Safe Website for the EU: What You Need for Legal Operation in the EU
A simple guide that will protect you from fines
Why does this affect EVERYONE who works with clients from the EU?
It doesn’t matter where your company is registered — if your website is visited by EU residents, collects their data, or sells them goods/services, you are required to comply with:
Authorities that can impose fines:
- GDPR (General Data Protection Regulation) — the main privacy law
- ePrivacy Directive — rules on electronic communications (cookies, newsletters)
- EU consumer law — if you sell goods/services
Authorities that can impose fines:
- National Data Protection Authorities (DPAs) — one in each EU country
- Consumer protection authorities
- Tax and trade inspection authorities
1. Cookie Banner — Not Just “OK”
What is required:
What is NOT allowed:
- The banner appears on the FIRST visit
- The user must be able to reject as easily as accept
- Detailed explanation of what each type of cookie is used for
- Separate settings for: essential, analytics, advertising cookies
- Storing consent logs for each user
What is NOT allowed:
- “By continuing to use the site, you agree” — this is NOT valid consent
- Pre-ticked boxes
- Placing tracking cookies before consent is given
2. Privacy Policy — Your “PhD Thesis” on GDPR
Mandatory sections:
Important: Use clear, human language — not legal jargon.
- Who you are — company name, contact details, registration information
- What you collect — name, email, IP address, payment details, etc.
- Why you collect it — specific purposes (order processing, newsletter)
- Legal basis — consent, contract, legitimate interest
- Who you share data with — hosting, CRM, analytics, service providers
- How long you store the data — specific terms or criteria
- User rights — how to delete data, obtain a copy, file a complaint
- Data transfers outside the EU — if you use services in the US, etc.
Important: Use clear, human language — not legal jargon.
3. Legal Information in the Footer — Your Business Card
Every website must include at minimum:
Plus links to:
Why this is checked: Missing information = lack of transparency for the consumer.
- Full company name
- Registered address
- Business/registration number
- VAT number (if applicable)
- Email for legal matters
Plus links to:
- Privacy Policy
- Cookie Policy
- Terms of Service (if you sell anything)
- Contact page
Why this is checked: Missing information = lack of transparency for the consumer.
4. Additional Requirements for Online Stores
Mandatory pages:
On every product page:
- Terms of Sale — what, how, pricing, timelines
- Right of withdrawal information — 14-day return period for distance sales
- Complaints procedure — how and where to file a complaint
- Additional charges — shipping, packaging, fees
On every product page:
- Clear price including taxes
- Delivery times
- Who the seller is (an identifiable business entity)
5. Technical Security — Not Only for IT Specialists
SSL Certificate (HTTPS)
Every form that collects personal data (name, email, etc.) must:
Data Minimization
For advanced compliance:
- The website must use a secure connection (https://). This encrypts data and is a basic legal requirement.
Every form that collects personal data (name, email, etc.) must:
- Have a separate non-pre-ticked checkbox for consent
- Display text next to the checkbox with a link to the Privacy Policy (e.g., “I agree to the processing of my personal data in accordance with the [Privacy Policy].” The words “Privacy Policy” must be an active link leading directly to the document.)
Data Minimization
- Do not request unnecessary information. Only ask for what is required for the specific action (e.g., a newsletter needs only an email address).
For advanced compliance:
- DPA agreements (Data Processing Agreements) — sign contracts with all third-party services (hosting, CRM, email service providers) that process your users’ data
- RoPA (Record of Processing Activities) — an internal document recording what data you process, how, and why. Regulators may request it.
6. User Rights — Not Just Text, But Real Mechanisms
Users must be able to easily:
Tip: Create a dedicated form or email address for such requests.
- Obtain a copy of all their data
- Request correction of inaccuracies
- Delete their account and all data (“right to be forgotten”)
- Withdraw consent for marketing
- Submit a complaint to a supervisory authority
Tip: Create a dedicated form or email address for such requests.
7. What Is the Cost of Non-Compliance? Real Numbers
Failing to comply with EU requirements can be extremely costly. Here are the sanctions commonly imposed for typical violations:
No or incorrect cookie banner
Missing or incomplete Privacy Policy
Hidden or false legal information (name, address, registration number)
Violation of user rights (e.g., failure to delete or provide data)
Personal data breach (security failure)
For online stores: missing return-right information
No HTTPS encryption
No or incorrect cookie banner
- Potential fine: up to €20 million or 4% of global annual turnover (whichever is higher)
- Who fines: national DPA
Missing or incomplete Privacy Policy
- Potential fine: up to €10 million or 2% of global turnover
- Who fines: DPA
Hidden or false legal information (name, address, registration number)
- Potential fine: up to 5% of annual turnover, plus possible prohibition from operating in the EU
- Who fines: consumer protection or trade authorities
Violation of user rights (e.g., failure to delete or provide data)
- Potential fine: up to €20 million or 4% of turnover
- Who fines: DPA
Personal data breach (security failure)
- Potential fine: up to €20 million or 4% of turnover
- Plus potential lawsuits from affected users
- Who fines: DPA
For online stores: missing return-right information
- Consequences: significant fines plus the obligation to refund all customers who invoke their right
- Who fines: consumer protection authorities
No HTTPS encryption
- Consequences: browsers mark the site as “not secure,” harming trust and conversions
- Regulators may issue warnings leading to fines, and in severe cases the site may be blocked for EU users
8. Useful Links (Official Sources)
GDPR and data protection:
ePrivacy and cookies:
EU consumer rights:
- Full text of the GDPR
- EU DPA map — find the authority for your country
- EDPB guidelines — clarifications on complex topics
ePrivacy and cookies:
EU consumer rights:
9. Conclusion: This is Not Bureaucracy, but a Competitive Advantage
A website compliant with EU law:
If you found this information useful — share it with your colleagues!
