The General Data Protection Regulation, in force since May 2018, is mainly concerned with the lawful handling of website users' personal data and includes some rules on how a website must be set up in order to be legally compliant.
In particular, the General Data Protection Regulation is built around the rights of individuals, which it protects on the Internet.
In this article, we will show you which regulations to follow and how to make your website DSGVO compliant in just a few steps.
What counts as personal data is defined in Article 4, No. 1 of the DSGVO.
Cookie banners are important whenever you request personal data or information on your website - this can be, for example, when using the contact form or signing up for the newsletter.
Likewise, if you use tracking tools such as Google Analytics and Co. on your website, you must obtain the users' consent before they are loaded. Regardless of whether you use these tools for marketing or analysis purposes, the users must agree that you may use the tracking tool. This consent is obtained via the aforementioned cookie banner.
The situation is similar for retargeting purposes. Retargeting is part of online marketing and is used to serve personalized ads to users on other websites through tracking. You also need your visitors' consent for this marketing strategy. If they do not want this, there must be an option to object to this tracking in the cookie banner.
Rejecting cookies, of whatever type, must not prevent the visitor from continuing to browse the website. If the rejection restricts the user experience, the visitor must be informed of this.
Encrypting one's own website has already become one of Google's ranking factors and, according to Article 32, paragraph 1 of the DSGVO, must always be done as soon as a website requests personal data. If a URL starts with https:// (shown as a padlock in the address bar), the connection between the browser and the server is encrypted and secured.
To encrypt the website, you need an SSL/TLS certificate, which ensures the secure exchange of data between the user and the server. Only with such a certificate can HTTPS be enabled on your website. Plain HTTP pages, by contrast, transmit data unencrypted and give attackers on the network path the opportunity to read confidential personal data.
A social plug-in is the familiar social media button that takes the user from the website to the social network with one click, so that they can share the content they have just read there.
However, such buttons or social plug-ins, for example the "Like me button" or the "Twitter button", may not simply be embedded on a website. Regardless of whether visitors use the share button or not, personal data such as the IP address is passed on to the respective social network as soon as the page loads, without their knowledge.
Instead of the live button, an image of the social network's logo can be placed on the website, which initially has no function. Only when the user actively clicks on it does a second page ask them to confirm that they want to log in and thereby pass data on to the network. Until then the network cannot collect any information, unlike with the embedded button.
If you want to use tracking tools like Google Analytics, Google Tag Manager or even Google Search Console on your website, that is your right. You can use Google Analytics, for example, to find out how your users behave on your site. However, if you want to use such a tool, there are requirements you need to follow.
Before the introduction of the General Data Protection Regulation, it was common for Google Analytics and other tracking tools to collect the full IP address of users. Since 2018, however, it has been possible to prevent this by anonymizing the user's IP address. This is done by adding the "anonymizeIP" setting to the Google Analytics code.
This setting causes the end of the IP address to be removed before it is stored, so that the address can no longer be traced to an individual user.
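The following JavaScript is an added example, not code from the original article, that ties the two points together: analytics commands are only issued once the visitor has given consent in the cookie banner, and the IP address is truncated the way Google documents for the analytics.js `anonymizeIp` option (last octet of IPv4, last 80 bits of IPv6 set to zero). The tracking ID, the shape of the consent object and the `applyConsent` helper are assumptions made for the example.

```javascript
// Added example: consent-gated analytics with IP anonymisation.
// Assumptions: the cookie banner stores the visitor's choice in a plain
// object like { analytics: true }, and the tracking ID is a placeholder.

const TRACKING_ID = 'UA-PLACEHOLDER-1'; // placeholder, not a real property

// Commands the analytics.js "ga" queue would receive. Without consent
// nothing is returned, so no tracker is created and no _ga cookie is set;
// the page itself keeps working either way.
function analyticsCommands(consent, trackingId = TRACKING_ID) {
  if (!consent || consent.analytics !== true) {
    return [];
  }
  return [
    ['create', trackingId, 'auto'],
    ['set', 'anonymizeIp', true], // analytics.js option name
    ['send', 'pageview'],
  ];
}

// Browser wiring: call this when the banner reports a choice, passing the
// global `ga` function loaded by the analytics.js snippet (assumed here).
function applyConsent(consent, ga) {
  const commands = analyticsCommands(consent);
  for (const cmd of commands) ga(...cmd);
  return commands.length;
}

// --- What anonymizeIp does on Google's side, modelled locally ---

// Expand an IPv6 address into its eight 16-bit groups (handles one "::").
function expandIpv6(addr) {
  const parts = addr.split('::');
  if (parts.length > 2) throw new Error('invalid IPv6 address: ' + addr);
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (missing > 0 && parts.length !== 2)) {
    throw new Error('invalid IPv6 address: ' + addr);
  }
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (groups.some((g) => !/^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error('invalid IPv6 address: ' + addr);
  }
  return groups;
}

// Truncate as Google documents: IPv4 -> last octet zeroed,
// IPv6 -> last 80 bits (the last five groups) zeroed.
function anonymizeIp(addr) {
  if (addr.includes(':')) {
    const groups = expandIpv6(addr);
    const kept = groups.slice(0, 3).map((g) => parseInt(g, 16).toString(16));
    return kept.join(':') + '::';
  }
  const octets = addr.split('.');
  const valid = octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error('invalid IPv4 address: ' + addr);
  octets[3] = '0';
  return octets.join('.');
}

module.exports = { analyticsCommands, applyConsent, anonymizeIp, expandIpv6 };
```

`anonymizeIp` is included so you can see what "the end of the IP address is removed" means in practice: `203.0.113.57` becomes `203.0.113.0`, which still locates a network but no longer a single user. For gtag.js the equivalent is the `anonymize_ip: true` parameter in the `config` call.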
If you want to send a regular newsletter or promotional email from your website to your customers, you need to make this newsletter DSGVO compliant. For example, it is mandatory to obtain consent from your users in accordance with Article 7 DSGVO for you to send the newsletter to them.
Secondly, you must use the double opt-in procedure (double consent) for the newsletter: in the first step, the recipient gives their consent to receive the newsletter by e-mail.
In a second step, the company sends a link to the recipient's e-mail address. Via this link, the recipient must confirm once again that he or she actually wishes to receive the newsletter regularly and is also the legitimate owner of the e-mail address. Only after this second consent by e-mail may the address be added to the newsletter distribution list.
Furthermore, fields such as the user's name, address or age may only be optional and must not be marked as mandatory. The only mandatory field should be the e-mail address.
Also, give newsletter recipients the option to unsubscribe at any time via a link. The user's e-mail address must then be deleted from your address book immediately.
Attention: information and personal data voluntarily submitted via the website's contact form may not be added directly to the newsletter distribution list. A strict prohibition on coupling applies here. Sending the newsletter to the respective e-mail address requires explicit consent.
Similar to the newsletter, the contact form must also adhere to the concept of data economy. Do not make fields mandatory if you do not absolutely need this data. An e-mail address for a possible reply should suffice here - however, this depends on the situation.
A data processing agreement (contract for order processing) must always be concluded if you pass personal data and information on to third parties. Third parties here can be Google (Analytics) or e-mail providers, for example. The contract between you and these parties defines the scope of the data processing in binding terms.
Make sure that all third-party providers operate in a legally compliant manner and adhere to the DSGVO. The content requirements of such a contract are set out in Article 28, paragraph 3 of the DSGVO.
Violations of the General Data Protection Regulation and the associated fines are listed in Article 83, paragraphs 4 and 5 of the DSGVO.
Making a website legally compliant, and thus DSGVO-compliant, is important for operators in order to avoid becoming involved in a legal dispute. Furthermore, it is better to ask your users for consent to the processing of personal data once too often than once too rarely. In any case, make sure that your website does not violate the requirements of the DSGVO.
Are you not sure if your website is legally compliant or do you need help to make your website DSGVO compliant? Then feel free to contact us or use our decareto website audit. We are always at your side!