Data Protection and GDPR Compliance

Dear all,

I feel like the current presentation of the feature Netlify Analytics leaves open many questions that data protection officers would need to answer to fulfill their legal obligations on internal documentation and transparency towards their website visitors, e.g. in the case of requests for information from their visitors.

The matter is somehow complex and my current employment does not allow me to provide you a feedback on the matter. However, I would like to share with you some relevant files that you should carefully read to understand more about the legal requirements of a) websites of EU organisations and b) websites that address specifically an audience in the EU.


Questions to begin your assessment with:

  • Does the website process personal data and if so, for which purpose?
  • What is the legal basis for the processing given a particular purpose?
  • If the legal basis is consent, how is the consent obtained? How can visitors give and withdraw consent?
  • How to deal with data subject rights (access, right to be forgotten)?
  • Is the processing using opt-out or opt-in.
  • Is personal data transferred to Non-EEA countries and if so, which legal tool would allow you to carry out such transfers nevertheless?

Some more References:

Thanks for all this detailed information! We got a lot of legal advice when we set up our DPA last year, and it is intended to be one size fits all. We believe it is sufficient for our needs and use, and that it successfully makes you liable for handling your own PII like for submission data and identity logins.

I am not a lawyer, so I can’t give legal advice, but of course, you’re welcome to engage your own lawyer and make your own call about whether our DPA is acceptable for you to do business.


This is a perfect answer Chris (@fool), because it speaks to the fact that everyone has to cover their own responsibility/liability (get legal advice).

1 Like