposes. To make sure your contact form is GDPR compliant, you should be able to justify every detail you ask for, in line with the principles of data minimisation and purpose limitation. For instance, you can ask users for their phone number or e-mail address and inform them that you will contact them via one of these means. If the purpose is simply to contact the user, requiring the full name, postal address, phone number, e-mail address, workplace, etc. is not justified: either an e-mail address or a phone number should suffice.
The principle of fairness and transparency under the GDPR requires that the data subject is informed of the existence of any data processing operations and of the following details:
- The identity of the controller and their contact details.
- The contact details of the Data Protection Officer (DPO), if applicable. Under the GDPR, appointing a DPO is mandatory in three circumstances: (1) The organisation is a public authority or body. (2) The organisation's core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale. (3) The organisation's core activities consist of large-scale processing of special categories of data (sensitive data such as personal information on health, religion, race or sexual orientation) and/or personal data relating to criminal convictions and offences.
- The purposes of the processing and its legal basis.
- If the legal basis is a legitimate interest, you must inform the data subject which legitimate interests are pursued and by whom (you or a third party).
- Other recipients of the personal data. Categories of recipients suffice.
- Whether you transfer the personal data to a third country or an international organisation and, if so, on what basis (an adequacy decision or the safeguards relied on).
In addition, the controller must provide the data subject with the following information, as required by Article 13 (2) GDPR:
- The retention period for the personal data.
- The data subject's rights under Art. 15 – 22 GDPR: the right to access, rectify and delete their data, to restrict its processing, to data portability and to object, as well as the right to lodge a complaint with a supervisory authority.
- Where processing is based on consent, you must inform the data subject of the right to withdraw that consent. This must be possible as easily as the consent was given.
- Where data is collected directly from data subjects pursuant to Art. 13 GDPR, data controllers must indicate whether individuals are legally or contractually obliged to provide their personal data or whether the data is necessary for the conclusion of a contract. This information must always be supplemented by the possible consequences for the individual of not providing their data.
- The existence of automated decision-making, including profiling, together with meaningful information about the logic involved and the significance and envisaged consequences for the data subject.
Information on Cookies
Cookie consent is a cornerstone of compliance with the GDPR and the ePrivacy Directive for websites with users from the EU. Placing cookies on a website is the most common way for personal data to be collected and shared online. To legally place cookies, EU privacy law requires you to obtain consent from the data subject by a clear affirmative act, and to collect personal data only after the user has consented to the specific purposes for which it is used.
Please make sure you fulfil these requirements when setting cookies on your website:
- Controllers must obtain prior consent before any activation of cookies. The only exception is 'strictly necessary cookies', which are essential for the technical functioning of the website or for delivering a service the user has explicitly requested.
- Consent must be granular. That means users must have a real choice to activate some cookies and not be forced to consent to either all or none.
- Users must consent freely.
- Users must be able to withdraw their consent as easily as they gave it.
- Controllers must securely store consent as legal documentation.
- Consent should be refreshed periodically; asking users to renew it once a year is a common recommendation of supervisory authorities.
Please note: Cookie consent is a much-discussed topic of European data protection law. The European Data Protection Board (EDPB) has issued guidelines on consent under the GDPR. It emphasised that a "cookie wall", or merely "continuing to swipe through or scroll a website", does not constitute valid consent. The Court of Justice of the European Union (CJEU) decided in a far-reaching judgement (Planet49, C-673/17) that "pre-ticked" consent boxes do not constitute valid consent. Therefore, please make sure that your consent banner fulfils the requirements for users to give valid and free consent.
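The requirements listed above translate directly into how a consent banner's code must behave. The following is an added example, not code from the original article: a minimal consent gate that loads non-essential scripts only after consent, keeps choices granular per category, makes withdrawal a single call, stores a timestamped record as evidence, and re-asks after the record expires or the policy version changes. The category names, the policy version string and the one-year renewal period are assumptions chosen for illustration. Storage and the clock are injected so the same code runs in Node for testing and in a browser, where `store` would wrap a first-party cookie or `localStorage`.

```javascript
// Added example (not from the original article): a minimal cookie-consent gate.
// Assumptions: three categories, a policy version string and a one-year TTL.

const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed categories
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000;            // renew consent once a year
const POLICY_VERSION = "2024-01";                             // assumed; bump to re-ask when purposes change
const STORE_KEY = "cookie_consent";

function assertCategory(category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown consent category: ${category}`);
}

class ConsentManager {
  constructor({ store = new Map(), now = () => Date.now() } = {}) {
    this.store = store;        // must provide get(key) / set(key, value)
    this.now = now;            // returns a ms timestamp; injectable for expiry tests
    this.loaders = new Map();  // category -> [loader functions]
    this.loaded = new Set();   // loaders that have already run (run each at most once)
  }

  // Register a tag/script loader under a category. Strictly necessary loaders
  // run right away; all others wait until the user has consented to the category.
  register(category, loader) {
    assertCategory(category);
    if (!this.loaders.has(category)) this.loaders.set(category, []);
    this.loaders.get(category).push(loader);
    if (this.hasConsent(category)) this.run(category);
  }

  // The stored consent record, or null when the user has not decided yet.
  record() {
    const raw = this.store.get(STORE_KEY);
    return raw ? JSON.parse(raw) : null;
  }

  // A record counts only if it matches the current policy version and is
  // younger than CONSENT_TTL_MS; otherwise the banner must be shown again.
  isValid(rec) {
    return rec !== null &&
      rec.version === POLICY_VERSION &&
      this.now() - rec.timestamp < CONSENT_TTL_MS;
  }

  needsBanner() { return !this.isValid(this.record()); }

  hasConsent(category) {
    assertCategory(category);
    if (category === "necessary") return true;   // exempt: no consent required
    const rec = this.record();
    return this.isValid(rec) && rec.choices[category] === true;
  }

  // Save the user's granular choices from the banner. Anything not explicitly
  // set to true is treated as refused, so nothing is ever pre-ticked. Returns
  // the stored record so it can also be logged server-side as evidence.
  save(choices) {
    const stored = { necessary: true };
    for (const c of CATEGORIES) {
      if (c !== "necessary") stored[c] = choices[c] === true;
    }
    const rec = { version: POLICY_VERSION, timestamp: this.now(), choices: stored };
    this.store.set(STORE_KEY, JSON.stringify(rec));
    this.apply();
    return rec;
  }

  // Withdrawal is a single call, as easy as giving consent. An expired or
  // outdated record is not carried over, so withdrawing never silently renews
  // other choices. Returns the categories now refused so the caller can delete
  // their cookies; scripts that already ran cannot be unloaded.
  withdraw(category) {
    assertCategory(category);
    const rec = this.record();
    const current = this.isValid(rec) ? rec.choices : {};
    this.save({ ...current, [category]: false });
    return CATEGORIES.filter(c => c !== "necessary" && !this.hasConsent(c));
  }

  withdrawAll() { return this.withdraw("analytics").concat(this.withdraw("marketing")).filter((c, i, a) => a.indexOf(c) === i); }

  // Run loaders for every category that currently has consent.
  apply() {
    for (const category of this.loaders.keys()) {
      if (this.hasConsent(category)) this.run(category);
    }
  }

  run(category) {
    for (const loader of this.loaders.get(category) || []) {
      if (this.loaded.has(loader)) continue;
      this.loaded.add(loader);
      loader();
    }
  }
}
```

The important design choice is that loaders are registered behind the gate rather than being embedded as plain `<script>` tags: a tag that is already in the page has fired before the banner can say no. Validating the record against a policy version means that adding a new purpose forces a fresh decision instead of stretching old consent to cover it.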
Cookie usage in the UK
- For the technical storage of, or access to, information for the sole purpose of carrying out the transmission of a communication over an electronic network. That is the case if communication between two “endpoints” is not possible without cookies.
Recommendations for website controllers
As this article shows, it is not too difficult to design and operate simple websites in compliance with data protection regulations. However, as soon as personal data is processed in diverse or complex ways on the website, individual solutions are usually necessary, and it is worthwhile to consult a data protection expert.
Such support can take the form of a data protection review of your company's website, regular penetration tests of the website's information security, or a data protection impact assessment workshop. These services help you produce and maintain the data protection documents and contracts your company needs, and provide more in-depth legal advice and suggestions to make sure your company is compliant.
Make data protection your competitive advantage. Our UK data protection support will help you!