
EU Visitors Access My Website: Do I Need to Comply with the GDPR?

Most businesses or organisations with a website collect personal data about their visitors. The obligations that apply when Australian businesses collect that data changed with the introduction of the European Union’s (EU) General Data Protection Regulation (GDPR) on 25 May 2018. This article explains what the GDPR is and how to work out whether your business needs to comply with it.

What is the GDPR?

The GDPR aims to protect the personal data of individuals in the EU. The main difference between the GDPR and the Australian Privacy Principles (APPs) is its scope. The GDPR applies not only to businesses located within the EU, but also to businesses anywhere in the world that collect personal data from individuals in the EU. Unlike the APPs, which generally apply only to businesses with an annual turnover above $3 million, the size of your business is not relevant to whether you must comply with the GDPR.

Additionally, breaches of the GDPR can attract substantial fines: up to 4% of a business’ worldwide annual turnover or €20 million, whichever is greater. It is therefore important to ensure compliance.

Does the GDPR Apply to My Australian Website?

The GDPR affects your website and collection of personal data, if your business:

  • is established in the EU;
  • offers goods or services to EU-based individuals (free or paid); or
  • monitors EU-based individuals’ behaviour.

If you do not have an office or branch in the EU and you do not monitor individuals based in the EU, you should work out whether you offer goods or services to EU-based individuals. As most websites are accessible to a global audience, the mere fact that EU-based individuals can access your site does not, by itself, make the GDPR applicable. What matters is whether your business intends to offer goods or services to EU-based individuals.

For example, factors that indicate an intention to offer goods or services to EU-based individuals can include:

  • offering your website in a language generally used in an EU member state (for an Australian business, using English alone is not an indicator, because English is also the language you ordinarily use);
  • quoting prices in a European currency, such as the euro; or
  • mentioning customers or users who are in the EU.

Ultimately, if you tailor your website, marketing or any other aspect of your website to attract and sell to individuals based in the EU, then your business must comply with the GDPR.

Compliance With the GDPR

To comply with the GDPR, you may need to tweak your IT systems, internal processes and legal documents. Accordingly, it is best practice to have a lawyer review your business documents and methods. To comply with the GDPR, you should:

  1. Update your privacy policy
    Having a privacy policy that is compliant with the APPs is a good start. However, as the GDPR provides individuals with additional rights, you may need to update your current privacy policy.
  2. Update your processes and systems on your website
    Ensure that the privacy notices on your website are visible to your users every time you collect personal data from them. Under the GDPR, you must have a lawful basis for processing personal data; consent is one of the six lawful bases set out in Article 6. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action, so a pre-ticked box or a visitor’s silence does not count. To obtain consent, you can include a consent statement and a link to your privacy policy next to an unticked ‘tick to accept’ box, and keep a record of who consented, when, and to what.

Key Takeaways

Your business must comply with the GDPR if you collect personal data and your business:

  • is established in the EU;
  • offers goods or services to EU-based individuals (free or paid); or
  • monitors the behaviour of individuals in the EU.

Ultimately, compliance depends on what personal data your business collects and how your business collects it. If you need help putting effective cybersecurity measures in place, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 258 4780 or visit our membership page.   

Rowan ONeill


About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.
