I feel like the current presentation of the feature Netlify Analytics leaves open many questions that data protection officers would need to answer to fulfill their legal obligations on internal documentation and transparency towards their website visitors, e.g. in the case of requests for information from their visitors.
The matter is somewhat complex and my current employment does not allow me to provide you feedback on the matter. However, I would like to share with you some relevant files that you should carefully read to understand more about the legal requirements of a) websites of EU organisations and b) websites that specifically address an audience in the EU.
- https://edps.europa.eu/sites/edp/files/publication/16-11-07_guidelines_web_services_en.pdf (mainly written for EU institutions, but the law is similar enough to learn from the conclusions of the European Data Protection Authority on compliance for website analytics)
Questions to begin your assessment with:
- Does the website process personal data and if so, for which purpose?
- What is the legal basis for the processing given a particular purpose?
- If the legal basis is consent, how is the consent obtained? How can visitors give and withdraw consent?
- How are data subject rights (access, right to be forgotten) dealt with?
- Is the processing opt-out or opt-in?
- Is personal data transferred to non-EEA countries and, if so, which legal tool would allow you to carry out such transfers nevertheless?