Joomla! Forum - community, help and support

I am a Joomla website developer/implemeter in the USA. Does anyone know what responsibility/liability I have as a webmaster regarding GDPR? Is it up to my clients (who I created the website for) to comply to GDPR (if applicable) and then retain me to make any necessary modifications to their site and forms? Or do I have a responsibility to notify my clients that this needs to be done? Does it matter if they retain me with a maintenance agreement to update their sites, or if after I create their site, they are on their own?
Am I over thinking this? I accept that going forward I will make sure forms comply and Privacy Policies are part of the website, but what about existing sites?
Also, what about IP addresses that are collected by Admin Tools for Failed Logins and other attempted breaches?
Looking for some guidance.

Depends on your agreement with your client(s).

Unless you're collecting and storing consumer data on their behalf, my general assumption would be that you're not liable.

Reaching out to clients and advising that a regulatory change that might affect there business is a pretty good excuse to contact them. If you can get them to pay you for a consultation and/or site evaluation that's even better.

Even better still if they will contract with you to make the changes and sign a maintenance agreement.

It's generally your job as the web developer to advise your clients to do what's best, if they decide to act otherwise, that's out of your control.

Furthermore, as a fellow USA developer, I'm more concerned about our clients complying with Section 508 and the W3C’s Web Content Accessibility Guidelines. I'm aware of a lot more lawsuits there.

Disclaimer - I'm not an attorney and do not want to be one.

depends what is on your contract with your client.
If they havent twigged by now that they must meet GDPR/WP29 IF they have clients from the EU then they should be panicking about now.. well mildly worried, well worried, well concerned., err where have you been for the last 2 years on this subject?

The question—who is responsible—can only be tested in a law court as a matter of due diligence. In the first instance (for those people who may be subjected to a legal claim) the person responsible is the website owner. There is a chain of responsibility that extends from the site owner up to the webhosting company and therefrom through to the ISP and telco who manages the transfer of data ... but we're getting ahead of ourselves.

First of all, GDPR hasn't come into effect and, more importantly, it hasn't been tested.

Returning to the substance of this topic: due diligence is at the heart of the matter. There's a wonderful legal adage that goes like this (in Latin): ignorantia iuris non haud excusat. Just because the client might attempt to excuse their legal obligations (by claiming a lack of due diligence on the part of the developer who "failed" to advise the client of the need for GDPR compliance—assuming the developer was au fait with the need for the client's potential compliance with the GDPR in the first place) doesn't mitigate the client's responsibility to be aware of laws pertaining to the client's jurisdiction. I mean, fair go and all that: I live in Australia and I have no knowledge of the intricacies of European law. Unless (and until) the Australian High Court is prepared for the Australian Privacy Act to be subjugated to a foreign law, I really don't have an interest in this. Likewise, I'd be surprised if people living in the USA, in South America, Africa, the Indian sub-continent or South Georgia and the South Sandwich Islands would be overly concerned about the GDPR either!

So, as far as whether a European court would give leave to a defendant to enjoin a foreign-based developer in an action brought under the GDPR, there is no legal precedent ... as far as I'm aware. Furthermore, the client has to establish that the developer did not exercise due diligence in advising them of their legal responsibilities. Well ... let them give it their best shot!

If, as a developer, you want some measure of protection, then you could insert a clause in your contract that reads: "It is the client's responsibility to ensure that all trade practices and privacy obligations, as required under law pertaining to the client in the operation of the client's business, are the responsibility of the client. The client further indemnifies the developer from any and all actions, civil claims or legal torts in the operation of the client's business."

If it would infect me I would sue the Company, People who is in the Impress Named as Owner of the Page.