In this blogpost we ask if website owners must have a technical tool to automatically detect and record 3rd parties on their websites.

We will explain how Trackerdetect automatically detects and builds information about 3rd parties on your website to help you detect whether 3rd parties appear on your website and build a record of which 3rd parties that appear where and when, and which 3rd parties that pull in other 3rd parties on your site.

This will help you to

  • be able to demonstrate that you have the technological measures to detect and record 3rd parties on websites, as required by the GDPR Articles 24.1, 30.1(d) and Recital 87.

In the following it is assumed that

  • you have 3rd parties on your site
  • the personal data of your website visitors are disclosed to the 3rd parties on your site

Accountability Measure

If you are a website owner, you can ask yourself

“Must I have a technical tool to automatically detect and record 3rd parties on my website?”

The answer is, yes, most probably.

This is the rule in GDPR Article 24.1, first sentence (and Recital 74, second sentence, Recital 78, second sentence).

If having 3rd parties on site owner's site is likely to result in a high risk to the rights and freedoms of the website visitors, then it is proportionate that site owner must “implement appropriate technical and organisational measures to

  • ensure that processing is performed in accordance with the GDPR, (GDPR Article 24.1), and
  • be able to demonstrate that processing is performed in accordance with the GDPR, (GDPR Article 24.1).

The literal meaning of “ensure” is to make certain that something will occur or be the case or make certain of obtaining or providing something.

Consequently, the GDPR requires site owners to have tools to automatically detect 3rd parties on their sites in order to

  • identify that the personal data of their site visitors are disclosed to the 3rd parties on the site, and
  • ensure that the personal data of their site visitors are lawfully disclosed to the 3rd parties on the site.

The literal meaning of “be able to demonstrate” is to have the power, skill, means, or opportunity to give proof or evidence.

Consequently, the GDPR requires site owners to have tools to automatically record 3rd parties on their sites in order to

  • give proof or evidence that the personal data of their site visitors are disclosed to the 3rd parties on the site.

Record Keeping Measure

If you also ask yourself

“Must I have a technical tool that actually records 3rd parties are on my site, both not authorised and authorised 3rd parties?”

The answer is yes.

This is the rule in GDPR Article 30.1(d) and Recital 82.

More on this in the blogpost Keep a record of all 3rd parties on websites?

Personal Data Breach Detection Measure

If you also ask yourself

“Must I have a technical tool that actually detects 3rd parties not authorised on my site?”

The answer is yes.

This is the rule in Recital 87 of the GDPR.

Site owners must implement "technological protection and organisational measures ... to establish immediately whether a personal data breach has taken place ... .“

More on this in the blogpost Is having unauthorised 3rd parties on a website a personal data breach?

Ongoing confidentiality

You can also ask yourself

"Must I continuously detect 3rd parties on my website?"

The answer is, yes, most probably.

Article 32 of the GDPR, “security of processing,” explains that when implementing technical and organisational measures to ensure a level of security appropriate to the risk, consideration should be given, amongst other things, to “the ability to ensure the ongoing confidentiality ... of processing systems and services.”

Tools to identify and record 3rd parties on websites

If you also ask yourself

“How can I identify and record 3rd parties that are on my site?”

The answer is that you can use Trackerdetect.

How can Trackerdetect help?

With Trackerdetect you can automatically detect all 3rd parties on your site

  • at a given time by manual clicks
  • at given intervals, e.g. each 6th hour
  • from a given location
  • and store the information about the 3rd parties in a record with Signatu
  • including information about their
    • legal entity
    • contact details
    • etc

Other blogposts on Trackerdetect

In other blogposts about Trackerdetect on

we have explained reasons why you should become aware of 3rd parties on your site and how Trackerdetect automatically detects and builds a record of 3rd parties that are on your website to

  • help you meet the record keeping requirements in GDPR Article 30.1.
  • help you meet the information and transparency requirements in GDPR Article 13.
  • help you respond to your website visitor's Access Request in GDPR Article 15.
  • equip you with their contact details so you can communicate to those 3rd parties that your website visitor requests to exercise his/her right.
  • enable you to classify 3rd parties to determine whether or not you are required to enter into an agreement with the detected 3rd parties, as required in GDPR (data processing agreement (GDPR Article 28), joint controller agreement (GDPR Article 26), controller to controller agreement).
  • help you identify all 3rd parties on your website so that you can assess whether your website-3rd parties' processing operations pose risks to the rights and freedoms of your website visitors and whether a DPIA is necessary, in accordance with GDPR.
  • help you understand how 3rd parties appear on your website so that you can adopt internal data protection policies for having 3rd parties on your website, as required by GDPR Article 24.
  • help you to identify whether unauthorised disclosure of your website visitors’ personal data have occurred and whether you need to notify the personal data breach to the supervisory authority and your website visitors.

Reach out to us

If you have an interest in Trackerdetect, please send us an email to hello@signatu.com.