DSGVO Website Checklist: What to look for on your Website

Erstellt am 25. November 2022

If you want to build a website for a business, there are some regulations you need to adhere to in order to make your website legally compliant. The DSGVO, which has been in effect since 2018, mandates these regulations in Germany.

To help you know what to do to make websites DSGVO compliant, we've put together a DSGVO website checklist below.

DSGVO checklist for websites

Data protection declaration and imprint according to the DSGVO

Website owners are required under the DSGVO to include a privacy policy and an imprint on their website. Both forms must be clearly visible and easy to find. An example of placing the privacy policy and the imprint is to integrate them next to each other in the footer of the website.

For both the privacy policy and the imprint, make sure that both are also accessible on the mobile version of the website.

Privacy policy

The data protection declaration contains the name and contact details of the responsible persons on the one hand and information about the processing of personal website visitor data on the other. The privacy statement lists which data is collected in which way, what it is used for and how long it is stored.

In addition, the privacy policy lists the rights of users in accordance with the DSGVO and provides information about hosting and the use of cookies. You must also provide information about analysis tools used, sharing on social media, plug-ins used and the newsletter, if any.


If you offer services or products on your website, it is necessary to integrate a DSGVO-compliant imprint on your website in addition to the data protection declaration. Here you must enter all data (first name, last name, street, postal code, place of residence, telephone number, e-mail) of the operator of the website. In addition, the sales tax ID and the representative of the company belong in the imprint.

cookie banners

When using a cookie banner, there are several ways to indicate cookie usage on the website. Which of these banners you use depends on which cookies you use on your website.

Some cookies are required. These include, for example, technically necessary or for the consent (Consent) of the processing of personal data in the contact form or newsletter. Without these, you may not collect this data.

Other cookies that indicate tracking or user behavior analysis are used exclusively for website analysis. Obtaining consent for this is essential. Examples of tracking tools are Google Analytics or Google Tag Manager.

No matter which cookies you use, you must point them out to visitors and also list them in your privacy policy in accordance with the DSGVO.

Data collected in the contact form

As soon as you offer a contact form on your website that allows visitors to get in touch with you, it is important to obtain the user's consent that their data may be processed.

When it comes to the contact form, data economy is what counts most. Mandatory fields may only be those whose information you also need - in a simple contact via. E-mail, you do not need the user's telephone number or first AND last name. You must report on the data collected in the contact form in the privacy policy.


Just as with the contact form, when signing up for the newsletter, you need the user's confirmation that you are allowed to process their data and that they would like to receive the newsletter on a regular basis. Also, make sure that the newsletter software you use is DSGVO compliant. One of the DSGVO compliant tools for your newsletter is MailChimp.

Also, for the personal data collected in the newsletter, provide the user with more information in the privacy policy.

Third Party Plugins

social plugins

Any social media button such as Facebook's "Like" thumb, Twitter's Tweet icon or similar methods for visitors to share the content of websites on social networks are called third-party plug-ins or social plug-ins.

However, a cookie is important for the use of these plug-ins, through which the user must agree that data may be stored and shared with the respective social networks in accordance with the DSGVO.


The embedding and subsequent playing of videos from YouTube, for example, on websites also requires the user's consent via a cookie. The latter agrees that he or she consents to his or her data being passed on to YouTube or the corresponding platform.

Encrypted website

Since you are required to protect all data collected from visitors, it is mandatory to encrypt websites using an SSL certificate. This way, unauthorized people will not have access to the personal data.

You can recognize an encrypted or secure website by the lock symbol before the URL or the prefix https://. In this way, you know that data entered in the contact form, for example, is sent securely and encrypted.

Tip: An SSL-encrypted website is now one of Google's ranking factors. A secure website therefore leads to a higher ranking in Google.

pairing prohibition

The data economy in the contact form goes hand in hand with the coupling ban. On the one hand, not too much data may be collected in the contact form, but on the other hand, according to the DSGVO, the user may not automatically be included in the newsletter distribution list.

Whether that is when buying a product or contacting the operator: Users who provide their personal data must give their explicit consent that they are willing to receive the newsletter regularly. This can be done by simply ticking a box. If you do not have this consent, you may not include the user in the newsletter distribution list.

Google Analytics

With the help of Google Analytics or similar web analysis tools, you can use the visitor's IP address to track their behavior on the web. However, according to the DSGVO, you may not do this without the user's confirmation.

Accordingly, you must allow visitors using a cookie to consent to this collection or reject it. This must be pointed out in the privacy policy.

It is also necessary to anonymize the IP address of users. To do this, simply extend the Google Analytics code with "anonymizeIP" and include it in the source code of the website.

Last but not least, you need to sign a DSGVO order processing agreement with Google (Analytics) so that Google Analytics is authorized to collect your visitors' data.

Order Processing Agreement

A so-called order processing contract according to DSGVO must always be concluded if personal data collected by a website is passed on to third parties or external service providers and processed. For example, when using Google tools (e.g. Analytics), MailChimp or cloud providers, you must conclude such an order processing contract with them.

Stock photos

If you want to use photos on websites, they must comply with the DSGVO. To avoid getting into copyright problems, you should think about including stock photos if necessary. If companies do not have their own videos or photos, so-called stock photo agencies are used.

In general, there is nothing against the use of stock photos on websites, but you should definitely pay attention to the licensing conditions with the respective agencies and, if necessary, consider the image source proof.

What happens if the website is not DSGVO compliant?

If the website is not DSGVO compliant, fines can be expected. These include, among other things, insufficient information on data collection, an incomplete or missing data protection declaration and an imprint, copyright violations or insufficient encryption of the website.

Other DSGVO violations could also be the lack of reference to the use of cookies and the use of analysis tools such as Google Analytics and not to include them in the data protection declaration. If these DSGVO violations occur, fines or a warning may be issued.

Do you have questions about the DSGVO website checklist?

We really hope that the DSGVO website checklist was helpful to you and that you were able to draw useful information from it. If you follow this checklist, you can avoid fines and warnings for your website. 

Please pay particular attention to a complete data protection declaration, as everything important about data protection on your website must be listed here.

If you still have questions or would like more information on the subject, please do not hesitate to contact us.

Zurück zur Übersicht