Technical Security. Beyond legal paperwork and signatures
The obligation of proactive security and its technical impact.
Third-party scripts, CDNs, and the "Trojan Horse" risk.
Analysis of real fines due to basic technical failures.
The "Paper Fetish": Why Your DPA Won't Stop an Attack
In the traditional legal world, GDPR compliance was often summarized as having a folder full of signed contracts. However, the General Data Protection Regulation (GDPR) introduced a concept that has changed the rules of the game: Proactive Responsibility (Accountability).
It is no longer enough to say that your providers are secure because they signed a DPA. GDPR Article 32 obliges you to implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk”.
The Paper Fortress Analogy
Imagine you build a mansion full of valuable customer data. You hire a security company and sign a magnificent contract. But, in practice, you leave the front door open, have no alarms, and allow anyone walking down the street (an untrusted third-party script) to walk into your living room.
If you get robbed, the judge won’t just blame the security company (your SaaS provider). They will blame you for negligence. The paper is your legal shield, but the technical configuration is your stone wall.
What do DPAs really require in 2026?
Based on recent resolutions, Agencies no longer accept excuses like “we didn’t know this could be hacked”. Audits now review:
- Diligence in Selection: Did you technically audit your provider before integrating them?
- Security by Design: Are hardening mechanisms like Content Security Policy (CSP) active?
- Continuous Monitoring: Do you have alerts that notify you if someone is attempting to exfiltrate data?
Technical Negligence (Maximum Corporate Risk)
- Blindly trusting third-party scripts (Chatbots, Analytics) without CSP.
- Lack of 2FA in admin panels and databases.
- Failure to audit security header configurations.
Due Diligence (Legal and Technical Shielding)
- Implementation of Subresource Integrity (SRI) for external CDNs.
- Strict CSP capable of blocking "Form Grabbing" exfiltration.
- Impact audits and active monitoring for breaches.
Supply Chain: The Trojan Horse in Your Frontend
One of the greatest modern threats is the Supply Chain Attack. Your website is secure, your servers are hardened, but… you load a script from an analytics library that has been hacked.
That script has the same level of access as your own code. It can perform Keylogging, steal session cookies, and send your customers’ data to a server abroad.
How do you protect yourself legally?
If this happens, the Data Protection Agency will ask you: “What did you do to prevent that third-party script from reading your users’ data?”. If your answer is “Nothing, I just installed it”, prepare for the maximum sanction.
The technical solution is SRI and CSP:
- SRI (Subresource Integrity): Allows you to verify that the file you download has not been modified. If a single bit changes, the browser blocks it.
- CSP (Content Security Policy): Acts as custom control. You tell the browser exactly where scripts can be loaded from and, most importantly, where they can send data.
[Diagram: an infected analytics.js library loads malicious code without an integrity check; CSP blocks the data exfiltration to the attacker's server.]
Lessons from the Trenches: Sanctions You Could Avoid
Let’s analyze the €3.2 million fine imposed on a retail giant in 2025. The reason? Not just the breach itself, but accumulated technical negligence. For a full privacy roadmap, check out our Cookie Banner Best Practices and the Global Privacy Control (GPC) implementation.
The critical failures detected by the Agency were:
- Lack of Active Monitoring: Attackers were exfiltrating data for weeks before anyone noticed.
- Absence of Multi-Factor Authentication (MFA): Critical panels were only protected by a password.
- Delayed Patch Implementation: Known vulnerabilities were left unaddressed for months.
This leads us to a clear conclusion: security is not a state; it is a continuous process. You cannot audit once a year and forget. You need automated systems that validate your compliance every time you deploy code.
'Expect-CT' and CSP-Report Monitoring
Setting the policy isn't enough. You have to listen to it. Configure Report URIs to receive real-time alerts whenever a browser blocks an attack attempt.
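An added example of the "listening" side, not AldeaCode's own tooling: it parses the JSON a browser POSTs to a report-uri endpoint (both the legacy csp-report body and the newer Reporting API array) and flags blocked connect-src or form-action destinations outside an assumed allow list as likely exfiltration attempts. The host names and the two sample reports are constructed for the example.

```javascript
// Added example (not AldeaCode's code): triage CSP violation reports and flag
// the ones that look like data exfiltration rather than ordinary policy noise.

// Directives that carry user data to another origin; a block here is the signal
// that a script tried to send something somewhere your policy does not allow.
const EXFIL_DIRECTIVES = new Set(["connect-src", "form-action"]);

// Origins your policy legitimately allows (assumed values for this example).
const ALLOWED_ORIGINS = new Set(["https://shop.example", "https://analytics.example"]);

function originOf(uri) {
  // blocked-uri may be a full URL or a bare token such as "inline", "eval" or "data".
  try { return new URL(uri).origin; } catch { return uri; }
}

// Accepts the legacy report-uri body ({"csp-report": {...}}) or a Reporting API
// array ([{type: "csp-violation", body: {...}}]) and normalises each violation.
function parseCspReports(json) {
  const raw = JSON.parse(json);
  const items = Array.isArray(raw) ? raw.map((r) => r.body || {}) : [raw["csp-report"] || {}];
  return items.map((r) => ({
    document: r["document-uri"] || r.documentURL || "",
    directive: r["effective-directive"] || r.effectiveDirective || r["violated-directive"] || "",
    blocked: originOf(r["blocked-uri"] || r.blockedURL || ""),
    disposition: r.disposition || "enforce", // "report" when the policy is report-only
  }));
}

// High severity: a data-carrying directive blocked a destination outside the allow list.
function triage(report) {
  const suspicious = EXFIL_DIRECTIVES.has(report.directive) && !ALLOWED_ORIGINS.has(report.blocked);
  return { ...report, severity: suspicious ? "high" : "info" };
}

function highSeverity(json) {
  return parseCspReports(json).map(triage).filter((r) => r.severity === "high");
}

// Constructed samples: one enforced connect-src block to an unknown collector host,
// and one report-only style-src violation that is just policy tuning noise.
const SAMPLE_LEGACY = JSON.stringify({ "csp-report": {
  "document-uri": "https://shop.example/checkout",
  "effective-directive": "connect-src",
  "blocked-uri": "https://collector.evil-example.test/c",
  "disposition": "enforce" } });
const SAMPLE_REPORTING_API = JSON.stringify([{ type: "csp-violation", body: {
  documentURL: "https://shop.example/", effectiveDirective: "style-src",
  blockedURL: "inline", disposition: "report" } }]);
```

Wire highSeverity to your alerting so an enforced connect-src block on a checkout page pages someone, while report-only noise is only logged.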
Zero-Trust Architecture
Assume your internal network is already compromised. Verify every request, use short-lived tokens, and segment access to your customer data.
SRI Implementation: Your First Line of Defense
To harden your supply chain, start using SRI in all your external scripts today. It’s as simple as adding the integrity attribute to your <script> tags.
The Roadmap: From Uncertainty to Total Shielding
At AldeaCode, we have systematized this process to make it undecipherable for attackers and reassuring for DPOs. This is our 4-step methodology:
01. Supply Chain Audit
We identify every script, pixel, and widget loaded by your site. We evaluate the technical reputation of each provider and their security mechanisms.
02. Header Hardening (CSP/HSTS)
We configure a dynamic shield. We start in "report-only" mode to avoid breaking anything, and then strictly enforce once legitimate traffic is validated.
03. Encryption & Identity Management
We implement MFA across all administrative access points and review database encryption protocols (At-Rest and In-Transit).
04. Technical GDPR Certification
We generate the detailed technical report your DPO needs to demonstrate proactive diligence before any audit.
Frequently Asked Questions: Technical and Legal Shielding
Is having an SSL enough to comply with Article 32?
No. SSL only encrypts the tunnel. Article 32 requires measures proportional to the risk. Today, that includes control over third-party scripts, security header policies, and breach detection systems.
What are the risks of using external analytics scripts?
The risk is the "Supply Chain Attack". If the provider is hacked, their script on your site can steal form data in real-time (Keylogging). It's vital to use CSP to limit where these scripts can send data.
Why should I use Subresource Integrity (SRI)?
SRI guarantees that the file your browser loads is exactly the same one you approved. If a hacker injects malicious code into the CDN, the hash will not match and the browser will block execution.
Does GDPR sanction for lack of Multi-Factor Authentication (MFA)?
Yes. Recent cases exist where the lack of MFA on panels with sensitive data has been considered failure of appropriate technical measures, aggravating the sanction after a security breach.
What is the Principle of Proactive Responsibility?
It means you are responsible for demonstrating that you have implemented all possible technical means. It's not enough to not have incidents. You must have defensive evidence.
How does Content Security Policy (CSP) affect compliance?
It is the technical compliance tool par excellence. By defining a whitelist of trusted sources, you demonstrate total control over the code executed on your site, mitigating XSS and exfiltration attacks.
What sanctions can be imposed for technical failures?
Fines can reach €20 million or 4% of global turnover. In 2025, we have seen sanctions of €3.2 million for technical negligence in breach management.
Is it mandatory to audit my SaaS providers?
Yes, it is part of Due Diligence. You must verify that your providers meet security standards and that their integration into your site does not introduce critical vulnerabilities.
Would your site pass a technical audit today?
Don't wait for a Data Protection Agency notification. We analyze your architecture, your headers, and your supply chain to ensure real, demonstrable compliance.
Technical Trust • Legal Security • AldeaCode 2026