A website is an advanced marketing tool, nowadays indispensable to every professional and business activity. Through a website it is therefore possible to develop digital marketing strategies, and these inevitably involve the processing of personal data.
For this reason, it is important to make sure that your website complies with national privacy regulations and the GDPR.
In this post we explain what the basics of privacy compliance for websites are.
Who is required to adapt the website to GDPR?
Privacy regulations govern how Data Controllers, i.e., the natural or legal persons who decide to initiate the processing, may process the personal data of users (the so-called “data subjects”).
In the case of a website, for example, the Data Controller is the natural or legal person who owns the website, the data subjects are the users who browse it, and the Data Processors are all the parties to whom the Owner delegates part of the activities related to the site. Examples of Data Processors are website developers, the hosting service provider, chatbot providers, email marketing platforms, etc.
What are the main privacy/GDPR compliance requirements for those who decide to build a website?
First, the Owner must take personal data protection obligations into account already at the design stage of the site itself, in line with the privacy by design and privacy by default obligations contained in the GDPR. In practice this translates, for example, into minimizing the data processed: asking users, for instance within forms, only for the minimum data needed to achieve the purpose, or avoiding tracking and profiling cookies that are too invasive.
Another aspect to consider at the planning stage is the choice of hosting. The Data Controller is required to rely on service providers (Data Processors) that offer high guarantees in the processing of data. It is therefore useful to request the security measures guaranteed by the provider, to do an online search for any previous violations of privacy regulations by the provider (the Privacy Guarantor’s sanctioning measures are public on its website), and to verify that the service provider is preferably located in Europe. In fact, using service providers located outside the EU involves the transfer of data to those countries, a transfer that is subject to a number of complex rules, which we will look at specifically in a future article.
The Data Controller is required to sign a Data Processing Agreement or Appointment as External Data Processor with all service providers that process data on its behalf. Recall that not signing this type of agreement/nomination results in the possibility of penalties for both the Website Owner (who without nomination transfers data to a third party without a basis of legitimacy) and the service provider (who in turn processes the data illegitimately).
In addition to external parties, if the Owner has employees or contractors in his organization who work under his direct authority, he will have to appoint, in order not to incur penalties in this case as well, each of them as an authorized person for data processing and provide privacy training.
Once the site has been designed according to data protection principles and the privacy relationships with external vendors and employees have been formalized, the Owner should draft the privacy documentation to be placed on the website, which should indicate:
- what data are collected through the website;
- by what means the data are processed;
- for what purposes the data are collected and what legal bases legitimize the processing;
- how long the data are kept;
- whether there are data transfers to non-EU countries and what legitimacy basis is used (e.g., embedding WhatsApp Web involves a transfer of personal data to WhatsApp servers in the US);
- what categories of individuals may have access to the data;
- the details of the Owner and of the Data Protection Officer, if appointed.
It is also very important to include the well-known checkboxes to request consent for the processing purposes that rely on consent as their legal basis, such as sending newsletters. Beware of requiring consent when it is not the correct legal basis: always asking for consent may seem safer, but when the processing is legitimized by another legal basis, requiring consent can result in a sanction by the Authority.
There must be as many consent requests as there are processing operations that require consent, and it will be necessary to keep a log, i.e. the proof, of the consent given by each user.
What other privacy-GDPR documents must be posted on the website?
Who to turn to in order to bring a website in line with the privacy-GDPR regulations?
As is easy to deduce from this brief overview, the privacy requirements for those who decide to set up a website are numerous, and to them are added the more general ones related to the Owner’s business itself (for example, the Register of Personal Data Processing Activities and the procedures for handling requests from data subjects exercising their privacy rights), all of which require specific knowledge of privacy regulations.
Uniquely Digital’s team specializes in providing expert advice in privacy compliance for websites, from drafting documentation to implementing the cookie banner in line with the GDPR.
Contact us now for a free initial consultation on privacy compliance for your website!