GDPR and Web Scraping: IAPP Europe Data Protection Congress

Sanaea Daruwalla

4 min read · December 13, 2018

Do what is right not what is easy!

I was recently invited to speak at the IAPP Europe Data Protection Congress in Brussels about web scraping and GDPR. The panel also included Claire François of Hunton Andrews Kurth and Peter Brown from the Information Commissioner’s Office (ICO). For more information, you can check out my blog post on this topic, GDPR Compliance for Web Scrapers: The Step-by-Step Guide.

Key takeaways from the event:

1: Scraping Personal Data - Legitimate Interest

There are only two legal bases for scraping personal data: (1) consent or (2) legitimate interest. While consent is rare in web scraping cases, it’s the cleaner of the two options, so much of the panel discussion at the IAPP Congress was spent on legitimate interest. In reality, legitimate interest will typically be the only legal basis at your disposal when scraping personal data, so is there a compliant way to use legitimate interest as a legal basis when web scraping? Maybe . . . sometimes . . . if you’re really careful.

2: Legitimate Interest Explained

Where no other legal basis is available, many companies are turning to legitimate interest. Legitimate interest can be used where the use case for the personal data is one that the data subject would reasonably expect and that has a minimal privacy impact. When determining if this is the case, this three-factor test can be utilized:

  1. Identify the legitimate interest (for example, Recital 47 of the GDPR states that “...the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”);
  2. Show that processing is necessary to achieve that legitimate interest; and
  3. Balance the legitimate interest against the individual’s rights.

Following on from the Recital 47 example above, in order to complete the final two steps, you would need to (1) show that your scraping of the personal data is required in order to achieve your legitimate interest of direct marketing (meaning you couldn’t get the data through some other legal basis, like consent), and (2) ensure that your legitimate interest in the data is not outweighed by the individual’s right to privacy. When weighing the interests, think about the privacy impact your use of the data might have on the individuals and whether the people whose data you scrape would be surprised by or likely to object to your use of their data.

Always ensure that you document how you assessed legitimate interest, and if you need additional guidance the ICO has published a legitimate interest assessment form on their site. If you are able to successfully pass the three-factor test and assessment, you may be able to use legitimate interest as your legal basis for scraping personal data.

3: Protecting Data Subject’s Rights?

Well, that’s where things get trickier. If, for example, you’re using Recital 47 and make a determination that your processing of personal information for direct marketing purposes qualifies as a legitimate interest, how do you inform the data subjects that you have their information or provide them with their right to access data, correct errors, object to processing, and request erasure?

Some ideas considered during our panel discussion:

  1. Conducting a Data Processing Impact Assessment (DPIA)

  2. Reviewing the use case for the data to determine if it aligns with the data subject’s original purpose for sharing the data

  3. Territorial scope -- consider where the scraping is taking place and the location of the company that is conducting the scraping. Remember, GDPR only applies if:

    (a) you are established in the EU and you are scraping data in the context of the activities of your EU establishment; or

    (b) you are not established in the EU and you scrape personal data of individuals in the EU.

  4. Checking whether the privacy policy of the website scraped lists categories of third parties that may access the personal data and whether you fall within those categories

  5. Obtaining consent after scraping the data.

There are potential pitfalls with all of these options that would require legal guidance, but it was great to get this conversation going in an environment full of data protection experts.

4: ICO Recommendations

It was great to hear the ICO’s recommendation, given that they are the ones enforcing GDPR. The ICO was clear that they don’t have any specific recommendations on web scraping, but you can look to their recommendations on “Invisible Processing” to get some guidance. Invisible Processing is the “processing of personal data that has not been obtained directly from the data subject in circumstances where the controller considers that compliance with Article 14 would prove impossible or involve a disproportionate effort.” The ICO considers Invisible Processing “high risk” and thus requires a DPIA to be conducted prior to such processing.

A DPIA is an assessment that helps you analyze, identify, and minimize the data protection risks of a project, to ensure compliance with GDPR. The ICO provides a step-by-step list for conducting a DPIA, which includes:

  1. Identify the need for a DPIA
  2. Describe the processing
  3. Consider outside consultation
  4. Assess necessity and proportionality
  5. Identify and assess risks
  6. Identify measures to mitigate the risks
  7. Sign off and record outcomes
  8. Integrate outcomes into a project plan
  9. Keep your DPIA under review

There are also various data protection software packages on the market, which walk you through a step-by-step DPIA process. At Zyte, if we were to utilize the DPIA approach, it would be our preference to conduct it within the data protection software we use, so that we’re conducting the most robust and thorough analysis possible.

Conclusions

Attending and speaking at the IAPP Congress helped to get web scraping on the minds of some of the leading data protection experts in the world, and we’re hopeful that this will turn into direct guidance from organizations like the ICO about web scraping. In the meantime, Zyte will continue to advocate for fair scraping of public data and will continue to guide our customers to help them lawfully scrape personal data.

Disclaimer: I am a lawyer, but I am not your lawyer and the recommendations in this post do not constitute legal advice. The commentary and recommendations outlined are based on Zyte’s experience helping our clients (startups to Fortune 100’s) maintain GDPR compliance whilst scraping 7 billion web pages per month. If you want legal advice regarding your specific situation then you should consult a lawyer.
