From IndieWeb

GDPR is the EU General Data Protection Regulation, which sets much tighter guidelines on the use of personally identifiable information and is backed by law, including fines for non-compliance. It was enacted on May 25, 2016, and organizations were permitted a two-year grace period to bring their processes into compliance. Organizations which are not compliant after May 25, 2018 face penalties of up to 4% of annual global turnover or €20 million.

The GDPR is similar to California's CCPA, which took effect 2020-01-01.

Does it apply to my IndieWeb site?

Perspective 1

Purely personal sites are exempt per Article 2. If on the other hand your website contains paid ads or advertising for your services or products made by you, it is within scope of GDPR.

Perspective 2

Strict interpretations of the law (e.g. in some German legal literature; only future case law may provide a more definitive answer) indicate a potential applicability of the GDPR to personal, non-commercial websites under certain circumstances.

The conditions for exemption of Art. 2(2) lit. c GDPR are formulated very strictly: "by a natural person in the course of a purely personal or household activity". This is further specified by Recital 18(1) GDPR: "This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity."

Strictly read, "no connection" could potentially mean that the GDPR is applicable to a personal website as soon as it has any connection to a professional or commercial activity, applying not only to commercial aspects but also, e.g., to a web professional discussing web technology on their personal site.

Some GDPR concepts

Please note: The IndieWeb Wiki is not a legal resource. Information presented herein may not be accurate, or apply to your specific circumstances.

Legal grounds for processing

GDPR always requires a legal basis for data processing, see Art. 6 GDPR:

  • Consent
  • Contract
  • Legal obligation
  • Vital interest
  • Public task
  • Legitimate interest

Each of these comes with strict rules as to its preconditions and resulting obligations.


Consent is one of six possible grounds to justify processing [1]. The Guidelines warn:

  • if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.

Data Portability

GDPR also requires data portability – that data can be moved from one service to another in a safe, standard, usable way.

Regarding which data is covered, the guidelines (PDF) say, for example:

As an example, the titles of books purchased by an individual from an online bookstore, or the songs listened to via a music streaming service are examples of personal data that are generally within the scope of data portability, because they are processed on the basis of the performance of a contract to which the data subject is a party.

This extends to “posts on social networking websites”, as noted on the official FAQ page. Your data will have to be provided to you “free of charge, in electronic format” [2] and you are allowed to give the data to another website [3]. This could make up for silos not offering native export options.

Data Erasure

Building on the 'Right to be Forgotten' decision in the European Courts, the Regulation for the first time codifies the right to have personal data erased by data processors. There are limits to this right, which must be balanced against freedom of expression, the public interest in health, scientific and historical research, and the exercise or defense of legal claims.

Extra Territoriality

Unlike the previous law (Data Protection Directive 95/46/EC), the GDPR applies to all companies processing the personal data of all persons residing in the European Union, regardless of the company’s location. This is a major shift from the previous law, which required the establishment of a business in a member state of the Union. Furthermore, the previous gap in the law where data was 'processed' outside the EU no longer applies, as it is the subject of the data who now has rights.


