15 points for a GDPR-compliant website

After a two-year transition period, the EU General Data Protection Regulation (GDPR) came into force on May 25, 2018, replacing national data protection rules. In other words, data protection is now governed by uniform European legislation.

While consumers gain more rights under the new rules, companies face greater obligations. This applies to large and small companies alike, to bloggers and even to private websites. Non-compliance with the GDPR can result in hefty fines and warning letters.

To prepare your website as a precaution, we therefore recommend that you review and implement the following points.

First of all, let me briefly explain what this is all about:

What happened?
On May 25, 2018, the General Data Protection Regulation took effect uniformly across European law. This means that data protection on your own website, including the privacy policy, must be implemented differently than was previously required under national laws such as the Telemedia Act.

Who is affected?
Basically every website on the internet. Even merely reading a website generally reveals the visitor's dynamic IP address to the website operator, and according to a ruling by the Federal Court of Justice in May 2017 that already counts as personal data.

The only exceptions are family or personal pages, but even here it is important to be careful: any affiliate link or advertising banner, however small, can invalidate this special regulation.

Why is this so important?
The data protection authorities have been instructed to monitor the new provisions more closely. Once the law is in force, they can impose fines of up to 20 million euros or 4 percent of total global turnover for the previous financial year.
In addition, from May 25 other companies may also issue warnings to websites on the grounds of unfair competition.

The biggest problem with the new regulations will initially be a certain amount of legal uncertainty, as lawyers cannot fall back on established case law. For better or worse, however, all website operators will have to adapt to these new regulations and start making their website GDPR-compliant. But what needs to be done?

Our recommendations
It is generally advisable to consult a data protection officer or legal expert for your own website. However, we have summarized the most important points for you:

Commissioned data processing (Auftragsdatenverarbeitung, ADV)
Anyone who does not host their own website (i.e. does not operate their own server) cannot simply store data, because in this case the web space belongs to a third party. That third party must be bound into the process by a data processing agreement.

The hosting provider Strato, for example, informs its customers about this here: https://www.strato.de/faq/article/2763/Fragen-zur-Auftragsdatenverarbeitung-ADV-und-der-neuen-EU-Datenschutzgrundverordnung-DSGVO.html

As with many other providers, the exact form in which commissioned data processing will be guaranteed once the GDPR is in force is still being worked out.

Caution: If your website is hosted on a non-European server, you must check carefully whether that server still meets this form of data processing after the change in the law. For the USA, for example, there is the Privacy Shield, an agreement between the EU and the USA that guarantees this. Every American server with this certification is subject to the new GDPR; however, the long-term future of the agreement is unclear.

Data protection declarations
Privacy policies have long been mandatory on every website, but the GDPR, which extends the Telemedia Act, places many new requirements on their content. The privacy policy must now state the legal basis (for an online store, for example, the conclusion of the purchase contract) and the specific interest behind the data processing (for example, temporary storage of IP addresses to protect against attacks).

On a typical website, personal data (beyond the IP address) arises, for example, in log files, geolocation, registrations, contact forms, newsletter sign-ups, comment functions, social sharing buttons, and analytics and tracking services.

Website operators must now explain in detail for what purpose they collect which data. In addition, the rights of the user must now be safeguarded even more clearly. This includes the right to information, erasure and rectification of data, as well as the right to withdraw consent. In addition, information about the restriction of processing, the right to lodge a complaint with a supervisory authority and the right to data portability are now required. Above all, the right to object must be highlighted visually (in bold or framed).

The privacy policy must be easy to find (link on the homepage, preferably in the navigation and thus universally accessible) and be available "in a precise, transparent and easily accessible form in clear and simple language".

Online generators can help with drafting one, for example: https://www.e-recht24.de/muster-datenschutzerklaerung.html

Data minimization
It is not only the information about processing that matters, however. Data minimization is just as important: for a newsletter sign-up, for example, request only the email address and name, not the date of birth or postal address. Any field that is not strictly necessary for a registration must be marked as such and remain optional.

The double opt-in procedure is generally recommended for registrations. Find out more here:

Encrypted data/SSL certificate
Anyone who offers a contact form on their website, for example, must ensure that the data entered (name, email, subject, message) is protected as well as possible on its way to the server and onward by email. A secure connection via a so-called SSL or TLS certificate contributes to this, "as it protects the communication between your website visitor and the server on which your website is hosted". You can obtain such a certificate from your hosting or server provider, or alternatively from "Let's Encrypt". The cost of such encryption depends on the hosting package and the type of certificate and ranges from free of charge to just under 100 euros per year. Important: Even after such a certificate has been activated, most websites are still far from being fully served over HTTPS! CMS systems such as WordPress in particular require a number of adjustments, which are best carried out by an experienced administrator.

Further reading: https://partnerundsoehne.de/fuenf-schritte-zur-ssl-verschluesselung-ihrer-webseite/

Cookies and the option to object
In future, website operators must obtain the user's "informed consent" (what are cookies? https://de.wikipedia.org/wiki/Cookie ). Since it is not (or no longer) sufficient simply to display a notice about the use of cookies, a cookie banner is recommended.

Ideally, this is a pop-up (modal overlay) shown before the visitor interacts with the website, which informs the user about the use of cookies and links to a detailed description. Although cookies may continue to be used in many cases (Google, for example, has certified its tracking and analytics tools under the Privacy Shield), visitors must be able to object to this by opting out. Under the new law in particular, this means that visitors must still be able to use the website even if they object to data collection.
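As an added example (not code from the original article), the following shows the logic behind such a banner: tracking is loaded only once analytics consent has been recorded, the banner is shown only while no decision exists, and opting out both persists the objection and removes the tracking cookies already set. Storage, the script loader and cookie deletion are injected so the logic runs outside a browser; in a page you would pass window.localStorage, a function that appends the analytics script tag, and a function that expires the named cookie. The storage key and cookie names are assumptions for this example.

```javascript
// Added example: consent-gated loading of tracking scripts (not from the article).
const CONSENT_KEY = 'cookie-consent-v1'; // assumed storage key

function readConsent(storage) {
  // Unknown, missing or corrupt state is treated as "no decision yet".
  try {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return { decided: false, analytics: false };
    const parsed = JSON.parse(raw);
    return { decided: true, analytics: parsed.analytics === true };
  } catch (e) {
    return { decided: false, analytics: false };
  }
}

function saveConsent(storage, analytics) {
  storage.setItem(CONSENT_KEY, JSON.stringify({ analytics: analytics === true, ts: Date.now() }));
  return readConsent(storage);
}

// What the page should do on load: show the banner if undecided, and invoke
// the tracking loader only when analytics consent is recorded. The content
// itself is never blocked, and "reject" is a valid, persisted answer.
function initPage(storage, loadTracking) {
  const consent = readConsent(storage);
  let trackingLoaded = false;
  if (consent.analytics) {
    loadTracking();
    trackingLoaded = true;
  }
  return { showBanner: !consent.decided, trackingLoaded };
}

// Opt-out: record the objection and delete the tracking cookies already set.
function optOut(storage, cookieNames, deleteCookie) {
  saveConsent(storage, false);
  cookieNames.forEach((name) => deleteCookie(name));
  return readConsent(storage);
}

// Minimal in-memory storage so the example runs stand-alone (constructed).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
}
```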

Social media and videos
Another important component is the integration of social media sharing. As the mere integration of like or share buttons already transmits information to the social media platforms, the Düsseldorf Regional Court ruled back in 2016 that Facebook tools may not be integrated on your own website without consent.

It is true that there are certain procedures in which social networks are only allowed to request visitors' data once the relevant button has been clicked. However, due to the unclear legal situation and the lack of transparency as to which data is collected for what purpose, this is not advisable for the time being.

If you still want or need to offer sharing, you should take a closer look at the c't Shariff project:

Fortunately, merely linking (via text or logo) to your own Facebook or Twitter page does not raise this problem: https://medienkompass.de/facebook-profil-in-website-einbinden-rechtslage/

Caution is also advised when embedding YouTube videos, especially via WordPress and Visual Composer. Although these work very easily, "embedding YouTube videos establishes various connections to Google servers, through which several cookies are stored in your readers' browsers and information about them is sent to YouTube and Google's DoubleClick advertising service". YouTube itself now offers a "no cookie" embedding link, which only sends data to YouTube once the video is actually played.

More information: https://www.it-recht-kanzlei.de/youtube-videos-online-shop.html
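As an added example (not code from the original article or from YouTube), the following converts any recognisable YouTube video link found in editor content into the privacy-enhanced embed form on www.youtube-nocookie.com, and refuses unknown hosts rather than passing them through. The video ID used in the comments is constructed.

```javascript
// Added example: rewrite YouTube links to the "no cookie" embed (not from the article).
const YT_HOSTS = new Set([
  'www.youtube.com', 'youtube.com', 'm.youtube.com', 'www.youtube-nocookie.com', 'youtu.be',
]);
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/; // YouTube video IDs are 11 URL-safe characters

// Extract the video ID from watch, embed or youtu.be URLs; null if not a
// YouTube URL or the ID is malformed (so nothing foreign gets embedded).
function extractVideoId(url) {
  let u;
  try { u = new URL(url); } catch (e) { return null; }
  if (!YT_HOSTS.has(u.hostname)) return null;
  let id = null;
  if (u.hostname === 'youtu.be') {
    id = u.pathname.slice(1);
  } else if (u.pathname.startsWith('/embed/')) {
    id = u.pathname.slice('/embed/'.length);
  } else if (u.pathname === '/watch') {
    id = u.searchParams.get('v');
  }
  return id && VIDEO_ID.test(id) ? id : null;
}

// e.g. https://youtu.be/AbCdEfGhIjK (constructed) ->
//      https://www.youtube-nocookie.com/embed/AbCdEfGhIjK
function toNoCookieEmbed(url) {
  const id = extractVideoId(url);
  return id ? `https://www.youtube-nocookie.com/embed/${id}` : null;
}

// Markup for the editor: the iframe only talks to YouTube when played.
function noCookieIframe(url) {
  const src = toNoCookieEmbed(url);
  return src ? `<iframe src="${src}" loading="lazy" allowfullscreen></iframe>` : null;
}
```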

WordPress and plugins
Most websites these days are built with the WordPress CMS. Alongside its many advantages, however, WordPress needs a closer look under the GDPR than a static HTML page does. Although the WordPress developers are working with a dedicated compliance team to maintain a certain level of GDPR compliance and to encourage plug-in authors to do the same, website operators themselves must carefully check whether and which data is collected by WordPress, themes and plug-ins.

WP-Ninjas has put together a good catalog of measures that covers WordPress specifically and also recaps all of the points above:
https://wp-ninjas.de/google-analytics-opt-out (in particular, which plug-ins are really on the blacklist)

You can also find further plug-in information here (in addition to your own and free research): https://www.blogmojo.de/wordpress-plugins-dsgvo/

Important measures for your WordPress site:
1. ADV contract with the hosting provider
2. ADV contract with the web designer
3. Data processing agreement with Google (when using Google Analytics)
4. SSL certificate (or deactivation of the contact form/newsletter)
5. HTTPS conversion
6. Opt-ins for forms
7. Data protection notice on forms
8. Newsletter ADV (with Mailchimp, for example)
9. Newsletter double opt-in
10. Disable comments (because the IP address is stored)
11. Cookie notice and Google Analytics with an opt-out solution
12. Google Fonts linking
13. Anonymize IP addresses (Google Analytics)
14. Deactivate social plug-ins/functions
15. Renew the privacy policy
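Item 13 and the "temporary IP address storage" mentioned under the privacy policy both come down to the same technique. As an added example (not code from the original article or from Google), the following shortens client IPs before they are written to log files or handed to analytics, in the same way that Google Analytics' anonymizeIp setting does: the last octet of an IPv4 address and the last 80 bits of an IPv6 address are zeroed. The log line format is assumed to be Common Log Format, and all sample values are constructed.

```javascript
// Added example: IP anonymization for logs/analytics (not from the article).
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Expand an IPv6 string into its 8 hex groups, or return null if malformed.
function expandIpv6(ip) {
  const parts = ip.split('::');
  if (parts.length > 2) return null;
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const missing = parts.length === 2 ? 8 - head.length - tail.length : 0;
  if (missing < 0 || head.length + tail.length + missing !== 8) return null;
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map((g) => g.toLowerCase().replace(/^0+(?=.)/, ''));
}

// Unparsable input yields null so a malformed value is never stored verbatim.
function anonymizeIp(ip) {
  const v4 = IPV4.exec(ip);
  if (v4) {
    const octets = v4.slice(1).map(Number);
    if (octets.some((o) => o > 255)) return null;
    return `${octets[0]}.${octets[1]}.${octets[2]}.0`;
  }
  // IPv4-mapped IPv6 (what a dual-stack Node server reports) is treated as IPv4.
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip);
  if (mapped) return anonymizeIp(mapped[1]);
  const groups = expandIpv6(ip);
  if (!groups) return null;
  // Keep the first 48 bits (3 groups); the remaining 80 bits become zero.
  return `${groups.slice(0, 3).join(':')}::`;
}

// Rewrite the client field of a Common Log Format line (the first
// whitespace-separated token) before the line is persisted.
function anonymizeLogLine(line) {
  const sp = line.indexOf(' ');
  if (sp < 0) return null;
  const anon = anonymizeIp(line.slice(0, sp));
  return anon === null ? null : anon + line.slice(sp);
}
```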

It is clear that the new legislation, which aims to promote greater transparency but is ironically very confusing, is initially a major challenge for everyone.

If you have any further questions about the new GDPR or an initial assessment of how much you are affected by this regulation, please do not hesitate to contact us.

Image source: freepik