Content type

Does my company's website comply with the General Data Protection Regulation?

30 Aug 2021. 14:11
Tiempo lectura
5 min. of reading
Published by
Imagen colaborador
Logo Acelera pyme
Acelera pyme

Términos de uso

You can use the resource for personal or informative use with attribution to the entity following our terms of use.


  • SME maturity
    1. Ciberseguridad
    Scope to digitize
    1. Cybersecurity

Compartir píldora


Adapt your website by following the guidelines on privacy and cookie policy to avoid possible sanctions.

Imagen o video destacado
Pill about whether my company's website complies with the General Data Protection Regulation

As you know, the General Data Protection Regulation (GDPR) applies to all companies that process any type of personal data that identifies or allows the identification of an individual (such as name, address, email, telephone, IP address, online identifier, bank card number... and so on). Generally, companies use websites to give visibility to their business, or even to offer or provide their services.

Websites often collect personal data through several channels, such as forms or cookies. Therefore, whether your business uses a website only to give visibility to products or services or if you offer them through it (e-commerce), you must ensure that it complies with both data protection regulations (GDPR and OLDPGDR) and the Law on Information Society Services (LISS).


Some keys to avoid possible sanctions.

Although the adaptation of your website may have different needs depending on the case, here are some keys that you should not forget when adapting your website and avoid possible sanctions, which are increasing and are becoming more and more frequent.


  1. Privacy policy.

It is essential to have a privacy policy that clearly states how you are going to treat the data of users and/or clients. It is very common to find general templates on the Internet, but you should avoid them. This is because it is important that this policy reliably reflects the purposes of the processing (what they are collected and used for), the bases that legitimise it (if it is by means of consent, if it is necessary for the execution of a contract, etc.), if there are going to be transfers to third parties, how long you are going to keep the data, who they should contact to exercise their rights, and other aspects that really apply to the specific processing that you carry out on your website.

The Spanish Data Protection Agency (SDPA) facilitates compliance with the level of information through this Guide to comply with the duty to provide information. It is quite specific and contains very useful examples.


  1. Cookie policy.

You will also need a cookie policy where you identify which cookies are used on your website, whether they are your own or from a third party, what they are used for and how long they last. The issue of cookies also requires the possibility of choosing which ones you want to install and which ones you do not, and you must also explain to the user how to customise these preferences. This is a crucial point, as the SDPA recently fined a company 30,000 euros for not allowing the rejection of cookies, installing them without the user's consent.

It is highly recommended that you consider the Spanish Data Protection Agency's guide on cookies. Like the guide on how to comply with the duty to provide information, it explains in detail the specific information that must be provided and how, with some practical examples.


  1. Information in layers.

Once these points have been drafted, in order to make them clearer and more visible to the user, it will be essential to introduce notifications on the website to correctly implement the duty to provide information. This is related to the AEPD's recommendation to offer the information in layers so that it is more convenient for the user to know the basic and most relevant information in a first layer, being able to access a second layer to expand this information. 

The guides above-mentioned provide exhaustive explanations and examples of how to write and place the information in layers (cookie banner, basic information in contact forms, comments, subscription to a newsletter, contracting services, etc.). Do not forget in these cases to add the "I accept the privacy policy" button linking to it.


  1. Technical and organisational actions.

In addition to these formal requirements, it will be necessary to ensure that all data processing reflected in the policies is carried out with all the legal guarantees, which implies implementing some technical and organisational actions (such as having a security certificate (SSL) and security plugins installed, knowing how to exercise the rights you may receive and how to process them, or having mechanisms that allow you to have visibility of whether your website suffers a security breach, assess its impact and how to act on it).


As you can see, correct compliance with the regulations is not limited to including a generic privacy policy, but it must be effective, so that on many situations, depending on the difficulty of the processing of our website, it can be really complex. The SDPA has a consultation channel on 912 66 35 17. In any case, it is highly recommended to have the help of an expert in the field, avoiding offers that are too "competitive" for your website to adapt correctly to the regulations. Cheap can be expensive.


¿Te ha gustado este contenido?
No votes have been submitted yet.