Ultimately, if you run a personal website in your spare time and you’re not making any money from it, then you have nothing to worry about.
Beyond this, however, there are issues that can bring your website under the scope of GDPR.
Let’s break this down.
GDPR and Personal Data
GDPR exists to protect the personal data of people living in the European Union. As such, if you’re not processing personal data, then it is not worth a second thought.
Under GDPR, however, personal data is a much wider category than you might think. It includes any information that can be used to identify someone – something that is explained in more detail in another one of our blogs.
Practically, this means that you may need to consider GDPR compliance if your personal website contains a comment section or newsletter subscription option.
It also applies to any website that allows users to register, input their personal details, or request notifications via email, for instance.
What is a Personal Website?
Websites don’t have to be all business, and many people create websites so that they can explore passions, share feelings, or just talk about what’s going on in their private lives.
These things are sometimes called “personal websites”, but they’re also known as blogs and online diaries – it’s all the same thing.
But as far as GDPR is concerned, it’s important not to confuse these with social media like Facebook and Twitter, or blogging sites like Medium and Substack.
If you’re using these sites, then you don’t have to worry about privacy laws, since GDPR considers them to be the “data controller”. This means that they are accountable for any personal information posted there – not you.
However, this still assumes that any personal data you process through these platforms is processed only for personal activities.
What Does GDPR Say About Personal Websites?
This is covered in Recital 18, which states:
“This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities”.
This part of GDPR – otherwise known as the “domestic purposes” exemption – means that a website that collects personal data (including IP addresses) is exempt from GDPR if you are running it for personal reasons.
However, if you’re selling merchandise, for instance, then GDPR would classify you as a business and you need to get your data ducks in line.