GDPR on websites: why it also affects ordinary contact forms
If a website collects names, email addresses, phone numbers, IP addresses, order details or account data, data protection is already part of the technical work.
GDPR often sounds like a legal topic. On a website it becomes practical very quickly: what data is collected, why it is needed, where it goes, how long it is kept and who can access it.
The Estonian Data Protection Inspectorate explains that personal data is data that can identify a person directly or indirectly (source: AKI definitions). On a website this can mean more than an ID number. It may include an email address, phone number, IP address, order history, account data or free text submitted through a form.
Who should care
GDPR affects almost every website where a person can enter information or where behaviour is tracked:
- contact forms and request forms;
- online stores and order history;
- self-service portals and user accounts;
- newsletter forms;
- campaign pages and registrations;
- websites using analytics, advertising pixels or other third-party tools.
It matters to management because the risk is not only technical. It matters to marketing because consent and tracking logic affect campaigns. It matters to developers because a badly built form, log or integration can collect more data than needed. It matters to customer support because people increasingly ask what happens to their data.
What to check on a website
A useful first review can start with simple questions:
- does each form collect only what is needed;
- is it clear to the user why the information is requested;
- does the privacy text match the real workflow;
- do cookie and analytics tools behave as described;
- is data sent to third-party services;
- is data kept for a reasonable time;
- are permissions limited to people who actually need access;
- are backups, logs and exports controlled.
Drupal websites add further places to check: roles and permissions, form storage logic, logs, modules, integrations and old exports. The largest problem is often not one visible sentence in the privacy text, but years of accumulated workflows that no one has recently reviewed.
What happens if it is ignored
The softest consequence is loss of trust. If a user does not understand why data is requested, or sees strange cookie behaviour, trust drops before any official problem starts.
The more serious consequence is a data leak or access by someone who should not have it. Then the question is no longer only whether the privacy text exists. The organisation has to understand what happened, who was affected, whether notification is required and how to prevent it from happening again.
The European Commission lists possible GDPR enforcement measures such as reprimands, temporary or definitive bans on processing and fines up to 20 million euros or 4% of annual worldwide turnover, whichever is higher (source: GDPR sanctions). In Estonia, fines are not theoretical. In 2025, the Data Protection Inspectorate issued an 85,000 euro fine in a case where a system attack exposed a large amount of personal data.
Technical work and legal responsibility must meet
WebPro is not a law firm or a GDPR expert. Our role is to help with the technical side: forms, logs, roles, data flows, cookie behaviour, Drupal modules, integrations and tests. A data protection specialist should be involved when a legal assessment is needed.
The best result comes when the legal text and technical reality are aligned. The website should do what the privacy text says it does. If that is unclear, a technical review and data-flow mapping is a good first step.
The Drupal platform assessment can show some public warning signs, but it cannot prove GDPR compliance. That requires checking content, workflows, access rights and the actual movement of data. For technical review, our audit and testing service is a practical next step.
Kaido Toomingas
WebPro Company OÜ