Data protection liability risks: How web agencies navigate safely through the GDPR

Created 23. May 2023

When web agencies create websites for customers, they must also pay attention to data protection. There are liability risks here. We show you when you are liable and how you can deal with the risks.

For web agencies, the question of liability in the event of data protection violations by the customer is a sensitive issue. After all, despite all the care taken in creating websites and implementing data protection measures, the risk of data protection breaches remains. The question, then, is whether a web agency can be held liable for its client's data protection breaches. Generally, the customer who processes personal data via its website is responsible for compliance with data protection regulations. This means that the customer has a duty to protect the data of its website visitors and to take appropriate technical and organizational measures to ensure this.

However, the web agency can also be held responsible to a certain extent. This is especially true if the agency is involved in the processing of personal data and thus acts as a processor. In this case, the agency is obliged to comply with the provisions of the General Data Protection Regulation (GDPR) and to take appropriate technical and organizational measures to protect its customers' data.

Who is liable for the processing of personal data on your client's website?

In principle, the person responsible for processing personal data is liable, i.e., in the case of websites, the owner of the website. Violations of data protection law therefore first affect the person responsible. Nevertheless, the web agency may be liable to the customer for data protection deficiencies:

  • If the data protection conformity of the website was agreed in the contract, the agency is liable for this property in any case.
  • If the website is expected to be state of the art, it may follow under certain circumstances that the agency is liable to the customer where the website has properties that are not data protection compliant.
  • Errors in data protection may, in principle, also constitute a defect of the website under certain circumstances, since a legally compliant website is owed as a work. An example of this could be an incorrect configuration of the consent banner. Providing a website without SSL encryption may also constitute a defect.

The question of liability always depends on the specific circumstances of the violation and the contractual agreements between the web agency and the customer.

What about liability as a processor?

If you take over the hosting of the website for your customer, or if you operate an analytics service for them on an agency server, then you may be acting as a processor. As a processor, you are the executing arm of the customer, with no discretion of your own over how the data is used. Processors are required by Article 28(1) of the GDPR to provide sufficient guarantees that appropriate technical and organizational measures are implemented in such a way that the processing complies with the requirements of the GDPR and ensures the protection of the rights of the data subject. Typical examples of personal data breaches include cyber-attacks, server crashes, viruses, and other attacks on IT.

You must ensure that the technical and organizational measures correspond to the level of protection required by the personal data you process. Certain personal data are particularly protected: according to Art. 9 GDPR, this includes, for example, health data, biometric data, or data on sexual orientation. These must be given special protection; for example, special measures are required for the encryption or anonymization of data.

If, despite all the measures taken, a data protection incident occurs, you are obligated to report the incident to your customer immediately and to support him in fulfilling his reporting obligations.

If you act as a processor, you must conclude a contract on commissioned processing (AV contract) with your customer. This contract defines once again what data is involved and, above all, what measures you will take to protect the personal data and what control options you will grant your customer to check the protective measures. It is advisable to define a liability regulation in the AV contract, which clarifies the responsibilities and liability issues in the event of data protection violations. Templates are available on the Internet. However, it is safer to go to a data protection officer or lawyer. They can adapt the contract on commissioned processing for your purposes.

Who is responsible for the content of the imprint, privacy policy and consent banner?

The responsible person is the owner of the website. He must therefore also check whether all the content on the website is complete and legal. In the best case, your web agency only takes over the prepared content of your customer and fills the website with it. However, if the customer makes specifications that are already illegal, it is your duty to inform the customer about this.

You do not owe him legal advice, but the work you provide must be legally compliant. This means that you must point out to your customer if, for example, the privacy policy is obviously incorrect. For example, if important information such as the name of the person responsible is not provided, or if certain processing operations, such as tracking, are not named, even though you know that these are used on the website.

If the website operator explicitly asks you to take care of the imprint, privacy policy and consent banner and you take on this task, you are also liable for ensuring that the information complies with the legal requirements. Tools for the creation of appropriate texts, such as for the privacy policy, offer good assistance. They assist in providing the most important information and have pre-formulated text modules for plugins and third-party providers on the website, for example. These generators reduce the risk of errors in the privacy policy. However, they do not exempt you from liability. The generators do not check whether you have provided your information correctly and completely.

So, if you make the content available yourself, it is advisable to have it checked by a lawyer or a data protection officer beforehand. You may be able to pass on the corresponding costs to your customer.


What are the biggest risks with the privacy policy?

In fact, the biggest liability risk with the privacy policy lies in not having one at all. The absence of a privacy policy is an undoubted violation of the GDPR, and competitors can also issue a formal warning over it under the Unfair Competition Act (UWG). Second, the privacy policy must be complete. Above all, the policy must identify the person responsible and, if applicable, the data protection officer. In addition, the data subject must be fully informed about his or her rights. The privacy policy must list the various processing operations on the website, for example by third-party providers such as Google Analytics but also self-hosted services such as Matomo. Services such as decareto help to find out where and how data is collected on the website.

When should the customer's data protection officer or an external data protection officer be involved?

In fact, it is important to involve the data protection officer as early as the planning stage of the website. After all, it is conceivable that certain technical components or processes on the website are not data protection-compliant or that they need to be integrated differently. It is always more expensive to resolve data protection issues after the fact than to consider them before implementation. You should therefore seek an exchange with the customer's data protection officers for this purpose.

Summary: These are the points you need to pay attention to

  • Take data protection seriously and invest in expertise in this area. The nature of your work also includes legal compliance. To ensure this, you need a basic knowledge of data protection.
  • As a processor, you must sign a contract with your customer for commissioned processing.
  • The technical and organizational measures you take to protect personal data must be commensurate with the risk to the data subject in the event of a possible breach of protection.
  • Get external legal support on board right at the start of a project. Nothing is more expensive than a project that fails because it contradicts legal requirements.

Data protection under control

Rafael Gaus

With his company Konzepttreu GmbH, IT and data protection expert Rafael Gaus supports entrepreneurs and solo self-employed people in the southern Lower Saxony region with web design, search engine marketing and data protection. In an interview with decareto, he describes the role data protection plays in his company.

Mr. Gaus, you are the owner of a web agency. Where does the topic of data protection crop up in your work?

First, of course, with myself. I have to have data protection under control in my own company. That starts, for example, with the first customer contact, when I explain to the customer how his personal data will be processed. In fact, the sensitivity of customers has also changed here. In the past, I myself had to point out that my customers and I had to conclude a contract on commissioned processing. Today, customers approach me of their own accord.

Do you see yourself as a processor?

Definitely. If it was just web design, that wouldn't be the case. But I do a lot more for my customers. From the moment employee photos are processed, tracking technologies are in use, it's already over. And even when I take care of web hosting and manage the corresponding hosting packages of my customers, personal data such as IP addresses flow. Then I am definitely a processor and a corresponding contract is necessary.

Do you also take care of your customers' privacy policies?

I make my customers a proposal for a privacy policy if they want one. If the customers want to have it checked again, for example by a lawyer, that is of course also fine. For liability reasons alone, I include data protection issues in my consulting: For example, the use of banners and consent management systems. And sometimes I also give tips on whether some tools might be worth considering, such as Matomo as a replacement for Google Analytics.

Are you supported externally by a data protection officer?

I used to get help. In the meantime, I have trained as a data protection officer myself. Not that I work as one, but for me it was important to better understand the subject matter.


Author: Henning Zander

Henning Zander is a certified external data protection officer (TÜV) and a specialist in issues relating to data protection requirements in the healthcare sector. His clients include, in particular, medical, dental and psychotherapeutic practices as well as pharmacies in northern Germany.
