Is anyone who develops websites or webapps for clients legally responsible for what they are creating and all the gdpr obligations?

Question

Suppose the case of a european (italian) web developer who, at the request of a client, creates a web platform for him from scratch (also with database, saving user’s data, ecc.). When putting the platform online, what are the developer's legal responsibilities? Is the person who develops websites or webapps for clients legally responsible for what he is creating and for all the obligations of the gdpr or anything else imaginable? Thank you.

Answer 1

The GDPR as such puts obligations on the Data Controller (DC), that is the person or firm or other entity who determines the purposes for which data is processed. The entity that hires the developer and operates the web site is responsible for compliance with the GDPR and other laws and regulations, such as the e-privacy directive and its implementing laws.

However, it is highly likely that in commissioning a web site the DC would specify that it be designed to aid compliance with the GDPR and other relevant laws, and if the developer did not do that it might be a breach of contract. Indeed, even if GDPR-friendliness was not explicitly required by the contract between the developer and the DC, the implied warranties of merchantability and fitness for the purpose would probably apply. A designer who, knowing the site is to be hosted and operated within the EU, failed to design it to facilitate GDPR compliance might well be in violation of those warranties. But that would depend on the specifics of Italian law.

But note that GDPR compliance is not a matter of web site design, but of the ongoing practices of the operation of the site. There are various ways to comply with the GDPR, no specific technology or design need be used. The DC must so operate the site as to comply. If the DC fails to do that, penalties could be imposed on the DC, not on the developer.

Answer 2

What you sell has to be fit for purpose

This applies to websites just like it does for anything else, like a car, a haircut, or a toaster. A non-GDPR compliant website, isn’t.