Legal & Compliance

GDPR Compliance: Agency vs Client Responsibility

Who is responsible for GDPR compliance when a web agency builds your website? A clear guide to understanding the division of duties.

SALATAGS
7 min read
Tags: GDPR, Privacy, Legal, Web Development, Compliance

Disclaimer: This article is for informational purposes only and does not constitute legal advice. GDPR compliance requirements may vary based on your specific business context. We recommend consulting with a qualified legal professional for advice tailored to your situation.


Introduction: Why GDPR Matters for Your Website

Let's talk about GDPR. Not the most exciting topic, but it's one that trips up a lot of businesses.

Here's the thing: if your website collects any personal information (and most do — think contact forms, newsletter signups, even analytics), you need to care about GDPR. It's not bureaucratic red tape; it's about respecting your users' privacy.

The confusion usually starts when you hire a web agency. Who's responsible for making sure everything's compliant? The agency? You? Both?

The answer: We work as a team. As your agency, we handle all the technical aspects — building, configuring, and maintaining your website's infrastructure. But as the business owner, you remain the Data Controller with specific legal obligations.

Here's the good news: We don't just build your website and leave you to figure out GDPR alone. We guide you through the entire process, help you generate all necessary documents using professional tools like Iubenda, and ensure your platform is compliant from day one.

Let's break down exactly who does what.




Understanding Key GDPR Roles

Before diving into responsibilities, you need to understand two critical GDPR concepts:

Data Controller

The Data Controller decides why and how personal data gets used. This is you — the business owner.

Think of it this way: if you're collecting customer emails through a contact form, you're the one deciding what happens with them. You determine the purpose, the storage duration, and how the data will be used. That makes you the Data Controller.


Data Processor

The Data Processor handles data on behalf of the Data Controller. This is where your web agency comes in, along with services like hosting providers, email marketing platforms, or analytics tools.

So when we build your website, set up your forms, configure your database, and integrate third-party services, we're processing data on your behalf as your Data Processor.




The Agency's Responsibilities


As your Data Processor, we take on the entire technical and infrastructural side of GDPR compliance. This is what we handle for you:

1. Building Security Into the Website

We build data protection into every layer of your site from day one:

  • HTTPS encryption — All data transmitted between users and your site is encrypted
  • Secure forms — Contact forms built with proper validation and security measures
  • Database security — Your data is stored with enterprise-level access controls and encryption
  • Cookie consent implementation — We integrate and configure the consent management system

2. Setting Up Third-Party Tools Properly

Google Analytics, Facebook Pixel, live chat widgets — we configure everything the right way:

  • Select and implement GDPR-compliant tools
  • Configure them to respect user consent choices
  • Ensure nothing collects data until the user explicitly agrees
  • If users reject cookies, we ensure zero data collection happens

3. Privacy-by-Design Architecture

We build your website with GDPR principles embedded in the code:

  • Minimize data collection to only what's necessary
  • Set up automatic data retention policies
  • Build user data request workflows (access, deletion, portability)
  • Implement secure data storage and transmission

4. Data Processing Agreement (DPA)

We provide a comprehensive Data Processing Agreement in accordance with Article 28 GDPR that documents:

  • What personal data we process on your behalf
  • How we protect it and where it's stored
  • All third-party sub-processors involved (hosting, database providers, CDNs, etc.)
  • Our obligation to notify you without undue delay of any data breach (as required by Article 33.2 GDPR)
  • Technical and organizational security measures we implement

5. Technical Assistance for Legal Documents

We provide technical support using professional tools like Iubenda to help you create:

  • Your Privacy Policy tailored to your specific data practices
  • Your Cookie Policy listing all cookies and their purposes
  • Terms and Conditions (if needed)

Important clarification: While we provide technical assistance and guide you through the document generation process, the Privacy Policy and Cookie Policy are legal documents that remain your responsibility as the Data Controller. We help you configure the tools correctly and explain what each section means, but we do not provide legal advice. For complex data processing activities, we recommend having your legal counsel review the final documents.




The Client's Responsibilities


As the Data Controller, you have the final say on how personal data is used. Here's what remains your responsibility:

1. Full Ownership of Your Privacy Policy

As the Data Controller, you bear full legal responsibility for your Privacy Policy. This is a legal document that binds your business, and you must ensure it accurately reflects your data processing activities.

The Privacy Policy must explain:

  • What data you collect and why
  • Where it's stored and who has access
  • How users can exercise their rights (access, deletion, correction)
  • Your contact information for privacy inquiries
  • Legal basis for each type of data processing (consent, contract, legitimate interest, etc.)

Our role: We provide technical assistance using Iubenda to help you generate the document, walk you through each section, and explain the technical aspects. However, we strongly recommend having your legal counsel review the final document, especially if you handle sensitive data or operate in regulated industries.


2. Your Cookie Policy

Same approach — we help you generate it with Iubenda, and you review and approve it. It needs to clearly state:

  • Which cookies your site uses
  • What each cookie does (analytics, marketing, functionality, etc.)
  • How users can manage their cookie preferences

3. Understanding Consent Requirements

We build the technical system, but you need to understand what's happening:

  • Users must actively consent before non-essential cookies are placed
  • You must maintain records of consent (we handle this technically)
  • Withdrawing consent must be as easy as giving it (we build this functionality)

Don't worry: We'll explain exactly how your consent system works and train you on managing it.


4. Handling User Data Requests

Under GDPR, users can request to:

  • Access their data — See everything you have about them
  • Correct their data — Fix any inaccuracies
  • Delete their data — Request complete erasure
  • Export their data — Download it in a portable format

You have 30 days to respond to these requests.

How we help: We build the technical infrastructure to fulfill these requests quickly. Need to find a user's data? Delete it? Export it? We build those tools into your admin panel or provide scripts to handle it.




Where We Work Together

Some areas require close collaboration between us and you:

Task | What We Do (Agency) | What You Do (Client)
Cookie consent system | Build and integrate the technical system | Review and approve cookie purposes
Privacy Policy | Generate document via Iubenda, guide you through it | Review, approve, and publish
Cookie Policy | Generate document via Iubenda | Review and approve
Analytics setup | Install and configure the tools | Decide what to track and approve implementation
Form data handling | Build secure storage and processing | Define how data will be used
Data breach response | Technical investigation, containment, and immediate notification to you (Art. 33.2 GDPR) | Notify supervisory authority within 72 hours if required (Art. 33.1 GDPR)
User data requests | Provide technical tools and support | Respond to users within 30 days



Common Mistakes to Avoid

1. Assuming the Agency Handles All Legal Responsibility

While we handle the vast majority of the technical work, you remain the Data Controller under GDPR. The legal responsibility for how personal data is collected, processed, and used ultimately rests with you. Our role: We provide technical implementation and guidance, but we strongly recommend involving legal counsel for compliance verification.

2. Copy-Pasting Privacy Policies from Other Websites

Never copy another company's Privacy Policy and change the name. Each policy must accurately describe your specific data practices, legal bases, and processing activities. Generic or copied policies can expose you to significant legal risk. Our approach: We use Iubenda to generate a policy based on your actual website configuration, but you should verify it with legal counsel.

3. Ignoring Cookie Consent Requirements

Placing tracking scripts like Google Analytics or Facebook Pixel without obtaining prior consent is a GDPR violation that can result in substantial fines. Our technical solution: We build consent-first architectures where no non-essential scripts load until the user provides explicit consent.
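The consent-first behaviour described here, in "Setting Up Third-Party Tools Properly" and in "Understanding Consent Requirements" (nothing non-essential loads before an explicit choice, consent is recorded, withdrawal is as easy as giving it) can be shown in a small script gate. The code below is an added example, not SALATAGS's or Iubenda's implementation; the category names, the `policyVersion` field and the injected `loadScript` function are assumptions made so the logic runs outside a browser.

```javascript
// Added example (not SALATAGS's own code): a consent-first script gate.
// Non-essential scripts are registered but only injected once the visitor
// has opted in to their category; every consent event is recorded.

const NON_ESSENTIAL = ["analytics", "marketing"]; // hypothetical category names

class ConsentManager {
  constructor({ loadScript, policyVersion, now = () => new Date().toISOString() }) {
    this.loadScript = loadScript;       // function(url): performs the actual injection
    this.policyVersion = policyVersion; // which Cookie Policy text the choice refers to
    this.now = now;                     // clock, injectable for tests
    this.current = null;                // latest consent record; null = no choice yet
    this.history = [];                  // append-only log of consent events
    this.pending = [];                  // { url, category } waiting for consent
    this.loaded = [];                   // urls actually injected, in order
  }

  // Only strictly necessary scripts, or categories explicitly opted into, pass.
  // "No choice yet" is treated exactly like "no consent".
  isAllowed(category) {
    if (category === "necessary") return true;
    if (!NON_ESSENTIAL.includes(category)) throw new Error(`unknown category: ${category}`);
    return this.current !== null && this.current.choices[category] === true;
  }

  // Register a script; inject immediately only if its category is already allowed.
  register(url, category) {
    if (this.isAllowed(category)) {
      this.inject(url);
    } else {
      this.pending.push({ url, category });
    }
  }

  inject(url) {
    this.loadScript(url);
    this.loaded.push(url);
  }

  // Record the visitor's choice. Categories not mentioned default to false
  // (consent is never inferred), then inject any pending scripts now allowed.
  update(choices, source) {
    const normalized = {};
    for (const c of NON_ESSENTIAL) normalized[c] = choices[c] === true;
    this.current = {
      policyVersion: this.policyVersion,
      timestamp: this.now(),
      source,                           // e.g. "banner", "settings-page", "withdraw"
      choices: normalized,
    };
    this.history.push(this.current);
    const stillPending = [];
    for (const s of this.pending) {
      if (this.isAllowed(s.category)) this.inject(s.url);
      else stillPending.push(s);
    }
    this.pending = stillPending;
    return this.current;
  }

  // Withdrawal must be as easy as consent: one call, no categories to pick.
  withdrawAll() {
    return this.update({}, "withdraw");
  }
}
```

In a browser, `loadScript` would create a `script` element for the URL, tags for non-essential tools would be stored inert (for instance as `type="text/plain"` with a data attribute naming their category) and `register` would be called for each of them on page load. Two caveats a practitioner will want to keep in mind: the consent record has to be persisted (cookie or local storage) and re-applied on every page view, and a script that is already running cannot be unloaded, so withdrawal is typically followed by a page reload so the gate applies from a clean state.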

4. Operating Without a Data Processing Agreement

If your agency processes any personal data on your behalf, Article 28 GDPR requires a written Data Processing Agreement. This is a legal requirement, not optional. We provide this automatically as part of our standard client onboarding process.




What SALATAGS Provides

At SALATAGS, GDPR compliance isn't an add-on — it's built into every project from day one. Here's everything we handle for you:

Technical Infrastructure

  • HTTPS encryption on all websites
  • Secure hosting with automatic backups and encryption at rest
  • Cookie consent management using Iubenda
  • GDPR-compliant form handling with secure data storage
  • Privacy-by-design architecture built into every component
  • Data Processing Agreement provided to all clients

Legal Document Assistance

  • Iubenda integration to help you generate your Privacy Policy
  • Cookie Policy generation tailored to your website's technical configuration
  • Technical walkthrough of all documents (not legal advice)
  • Privacy Policy and Cookie Policy pages designed and integrated

Ongoing Support

  • Technical support for user data requests
  • Platform maintenance and security updates
  • Code and infrastructure management — we keep everything running
  • Data breach notification — we notify you immediately of any security incidents
  • Technical guidance whenever you have GDPR-related questions

What We Need From You

  • Review and approve the Privacy Policy with your legal counsel if needed
  • Confirm which analytics/marketing tools you want to use
  • Provide a contact email for data protection inquiries
  • Respond to user data requests within 30 days (we provide technical tools)
  • Consult legal counsel for complex data processing scenarios

Bottom line: We handle the technical implementation. You maintain legal oversight and final approval.




Summary: Quick Reference Table

Responsibility | Agency (Data Processor) | Client (Data Controller)
Website security and infrastructure | Complete ownership |
Cookie consent system implementation | Build and integrate | Review cookie purposes
Privacy Policy generation | Generate via Iubenda + guide you | Review and approve
Cookie Policy generation | Generate via Iubenda | Review and approve
Third-party service setup | Technical implementation | Final approval of services
User consent technical system | Build entire system | Understand how it works
Data subject request tools | Build technical tools | Respond within 30 days
Data breach response | Technical investigation + notify you immediately (Art. 33.2) | Notify supervisory authority within 72h if required (Art. 33.1)
Code and platform maintenance | Complete ownership |
Data Processing Agreement | Provide to all clients | Sign and keep on file



Conclusion

GDPR compliance requires a clear division of responsibilities between technical implementation and legal oversight.

Our role as your Data Processor: We own the entire technical infrastructure. We build your website with privacy-by-design principles, configure secure data handling, implement consent management systems, and maintain the platform. We provide technical assistance with legal document generation and notify you immediately of any security incidents.

Your role as the Data Controller: You maintain legal responsibility for your data processing activities. You review and approve all legal documents (with input from legal counsel when appropriate), make decisions about which data to collect and how to use it, and respond to data subject requests within the legally required timeframes.

Our commitment: We don't hand you a website and disappear. We provide ongoing technical support, help you understand how your systems work, and ensure the technical infrastructure remains compliant. When you have questions, we're here to explain the technical aspects.

When both parties understand their distinct responsibilities, GDPR compliance becomes manageable. Technical implementation and legal oversight work together — that's the foundation of every project we deliver.

At SALATAGS, compliance is built into our process from day one.




Questions About GDPR for Your Website?

If you're unsure about your technical GDPR requirements, need a website built with compliance in mind, or have questions about your current setup — we're happy to discuss.

We can walk you through the technical aspects and help you understand what's needed.

Email: business@salatags.com

Website: www.salatags.com

Note: For legal advice specific to your business situation, please consult with a qualified legal professional or data protection specialist.