How to make sure that a website is GDPR compliant?

The GDPR had an undeniable effect: many European citizens became much more aware of their online privacy. A few years back, internet users paid less attention to all the traces that they were leaving on the internet.

Now, most websites indicate the presence of tracker cookies, companies send information emails whenever they update their privacy policy, and users play an active role by expressly accepting the processing of their personal data or by accepting to receive personalized ads.

At this point of the article, if you still don’t know what the GDPR is all about, I advise you to catch up by reading our previous articles.

Anyway, even though most users don’t necessarily get all the fuss around the GDPR, they are aware that they leave traces on the internet and that their personal data can be used by third parties.

However, this reality check is not enough to protect your personal data. Indeed, some organizations are not totally GDPR compliant, but it’s hard to notice if you don’t know where to look.

Okay, I’ll stop tiptoeing around the topic: I’m going to give you some tools to check a website compliance with the GDPR. With these pieces of information, I hope you’ll be more aware of the GDPR and that you’ll attach more importance to your personal data.

Where can you find these types of information on a website?

The GDPR provides for an obligation of transparency concerning the processing of your personal data. Therefore, you must be clearly informed about what your data are used for. To find the provisions relating to the GDPR, there’s no universal link: organizations can inform the data subjects anywhere on their website. In general, you’ll find this information in:

• The General Terms and Conditions (GTC) or General Conditions of Use (GCU);
• The privacy policy;
• The “GDPR” section;
• The website FAQ.

What kinds of information should you be looking for?

Let’s get to the heart of the matter: what information should you be looking when you’re checking a website compliance with the GDPR? In total, you should be looking for 9 to 10 pieces of information on the website. If you don’t find them all, it’s highly likely that the organization is not fully GDPR compliant.

1 – Identity and contact details of the controller or data protection officer

If you didn’t understand the title of this section, here’s a quick terminological reminder:

• controller: natural or legal person that collects your personal data and processes them.
• data protection officer (DPO): there is no official definition in the GDPR. But to make this simple, the DPO is the mastermind when it comes to making companies compliant. He has a strong expertise in the field of data protection and he’s in charge of informing and advising companies on how to implement the European regulation. If you want to find out more, you can dive back into one of our previous articles on the role of the DPO with the GDPR compliance.

Anyway, the website is supposed to clearly mention the company’s controller or data protection officer. It can be a natural or legal personal, so don’t specifically search for a first and last name!

The contact details of the controller or DPO must also be mentioned on the website. It can be an email, a postal address or a form on the website… In short, any means of contact.

2 – The categories of data collected

Without your knowledge, many of your data are collected on the internet! For instance, by visiting a retail website, the latter can save your IP address (yes, that’s considered a personal data), place a cookie on your computer in order to provide personalized ads, etc.

More clearly, you don’t necessarily need to sign up on a website for it to collect your personal data. Just by going to the homepage, some of your data can be collected.

The GDPR requires companies to clearly mention the kinds of data collected and explain what they will be used for. Legally, it’s called “purpose of the processing”.

3 – Purposes of the processing

“Purposes of the processing”… what the devil is that barbaric expression?

In a simpler language, the website must clearly mention what your personal data will be used for.

For instance, if you place an order on the internet, the retail website can ask for your phone number in order for you to get delivery notifications. Therefore, the purpose is to provide real-time delivery tracking and allow the deliveryman to contact you more easily.

As soon as the purpose is fulfilled, the organization must (in principle) delete the personal data collected. If I stick to the order delivery example, the deliveryman is supposed to delete your phone number from his database as soon as you’ve been delivered.

Nonetheless, don’t disclose any data only because they’re used to fulfill a purpose! Can you imagine a retail website asking for your tax number in order to deliver an order? You would think it’s crazy, and you’d be right. Therefore, you should just remember that an organization can only collect data strictly necessary to fulfill the purpose pursued.

4 – Legal basis of the processing

Another extraterrestrial expression for most non-lawyers…

To make this simple, the GDPR allows organizations to collect and process your personal data in six specific situations. It’s called “the legal basis of the processing”. The collection and processing of your data must come within the scope of at least one of these situations, otherwise, the organization violates the GDPR.

For your information, here’s the list of the six legal bases justifying the processing of your personal data:

• the processing is lawful if you agreed to the collection and processing of your personal data. If you change your mind, you can withdraw your consent at any time;
• the processing is lawful if it’s necessary to perform a contract that you signed;
• the processing is lawful if the law requires organizations to collect your personal data. For instance, the law requires companies to get the social security number of their employees to register them to the appropriate authority;
• the processing is lawful if your personal data are necessary to protect your vital interests;
• the processing is lawful to perform a task carried out in the public interest;
• the processing is lawful if the organization pursues legitimate interests. However, using this legal basis is not enough! An organization must clearly explain why its interests are legitimate.

Of course, these legal bases are usually drafted more formally in a contract, but at least, you know what they’re all about.

5 – Recipient of the data

The website must clearly mention the recipient of your personal data. In this situation, there are two main recipients:

• the organization that collected your data: the data remain in-house and are not shared with any third-party;
• the organization shares your data with third-parties: in that case, things are getting trickier. The organization must tell you about the transfer and the reason of the transfer. If your data are given to third-parties for advertising or commercial purposes, the organization must allow you to refuse that transfer.

6 – Data transfer outside the European Union

To guarantee the security of your data, organizations cannot transfer your personal data to a random country on the map. Transferring data abroad is very supervised to prevent any privacy violation or fraudulent use of your data. Therefore, the organization that collects your data must primarily host them on the territory of the European Union, i.e. where your data are protected and covered by the GDPR. If the data stay within the territory of the EU, organizations are not subjected to any formality: they can process your data in any country of the European Economic Area (including the Member States of the European Union, Norway, Island and Liechtenstein).

