How to make a website compliant with privacy laws in the EU and the UK?

Who is responsible for the processing on a website?

Under the GDPR (General Data Protection Regulation), website owners and operators are legally responsible for making sure that personal data is collected and processed lawfully. A website outside of the EU is also required to comply with the GDPR and other EU privacy laws, if it collects and processes data from users inside the EU. For instance, a U.S. company offering goods or services to EU citizens via an online shop must consider EU privacy laws. Indicators for that can be if the online shop is available in a relevant language and if prices are (also) displayed in Euros.

If your company hosts a website and determines the purposes and means of the data processing taking place, you are responsible for complying with the respective GDPR obligations.

Are personal data processed on the website?

A website collects and stores personal data of its users by various means. Sometimes the user provides personal data voluntarily, for instance, by filling out a contact form, signing up to a newsletter, via a chat or comment function. Often however, the collection of personal data by a website provider happens without the data subject’s awareness. For instance, the activation of cookies or even log files can already contain personally identifiable information, which is any information that can be used to identify an individual, such as an IP address or login details.

Please note that even if a website does not process personally identifiable information, it doesn’t mean that a privacy policy or cookie policy is not necessary. In the context of placing cookies, EU law actually requires website (or app) providers to disclose any cookies or similar tracking technologies, regardless of whether or not they collect and process personal data. This approach has been confirmed recently by the European Court of Justice in the Planet49 decision.

Example: Contact forms

Many websites have contact forms for various purposes. To make sure your contact form is GDPR compliant, you should justify why you are asking for any details. You should make sure you adhere to the principles of data minimisation and purpose limitation. For instance, you can ask users for their phone number or e-mail address and inform them that you will contact them via one of these means. It is not justified to require the full name, postal address, phone number, e-mail address, workplace, etc. if the purpose is to contact the user. Either an e-mail address or phone number should suffice.

You are required to add to the contact form a tick box for users to confirm that they accept the terms of using your website by providing a link to the privacy policy and that they agree to be contacted by you. If you wish to send further marketing communications to the user, you must obtain specific consent for that purpose via an unchecked box. Therefore, you must sufficiently inform your website users of the data that is processed, for what purpose and on what legal basis.

Which websites need a privacy policy?

First of all, every website complying with EU privacy laws needs to publish a privacy policy. A privacy policy is a document that states what personal data you collect from users, why and how you keep the data secure. The purpose is to inform users about how their data is being handled, thus fulfilling your obligation under Art. 13 and 14 GDPR to inform your website users about any processing activities.

Please note that one of the main functions of a privacy policy is to inform website users of the types of personal data being collected and how the company uses that information. Therefore, even if the company itself does not collect personal data, a third party may do so on their behalf. Thus, any company website should always have a privacy policy in place.

The principle of fairness and transparency under the GDPR requires that the data subject is informed of the existence of any data processing operations and of the following details:

• The identity of the controller and his contact details.

The contact details of the Data Protection Officer (DPO), if applicable. Under the GDPR, appointing a DPO is mandatory under three circumstances: (1) The organisation is a public authority or body. (2) The organisation’s core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale. (3) The organisation’s core activities consist of large-scale processing of special categories of data (sensitive data such as personal information on health, religion, race or sexual orientation) and/or personal data relating to criminal convictions and offences.

• The purposes of the processing and its legal basis.
• If the legal basis is a legitimate interest, you must inform the data subject who (you or a third party) follows which legitimate interests.
• Other recipients of the personal data. Categories of recipients suffice.
• If you also transfer the personal data to a third country or an international organisation.

In addition, the controller must provide the data subject with the following information, as required by Article 13 (2) GDPR:

• The retention period for the personal data.
• The data subject’s rights under Art. 15 – 23 GDPR: the right to access, rectify, delete, restrict the processing of, data portability, and object and complain to a supervisory authority.
• Where processing is based on consent, you must inform the data subject of the right to withdraw that consent. This must be possible as easily as the consent was given.
• Where data is collected directly from data subjects pursuant to Art. 13 GDPR, data controllers must indicate whether individuals are legally or contractually obliged to provide their personal data or whether the data is necessary for the conclusion of a contract. This information must always be supplemented by the possible consequences for the individual of not providing their data.
• The existence of automated decision-making, such as profiling.

See this article for more guidance on how controllers can fulfil their information duties. Plus: You can create a privacy policy for your website with our free generator.

Information on Cookies

Cookie consent is a cornerstone of compliance with the GDPR and the ePrivacy Directive for websites with users from the EU. Placing cookies on a website is the most common way for personal data to be collected and shared online. To legally place cookies, the EU privacy laws require you to obtain consent from the data subject and only collect personal data from users after they have given their explicit consent to the specific purposes of its use.

Please make sure you fulfil these requirements when setting cookies on your website:

• Controllers must obtain prior and explicit consent before any activation of cookies (apart from ‘strictly necessary cookies’, which are essential for the technical functioning of the website).
• Consent must be granular. That means users must have a real choice to activate some cookies and not be forced to consent to either all or none.
• Users must consent freely.
• Users must be able to withdraw their consent as easily as they gave it.
• Controllers must securely store consent as legal documentation.
• Users must be asked to renew their consent once a year.

Please note: Cookie consent is a highly discussed topic of European data protection law. The European Data Protection Board (EDPB) provided guidelines on consent under the GDPR. It emphasised that a “cookie wall” or “continuing to swipe through or scroll a website” does not contain valid consent. The Court of Justice of the European Union (CJEU) decided in a far-reaching judgement that “pre-ticked” consent boxes to not constitute valid consent. Therefore, please make sure that your consent box fulfils the requirements to enable users to give valid and free consent.

Cookie usage in the UK

The ICO provided guidance for UK companies on the use of cookies (see our guide on how to comply with the rules for cookies in the UK). Accordingly, there are two circumstances for companies to be exempt from obtaining the user’s explicit consent and where a legitimate interest suffices as a legal basis:

1. For the technical storage of, or access to, information for the sole purpose of carrying out the transmission of a communication over an electronic network. That is the case if communication between two “endpoints” is not possible without cookies.
2. Where the storage or access is strictly necessary for the provision of a service requested by the user, i.e., “strictly necessary” cookies that are essential for the technical functioning of a website. For instance, a cookie is used to remember the goods a user wishes to buy when they go to the checkout or add goods to the shopping basket. In this case, the use of cookies is considered strictly necessary from the user’s perspective.

Information on the processing of personal data via the placing of cookies must be provided in the privacy policy on the website, as explained above.

Recommendations for website controllers

As this article shows, it is not too difficult to design and operate simple websites in compliance with data protection regulations. However, as soon as personal data is processed in diverse or complex ways on the website, individual solutions are usually necessary. For this purpose, it is worthwhile to seek a data protection expert.

This solution could be in the form of a data protection review of your company’s website, regular pen tests for the information security of your website, or even a data protection impact assessment workshop. All these services can help you produce and configure complex data protection documents and contracts for your company as well as provide you with more in-depth legal advice and suggestions to make sure your company is compliant.