How important is it for your customers’ websites to comply with the GDPR, ePrivacy, etc.?
General lack of knowledge about GDPR compliance
Having come into force on 25 May 2018, the GDPR is applicable to all organisations required to collect, process or host personal data in an EU territory. It is also applicable to all non-EU organisations that are required to process data from EU residents.
However, many organisations (businesses, web agencies, local authorities, etc.) are still unaware of the real issues behind the regulation: the protection of individuals’ personal data.
With Admeet’s GDPR tool for web agencies, you can simplify the GDPR compliance of your customers’ websites.
The risk of penalties for non-compliance with the GDPR
The Commission Nationale de l’Informatique et des Libertés (CNIL) is the national authority responsible for data protection in France. It is responsible for informing and protecting the rights of individuals, supporting the compliance of public and private organisations, and monitoring and penalising organisations that do not comply with the GDPR and the Data Protection Act.
These penalties range from calls to order to fines of up to €20 million or 4% of annual worldwide turnover, as well as suspensions, injunctions under penalty payment or even the publication of decisions.
In January 2023, the Grenoble Court of Appeal confirmed that one of the essential qualities of a website is that it does not illegally collect personal data. Websites that fail to comply with the obligation to provide information and to manage consent therefore commit a criminal offence, punishable by up to 3 years’ imprisonment and a €45,000 fine. Web agencies that fail to advise their clients on this compliance risk their client invoking the nullity of the contract on the grounds that the website produced is not GDPR compliant.
The main points of the GDPR that a web agency must respect
The four main steps recommended by the CNIL (the French supervisory authority) in its article on starting GDPR compliance are as follows:
- Drawing up a register of your personal data processing operations; to help you, the Belgian supervisory authority (APD) publishes simplified processing register templates;
- Sorting your data (paper or digital);
- Respecting the rights of the people affected by your data processing;
- Securing your personal data.
The responsibilities of those involved in processing for a web agency
The operational procedures for data processing have consequences for the legal status of a web agency with regard to its customers.
Definition of personal data processing
Personal data is defined as any information relating to an identified or identifiable natural person (data subject), either directly (surname, first name, etc.) or indirectly (IP address, registration number, customer, etc.).
The processing of personal data is one or more operations involving personal data, regardless of the process used (automated or otherwise).
The role of the controller and processor
A data controller is the organisation that determines:
- The purposes of the processing, i.e. the purpose for which the personal data will be used;
- The means of processing, i.e. the type of data, storage periods, data subjects, etc.
The role of the processor is to process personal data on behalf of the controller. It is a separate entity from the controller, carrying out the processing according to its instructions and not for its own purposes.
As such, a web agency qualifies as a processor when it carries out a service requiring the processing of personal data on behalf of its client, for example when it stores the data collected on its own server.
The web agency also has its own subcontractors. As data controller for that processing, it must ensure the compliance of its subcontractors by putting in place a compliant personal data processing agreement.
This control involves adopting the right reflexes, by asking the following questions:
- Does the contract provide for the exchange or provision of personal data?
- Is the purpose of the contract to organise processing on the instructions and on behalf of the customer?
If the answer to the second question is yes, then it will be necessary to include clauses governing subcontracting in the contract.
Mandatory legal documentation on your customers’ websites
Differentiating between privacy policies and General Terms and Conditions
It is important to distinguish between these two documents. A common mistake is to combine them into a single text, which makes both less readable for users.
The purpose of the General Terms and Conditions is to inform customers of the conditions of sale of a product or service. They constitute the contract and provide a legal framework for the commercial relationship. They are mandatory when services are offered to consumers as part of a B2C relationship.
The privacy policy (information notice) must contain:
- The identity of the data controller;
- The purpose of the processing;
- The categories of data and their sources (in the case of indirect collection);
- The contact details and identity of the data controller and DPO, if applicable;
- The data processed, its purposes and the legal basis for the processing. It is vital to indicate the purposes for which personal data is processed and to be able to justify them. Data can only be collected and processed for a legitimate, legal and specific purpose;
- The existence of an automated decision, if any;
- The retention periods and/or criteria for each processing purpose;
- The recipients;
- Possible transfers outside the European Economic Area (EEA);
- The rights of individuals with regard to their personal data and how to exercise these rights;
- The right to lodge a complaint with the supervisory authority.
What are cookies?
Cookies are small files that are deposited on the terminal (computer, smartphone, etc.) of a visitor to a website and enable information about the visitor to be collected. There are different types of cookies:
Cookies that do not require user consent:
- Necessary cookies enable the website to function from the user’s point of view. For example, the recording of choices made by the cookie manager, or cookies relating to the security captcha, etc.
Cookies requiring the explicit consent of users before they are stored:
- Marketing cookies for targeted advertising, in particular for personalising content via social networks;
- Statistical (audience measurement) cookies are used to measure and analyse the website audience. They are exempt from consent only under certain conditions, in particular that the data is completely anonymised, in which case it is no longer considered personal data. The CNIL defines the conditions to be met for these cookies to be exempt from consent;
- Functional cookies provide users with a personalised experience, enhancing their browsing experience on the website (such as the integration of a third-party platform).
Implementation of legal documentation relating to cookies
The cookies banner and consent management
The purpose of the cookies banner is to:
- Comply with the obligation to provide information;
- Manage user consent.
Using Admeet makes it easier to implement a compliant banner and obtain valid consent. Admeet cookie banners do not contain any dark patterns that could influence the user’s choice.
You must configure the consent and cookie installation scripts. Necessary cookies may be set on the first visit. Non-essential cookies, on the other hand, may only be set once the user has given consent. It is also important to allow users to change their minds at any time by making the cookies banner accessible on every page of the site via a “cookie management” button.
To find out more about cookies, see our guide to managing cookies on your website.
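One way to implement the rule above (necessary scripts on the first visit, everything else only after explicit opt-in, withdrawal possible at any time), as an added JavaScript example that is not Admeet’s code: the script inventory, domains and banner version are constructed for the example, and the stored record also serves as the proof of consent a banner should keep.

```javascript
// Added example (not Admeet's code). Category names follow the page; the script
// inventory and domains below are constructed for the example.
const CONSENT_CATEGORIES = ["functional", "statistics", "marketing"];

// Constructed inventory: only "necessary" scripts may run before any choice is made.
const SAMPLE_SCRIPTS = [
  { name: "consent-manager", category: "necessary", src: "/cmp.js" },
  { name: "video-embed", category: "functional", src: "https://video.example/embed.js" },
  { name: "audience-stats", category: "statistics", src: "https://stats.example/tag.js" },
  { name: "ad-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
];

// Record that doubles as proof of consent: banner version shown, per-category choice, time.
// Anything not explicitly accepted (silence, scrolling, pre-ticked boxes) counts as refused.
function buildConsentRecord(choices, bannerVersion, now = new Date()) {
  const record = { bannerVersion, timestamp: now.toISOString(), choices: {} };
  for (const cat of CONSENT_CATEGORIES) record.choices[cat] = choices[cat] === true;
  return record;
}

// "Change their mind at any time": withdrawal is a fresh record refusing every category.
function withdrawConsent(record, now = new Date()) {
  return buildConsentRecord({}, record.bannerVersion, now);
}

// Scripts that may be injected given the stored record (null = no choice made yet).
function allowedScripts(scripts, record) {
  return scripts.filter(
    (s) => s.category === "necessary" || (record && record.choices[s.category] === true)
  );
}

// Browser injector: appends a <script> tag. A no-op outside a browser; tests pass a fake.
function injectScriptTag(src) {
  if (typeof document === "undefined") return;
  const el = document.createElement("script");
  el.src = src;
  document.head.appendChild(el);
}

// Apply a record on page load or after a banner choice; returns the names actually loaded.
function applyConsent(scripts, record, inject = injectScriptTag) {
  const loaded = allowedScripts(scripts, record);
  for (const s of loaded) inject(s.src);
  return loaded.map((s) => s.name);
}
```

Persist the record in first-party storage and re-run `applyConsent` on every page load, so that no non-essential tag is ever injected from a page that has not seen an explicit choice.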
The cookies policy must contain:
- The identity of the controller(s) in relation to the processing of personal data;
- Details of the use of third-party cookies if this is the case;
- The contact details of the organisation if the user wishes to contact it;
- The date of the last update;
- A general introduction to the definition of a cookie;
- The categories of cookies that exist;
- The list of cookies used (name, type, purpose, retention period and technology);
- The possibility of managing user preferences via the consent banner;
- The possibility of managing user preferences via the web browser.
Other compulsory legal information
Information that a site must contain and make accessible to all users:
- Name of the publisher responsible for the site;
- Company name;
- The address of the registered office;
- Contact email address;
- Details of the site host.
The Admeet tool: the solution for making your customers’ websites compliant
The advantages of integrating Admeet for your web agency
The Admeet tool lets you manage the GDPR and ePrivacy compliance of your customers’ websites, with its system for centralising the customer portfolio on the same dashboard. This consolidated view lets you update customer documentation in just a few clicks. There’s no need for technical intervention, as changes are made directly on the dashboard.
If changes are made too hastily, or in the event of an audit, archived versions of the documents are kept in the tool.
Admeet cookie banners store proof of consent, a real guarantee of compliance for your customers’ websites. You can view users’ interactions with cookie banners in real time and analyse all the information at your customers’ request.
By joining Admeet as a preferred partner, your agency’s website will be made compliant free of charge (offer subject to conditions)!
To help you get to grips with the Admeet tool, training courses are available for your web agency teams.
The little extra that makes all the difference: the adaptability of Admeet solutions to your customers’ graphic charter!
Discover the complete all-in-one Admeet application
Admeet’s all-in-one application makes your life easier by providing GDPR documentation adapted to your customers’ sectors of activity. Based on Legal Design, the documentation is much easier for users to understand.
As the consent management platform and banners are compliant, they will ensure that your customers’ websites are as compliant as possible – a significant advantage over your competitors.
Securing your web agency website
Analysis of data flow compliance
Regulatory compliance also requires data, and therefore websites, to be secure. Securing URLs, the login path and access to the website’s back office is crucial to data protection.
Points to bear in mind when using a hosting provider
It is important to choose your hosting provider carefully. The main points to bear in mind are as follows:
- Ensure that appropriate and sufficiently transparent security and confidentiality measures are in place;
- Know the geographical location of the servers hosting the data;
- Ensure that the hosting provider is certified or approved for its activity.
Web agency client website hosting rules
Above all, web agencies must not neglect the hosting and security of their clients’ websites. They should pay particular attention and apply the same requirements to their clients’ sites as they would to their own.