The degree of personal data protection compliance varies greatly between different websites.
Some organizations and companies, especially in the legal sector or large multinationals, are at the forefront in terms of compliance and have taken measures to adapt to the regulations of Regulation (EU) 2016/679 of the European Parliament and of the Council of 26 April 2026 (“GDPR“) and Organic Law 3/2018, of December 5, on Personal Data Protection and guarantee of digital rights (“LOPDGDD“), while many others, the vast majority of companies, may be in the process of implementation or simply do not comply with the regulations, non-compliance that can be severely sanctioned.
Projecting a good image on the Internet requires being aware of the importance of complying with the RGPD and LOPDGDD and, therefore, paying attention to the drafting of the privacy policy and the cookies policy, and properly identifying the company through the legal notice.
- Privacy Policy
The web privacy policy is one of the legal texts that cannot be missing from your website.
The privacy policy is essential on the website since it allows you to comply with the duty of information imposed by Articles 13 and 14 RGPD, so that through it both web users and customers are informed of how their personal data are processed.
There is certain information that a web site’s privacy policy should reflect in any case:
- The identity of the controller and its contact details and, where appropriate, its representative (where the controller is not established in the EU).
- The contact details of the Data Protection Officer.
- The purpose of the processing (for which the data collected through the website are used) and information, if any, on the further purposes for which the collected data will be used.
- The legal basis of the processing, which is closely linked to the purpose. If the legal basis is legitimate interest, this must be duly identified.
- The retention period or, in its absence, the criteria used to determine it.
- The recipients of the data or the category of recipients, indicating whether the data controller will transfer the data to third parties or intends to make international transfers.
- How to exercise the ARSULIPO rights (access, rectification, deletion, limitation, portability and opposition to processing).
- The right to file a complaint with a supervisory authority.
- Whether the communication of personal data is a legal or contractual requirement, or a necessary requirement for entering into a contract and whether the data subject is obliged to provide the personal data and is informed of the possible consequences of not providing such data.
- The existence, if any, of automated decisions, including profiling.
The privacy policy must be visible at all times and accessible from any part of the website (which is why a link to it is usually placed at the bottom of the website), and be in a separate tab.
Additionally, this policy must be simple, written in a clear way, so that it is understandable to any natural person and does not lead to confusion or encourage the user of the website not to read it because it is too long.
On the other hand, in all web forms through which personal data is collected, a link to the privacy policy must be included with a box that is not pre-checked so that users can confirm that they have read the privacy policy, together with additional boxes in the event that it is necessary to obtain consent for certain processing purposes or for the transfer of data to third parties.
As an example, if you are going to use the e-mail address collected for the subscription also to send commercial communications, you must inform the user of this purpose and place a corresponding check box so that the user can accept or decline this processing.
- Legal Notice
To comply with the LOPDGDD in a web page for commercial purposes, which includes advertising or collects personal data, it is necessary to include a legal notice.
The legal notice makes it easy to identify the company that is providing or advertising a product or service.
The information to be provided is the one indicated in article 10 of Law 34/2002, of July 11, 2002, on information society services and electronic commerce (LSSI).
In summary, the legal notice must contain the following information:
- Name or company name of the owner of the website
- Tax ID or VAT number
- Address
- E-mail address
- If applicable, registration data in the Mercantile Registry or any other public registry in which it is registered.
- If applicable, information regarding the corresponding administrative license.
- If applicable, details of the professional association and membership number.
- In the online store, information on the price of products and services (specifying whether taxes are included) and shipping costs.
- If applicable, any codes of conduct to which we have adhered
- Terms of use of the website
In this sense, by providing this information the company complies with the principle of transparency of the RGPD, allowing web users to properly identify the company providing the service and thus know who will manage and process their personal data.
- Cookie Policy
Another requirement of data protection on websites is to write a cookie policy.
The use of cookies is authorized by article 22 LSSI, but information must be provided to the web user about what cookies are, the types, functions and purpose of cookies, duration, who installs cookies, if they are own or third party and how to configure or disable cookies depending on the browser used by the user.
Since personal data is collected through cookies, the user of the website must give consent before they are installed.
Therefore, the website must contain a banner or pop-up window in which the following appear:
- A request for consent
- A checkbox that allows you to accept cookies, reject them or configure them
- A link that offers the configuration options, in which only the strictly necessary technical cookies are pre-checked by default.
The cookie policy should appear in a separate tab (although it is also possible to include it within the privacy policy) and be accessible from anywhere on the website.
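The consent rules described for web forms and for the cookie banner above reduce to two checks that a site can enforce in code: no consent box is pre-checked (consent for each additional purpose is recorded separately), and no non-technical cookie or tag is installed until the user has made an explicit choice, with only strictly necessary cookies enabled by default. The following is an added example written for this article, not code from the original page or from Law4Digital; the category names, purpose identifiers and sample form submission are constructed assumptions.

```javascript
// Added example (not from the original article): a small consent model that
// enforces the rules described above for both web forms and cookie banners.
// Category names, purposes and sample input are illustrative assumptions.

// Cookie categories offered in the banner's configuration panel.
const COOKIE_CATEGORIES = {
  necessary: { required: true,  description: "Session, security and consent-storage cookies" },
  analytics: { required: false, description: "Audience measurement" },
  marketing: { required: false, description: "Advertising / third-party tracking" },
};

// Initial state of the configuration panel: only required (technical)
// categories are pre-checked; every other category starts unchecked.
function defaultCookieChoices() {
  const choices = {};
  for (const [name, cat] of Object.entries(COOKIE_CATEGORIES)) {
    choices[name] = cat.required;
  }
  return choices;
}

// Given the user's saved choices (or null if the banner has not been answered
// yet), return the categories whose cookies may be installed right now.
// Required categories are always allowed; others need an explicit true.
function allowedCookieCategories(choices) {
  const allowed = [];
  for (const [name, cat] of Object.entries(COOKIE_CATEGORIES)) {
    if (cat.required || (choices && choices[name] === true)) {
      allowed.push(name);
    }
  }
  return allowed;
}

// Gate for injecting a script or setting a cookie of a given category,
// e.g. before loading an analytics snippet.
function mayInstall(category, choices) {
  return allowedCookieCategories(choices).includes(category);
}

// Consent purposes a subscription form may ask for. Reading the privacy policy
// is mandatory; the other purposes are optional and recorded separately.
const FORM_PURPOSES = ["privacy_policy_read", "commercial_communications", "third_party_transfer"];

// Server-side validation of a submitted form: rejects submissions without the
// privacy-policy acknowledgement and builds a per-purpose consent record.
function validateFormConsent(submission) {
  if (submission.privacy_policy_read !== true) {
    throw new Error("privacy policy acknowledgement is mandatory");
  }
  const record = { submittedAt: new Date().toISOString(), purposes: {} };
  for (const purpose of FORM_PURPOSES) {
    record.purposes[purpose] = submission[purpose] === true;
  }
  return record;
}

// Template-side check: a rendered form must not carry any pre-checked consent box.
function hasPrecheckedConsent(fields) {
  return fields.some(
    (f) => f.type === "checkbox" && FORM_PURPOSES.includes(f.name) && f.checked === true
  );
}

// Constructed sample run.
const sampleSubmission = { privacy_policy_read: true, commercial_communications: true };
const sampleRecord = validateFormConsent(sampleSubmission);
console.log("form consent record:", sampleRecord.purposes);
console.log("cookies allowed before any choice:", allowedCookieCategories(null));
console.log("cookies allowed after opting into analytics:",
  allowedCookieCategories({ ...defaultCookieChoices(), analytics: true }));
```

The point of `allowedCookieCategories(null)` returning only the necessary category is that a page load before the banner has been answered must behave as a rejection for everything else; the analytics or marketing tag is only loaded once `mayInstall` returns true for its category.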
Penalties for noncompliance
Many companies and freelancers are unaware of the penalties they may face for breaching the Personal Data Protection Act, which in serious cases can reach up to 20 million euros.
- Most common types of GDPR breaches
- Minor infringements of the GDPR
- Failure to comply with the right to provide information.
- Failure to comply with requests to exercise the rights of affected persons.
- Not requesting access to the information collected from the data, such as transparency of its use.
- Failure to notify when a rectification, erasure or limitation of the processing of personal data has been made.
- Failure to inform individuals about to whom their personal data has been communicated.
- Failure to communicate a high-risk data security breach to affected individuals.
- Serious infringements of the GDPR
- Processing data of a minor without obtaining the required consent.
- Obstructing or impeding the exercise of the data subject's rights over his or her personal data.
- Failure to adopt technical and organizational measures for data processing.
- Contracting a data processor that does not comply with the appropriate guarantees for the implementation of technical and organizational measures.
- Failing to establish formal data processing contracts with suppliers that access the data.
- Failure to report a security breach to AEPD.
- Very serious infringements of the GDPR
- Unlawful processing of personal data.
- Processing sensitive data without sufficient legal basis.
- Violating the duty of confidentiality of personal data.
- Processing of sensitive data without explicit consent.
- Failing to state the purposes of the processing of personal data.
- Obstructing the authorities’ supervisory tasks.
- Types of penalties for the RGPD and LOPDGDD according to the infringement
Penalty fines vary according to the seriousness of the violation and can reach high amounts.
The current regulations establish different levels of responsibility for those who carry out the processing of personal data, from its collection to its storage and use.
Therefore, the sanctions of the RGPD and the LOPDGDD may vary depending on whether the offender is a public entity, a company or the data controller.
In order to determine the amount of the fines, the level of infringement of the person or company responsible for the processing of personal data is assessed.
- Sanctions determined by the RGPD:
- Fines for serious infringements: a fine of up to 10 million euros or the equivalent of 2% of annual turnover, whichever is higher.
- Fines for very serious infringements: a fine of up to 20 million euros or the equivalent of 4% of annual turnover, whichever is higher.
- Penalties determined by the LOPDGDD
- Fines for minor infractions: fine of up to 40,000 €.
- Fines for serious violations: fine between €40,001 and €300,000.
- Fines for very serious infringements: fine between 300,001 euros and 20 million euros or 4% of annual turnover, whichever is greater.
The best way to avoid committing infractions and being sanctioned under the RGPD and LOPDGDD is to rely on the advice of a data protection professional, to guarantee the correct processing of the data and, in case an infraction has been committed, to resolve it effectively.
This publication does not constitute legal advice.
_____
How can we help you from LAW4DIGITAL?
At LAW4DIGITAL we are lawyers specialized in digital businesses. We provide comprehensive legal advice to digital companies. We help you with online legal advice.
We will keep you updated on digital business. In any case, you can contact us by e-mail addressed to hola@law4digital.com, by calling (+34) 931 444 820 or by filling out our form at law4digital.com.
We are waiting for you in the next post!
Law4Digital team.