Make website DSGVO compliant: How to do it | Decareto

Created 28 December 2022

The General Data Protection Regulation (GDPR, or DSGVO in German), in force since May 2018, is concerned mainly with the lawful handling of website users' personal data and includes rules on how a website must be set up in order to be legally compliant.

In particular, the General Data Protection Regulation is built around the rights of individuals, in order to protect them on the Internet.

In this article, we show you which regulations to follow and how to make your website DSGVO compliant in just a few steps.

How to make a website DSGVO compliant? 

Make privacy policy and imprint legally compliant

The most important thing if you want to make your website DSGVO compliant is to have a complete privacy policy and a complete imprint. As a website operator, you must ensure that both documents list all important and required information and inform users of their rights.

The information that belongs in the privacy policy and imprint is:

  • Name and contact details of the operator (first name, last name, address, phone number, email address).
  • Information about the processing of user data: what data is collected, how and by what means, for what purpose (marketing purposes, etc.) and how long it is stored.
  • Rights of the users.
  • Information about the cookies, tracking tools and social plug-ins used.

Not only the privacy policy but also the imprint must be quick and easy to find on every page. Most website operators place both in the footer, which is accessible from every page of the website.

Personal data is defined in Article 4, No. 1 of the DSGVO.

Include cookie banner

Cookie banners are required whenever your website requests personal data or information from visitors; this can be the case, for example, when a contact form is used or a visitor signs up for the newsletter.

Likewise, if you use tracking tools such as Google Analytics on your website, you must obtain the users' consent via the cookie banner. Regardless of whether you use these tools for marketing or analysis purposes, the users must agree that you may use the tracking tool, and this agreement is collected through the aforementioned cookie banner.

The situation is similar for retargeting. Retargeting is part of online marketing and uses tracking to serve personalized ads to users on other websites. You also need your visitors' consent for this marketing strategy, and if they do not want it, the cookie banner must offer an option to object to this tracking.

Rejecting cookies, regardless of their type, must not prevent the visitor from continuing to browse the website. If the rejection restricts the user experience, the visitor must be informed of this.

Any use of cookies must be listed by website operators in the privacy policy and explained to their users in detail.

Encrypting the website

Encrypting your own website has already become one of Google's ranking factors and, according to Article 32, paragraph 1 of the DSGVO, should always be done as soon as a website requests personal data. If a URL starts with https:// or the browser shows a lock in the address bar, the connection between the browser and the server is encrypted.

To encrypt the website, you need an SSL certificate (today technically a TLS certificate, but still commonly called an SSL certificate), which ensures the secure exchange of data between the user and the server. Only with such a certificate can the HTTPS protocol be enabled on your website. Plain HTTP pages, by contrast, transmit data unencrypted, which gives attackers on the network path the opportunity to read confidential personal data.

Obtain user consent for social plug-ins

The social plug-in mentioned above is the familiar social media button that takes the user from the website to the social network with one click, so that they can share the content they have just read there.

However, such buttons or social plug-ins, for example the "Like" button or the "Twitter" button, may not simply be placed on a website. Regardless of whether visitors use the share button or not, personal data such as the IP address is passed on to the respective social network as soon as the plug-in is loaded, without the visitor knowing.

According to the DSGVO, it is therefore necessary to give users the option in the cookie banner to reject this sharing of data or, more precisely, to obtain their consent before it happens. All exact details about the social plug-ins must be recorded by website operators in the privacy policy.

Another option is to place an image of the social network's logo on the website instead of the button; this image initially has no function. Only when the user actively clicks on it do they have to confirm, in a second step, that they want to log in and thus pass on data to the network. Before that, the network cannot collect any information, unlike with the real button.
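The two mechanisms described above, the cookie banner that gates tracking scripts and the two-click replacement for a social plug-in, share one rule: nothing is fetched from a third party until the visitor has explicitly agreed. The following is an added example, not code from the article or from any consent-management product, of how that rule can be enforced in the page's own JavaScript. The storage object and the script-loading function are injected (in a browser these would be `window.localStorage` and a function that appends a `<script>` tag), and the category names, the `require`/`record`/`withdraw` methods and the `TwoClickWidget` class are this example's own naming.

```javascript
// Added example (not the article's code): gate third-party scripts behind
// explicit consent and implement the two-click social plug-in.
const CATEGORIES = Object.freeze(['analytics', 'marketing', 'social']);

// In-memory stand-in for window.localStorage, used by the demo and test.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: k => m.delete(k),
  };
}

class ConsentManager {
  // storage: getItem/setItem/removeItem (e.g. window.localStorage)
  // loadScript: function(url) that injects a <script> tag; injected so the
  // decision logic can be exercised without a DOM.
  constructor(storage, loadScript) {
    this.storage = storage;
    this.loadScript = loadScript;
    this.loaded = new Set();
    this.pending = new Map(); // category -> [url, ...] waiting for a decision
  }

  // Stored decision, or null while the banner has not been answered.
  decision() {
    const raw = this.storage.getItem('consent');
    return raw ? JSON.parse(raw) : null;
  }

  hasConsent(category) {
    const d = this.decision();
    return d !== null && d[category] === true;
  }

  // Called by the banner. Anything not explicitly granted is recorded as
  // rejected, so "reject all" is record({}). Scripts queued for a category
  // that is now granted are loaded; queued scripts for rejected categories
  // are discarded and must be requested again after a later change.
  record(granted) {
    const d = {};
    for (const c of CATEGORIES) d[c] = granted[c] === true;
    this.storage.setItem('consent', JSON.stringify(d));
    for (const c of CATEGORIES) {
      if (d[c]) for (const url of this.pending.get(c) || []) this.load(url);
      this.pending.delete(c);
    }
    return d;
  }

  // Withdrawal wipes the decision so the banner is shown again. A script
  // that is already running cannot be unloaded, which is exactly why it
  // must not be loaded before consent in the first place.
  withdraw() {
    this.storage.removeItem('consent');
  }

  load(url) {
    if (!this.loaded.has(url)) {
      this.loaded.add(url);
      this.loadScript(url);
    }
  }

  // The gate: 'loaded' if consented, 'queued' while no decision exists,
  // 'blocked' if rejected. The page itself keeps working in every case.
  require(category, url) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
    if (this.hasConsent(category)) { this.load(url); return 'loaded'; }
    if (this.decision() === null) {
      if (!this.pending.has(category)) this.pending.set(category, []);
      this.pending.get(category).push(url);
      return 'queued';
    }
    return 'blocked';
  }
}

// Two-click social plug-in: the page shows a locally hosted logo image.
// The first click only reveals a confirmation; the second click records
// consent for the 'social' category and fetches the real widget.
class TwoClickWidget {
  constructor(consent, widgetUrl) {
    this.consent = consent;
    this.widgetUrl = widgetUrl;
    this.state = 'placeholder';
  }
  firstClick() { if (this.state === 'placeholder') this.state = 'confirm'; return this.state; }
  confirm() {
    if (this.state !== 'confirm') return this.state;
    this.consent.record({ ...(this.consent.decision() || {}), social: true });
    this.consent.load(this.widgetUrl);
    this.state = 'active';
    return this.state;
  }
}
```

The important property is that `require()` is the only path by which a tracking URL reaches the script loader, so a developer cannot accidentally embed Google Analytics or a share button ahead of the banner; a rejected category returns `'blocked'` and the rest of the page is unaffected.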

Point out tracking tools

If you want to use tracking tools like Google Analytics, Google Tag Manager or Google Search Console on your website, that is your right. You can use Google Analytics, for example, to find out how your users behave online. However, if you want to use such a tool, there are requirements you need to follow.

For example, you are obliged to refer to tracking tools in the cookie banner and to provide information about them in the privacy policy of your website. Users must be informed about which data or information is passed on to third parties and must also be able to reject this transfer via the so-called opt-out.

Before the introduction of the General Data Protection Regulation, it was common for Google Analytics and other tracking tools to collect the full IP address of users. Since 2018, however, this can be prevented by anonymizing the user's IP address. In Google Analytics, anonymization is switched on by adding the "anonymizeIP" setting to the Google Analytics code.

This setting ensures that the end of the IP address is removed before the address is processed, so that the address is anonymized.

Design newsletter DSGVO compliant

If you want to send a regular newsletter or promotional email from your website to your customers, you need to make this newsletter DSGVO compliant. For example, it is mandatory to obtain consent from your users in accordance with Article 7 DSGVO for you to send the newsletter to them. 

First, consent must be given via a checkbox that the user actively ticks, by which they agree to the privacy policy. If website operators do not have this consent, they are not allowed to send the newsletter.

Secondly, you must use the double opt-in procedure (double consent) for the newsletter: in the first step, the recipient gives their consent to receive the newsletter by e-mail.

In the second step, the company sends a link to the recipient's e-mail address. Via this link, the recipient must confirm once again that they actually wish to receive the newsletter regularly and that they are the legitimate owner of the e-mail address. Only after this second confirmation by e-mail may the recipient be added to the newsletter distribution list.

Furthermore, fields such as the user's name, address or age may only be optional and must not be marked as mandatory fields. The only mandatory field should be the e-mail address.

Also, give newsletter recipients the option to unsubscribe at any time via a link. The user's e-mail address must then be deleted from your address book immediately.

Obtain consent for data collected in the contact form

Personal data entered in a contact form, for example, may only be collected if the visitor consents. All information on the processing of this personal data must be set out in a DSGVO-compliant way in the privacy policy, and the user must agree to that privacy policy.

For this reason, every time users provide data, they must give their consent that they agree that the data collected may be further processed or that the user may even be contacted if necessary. Just as with the newsletter, information on collected and processed data must be listed in the privacy policy. 

Attention: information and personal data that visitors give voluntarily via the contact form may not be added directly to the newsletter distribution list. A strict prohibition of coupling applies here. Sending the newsletter to the respective e-mail address requires separate, explicit consent.

Like the newsletter, the contact form must also follow the principle of data minimisation (data economy). Do not make fields mandatory if you do not absolutely need that data. An e-mail address for a possible reply should usually suffice, although this depends on the situation.

Conclude a commissioned processing contract

A commissioned processing contract (data processing agreement) must always be concluded if you pass on personal data and information to third parties. Third parties here can be Google (Analytics) or e-mail providers, for example. The contract between you and these parties defines the scope of the data processing in a binding way.

Make sure that all third-party providers operate in a legally compliant manner and adhere to the DSGVO. The content requirements of such a contract are set out in Article 28, paragraph 3 of the DSGVO.

When must websites be designed to be DSGVO compliant?

Websites must be designed in a DSGVO-compliant manner as soon as a website collects personal data. It is important to write a complete DSGVO-compliant privacy policy, which must include any information about collected data or user rights.

Why do you need to build a website in accordance with the DSGVO?

You have to build a website in accordance with the General Data Protection Regulation, because you can expect fines or warnings if you provide incorrect information or insufficient information about the data collection. Likewise, an incomplete privacy policy can have similar consequences.

Another violation of DSGVO compliance is the lack of user consent for tracking tools such as Google Analytics, for social plug-ins, data sharing or cookie usage. Any collected data, queries or tracking via Google Analytics and Co. must be mentioned in the privacy policy.

The violations of the General Data Protection Regulation and the fines they carry are set out in Article 83, paragraphs 4 and 5 DSGVO.

Conclusion 

Making a website legally compliant, and thus DSGVO compliant, is important for operators in order to avoid being drawn into a legal dispute. Furthermore, it is better to ask your users for consent to the processing of personal data once too often than once too seldom. In any case, make sure that your website does not violate the requirements and follow the rules of the DSGVO.

Are you not sure if your website is legally compliant or do you need help to make your website DSGVO compliant? Then feel free to contact us or use our decareto website audit. We are always at your side!

Author: Eckhard Schneider
