WordPress is considered the most popular content management system and offers a large number of functions and plugins, themes and widgets for the creation and design of websites, with which you can individually build and expand websites. However, not all of these comply with the General Data Protection Regulation (DSGVO), which requires personal data to be handled in a privacy-compliant manner.
Anyone who still uses these tools on their website regardless could face warnings or penalties. In this article, we will explain how to make WordPress compliant with the DSGVO and which plugins and widgets are useful when designing websites in accordance with the regulations.
According to the DSGVO, it is your duty to collect, store and process personal data only on a legal basis. Typical cases are when a visitor uses the contact form, subscribes to the newsletter, writes a comment or enters contact details to purchase a product.
In addition, users must be informed about any use of:
tracking, marketing or analysis tools, and
the transfer of personal data to third parties.
Accordingly, it must also be possible for users to refuse the use of these tools. The best way to regulate the acceptance and rejection of cookies is via a cookie consent banner.
In addition to the name and contact details of the person responsible, the imprint must state the VAT identification number and/or business identification number, the register number and the location of the register (if registered), the chamber affiliation in the case of freelancers, and, in the case of online stores and service providers, information on the consumer arbitration board.
Every cookie that you set on your website must be listed in a cookie banner, regardless of whether it is technically necessary or a tracking cookie for analysis purposes.
For technically necessary cookies, you do not necessarily need the visitors' consent. But as soon as you use tracking, analysis or marketing tools on your website, you are usually required to obtain user consent for them. Tracking or analysis must be pointed out in the cookie banner and agreed to by each user via the banner. For each tool, the banner must state:
the name of the tool
the description of the tool
why it is used
the recipient of the personal data
the duration of the storage
the extent to which individuals are required to provide their data for this purpose
the opt-out option
Besides the helpful cookie and consent banner widget from WordPress, you can also use WordPress plugins to create a custom cookie banner. Useful plugins here are "Real Cookie Banner", "Borlabs Cookie" and "hellotrust". All three are DSGVO-compliant plugins.
If you want to include third-party tools, plugins, cookies or similar for tracking or performance purposes on your website, you need to check whether they are compliant with the DSGVO. Tracking or analysis tools from Google, for example, such as "Google Analytics" or "Google Tag Manager" are not DSGVO-compliant, as Google is based in the USA and is therefore outside the scope of the DSGVO.
You either have to find a way to integrate tools like Google Analytics on your website in a privacy-compliant way or choose tools, plugins, themes etc. that are in line with the DSGVO from the outset.
With each third-party provider or service provider that you choose for your tools, plugins, etc., and that also receives, stores and further processes the personal data, you must conclude an order processing agreement. This agreement contractually secures the lawful transfer of data to each provider.
If you want to link your social media channels on websites, you need to know that the personal data will be passed on directly to the respective social network as soon as the visitor presses the social button. If the visitor has not explicitly agreed to this beforehand, you are in breach of the DSGVO.
WordPress plugins like "MashShare" or "Smash Balloon" help you to integrate your social media channels on your website in accordance with the DSGVO. "Smash Balloon", for example, shows users Instagram posts directly on the website without establishing a connection to the social network. Please make sure that you enable the DSGVO features in this plugin.
Since the DSGVO came into force in 2018, it is a must to encrypt websites with an SSL ("Secure Sockets Layer") certificate. This means that the website is loaded via the HTTPS protocol when it is requested, ensuring a secure exchange of data between the visitor and the website. In this way, unauthorized third parties cannot read confidential data in transit.
You can either set up the SSL encryption yourself or use a WordPress plugin. The "Really Simple SSL" plugin is particularly suitable for this: SSL encryption is enabled with a single click. Under the plugin's settings, you should also activate the "Mixed Content Fixer" tab, so that resources still referenced over http are loaded over HTTPS. You do not have to activate the other functions.
This way, the lock icon will now appear in the URL bar of your website and your visitors will know that your website is secure and encrypted.
Any pre-installed WordPress theme that you use for WordPress websites must be DSGVO compliant or you must ensure that it becomes DSGVO compliant. If the theme is not DSGVO compliant, it may load fonts from third party servers such as Google (Google Fonts), which are not in accordance with the DSGVO without the users' consent.
If you still want to use a WordPress theme that you know loads fonts from the Google server, you can use the WordPress plugin "Disable Google Fonts", for example, to prevent Google Fonts from loading on your website. In addition, always embed fonts on web pages locally so that they are loaded from your server and not from other servers such as the Google server.
However, to avoid all this work, you can also opt for a theme that is designed to be DSGVO compliant from the start. These often have privacy tools built in to prevent any breach of the DSGVO. Examples of WordPress themes compliant with the DSGVO are "Ave Theme", "Digixon" and "The 7".
If visitors to your website want to contact you or your support, or write a comment on the content, they have to provide personal data - usually at least a name and email address. This input is done via a form.
With the help of the "Contact Form 7" plugin, you can create privacy-compliant contact forms that comply with the DSGVO. With the WordPress plugin "WP DSGVO Compliance", you can create a consent field for both contact forms and the comment function, through which users can consent if they agree to the collection and further processing of their data.
Under the "Inclusions" tab of the "WP DSGVO Compliance" plugin, you can click the "Include WordPress comments" item. At this point, the plugin can also be linked to the functions of "Contact Form 7". The comment function, contact form and user consent field are all customizable.
Since the visitor's IP address is stored when a comment is submitted, you can use the WordPress plugin "DSGVO Tools: Remove comment IP" to define the storage period; IP addresses that are already stored can also be removed with this plugin.
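As an added example (not from the article and not the code of any plugin it names), the following WordPress snippet shows the same two measures in code: it masks each commenter's IP before WordPress stores it, using the core `pre_comment_user_ip` filter, and purges the IPs of comments older than a retention period on a daily WP-Cron schedule. The hook name `example_purge_comment_ips` and the 30-day period are assumptions for this example.

```php
<?php
// Added example: anonymise commenter IPs before storage and purge old ones.
// Place it in a site-specific plugin or the theme's functions.php.

// 1. Mask the IP before WordPress writes it to the comment_author_IP column.
//    pre_comment_user_ip is a core filter applied in wp_filter_comment().
add_filter( 'pre_comment_user_ip', function ( $ip ) {
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        // e.g. 203.0.113.42 -> 203.0.113.0 (last octet zeroed)
        return preg_replace( '/\.\d+$/', '.0', $ip );
    }
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 ) ) {
        // Keep the first 48 bits (6 bytes) and zero the remaining 80 bits.
        $bin = substr( inet_pton( $ip ), 0, 6 ) . str_repeat( "\0", 10 );
        return inet_ntop( $bin );
    }
    // Anything that is not a valid IP is not worth storing at all.
    return '';
} );

// 2. Daily purge of IPs on comments older than the retention period.
//    The 30-day value is an assumption; set it to your documented storage period.
define( 'EXAMPLE_COMMENT_IP_RETENTION_DAYS', 30 );

add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'example_purge_comment_ips' ) ) {
        wp_schedule_event( time(), 'daily', 'example_purge_comment_ips' );
    }
} );

add_action( 'example_purge_comment_ips', function () {
    global $wpdb;
    $cutoff = gmdate( 'Y-m-d H:i:s', time() - EXAMPLE_COMMENT_IP_RETENTION_DAYS * DAY_IN_SECONDS );
    // Blank the stored IP instead of deleting the comment itself.
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->comments} SET comment_author_IP = '' WHERE comment_date_gmt < %s AND comment_author_IP <> ''",
        $cutoff
    ) );
} );
```

Running the purge once by hand (for example with WP-CLI's `wp cron event run example_purge_comment_ips`) removes the IPs that were stored before the filter was in place.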
When it comes to data protection with WordPress, it must always be at the forefront of your mind. To comply, you must collect personal data in a DSGVO-compliant manner, may only use this data for the stated purpose and must obtain the users' consent for this.
WordPress collects personal data when a user fills out a contact form, writes a comment, or signs up for the newsletter. Personal data can be the name, IP address, email address, address, but also payment data in the case of an online store.
For you as a website owner, it is important to handle this data in a trustworthy manner, to protect it, not to pass it on to third parties without the users' consent and to protect the users' privacy. Inform your visitors about any disclosure, further processing and the storage period of their data.
Note: You may not share, process or store personal data without a legal basis. Otherwise you will face penalties or warnings.
If you are unsure whether your WordPress websites are designed in accordance with the DSGVO, then you are welcome to have them checked by us at decareto. You don't have to perform regular checks yourself, because we will do it for you. If regulations change or you need to make corrections to the website, we will notify you immediately.
With our DSGVO scanner, we examine websites for errors and non-compliant implementations. We do not only look at the start page, but also include the contents of all sub-pages in order to carry out a comprehensive analysis. Afterwards you will receive a detailed and easy-to-understand report on the results.
If there are still any unanswered questions about how to make WordPress DSGVO compliant or if you would like to test our DSGVO scanner for 14 days free of charge, feel free to contact us or register directly for a trial run using the form on our website. Get started today!