- Builds more trust — users see transparency
- Reduces risks — no unexpected fines
- Works more efficiently — you collect only what you need
- Opens access to a market of 450 million consumers — without legal barriers
If you found this information useful — share it with your colleagues!
Bonus: Quick 7-Step Checklist for a Safe Website
- Check the address bar: is there a padlock and does the site work via https://?
- Check the footer: does it list the company name, address, and registration number?
- Update your cookie banner: the user must be able to decline non-essential cookies easily.
- Review your Privacy Policy: write it in plain language and include all required details.
- If you run an online store: add Terms of Sale and return-rights information.
- Create a simple form for user requests: e.g., to delete or correct their data.
- Review all forms on your site: consent for data processing must be given manually, not pre-enabled.
This article is for informational purposes only.
For legal advice, consult an EU law specialist.
Updated: 08 December 2025 | Marketing Agency — iuntsevich.cz
For legal advice, consult an EU law specialist.
Updated: 08 December 2025 | Marketing Agency — iuntsevich.cz
Author: Valentin iuntsevich ( linkedin )
Founder of a marketing agency iuntsevich.cz
Share This Article
Evaluate the Article
Fines that could have been avoided
Risk: up to €20 million or 4% of annual turnover.
Examples:
How to avoid it:
Install a cookie banner with a clear option to refuse all non-essential cookies, enable consent logging, and display the banner across all pages.
Examples:
- Google (France) — €150 million for not allowing users to refuse cookies as easily as accepting them.
- Facebook (France) — €60 million for the same issue.
- Small online shop in Spain — €35,000 for setting analytics cookies before obtaining consent.
How to avoid it:
Install a cookie banner with a clear option to refuse all non-essential cookies, enable consent logging, and display the banner across all pages.
Risk: up to €10 million or 2% of annual turnover.
Examples:
How to avoid it:
Clearly describe who collects data, for what purpose, on what legal basis, where data is transferred, how long it is stored, and what rights users have.
Examples:
- The Economist (France) — €500,000 for insufficient disclosure of data processing practices.
- Local online store (Italy) — €6,000 for missing information on user rights.
How to avoid it:
Clearly describe who collects data, for what purpose, on what legal basis, where data is transferred, how long it is stored, and what rights users have.
Risk: fines ranging from hundreds to tens of thousands of euros.
Examples:
How to avoid it:
Publish the full company name, registered address, registration number, VAT number (if applicable), and legal contact information.
Examples:
- Online shop in Germany — €5,000 for missing Impressum.
- Restaurant in Austria — €3,500 for an incorrect legal address on the website.
- Service provider in Czechia — 20,000 Kč (~€800) for missing IČO and contact details.
How to avoid it:
Publish the full company name, registered address, registration number, VAT number (if applicable), and legal contact information.
Risk: up to €20 million or 4% of annual turnover.
Examples:
How to avoid it:
Create an easy-to-use form or dedicated email for requests, respond within 1 month, and log all incoming requests.
Examples:
- TikTok (Ireland) — €345 million for violations of children’s privacy rights.
- A1 Telecom (Austria) — €18 million for improper handling of user requests.
- Small e-shop (Slovenia) — €3,200 for ignoring a data deletion request.
How to avoid it:
Create an easy-to-use form or dedicated email for requests, respond within 1 month, and log all incoming requests.
Risk: up to €20 million or 4% of annual turnover.
Examples:
How to avoid it:
Use HTTPS on all pages, secure all forms, minimize collected data, and sign contracts with service providers.
Examples:
- British Airways — £22 million for a data breach affecting 706,000 customers.
- Small business in Poland — €5,000 for a breach caused by lack of encryption.
How to avoid it:
Use HTTPS on all pages, secure all forms, minimize collected data, and sign contracts with service providers.
Risk: fine + obligation to refund all affected customers.
Examples:
How to avoid it:
Publish Terms of Sale, return rights, procedures, and deadlines directly before checkout.
Examples:
- Online shoe store (Germany) — €12,000 for missing information about the 14-day right of withdrawal.
- Cosmetics store (Czechia) — 50,000 Kč (~€2,000) + mandatory revision of return conditions.
How to avoid it:
Publish Terms of Sale, return rights, procedures, and deadlines directly before checkout.
Risk: warnings from regulators and potential fines.
Examples:
How to avoid it:
Enable HTTPS on all pages, verify all forms and payment flows.
Examples:
- Financial service (Netherlands) — €20,000 fine for lack of HTTPS.
- Online shop (Spain) — €1,500 for processing orders without encryption.
How to avoid it:
Enable HTTPS on all pages, verify all forms and payment flows.
Most fines can be avoided with simple measures such as:
Investing in website compliance is both insurance against financial losses and a powerful way to increase customer trust.
- a proper cookie banner with an opt-out option,
- a complete and easy-to-understand Privacy Policy,
- accurate legal information in the footer,
- a user request form,
- HTTPS and secure forms,
- clear return information for online stores.
Investing in website compliance is both insurance against financial losses and a powerful way to increase customer trust.