Uniquely digital Blog

What are the privacy-GDPR requirements for websites?

June 22, 2023

A website is an advanced marketing tool, indispensable nowadays, to every professional and entrepreneurial activity. Through each website, it is therefore possible to develop digital marketing strategies that inevitably involve personal data processing activities.

For this reason, it is important to make sure that your website complies with national privacy regulations and the GDPR.

In this post we explain what the basics of privacy compliance for websites are.

Who is required to adapt the website to GDPR?

Privacy regulations regulate the manner in which the processing of personal data of users (so-called “data subjects”) by Data Controllers, i.e., the natural or legal person who decides to initiate data processing, must take place.

For example, in the case of the website the Data Controller is that person, natural or legal, who owns the website, the interested are the users who browse the website and the Data Processors are all those individuals to whom the Owner delegates part of the activities related to the site. Examples of Responsible Parties are website developers, the hosting service provider, chat bots, any platforms for sending email marketing, etc.

What are the main privacy-GDPR compliances that those who decide to make a website must realize?

First, the Owner will have to take into account personal data protection obligations already at the design stage of the site itself, according to the privacy by design and privacy by default obligations contained in the GDPR. In practice, this translates, for example, into trying to minimize the data processed, i.e., by asking users, for example within forms, for the minimum amount of data to achieve the purpose, or by avoiding using tracking and profiling cookies that are too invasive.

Another aspect to consider in planning stages is the choice of hosting. The Data Controller is required to rely on service providers (Data Processors) that present high guarantees in the processing of data, so it will be useful to request the security measures guaranteed by the provider, do an online search to check for any previous violations of privacy regulations by the provider, on the Privacy Guarantor’s website the sanctioning measures are public, and verify that the service provider is, preferably located in Europe. In fact, using service providers with non-EU locations involves the transfer of data to those countries, a transfer that is subject to a number of complex rules, which we will look at specifically in a future article.

The Data Controller is required to sign a Data Processing Agreement or Appointment as External Data Processor with all service providers that process data on its behalf. Recall that not signing this type of agreement/nomination results in the possibility of penalties for both the Website Owner (who without nomination transfers data to a third party without a basis of legitimacy) and the service provider (who in turn processes the data illegitimately).

In addition to external parties, if the Owner has employees or contractors in his organization who work under his direct authority, he will have to appoint, in order not to incur penalties in this case as well, each of them as an authorized person for data processing and provide privacy training.

Once the site has been designed according to data protection principles and privacy relationships with external vendors and employees have been formalized, the Owner should draft privacy documentation to be placed on the website.

What are the main elements of the privacy policy?

Theprivacy policy is, certainly, the prince document of a website’s privacy compliance. Through the notice, the Owner makes itself known and informs users, in particular, it is mandatory to provide the following information:

What data are collected through the website;
By what means the data are processed;
for what purposes the data are collected and what are the legal bases that legitimize the processing itself;
How long the data are kept;
whether there are data transfers to non-EU countries and what legitimacy basis is used (e.g., entering WhatsApp web involves a transfer of personal data to Whatsapp servers in the US);
What categories of individuals may have to the data;
The data of the Owner and the Data Protection Officer, if appointed.

It is also very important to include the famous boxes to request consent for processing purposes that rely on this legal basis, such as sending newsletters. Beware of requiring consent if this is not the correct legal basis; it may, in fact, seem like greater security to always require consent, but in reality when processing finds legitimacy in another legal basis, requiring consent may result in sanction by the Authority.

Requests for consent must be as many as the number of treatments that require it, and it will be necessary to keep the log, the proof, of the consent given by the user.

What other privacy-GDPR documents must be posted on the website?

Another document to be posted on the website is the Cookie Policy, which is that document by which the user is informed about the cookies on the website, their purpose, legal basis, and retention time. Be careful not to underestimate the use of cookies; several companies have already been sanctioned for not providing an adequate cookie policy and for using the so-called. Cookie wall, i.e., a cookie banner asking for a unique consent for all the different cookies installed.

In fact, the cookie banner is an indispensable tool for any website that uses cookies. The cookie banner must comply with specific provisions of the GDPR and the Cookie Law (the e-Privacy Directive), for example, it must be understandable to the user from the outset about the presence of cookies, their different types, the user must be given the opportunity to independently choose which cookies to allow and which not to allow, and a detailed cookie policy must be provided, and ways of recording the consent given by the user must be established.

Who to turn to in order to bring a website in line with the privacy-GDPR regulations?

As it is easy to deduce from this brief excursus, the privacy requirements for those who decide to set up a website are numerous, to which are then added the more general ones related to the Owner’s business itself (by way of example, the Register of Personal Data Processing Activities, procedures for handling requests from data subjects to exercise their privacy rights..), and require specific knowledge of privacy regulations.

Uniquely Digital’s team specializes in providing expert advice in privacy compliance for websites, from drafting documentation to implementing the cookie banner in line with the GDPR.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
elementor	No expiration	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
MATOMO_SESSID	session	This cookie is set by Matomo analytics. This cookie is set when Matomo opt-out feature is used. This is a temporary cookie, it is also called as nonce and helps prevent CSRF security issues.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	This cookie is set by linkedin and is used to store information about the time a sync with the lms_analytics cookie took place for users in the Designated Countries
bcookie	2 years	This cookie is set by linkedIn and is a Browser Identifier cookie to uniquely identify devices accessing LinkedIn to detect abuse on the platform
bscookie	2 years	This cookie is set by Linkedin and is used for remembering that a logged in user is verified by two factor authentication.
fr	3 months	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
lang	session	This cookie is set by linkedin and is used to remember a user's language setting to ensure LinkedIn.com displays in the language selected by the user in their settings.
li_gc	2 years	This cookie is set by linkedin and is used to store consent of guests regarding the use of cookies for non-essential purposes
lidc	1 day	This cookie is set by LinkedIn and used for routing.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
UserMatchHistory	1 month	This cookie is set by linkedin and is used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

Cookie	Duration	Description
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_pk_id.2.5eeb	1 year 27 days	This cookie is generated by Matomo analytics and is used to store a few details about the user such as the unique visitor ID
_pk_ses.2.5eeb	30 minutes	This cookie is generated by Matomo analytics and is a short lived cookie used to temporarily store data for the visit

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn and is a Browser Identifier cookie to uniquely identify devices accessing LinkedIn to detect abuse on the platform
lang	session	This cookie is set by linkedin and is used to remember a user's language setting to ensure LinkedIn.com displays in the language selected by the user in their settings.
lidc	1 day	This cookie is set by LinkedIn and used for routing.

What are the privacy-GDPR requirements for websites?

Who is required to adapt the website to GDPR?

What are the main privacy-GDPR compliances that those who decide to make a website must realize?

What are the main elements of the privacy policy?

What other privacy-GDPR documents must be posted on the website?

Who to turn to in order to bring a website in line with the privacy-GDPR regulations?

Contact us

Opening hours

Legal Notes