Is the web developer responsible for compliance with GDPR or business owner?

Joomla! Intern
Posts: 55
Joined: Tue Sep 25, 2007 11:50 am

Post by aimlesslady » Tue May 15, 2018 6:40 pm

I am a Joomla website developer/implementer in the USA. Does anyone know what responsibility/liability I have as a webmaster regarding GDPR? Is it up to my clients (who I created the website for) to comply with GDPR (if applicable) and then retain me to make any necessary modifications to their site and forms? Or do I have a responsibility to notify my clients that this needs to be done? Does it matter if they retain me with a maintenance agreement to update their sites, or if after I create their site, they are on their own?
Am I overthinking this? I accept that going forward I will make sure forms comply and Privacy Policies are part of the website, but what about existing sites?
Also, what about IP addresses that are collected by Admin Tools for Failed Logins and other attempted breaches?
Looking for some guidance.

Joomla! Guru
Posts: 636
Joined: Tue Jan 13, 2009 11:50 pm
Location: San Diego, California, USA

Re: Is the web developer responsible for compliance with GDPR or business owner?

Post by creativesights » Tue May 15, 2018 7:38 pm

Depends on your agreement with your client(s).

Unless you're collecting and storing consumer data on their behalf, my general assumption would be that you're not liable.

Reaching out to clients and advising that a regulatory change might affect their business is a pretty good excuse to contact them. If you can get them to pay you for a consultation and/or site evaluation, that's even better.

Even better still if they will contract with you to make the changes and sign a maintenance agreement.

It's generally your job as the web developer to advise your clients to do what's best; if they decide to act otherwise, that's out of your control.

Furthermore, as a fellow USA developer, I'm more concerned about our clients complying with Section 508 and the W3C’s Web Content Accessibility Guidelines. I'm aware of a lot more lawsuits there.

Disclaimer - I'm not an attorney and do not want to be one.
Andrew Crossan
Professional Custom Website Design & Development in San Diego

Joomla! Master
Posts: 15032
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Is the web developer responsible for compliance with GDPR or business owner?

Post by mandville » Tue May 15, 2018 7:40 pm

Depends what is on your contract with your client.
If they haven't twigged by now that they must meet GDPR/WP29 IF they have clients from the EU then they should be panicking about now... well mildly worried, well worried, well concerned... err, where have you been for the last 2 years on this subject?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

Joomla! Exemplar
Posts: 9999
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Is the web developer responsible for compliance with GDPR or business owner?

Post by sozzled » Tue May 15, 2018 7:55 pm

The question—who is responsible—can only be tested in a law court as a matter of due diligence. In the first instance (for those people who may be subjected to a legal claim) the person responsible is the website owner. There is a chain of responsibility that extends from the site owner up to the webhosting company and therefrom through to the ISP and telco who manages the transfer of data ... but we're getting ahead of ourselves.

First of all, GDPR hasn't come into effect and, more importantly, it hasn't been tested.

Returning to the substance of this topic: due diligence is at the heart of the matter. There's a wonderful legal adage that goes like this (in Latin): ignorantia iuris non haud excusat. Just because the client might attempt to excuse their legal obligations (by claiming a lack of due diligence on the part of the developer who "failed" to advise the client of the need for GDPR compliance—assuming the developer was au fait with the need for the client's potential compliance with the GDPR in the first place) doesn't mitigate the client's responsibility to be aware of laws pertaining to the client's jurisdiction. I mean, fair go and all that: I live in Australia and I have no knowledge of the intricacies of European law. Unless (and until) the Australian High Court is prepared for the Australian Privacy Act to be subjugated to a foreign law, I really don't have an interest in this. Likewise, I'd be surprised if people living in the USA, in South America, Africa, the Indian sub-continent or South Georgia and the South Sandwich Islands would be overly concerned about the GDPR either!

So, as far as whether a European court would give leave to a defendant to enjoin a foreign-based developer in an action brought under the GDPR, there is no legal precedent ... as far as I'm aware. Furthermore, the client has to establish that the developer did not exercise due diligence in advising them of their legal responsibilities. Well ... let them give it their best shot!

If, as a developer, you want some measure of protection, then you could insert a clause in your contract that reads: "It is the client's responsibility to ensure that all trade practices and privacy obligations, as required under law pertaining to the client in the operation of the client's business, are the responsibility of the client. The client further indemnifies the developer from any and all actions, civil claims or legal torts in the operation of the client's business."
“If you think I’m wrong then say, ‘I think you’re wrong.’ If you say ‘You’re wrong!’, how do you know?” :)

Joomla! Enthusiast
Posts: 234
Joined: Thu Feb 25, 2010 4:37 pm

Re: Is the web developer responsible for compliance with GDPR or business owner?

Post by MyFirstPage » Sat Jun 09, 2018 1:17 pm

If it would affect me, I would sue the company, the people who are named in the Impress as owner of the page.

