
GDPR and web agencies: how can you make your clients’ websites compliant?


Web agency: make your customers' websites GDPR-compliant

How important is it for your customers’ websites to comply with the GDPR, ePrivacy, etc.?

General lack of knowledge about GDPR compliance

The GDPR came into force on 25 May 2018 and applies to all organisations that collect, process or host personal data on EU territory. It also applies to non-EU organisations that process the data of EU residents.

However, many organisations (businesses, web agencies, local authorities, etc.) are still unaware of the real issues behind the regulation: the protection of individuals’ personal data.

With Admeet’s GDPR tool for web agencies, you can simplify the GDPR compliance of your customers’ websites.

The risk of penalties for non-compliance with the GDPR

The Commission Nationale de l’Informatique et des Libertés (CNIL) is the national authority responsible for data protection in France. It is responsible for informing and protecting the rights of individuals, supporting the compliance of public and private organisations, and monitoring and penalising organisations that do not comply with the GDPR and the Data Protection Act.

These penalties range from calls to order to fines of up to €20 million or 4% of annual worldwide turnover, as well as suspensions, injunctions under penalty payment or even the publication of decisions.

In January 2023, the Grenoble Court of Appeal confirmed that one of the essential qualities of a website is that it does not illegally collect personal data. Websites that fail to comply with the obligation to provide information and to manage consent are therefore committing a criminal offence punishable by up to 3 years’ imprisonment and a €45,000 fine. A web agency that fails to advise its client on this compliance risks the client invoking the nullity of the contract on the grounds that the website delivered is not GDPR compliant.

A web agency that develops a website for a client must know at all times the complete list of cookies and other trackers it places on the site. It must pay particular attention to the use of plug-ins on content management systems such as WordPress. In particular, the agency is obliged to know the name of each cookie, its owner, its purpose and its lifespan: all of this information about the cookies and trackers on a client’s site must appear in the site’s cookie policy for it to be compliant. As the case law above indicates, a web agency that is not rigorous about the cookies and other trackers on its clients’ websites may incur liability in the event of a dispute with its client.
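As an added example (not Admeet’s or any client’s code), the following script checks the cookies a site actually sets against the inventory declared in its cookie policy, reporting undeclared cookies and cookies that live longer than declared. The inventory, cookie names and captured headers are all constructed for illustration.

```javascript
// Added example (not Admeet's or any client's code): check the cookies a site
// actually sets against the inventory declared in its cookie policy.
// Inventory fields follow the text: name, owner, purpose, lifespan. All values
// below are constructed for illustration.
const declaredCookies = [
  { name: "PHPSESSID", owner: "first party", purpose: "session", lifespanDays: 0 },
  { name: "cookie_consent", owner: "first party", purpose: "stores banner choice", lifespanDays: 180 },
  { name: "_ga", owner: "third party (analytics vendor)", purpose: "audience statistics", lifespanDays: 395 },
];

// Parse one Set-Cookie header into { name, lifespanDays }; 0 means a session
// cookie. Max-Age wins over Expires, as in RFC 6265.
function parseSetCookie(header, now = Date.now()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  let lifespanDays = 0;
  for (const attr of attrs) {
    const [k, v] = attr.split("=").map((s) => s.trim());
    if (/^max-age$/i.test(k)) { lifespanDays = Number(v) / 86400; break; }
    if (/^expires$/i.test(k)) lifespanDays = (Date.parse(v) - now) / 86400000;
  }
  return { name, lifespanDays };
}

// Compare observed Set-Cookie headers with the inventory. Returns one finding
// per cookie that is not declared, or that lives longer than declared.
function auditCookies(observedHeaders, inventory, now = Date.now()) {
  const declared = new Map(inventory.map((c) => [c.name, c]));
  const findings = [];
  for (const header of observedHeaders) {
    const seen = parseSetCookie(header, now);
    const entry = declared.get(seen.name);
    if (!entry) {
      findings.push({ cookie: seen.name, issue: "not declared in cookie policy" });
    } else if (seen.lifespanDays > entry.lifespanDays + 1) { // 1 day tolerance
      findings.push({ cookie: seen.name, issue: `lifespan ${Math.round(seen.lifespanDays)} days exceeds declared ${entry.lifespanDays}` });
    }
  }
  return findings;
}

// Constructed sample: Set-Cookie headers captured during a test visit.
const sampleHeaders = [
  "PHPSESSID=abc123; Path=/; HttpOnly; Secure",
  "_ga=GA1.2.111; Max-Age=63072000; Path=/", // 730 days, policy says 395
  "_fbp=fb.1.222; Max-Age=7776000; Path=/",  // absent from the inventory
];
console.log(auditCookies(sampleHeaders, declaredCookies));
```

Run it against headers captured from every page template and after each plug-in update, since plug-ins can add cookies the policy never mentioned.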

The main points of the GDPR that a web agency must respect

The 4 main steps taken by the CNIL (French supervisory authority) in this article to begin GDPR compliance are as follows:

It is essential for organisations to set up a GDPR compliance programme. As a web agency, you must make your website compliant, in order to inform your customers about data processing, in particular via a privacy policy, a cookie policy and a cookie banner that complies with the ePrivacy Directive. In addition, the privacy policy must cover all data processing carried out by your web agency, and not just that carried out by your website.

The responsibilities of those involved in processing for a web agency

The operational procedures for data processing have consequences for the legal status of a web agency with regard to its customers.

Definition of personal data processing

Personal data is defined as any information relating to an identified or identifiable natural person (the data subject), either directly (surname, first name, etc.) or indirectly (IP address, registration number, customer number, etc.).

The processing of personal data is one or more operations involving personal data, regardless of the process used (automated or otherwise).

The role of the controller and processor

A data controller is the organisation that determines:

  • The purposes of the processing, i.e. the purpose for which the personal data will be used;
  • The means of processing, i.e. the type of data, storage periods, data subjects, etc.

The role of the processor is to process personal data on behalf of the controller. It is a separate entity from the controller, carrying out the processing according to its instructions and not for its own purposes.

A web agency therefore qualifies as a processor when it provides a service that requires processing personal data on behalf of its client, for example when it stores the data collected on its own server.

The web agency also has its own subcontractors. As data controller, it must ensure their compliance by putting in place a compliant personal data processing agreement.

This control involves adopting the right reflexes, by asking the following questions:

  • Does the contract provide for the exchange or provision of personal data?
  • Is the purpose of the contract to organise processing on the instructions and on behalf of the customer?

If the answer to the second question is yes, then it will be necessary to include clauses governing subcontracting in the contract.

Mandatory legal documentation on your customers’ websites

Privacy policy

Privacy policy as a guarantee of the right to information

A privacy policy must be accessible from your customers’ website (link at the bottom of the page and accessible on collection forms such as contact forms, competition forms, etc.) to meet the information obligations of the people concerned. Forms should identify whether or not personal data is compulsory and explain the consequences of not providing it. The privacy policies of customer websites should cover all of the organisation’s external data processing, not just that carried out via the website.

Information notices make it possible to inform data subjects and ensure the principle of transparency. They must be placed in each data collection area. These notices, which are shorter than the full privacy policy, are acceptable only if they provide a link to the full policy.

This notice must contain:

  • The identity of the data controller;
  • The purpose of the processing;
  • The link to the privacy policy.

Differentiating between privacy policies and General Terms and Conditions

It is important to distinguish between these two documents. A common mistake is to combine them into a single text, which makes them less readable for users.

The purpose of the General Terms and Conditions is to inform customers of the conditions of sale of a product or service. They constitute the contract and provide a legal framework for the commercial relationship. They are mandatory when services are offered to consumers as part of a BtoC relationship.

The privacy policy, a mandatory document, aims to meet the obligation to inform the person whose data is being processed. The data subject must be able to obtain information on this subject in a simple and accessible manner. Even if the privacy policy forms an integral part of the General Terms and Conditions, it is compulsory to present the privacy policy in a separate document on your website.

Mandatory information contained in the privacy policy

The privacy policy must contain various items of information:

  • The categories of data and their sources (in the case of indirect collection);
  • The contact details and identity of the data controller and DPO, if applicable;
  • The data processed, its purposes and the legal basis for the processing. It is vital to indicate the purposes for which personal data is processed and to be able to justify them. Data can only be collected and processed for a legitimate, legal and specific purpose;
  • The existence of an automated decision, if any;
  • The retention periods and/or criteria for each processing purpose;
  • The recipients;
  • Possible transfers outside the European Economic Area (EEA);
  • The rights of individuals with regard to their personal data and how to exercise these rights;
  • The right to lodge a complaint with the supervisory authority.

Admeet can be used to generate a privacy policy that complies with obligations and is adapted to the expectations of your web agency and those of your customers.

Cookie policy and cookie banner

What are cookies?

Cookies are small files that are deposited on the terminal (computer, smartphone, etc.) of a visitor to a website and enable information about the visitor to be collected. There are different types of cookies:

Cookies that do not require user consent:

  • Necessary cookies enable the website to function from the user’s point of view. For example, the recording of choices made by the cookie manager, or cookies relating to the security captcha, etc.

Cookies requiring the explicit consent of users before they are stored:

  • Marketing cookies for targeted advertising, in particular for personalising content via social networks;
  • Statistical cookies are used to measure and analyse the website audience. They are exempt from consent if certain conditions are met, in particular that the data is completely anonymised, in which case it is no longer personal data; the CNIL defines the conditions for this exemption;
  • Functional cookies provide users with a personalised experience, enhancing their browsing experience on the website (such as the integration of a third-party platform).

Implementation of legal documentation relating to cookies

The cookie banner and consent management

The purpose of the cookie banner is to:

  • Comply with the obligation to provide information;
  • Manage user consent.

Using Admeet makes it easier to deploy a compliant banner and obtain valid consent. Admeet cookie banners contain no dark patterns that could influence the user’s choice.

You must configure the consent script and the scripts that set cookies accordingly. Necessary cookies are set on the first visit; so-called non-necessary cookies may only be set once the user has given consent. Users must also be able to change their minds at any time, so the cookie banner must be reachable from every page of the site via a “cookie management” button.
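The decision logic behind that configuration, as an added example that is not Admeet’s code: tagged scripts ship inert and are only activated for categories covered by the stored consent, with no stored choice meaning necessary scripts only. The consent cookie name, its format and the script list are assumptions made for illustration.

```javascript
// Added example (not Admeet's code): the decision logic behind a consent
// banner. Non-necessary scripts ship inert (e.g. type="text/plain") with a
// category tag; only those covered by the stored consent are activated.
// No consent cookie (first visit) means necessary scripts only.
// Cookie name, format and script list are constructed for illustration.
const CATEGORIES = ["necessary", "functional", "statistics", "marketing"];
const CONSENT_COOKIE = "cookie_consent";

// Parse a document.cookie / Cookie header string into { name: value }.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Return the Set of granted categories, or null when no choice is stored.
// Stored format: granted categories joined by "+", e.g. "necessary+statistics".
function readConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (raw === undefined) return null;
  const granted = new Set(raw.split("+").filter((c) => CATEGORIES.includes(c)));
  granted.add("necessary"); // never subject to the user's choice
  return granted;
}

// Build the Set-Cookie value that records a new or changed choice. Calling it
// again from the "cookie management" button simply overwrites the old record.
function writeConsent(grantedCategories, maxAgeSeconds) {
  const value = CATEGORIES.filter((c) => c === "necessary" || grantedCategories.includes(c)).join("+");
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Which tagged scripts may run? Unknown or unconsented categories stay inert.
function scriptsToActivate(scripts, consent) {
  return scripts
    .filter((s) => s.category === "necessary" || (consent !== null && consent.has(s.category)))
    .map((s) => s.src);
}

const taggedScripts = [
  { src: "/js/captcha.js", category: "necessary" },
  { src: "https://stats.example/tag.js", category: "statistics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];
console.log(scriptsToActivate(taggedScripts, readConsent(""))); // first visit
console.log(scriptsToActivate(taggedScripts, readConsent("cookie_consent=necessary+statistics")));
```

A script that has already executed cannot be unloaded, so a withdrawal recorded by writeConsent only takes effect from the next page load, and deleting the cookies that script already set is a separate step.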

To find out more about cookies, see our guide to managing cookies on your website.

Cookie policy

The cookie policy explains to the user how and why the website uses cookies. This policy must contain:

  • The purpose of the cookie policy;
  • The identity of the controller(s) in relation to the processing of personal data;
  • Details of the use of third-party cookies if this is the case;
  • The contact details of the organisation if the user wishes to contact it;
  • The date of the last update;
  • A general introduction to the definition of a cookie;
  • The categories of cookies that exist;
  • The list of cookies used (name, type, purpose, retention period and technology);
  • The possibility of managing user preferences via the consent banner;
  • The possibility of managing user preferences via the web browser.

Legally, the cookie policy forms an integral part of the privacy policy. However, certain data protection authorities, in particular the Belgian Data Protection Authority, recommend that the cookie policy be a separate document for the sake of clarity.

It must be accessible via the cookies banner. Admeet cookie banners include a cookie policy guaranteeing your site’s compliance.

Other compulsory legal information

Information that a site must contain and make accessible to all users:

  • Name of the publisher responsible for the site;
  • Company name;
  • The address of the registered office;
  • Contact email address;
  • Details of the site host.

The Admeet tool: the solution for making your customers’ websites compliant

The advantages of integrating Admeet for your web agency

The Admeet tool lets you manage the GDPR and ePrivacy compliance of your customers’ websites, with its system for centralising the customer portfolio on the same dashboard. This consolidated view lets you update customer documentation in just a few clicks. There’s no need for technical intervention, as changes are made directly on the dashboard.

If a change is made in haste, or in the event of an audit, earlier versions of the documents are archived in the tool.

Admeet cookie banners store proof of consent, a real guarantee of compliance for your customers’ websites. You can view users’ interactions with cookie banners in real time and analyse all the information at your customers’ request.

By joining Admeet as a preferred partner, your agency’s website will be made compliant free of charge (offer subject to conditions)!

To help you get to grips with the Admeet tool, training courses are available for your web agency teams.

The little extra that makes all the difference: the adaptability of Admeet solutions to your customers’ graphic charter!

Discover the complete all-in-one Admeet application

Admeet’s all-in-one application makes your life easier by providing GDPR documentation adapted to your customers’ sectors of activity. Based on Legal Design, the documentation is much easier for users to understand.

As the consent management platform and banners are compliant, they will ensure that your customers’ websites are as compliant as possible – a significant advantage over your competitors.

Securing your web agency website

Analysis of data flow compliance

Regulatory compliance also requires data, and therefore websites, to be secure. The security of URLs, of the connection path and of access to the back office of websites is crucial to data protection.

Points to bear in mind when using a hosting provider

It is important to choose your hosting provider carefully. The main points to bear in mind are as follows:

  • Ensure that appropriate and sufficiently transparent security and confidentiality measures are in place;
  • Know the geographical location of the servers hosting the data;
  • Ensure that the hosting provider is certified or approved for its activity.

Web agency client website hosting rules

Above all, web agencies must not neglect the hosting and security of their clients’ websites. They should pay particular attention and apply the same requirements to their clients’ sites as they would to their own.