GDPR-compliant websites | In Principle

Go to content
Subscribe to newsletter
In principle newsletter subscription form

GDPR-compliant websites

Ensuring the transparency of websites is vital from the perspective of the GDPR. Persons entering a website must be aware of how their personal data will be processed on the site and for what purpose.

According to the Article 29 Working Party Guidelines on Transparency, “Every organisation that maintains a website should publish a privacy statement/notice on the website. A direct link to this privacy statement/notice should be clearly visible on each page of this website under a commonly used term.”

But inclusion of a privacy policy is just one of several issues undertakings must take care of.

It must be remembered that under Art. 13 GDPR, where personal data relating to a data subject are collected from the data subject, the data controller must provide the data subject certain information at the time when personal data are obtained. In practice this means that the controller, e.g. the operator of an online store, should include an appropriate information notice at the places on the site where personal data are obtained (e.g. under the contact form or registration form). Of course a “first-layer” information clause may also be posted there, containing details identifying the data controller, a notice of data subjects’ rights and the purposes of the data processing, as well as a link to the complete information clause (e.g. the site’s privacy policy).

A classic example of a place where personal data of the user are collected on a website is the form through which the user establishes an account on the site. In this context, the following issues should be borne in mind:

  • Only personal data essential to create the profile may be collected. Otherwise, it may infringe the principle of data minimisation under the GDPR.
  • Consent to processing of personal data is not always required. On registration of an account, the basis for processing in most cases will be a contract.
  • The registration form should include the first-layer information clause.
  • The user should not be forced to open an account if the transaction can be completed without it. Otherwise it may violate the minimisation principle.
  • Information on processing of personal data should be easily accessible from the user level, e.g. upon logging in to the account.

Mechanism for withdrawing consent

Under Art. 7(3) GDPR, persons whose personal data are processed on the basis of consent must be informed of the right to withdraw their consent before they give their consent. Significantly, withdrawal of consent must be just as easy as giving consent. This point was recently addressed by the President of the Personal Data Protection Office in a decision of 16 October 2019. The decision involved a situation where a user clicking on a link for withdrawal of consent was asked to state the reasons for the withdrawal (failure to respond prevented the user from continuing the process of withdrawing consent), and then asked to submit the request to an email address. The supervisory authority found that this model does not meet the criteria for fast and easy withdrawal of consent. Businesses must therefore consider carefully the mechanisms for withdrawal of consent they use on their websites.

Consent and verifiability

Art. 7(1) GDPR provides, “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” Thus it is vital from the perspective of demonstrating compliance with the GDPR to implement appropriate technical mechanisms recording who has granted consent, when, and what kind of consent.


If the controller directs information to data subjects using a different language (e.g. operates a website offering services targeted to individual countries), the controller should ensure that users are provided a translation into their language of the notice on data processing.

Social media plugins

The mere display of plugins to social media sites may involve the transfer of certain information to the social media site. The Court of Justice of the European Union has held that a site offering a plugin to a social media site is the joint controller of personal data, along with the provider of the social media site. But this position generates controversy, as it would make it necessary to enter into arrangements on joint control between the operator of the website and the social media service. Nonetheless, a website operator embedding a plugin to social media should include in its privacy policy relevant information on what personal data are processed in this respect and provided to the operator of the social media site. The Court of Justice has also held that the administrator of a fan page on Facebook is the controller of the personal data of users of the fan page. This means that administrators of fan pages should include an information clause on their Facebook page concerning processing of personal data.

Karolina Romanowska, adwokat, Employment practice, Wardyński & Partners