10

I am an individual (i.e. not an organisation) with a hobby website that has no commercial interest, no third party affiliations, no social media links, and no third party analytics.

When a user opens the site, their visit is logged. I track timestamp, IP, and some information I obtain using that IP: city, region, country, and internet service provider. A cookie is given to the user with a unique identifier to assist in some deduplication of visits. I do not keep this information secure; in fact, the explicit purpose of the site is to be a public "guest book". The site publicly displays all of the above information for all past visits in a large table for anyone to see.

I have seen this question, which asks whether web applications as hobby projects need to comply with the GDPR, however I feel that the way I am treating data here is somewhat unique, especially as it relates to third parties.

Do I need to comply with GDPR? If so, how? Is it enough to obtain consent before adding people to the guest book, or do I need to do anything extra about the fact that the information is insecure?

lbfreak
Anybody

1 Answer

13

The GDPR Article 2(2)(c) exemption ("by a natural person in the course of a purely personal or household activity") does not seem to be applicable in the hypothetical circumstances described.

Case law says:

"[A]n activity cannot be regarded as being purely personal or domestic where its purpose is to make the data collected accessible to an unrestricted number of people or where that activity extends, even partially, to a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner [...]". (CJEU - C-25/17 - Jehovan todistajat, margin number 42 with further references.)

"That exception [for the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic] must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people." (CJEU - C-101/01 - Lindqvist, margin number 47)

Via gdprhub.eu.

Therefore this hypothetical website must have a 'lawful basis' (Article 6) for the processing of the personal data.

As for cookies or other storage on the visitor's device, the website must obtain consent from the visitor to set cookies that are not 'strictly necessary' for the website to work (ePrivacy Directive).

Lag