EU General Data Protection Regulation and How It Affects You as an Artist

Ugh. Legal schmegal. Ok, it's boring and most people don't really care because it doesn't concern them. But it does. Especially this one if you have an internet presence and have services that are sold or given away for free to residents of the EU.

If you have a newsletter sign-up, a store on your website, or even just a website with a gallery and there is professional or commercial activity, then you need to understand the EU's General Data Protection Regulation (GDPR).

Beginning in May, 2018, there will be one set of data protection rules for data processing for companies operating in the EU, wherever they are based. These data protection rules provide people with more control over their personal data, through transparency.

What is personal data?

  • Name
  • Address
  • Email
  • Identification card number
  • Location data
  • Internet Protocol (IP) address
  • Cookie ID

What is data processing?

It is the collection, recording, organization, structuring, storing, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, erasure, or destruction of data.


Basically, if you gather or delete any personal data through your website or in person and store it, you are processing this data. Some examples:

  • A person visits your website. Their IP address is automatically collected and a cookie is stored in their system for easy recognition of the person later.
  • A person signs up for your newsletter or email list.
  • A person makes a purchase from your website and you have their name, address, and email on file for correspondence on their order.
  • A person makes a purchase from you in person and you take their name, address and email to enter into your computer for later use (marketing, referrals, newsletter).
  • A person's photo is posted on a website.
  • Documents or files containing personal data are shredded or deleted.

Who does the law apply to?

  • A company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
  • A company established outside the EU offering goods/services (paid or for free) or monitoring the behavior of individuals in the EU.

It does not matter what size your company is.

How can I abide by this law?

Personal data can only be processed when:

  • there is consent of the individuals.
  • there is a contractual obligation.

There are a few other ways that don't really pertain to artists; they include legal obligations, public interest, vital interest and legitimate interests.

Once the above has been met, the following conditions apply:

  • Personal data must be processed in a lawful and transparent manner.
  • There must be a specific reason for collecting the data.
  • The amount of personal data collected is what is necessary for the purpose that it was collected for.
  • The data cannot be used for reasons beyond the scope of the original reason for collection.
  • Technical and organizational safeguards are in place to ensure the security of the personal data.

Ways to meet the requirements of this law:

  • Update your email and customer lists.
  • Make sure your mailing list service has an opt out (most do).
  • Make sure your website has a cookie notification and instructions on how to opt out of cookies.
  • Make sure your website has a privacy policy which states when, how, why and what information is collected and used and who uses it. 

Not surprisingly, this law is written vaguely. The law states that if you do any of the above, it applies to you, but in another paragraph in a different section it states that if "your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR". I'm not sure if this statement pertained to the example on the GDPR website, or in general. I don't know about anyone else, but I target whoever will purchase my product. I'll play it safe and update the items that need it.

All of the above information was gathered from the EU's General Data Protection Regulation (GDPR) website.

For people selling online through Etsy, you should receive some emails regarding the changes they have made and what you might need to do. Similar sites should be doing the same.

Here is the Update on the European Union Privacy Regulation and Etsy Policies, and this article will be useful to anyone looking to write or revise their website's Privacy Policy: A Guideline on How-To Write Privacy Policies from Etsy.

And for those of you who missed it in 2011, here is some information on the EU Cookie Law.

This article was not written by a lawyer, nor should it be construed as legal advice.
