Launching a website: tips & tricks.
What you need to know.
Launching a website for your company is always associated with new processing activities. This is definitely the case when your site offers a webshop and visitors can create an account and make online purchases. But you are also processing personal data when visitors can contact you via the website or subscribe to your newsletter, or when you allow social media plugins to share the content of your site.
If your website uses non-essential/non-functional cookies (i.e. analytical cookies, advertising cookies and social media plugins), you must obtain the visitor's consent via a cookie banner or pop-up on the landing page. Consent must be given per category of cookies. These cookies cannot be placed before the visitor has given his or her consent. Nor can access to the website be refused if the visitor decides not to accept the cookies in question. The website must contain a cookie statement that provides the visitor with more information about the cookies used on your site. The visitor must be able to change his or her cookie preferences at any time (e.g. via the same cookie banner or pop-up).
When visitors can subscribe to your newsletter via the website, you must obtain valid consent. This consent must meet the requirements of the GDPR (freely given, specific, informed and unambiguous). You can offer an incentive to visitors (e.g. a discount on the first purchase) as long as the incentive is limited and is not withdrawn when the visitor unsubscribes. The visitor must also clearly know what he or she is agreeing to and must take a clear action (e.g. enter an e-mail address, tick a box). The place where consent is given must always contain a link to the privacy statement on the website.
Launching a website often entails cooperation with third parties (web developers, providers of marketing tools, live chats, etc.). They usually qualify as processors, and therefore a data processing agreement within the meaning of Article 28 GDPR must be concluded with them. If your website offers a platform for other companies to sell products, or contains elements that allow social media platforms or other companies to conduct online marketing, you and those companies may be jointly responsible for the processing. In that case, the necessary arrangements must be made in accordance with Article 26 GDPR (e.g. who provides the privacy statement, who responds to requests from data subjects, etc.).
What you need to do.
When you launch a (new) website, always go over the following checklist of the most important points of attention:
- Map out all processing activities on your website and include them in a privacy statement. Check whether it is useful to also publish other processing activities/privacy statements on your site. If you have physical stores where customers can create a loyalty card, it may be easier to provide a QR code on the card that links to the privacy statement on your website, rather than to make physical versions available in-store. If there is camera surveillance within your company, the camera surveillance icon can easily refer to your website for more information. In your supplier contracts you can include a link to the website instead of providing a privacy statement as an attachment. Link to the privacy statement(s) via the footer of your website, and provide the necessary translations if your site is available in multiple languages.
- Identify all of the companies you work with for the website in order to make the necessary contractual arrangements in good time. These contracts must be signed before the processing (i.e. the launch of your website) begins. These companies usually have a template agreement available; if not, you can provide your own template.
Please consult our website or contact one of our team members if you have questions or require more information:
In the Picture - July 2021