GDPR for Personal Websites

Law. Edited. 16 min read (3802 words).

A short guide to how the European Union’s General Data Protection Regulation (GDPR) affects personal websites such as blogs.

Introduction

This text will assume that you are the owner of a small personal website and will explore some of the ways that the EU’s General Data Protection Regulation (GDPR) affects you. The GDPR is large and complicated, so this blog post will by necessity only show you the tip of the iceberg. As we all know, more dangers may lurk below the surface.

Make sure to seek out official information or hire a lawyer if you ever need to comply with the GDPR, and please point out any errors that you discover here so that I can correct them. Don’t take my word for it. For that reason, I will provide plenty of references and links throughout.

Personally, I have had an interest in law for a long time. I studied to become a Swedish lawyer for a year back in 2007 (before I switched subject) and I try to stay at least a bit up to date, especially as it relates to the software industry. I’ve read a few short books about the GDPR, several books about EU law (including university education), and I have read through the legal text.

What is the GDPR?

The GDPR is the major data privacy protection legislation within the European Union. It formally entered into force in 2016, but its rules have applied since 25 May 2018.1 Few have likely missed the intense media coverage at the time as companies struggled to comply with the new rules.2 The GDPR itself is an EU regulation from 2016 named Regulation (EU) 2016/679.3 See the link for the official source in all EU languages (no language version has precedence over the others)4.

The goals of the GDPR are to give people in the EU better control over their personal data and to harmonise the rules across the EU to simplify matters for businesses.5 The EU has several types of legislation. As an EU regulation6, the GDPR is directly binding in every member state without needing to be transposed into national law.

The right to privacy is not a new concept. It’s already expressed as Article 8 of the European Convention on Human Rights and Article 12 of the United Nations’ Universal Declaration of Human Rights. There is similar legislation across the world too, such as PIPEDA in Canada and the CCPA in California. One thing to keep in mind here is that it’s far from obvious how legislation interacts across borders.

The European Commission provides an official website about Data protection in the EU with their own overview.

The GDPR is not the only privacy legislation in the EU. There’s also the ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC), which is sometimes called simply the “cookie law”7. The GDPR didn’t repeal this directive, and there’s a proposed ePrivacy Regulation intended to replace it, so it seems to be here to stay in some form too.

This blog post will focus only on the GDPR.

Important definitions

There are a couple of definitions8 that are necessary to know before we continue. Note how some definitions are much wider in the context of the GDPR than in common language use, which provides a potential trap unless we pay close attention to the terms.

Personal data
Information that is related to an identified or identifiable natural person (the data subject).
Natural person
A natural person is the same as a physical person, i.e. an individual human being. Compare to legal person, which can also be a company.9
Identifiable natural person
A natural person who can be identified, directly or indirectly, for example by reference to either:
  1. An identifier such as a name, an identification number, location data, or an online identifier.
  2. One or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the natural person.
Processing
Anything done with personal data, automatically or manually, such as collecting, storing, retrieving, adapting, using, or similar.
Controller
A natural person or organisation that, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor
A natural person or organisation that processes personal data on behalf of the controller.
Personally identifiable information (PII)
Often used as a synonym for what the GDPR calls personal data.10 A useful and common term elsewhere (particularly in the US), but not one the GDPR itself uses.

When does the GDPR apply?

To avoid getting bogged down in details, I will simplify the rules here to make them easier to comprehend. I won’t cover all exceptions or special cases, even as it relates to personal websites.

The GDPR applies to:

If the controller or processor is not located in the EU, the GDPR is only applicable for data processing related to:

So far, it’s clear that more or less all processing of personal data within the EU (even by controllers or processors outside of the Union) is within scope.

Processing of personal data

To determine if the GDPR applies, it’s necessary to figure out which activities it considers to be processing of personal data. As we’ve seen above, processing means almost any activity involving personal data (whether automated or manual). It’s also important to determine who is responsible for the processing, i.e. the controller.

Identifying personal data requires more consideration. The scope is extensive and almost all websites will process at least some personal data. Note that it’s enough that a natural person related to the data could be identified even indirectly by putting together different pieces of data for it to be personal data.

Examples of personal data include:13

For data to stop being personal data, it needs to be fully anonymised. Pseudonymised data, where additional information could be used to re-identify the data subject, is still personal data.14

Since almost all web servers keep access logs with IP addresses, to be able to avoid abuse and deal with outages, even a fully static website typically processes some personal data. This leads me to believe that the GDPR applies to some extent to basically all websites.

Exceptions to the scope

There are some exceptions to the GDPR’s scope:15

The second exception above gives us another important consideration that affects whether, and to what extent, a personal website is within the scope of the GDPR. More on this below. There are also some interesting exceptions to individual rules that will be covered later.

Purely personal activity

To further investigate what is meant by purely personal or household activity, let’s have a look at recital 18 from the preamble of the GDPR:

This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

In other words, when you process personal data in your spare time related purely to your personal life or household or talk to your friends, this is outside the reach of the GDPR. Same thing when this is done by posting something on Facebook, Twitter, or YouTube. In this case, these companies are the controllers and they are responsible under the GDPR, but you are not.

If you use a blog service for your personal blogging, the same might apply here. The blogging platform is the controller and the GDPR doesn’t apply to you personally. Throughout, this assumes that any processing of personal data by you is strictly within the context of purely personal activities and that the blog service is the controller for any other data processing.

The situation changes if you decide to provide a blog directly to the public, where you control the entire blog. A few aspects are different in this scenario. First, any processing of personal data relating to public blog visitors is no longer in the context of a purely personal or household activity since it involves unsuspecting strangers whose right to privacy the GDPR is meant to protect and who are outside of your personal or household life. Second, there’s no longer another controller for you to point at. You are now clearly the controller who makes the overall decisions about the website and as such the GDPR is fully applicable. Third, if you provide a professional (or commercial) service in any way, you are definitely outside of this exception even if you make no money. These are several ways to reach the same conclusion.

It’s naturally hard to draw the exact line for purely personal activities. Only the Court of Justice of the European Union can decide what the correct interpretation is. There are, luckily, multiple rulings that give precedents for this.

Court rulings under the earlier Directive 95/46/EC (which the GDPR replaced and whose household exception it carried over) show that:

My conclusions: a public personal website is within the scope of the GDPR without exception. When using a blog platform or similar, the GDPR doesn’t apply to you as long as you aren’t in control of the overall website and you only process personal data yourself that is purely related to your personal life.

What is needed to comply?

This is a much bigger topic than whether the GDPR applies and it varies depending on the circumstances and the purpose of the processing. I will give a short overview and then focus on the basics.

There are many aspects to be aware of, such as:

I’ll go into some details for a few of these areas. See the links above for more!

Lawfulness of processing

There are six bases for lawful processing of personal data according to the GDPR (see Article 6):

  1. Consent has been given by the data subject.
  2. Processing is necessary to carry out a contract with, or request by, the data subject.
  3. Processing is necessary for compliance with a legal obligation.
  4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  5. Processing is necessary for the performance of a task carried out in the public interest.
  6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

For a personal website, the first two and the last bases are most interesting. The full text of the last lawfulness basis is:

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

For a personal website without cookies that only uses personal data as part of server access logs, to detect abuse and handle outages, and which collects at most anonymous visitor statistics, the second and sixth bases should cover all processing. Recital 49 of the GDPR explicitly recognises processing that is strictly necessary for network and information security, such as blocking attacks and keeping a service available, as a legitimate interest of the controller. This is the easiest way to comply with the GDPR. Note that you still need to comply with many of the GDPR’s other rules even in this scenario.

To collect full statistics about your visitors using tracking cookies with Google Analytics, you need to ask for consent before activating data collection. This consent can then be withdrawn at any time.

Processing without identification

One interesting exception from some of the GDPR’s rules can be found in Article 11. If your data processing doesn’t require that you identify the data subject (which will be the case on many personal websites), you are not required to collect or process additional information to identify a data subject for the sole purpose of complying with the GDPR.

If this applies to you, then Articles 15 to 20 (the rights of access, rectification, erasure, restriction, notification of recipients, and data portability) no longer apply, which will be a relief for any owner of a small website. In other words, there are good reasons to avoid being able to identify data subjects, both for their privacy and to reduce your own burden.

Unfortunately, this exception disappears the moment a data subject provides you with additional information that is sufficient to identify them in your data. In practice, though, it is often not realistic for a data subject to supply such information.

Transparency and privacy policies

One fundamental right under the GDPR is for data subjects to get information about how their personal data is processed. This is usually accomplished by writing a privacy policy, which can nowadays be found on most websites and in most software applications. This also applies to almost all personal websites.

Assuming that data is obtained from the data subject, you need to provide information at least about the following (Article 13):

Keep in mind that whenever you are the controller, your responsibility includes the processing performed by processors on your behalf.

This requirement to inform the data subject does not apply, however, if the data subject already has the information. You don’t need to inform yourself or your own team, for example, and you don’t need to keep re-informing data subjects where it’s clearly unnecessary.

Responsibility as a controller

As with all law, the rules of the GDPR require interpretation and are usually meant to be proportional to the risks and interests of the data subjects. Keeping that in mind, it might be easy or hard depending on the situation to comply with the various responsibilities put on controllers. I won’t go into much detail here.

At a high level, you as a data controller are responsible for protecting the personal data that you process by designing and operating secure systems and by taking sufficient precautions. Similarly, it’s your responsibility when letting another processor deal with personal data on your behalf to make sure that processor also has taken adequate measures to protect the privacy of the data subjects. Additional responsibilities arise when the data processing is especially risky or the controller is a large enterprise.

Make sure you check the privacy policies of any processor you make use of and include this information in your own privacy policy.

In addition to security precautions, it’s worth mentioning the requirement to notify the supervisory authority of a personal data breach (Article 33, within 72 hours where feasible) and, when the breach is likely to result in a high risk to them, the affected data subjects (Article 34). Also, unless you are covered by the exception for small-scale data processing (Article 30(5), for organisations with fewer than 250 employees, subject to conditions), you need to keep records of processing activities. I would guess that most private websites will either be covered by that exception or simply outsource all processing of personal data to processors (who will keep records). If that’s not the case, don’t forget to keep this record.

If you are a big organisation or are interested in that case, then this blog post is not written with you in mind and you should read Chapter IV of the GDPR carefully.

Transfer of data outside EU

This is an area where complying with the GDPR gets especially complicated. Anyone who uses cloud services is almost bound to enlist the help of some American company as a processor of personal data. For this to be compliant with the GDPR, you need to follow Chapter V.

In short, the company outside of EU needs to provide appropriate safeguards for the processing of personal data such that the data subjects’ privacy will not be worse than if the processing happened within the European Union. What ways are acceptable for achieving and assessing this is a bit more complicated. Most companies that process personal data outside of EU (such as Google) provide information on their website about this.

Transferring data to the US is surprisingly problematic. See my newer blog post for more about this: GDPR and Transfer of Data to the US.

Scenarios

Here are a few simple scenarios where I apply the above information.

Static site generators

These tools, such as Jekyll and Hugo, are popular nowadays. They generate static HTML pages instead of running code for each page request. This offers good security, performance, and low cost. Does it mean that the GDPR doesn’t apply? No.

As we’ve already seen, even when hosting static websites, it’s common to collect access logs that contain IP addresses and potentially other personal data. As such, the GDPR applies to your website and at a minimum you need a privacy policy. I believe this is the case whether you use Firebase Hosting, Google Cloud Storage, Amazon S3, GitHub Pages, or Netlify.

Static site generators are still a great idea and it typically requires a small effort to comply with the GDPR in this scenario, unless you add external data processing for comments or analytics.
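The access logs mentioned above (and in the section on processing of personal data) are the main place where a static site retains personal data, so one practical way to reduce that is to truncate client IP addresses before the logs are stored or analysed. The script below is an added example, not code from the original post. It assumes the Combined Log Format that Apache httpd and nginx write by default, and it assumes two truncation lengths (IPv4 to a /24 network, IPv6 to a /48), which is what “IP anonymisation” usually means in practice. The sample log lines are constructed for the example. Whether truncated addresses count as anonymised or merely pseudonymised is a legal judgement the code does not make; it only shrinks how much of the data can single out a visitor.

```python
"""Truncate client IP addresses in web server access logs.

Example added to illustrate the blog post; it is not the post's own code.
Assumptions: Combined Log Format input, IPv4 truncated to /24 and IPv6
to /48 (both assumed, adjustable via the constants below).
"""
import ipaddress
import re
import sys
from collections import Counter

# Assumed truncation lengths. Shorter prefixes keep fewer bits of the
# original address and therefore less potential for identification.
IPV4_PREFIX = 24
IPV6_PREFIX = 48

# Combined Log Format starts with the client address followed by a space:
# client identd user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>.*)$")

# Constructed sample lines (documentation address ranges, not real visitors).
SAMPLE_LINES = [
    '203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '2001:db8:85a3::8a2e:370:7334 - - [10/Oct/2023:13:56:01 +0000] "GET /about HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:57:12 +0000] "GET /feed.xml HTTP/1.1" 200 4096 "-" "FeedFetcher"',
]


def anonymise_ip(ip_text: str) -> str:
    """Zero the host bits of an IP address; non-IP input is returned unchanged."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return ip_text  # e.g. "-" or a hostname; leave it for the caller to judge
    prefix = IPV4_PREFIX if ip.version == 4 else IPV6_PREFIX
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def anonymise_line(line: str) -> str:
    """Rewrite one log line so that only the truncated client network remains."""
    stripped = line.rstrip("\n")
    match = LOG_RE.match(stripped)
    if not match:
        return stripped  # not in the expected format; pass through untouched
    return f"{anonymise_ip(match.group('ip'))} {match.group('rest')}"


def anonymise_log(lines):
    """Anonymise a sequence of log lines, preserving order."""
    return [anonymise_line(line) for line in lines]


def network_counts(lines):
    """Requests per truncated network: the coarse statistics that survive anonymisation."""
    return Counter(anonymise_line(line).split(" ", 1)[0] for line in lines)


if __name__ == "__main__":
    # With no stdin input, demonstrate on the constructed sample lines.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for line in source:
        print(anonymise_line(line))
```

Pipe a real log through it (`python3 anonymise_log.py < access.log > access.anon.log`) and keep only the anonymised copy. Note that the remaining fields still matter: a rare user agent, a referrer carrying a session token, or a query string with an e-mail address can single out a visitor on their own, so the same “can anyone still be identified, even indirectly?” question from the definitions above has to be asked of every field you retain.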

See above for potential problems with hosting provided by American companies.

Google Analytics

It’s clear that full use of Google Analytics with cookies for tracking individual users, will require consent under the GDPR.

However, Google Analytics without any cookies and with IP anonymisation enabled is, as far as I can tell, fine without consent. You are again processing small amounts of personal data related to requests, but that should be fine under the basis of a legitimate interest. It has a very limited effect on the visitor’s privacy. You should still tell visitors about it, and I believe the GDPR applies up to the point where no natural person can any longer be identified from the collected data.

See above for potential problems with transferring data to American companies such as Google.

Personal posts on Facebook or Twitter

As long as you only process personal data that is purely personal (related to you), this is a clear case of the exception where the GDPR doesn’t apply to you. Facebook or Twitter will be the controllers and are responsible.

The situation gets more complicated in similar situations where you have more control over the website such as on some blogging services. Somewhere, a hard-to-draw line exists. On the other side of that line, we have your own website that is fully controlled by you (i.e. you are the controller) and which is hosted using e.g. a generic cloud platform (in the role of a processor). See above for more on this.

You are in the UK

As is often the case, this is a bit different. After Brexit, the UK has its own UK GDPR. In the UK, you also have to pay a data protection fee to the regulator in many cases. See the ICO’s website.

Learning more

There are many resources for learning more about the GDPR, and this post only scratches the surface. The European Data Protection Board offers guidelines and recommendations online. The regulation itself is worth reading, which is easy on, for example, gdpr-info.eu. There are also plenty of books by now, of which I can recommend EU GDPR: An international guide to compliance.

To better understand the GDPR, it also helps to read up on EU law in general. Any introductory book on the subject works well for that. The same goes for books on law in general, of course, and for reading up on related privacy legislation.

If you are in Sweden, you can find more information on the official website of the Swedish data protection authority.

Tags: law, blog, gdpr, web, data.