GDPR for press websites: the publisher's checklist.
What the GDPR is, in one paragraph
The General Data Protection Regulation (Regulation (EU) 2016/679) sets the legal framework for processing personal data of EU residents. It applies regardless of where the controller or processor is established, as long as the processing relates to offering goods or services to people in the EU, or to monitoring their behaviour (Article 3.2). For press websites running reader contribution, this means that every reader account, every IP-tracked anonymous comment, every newsletter signup and every reaction to an article falls under the GDPR.
What counts as personal data on a press website
The GDPR defines personal data extremely broadly (Article 4.1): any information relating to an identified or identifiable natural person. For a press website, this includes:
- Reader account data: name, email, password hash, profile picture, biography
- Engagement data: comments, votes, likes, shares, time spent on articles
- Technical data: IP addresses, device fingerprints, browser identifiers, session cookies
- Inferred data: interest tags derived from reading behaviour, audience scoring outputs
- Subscription and payment data, where applicable
The six legal bases (Article 6)
You can only process personal data if you can rely on at least one of the six legal bases listed in Article 6:
- Consent (6.1.a): explicit, granular, withdrawable. Used for marketing, profiling, optional data.
- Contract (6.1.b): required to deliver a service the user signed up for. Used for account creation, subscription processing.
- Legal obligation (6.1.c): required to comply with a law (e.g. retention obligations).
- Vital interests (6.1.d): rarely applies to publishers.
- Public interest (6.1.e): primarily for public sector / public service media.
- Legitimate interest (6.1.f): your interest, balanced against the user's rights. Used for fraud prevention, anonymous analytics, security.
For comments and reader contribution, the most common combination is contract (you're delivering a participation service the user opted into) plus legitimate interest (security, anti-spam, fraud prevention).
The eight reader rights (Articles 12–22)
You must enable the user to exercise the following rights, in plain language and within one month (Article 12.3):
- Right of access (Art. 15) — the user can ask for a copy of all data you hold on them
- Right of rectification (Art. 16) — correct inaccurate data
- Right to erasure / right to be forgotten (Art. 17) — delete data when there's no legitimate ground to keep it
- Right to restriction (Art. 18) — limit processing under specific circumstances
- Right to data portability (Art. 20) — export structured data to switch service
- Right to object (Art. 21) — opt out of legitimate-interest-based processing
- Right not to be subject to fully automated decisions (Art. 22)
- Right to lodge a complaint with a supervisory authority (Art. 77) — in France, the CNIL
International transfers (Chapter V)
If your comment system or reader database is hosted outside the EU, the GDPR requires safeguards under Articles 44–50. After the Schrems II ruling (CJEU, 16 July 2020), transfers to the United States rely on the EU-US Data Privacy Framework (in effect since July 2023), with additional supplementary measures often required by the EDPB. Many publishers find it simpler to keep the data in the EU entirely.
Roles: who is the controller, who is the processor
For your press website's reader data:
- You (the publisher) are the controller — you decide why and how the data is processed (Art. 4.7).
- Your comment system / moderation tool (Logora, Disqus, Viafoura, etc.) is typically a processor — it processes data on your behalf, under instructions in a Data Processing Agreement (Art. 28).
The DPA is mandatory under Article 28.3. It must specify the subject-matter, duration, nature and purpose of the processing, the types of data, the categories of data subjects, and your obligations and rights as controller. Without a signed DPA, you cannot lawfully use a third-party processor for personal data.
What this means in practice for your publisher operations
- Privacy policy on your site, plain language, listing every processing activity (Articles 13–14)
- Cookie banner only when required — non-tracking, non-targeting cookies are exempt (CNIL guidance on the ePrivacy Directive)
- Signed DPAs with every third-party processor: comment system, moderation tool, analytics, ad tech, email service
- Records of processing (Article 30) — an internal register listing all processing activities
- DPO appointment (Article 37) if you do large-scale processing or systematic monitoring
- Data breach notification within 72 hours to the authority (Article 33) and to affected users when there's a high risk
How Logora handles it
- Data Processing Agreement signed with every client, structured per Article 28.3
- EU-only hosting on OVH, France — no transfer outside the EU, ever
- First-party data — reader accounts belong to the publisher's database, not Logora
- No third-party tracking cookies by default; any analytics is anonymous and cookieless
- Right-of-access export built into the administration space — one click to fulfil an Article 15 request
- Right-to-erasure handling on a per-user basis, with deletion cascading to comments and votes per the publisher's retention policy
Sources
- Regulation (EU) 2016/679 (GDPR) — full text on EUR-Lex
- CNIL — French data protection authority (English)
- European Data Protection Board (EDPB) guidelines
- Schrems II ruling (CJEU C-311/18)
- EU data protection rules — European Commission