24 MAY 2018

GDPR for websites: how to conform to the new European privacy law

The GDPR is the new European General Data Protection Regulation, applicable as of 25 May 2018. From that date on, the penalties foreseen for websites that do not conform to the GDPR become enforceable. We have already covered the penalties, the new privacy law and the changes for companies in an initial detailed study of the GDPR; in this article we focus on the changes for websites, both for the user and for the web designer.


GDPR for websites: how it works

The new privacy law applies to all websites located in the European Union and to all those that want to have relationships with users in European Union countries, so it applies to the majority of existing websites.

The accountability principle introduced by the GDPR establishes that the owner of the website is the owner of the data processing (the data controller), meaning that the owner is responsible for ensuring that users’ personal data is kept safe.

If the owner of the website notices a violation of personal data (a data breach) on the website, the owner has a maximum of 72 hours to communicate it to the Guarantor (the data protection authority). The owner is, however, exempt from the obligation to communicate it to the people involved (the “interested parties”) if one of the following conditions exists (Article 34):

  • “the Owner has implemented the appropriate technical and organizational protection measures” (for example, if the data affected by the violation was encrypted);
  • “the Owner has subsequently adopted measures to prevent the occurrence of a high risk to the freedoms and rights of interested parties” involved;
  • “this communication would require disproportionate efforts” (and for this reason the owner can proceed with a public communication).

To collect users’ “personal data”, the owner must obtain the user’s explicit and informed agreement. The website must show a clear Privacy Policy that indicates which data is collected and stored, who collects it, what is done with the data (the so-called “data processing”) and how long the data will be stored. Naturally, users can refuse the conditions, can withdraw their agreement at any time and can also request a limitation on the use of their data. Privacy, transparency and accountability: these are the keywords of the GDPR privacy law, the regulation now valid across Europe.


Cookie policy, record of data processing activities: how to make your website conform

“Personal data” means a name, a photo, an IP address, a residential address or an e-mail address, and any other information concerning an individual.

The cookie policy should be reviewed because the cookies currently present on websites collect information about users, and from 25 May 2018 the collection techniques will have to conform to the new European privacy law.

Cookies on a website can be set by the owner of the website or by third parties; even in the latter case, the owner of the website is responsible for the data processing and must therefore publish a policy that explains how these third parties process users’ data.

Therefore, the website must publish a detailed cookie policy and privacy policy. The latter explains to users their rights under the new European privacy law and lists, if present, the third-party services that collect users’ data. In that case there must be a link to each third party’s privacy policy page so that users can read it.

The owner must keep a record of data processing activities, so that all information related to the collection of users’ data is available: why data is collected, which data is collected and what security measures exist to protect it.


User rights according to the GDPR for websites

Users therefore have three specific rights regarding their data:

  • Right of access: the user has the right to request a copy of personal data being “shared” with the website;
  • Right to be forgotten: the user can ask the website to delete personal data. The reasons for this deletion may vary: the user is no longer interested in the purpose for which access to the data was granted, the user does not want the data to be used for marketing purposes, or the user believes that the data processing does not conform to the GDPR;
  • Data portability: the user can transfer personal data between various electronic processing systems.

The owner must respond “without unjustified delay” to the requests of the interested parties, and has one month to do so. In the case of particularly complex requests, this deadline may be extended up to two months; in this case, the owner must inform the interested party of the extension and the reasons for it.


GDPR website regulations for users

Summarizing the GDPR regulations for websites, the user:

  • Must be informed of the purposes for which personal data is collected;
  • Must give explicit and informed agreement before personal data is collected;
  • Can request access to personal data, change the agreement, revoke it, or request the cancellation and/or portability of personal data;
  • Must be notified by the owner of the website if the latter has noticed a violation of personal data that could harm the user’s freedoms and fundamental rights.


GDPR regulations for websites for web designers

For web designers, the European privacy regulation requires that they:

  • Publish a detailed cookie policy and a page dedicated to the privacy policy and, if there are third-party cookies, provide the link to view the policy of these third parties;
  • Ask users to agree to the saving and processing of their data;
  • If they notice a violation of personal data, communicate it to the Guarantor within 72 hours and inform the interested user if the violation could harm them.


Cookies that profile the user and static websites: what GDPR expects

If a site uses cookies that directly contain personal data or data that could be used to identify people (profiling cookies), it is necessary to review and probably change the cookie agreement. If you have a static website that does not collect personal data, there is no need to conform to the GDPR, but you still have to respect the current cookie law. The reason is that not all cookies are used to identify a user, and when they do not identify the user, according to the GDPR, the user’s privacy is not being infringed upon.

In the next article, we will examine other aspects of the GDPR in depth, focusing on GDPR for e-mail marketing. If, on the other hand, you are a company and need advice on how to conform to this new European data protection regulation, Consulthink professionals can help you, thanks to their in-depth knowledge of the regulations.

Elaborated by Lucia D’Adamo, in collaboration with Daniele Paiella, supervised by Marco Pirrone