If the organization wants to process your personal data outside the European Union, things are getting trickier for you and the organization. The GDPR allows data transfers to countries benefiting from an “adequacy decision”. It means that the recipient country of the data signed an agreement with the European institutions to process your data in accordance with the GDPR. In that case, organizations are allowed to transfer your personal data to these adequate countries with no other formality. However, the list of adequate countries can be counted on the fingers of one hand, including for instance Switzerland, New-Zealand, Japan, Andorra, Argentina, Uruguay and Israel. If you want to know the all the countries considered as adequate, the French data protection authority published an interactive map which is very useful! Don’t worry, the map is in English, it’s just that I couldn’t find another one anywhere else.

Except for adequate countries, transfers to third-party countries are not allowed. However, a really motivated organization can benefit from an exception thanks to the GDPR. Indeed, the organization must organize a transfer which is “subject to appropriate safeguards”. To make this is simple, the organization can transfer you data to a non-adequate country by imposing heavy obligations to the data recipient. The GDPR highly recommends to have the other party sign the Standard Contractual Clauses adopted by the European Commission to make sure that the data transfer complies with the European regulation. Nevertheless, if the organization decides to not use these contractual clauses, the supervisory authority’s permission will be required to carry out the data transfer. In short, the procedure is very heavy and difficult in order to protect your personal data.

Lastly, just know that any data transfer to the United States is forbidden in principles, unless the data recipient signed an agreement called “Privacy Shield”. The problem is that this agreement may be invalidated by the Court of Justice of the European Union very soon because it doesn’t comply with all the GDPR requirements. Therefore, it’s likely that transferring data to the US becomes illegal overnight.

Even if you didn’t understand all of these explanations, just remember that an organization must inform you if your data are being transferred outside the European Union. If that’s the case, it must tell you if the recipient country has an adequacy decision or appropriate safeguards approved by the European Commission.

7 – Data storage period

The website you’re visiting must tell you the period for which your personal data are stored. But there’s a hitch: the GDPR doesn’t tell for how long.

In theory, your data must be erased, anonymized or pseudonymized (yes, that’s a real word) once the purpose pursued is fulfilled, i.e. when the organization no longer needs your data.

However, there are a few exceptions, particularly concerning storage for archiving purposes. But I don’t want you to get confused, so I won’t go into details.

Just remember that the website must clearly mention the period for which your personal data is stored.

8 – Exercising your rights

The GDPR was enacted for a noble cause: give people control over their personal data. Translation: your data belong to you and you can (almost) do anything with them.

To exercise that control, the organization must let you exercise the rights conferred by the GDPR. You know, the right to erasure, to rectification, to object to the processing, etc?

The procedures for exercising your rights depend on the procedures implemented by the organization. Some of them decided to create an email address, while other chose mail. In any case, feel free to exercise your rights to the organization that processes your data. Once you sent your request, the organization must reply for free within one month.

9 – The right to lodge a complaint with the supervisory authority

If the controller or the data protection officer does not proceed with your request after one month, the organization must tell you that you can lodge a complaint to the competent supervisory authority. If the website has neglected to give that information (by mistake, of course), here are links to the different English-speaking supervisory authorities:

• For the UK, fill in the form on the ICO website;
• For Ireland, the DPC will help you.

Then, the competent supervisory authority will go over your complaint and carry out investigations against the website.

10 – The cookies

This last part is the first thing you should be seeing when you go to a website. Since it’s a delicate subject for the supervisory authorities at the moment, I wanted to talk about it at the end of this article.

If you don’t know much about web cookies, you can read one of our previous articles to feed your general knowledge.

Anyway, you should pay attention to one thing when you’re visiting a website: the cookie banner. You know, the little banner that no one ever reads? Generally, it lets you know that cookies are placed on your computer, and some of them are used for commercial or advertising purposes. If the cookie banner is GDPR compliant, you should be able to refuse these cookies.

In practice, refusing these cookies on your computer can be like an obstacle course. For your information, I still didn’t find a good method to disable Yahoo! News cookies in less than 15 minutes. If you got any tutorial to share, I’m totally interested!

Many organizations do not play fair since they try to discourage the user from disabling cookies. The reason is simple: advertisement cookies are usually an important source of income, so many companies are reluctant to the idea of us having control over our data.

But don’t worry, things will look up very soon thanks to a miracle solution: the ePrivacy regulation. This regulation is supposed to complete the GDPR by setting up rules for online marketing, particularly regarding the use of cookies on the internet. “That’s great news!”, you’re probably thinking. Indeed, that’s great… except that the regulation doesn’t exist yet.

ePrivacy was supposed to come into force alongside the GDPR in 2018, but it became a taboo subject for the European Union because no one agrees on its content. The former European Parliament ultimately gave up and passed the buck to the new MEP after the 2019 election. Now, we just have to keep our fingers crossed so the situation can change.

Meanwhile, try to pay attention to cookies when you end up on a website homepage. The cookie banner is an excellent way to take stock of a website compliance with the GDPR!

Short recap

Even if you didn’t understand (or read) everything in this article, it’s okay. The most important thing is that you’re interested in your personal data. The GDPR gives you back power over your data, so grab it and use it. Be curious, and over time, you’ll be much more aware about your personal data and your privacy.

Obviously, this article is not a magic bullet to take stock of the GDPR compliance by a company or prevent a data leak, but it can help you be careful and exercise your rights.

And if some of you, dear readers, happen to work for a company which doesn’t fully comply with the GDPR, everything’s going to be fine! Contact us to get some personalized advice by our data protection officers. We will guide you in order to ensure your compliance with the European regulation!