WordPress DSGVO Check: What needs to be considered? | decareto

Created 21 March 2023

Since the General Data Protection Regulation (DSGVO) came into force in 2018, the rules for data protection have become stricter. Accordingly, all WordPress websites must be optimized and adapted to the DSGVO.

With the help of a DSGVO Check, you can check whether your WordPress website is designed to be DSGVO-compliant or whether you still need to make adjustments. This article explains what a WordPress DSGVO check is, how such a check is carried out, and what you have to pay particular attention to with WordPress with regard to data protection.

What are the components of a WordPress DSGVO Check?

Privacy policy and imprint

The privacy policy and the imprint are two important components of a DSGVO-compliant WordPress website, because both are documents that are considered legal texts. With both the privacy policy and the imprint, it is important that they are complete, always kept up to date, and that all necessary information is listed.

For the privacy policy, this includes:

the purpose and manner of collecting personal data, together with the legal basis

the information about which data is collected

the storage period of the data

the recipient of this data (third parties)

the user rights

any information about the use of analysis or tracking tools, (social) plugins and/or cookies

a notice of the right of withdrawal

And for the imprint:

the register number and the location of the register

the sales tax identification number or the business identification number 

for freelancers the chamber affiliation

in the case of online stores or service providers, the information on the consumer arbitration board.

Both documents must also contain information about the person responsible, i.e. the operator of the WordPress website. At a minimum, the full name and contact details (address, telephone number and e-mail address) must be provided. 

SSL certificate

In order to encrypt the connection to your WordPress website, an SSL certificate is required. An encrypted site assures your visitors of a secure data exchange with you and at the same time ensures that third parties cannot intercept this data in transit. Encrypting your own site is also a ranking factor on Google, which means that encrypted websites are displayed higher in Google results than unencrypted ones.

In addition, since the General Data Protection Regulation came into force, it has also become mandatory to offer your own site to users securely and in encrypted form. With encryption in place, data is transmitted to and from the page via the HTTPS protocol. The URL beginning with "https" and the lock symbol next to it show your visitors that your site is encrypted and that you care about data protection.

Cookie banner

A cookie banner gives your visitors the option of agreeing to or rejecting the use of tracking, analysis tools or other cookies. A distinction is made here between technically necessary and marketing cookies. The use of marketing cookies must be explicitly permitted by users.

Each tool for which you require user consent can be listed in the cookie banner, but must in any case be explained in detail in the privacy policy. There, describe what the tools or cookies are and what you use them for on your WordPress website. If you pass on the collected personal data to third parties, this must of course also be explained and consent obtained for it.

Third-party providers such as Google Analytics or Google Fonts

It is by now well known that embedding Google Analytics and Google Fonts on websites is not legally compliant without further measures. This is because Google is a company based in the USA, which is outside the European Union and therefore outside the scope of the General Data Protection Regulation.

For analysis purposes, it is therefore better to use tools where the providers are located within the EU, but still obtain the consent of your visitors for their use.

If you have chosen a WordPress theme for your new site, you should make sure that it does not embed Google Fonts. Otherwise a connection to Google's servers is established automatically as soon as your page is opened.

You can easily find out whether your WordPress theme uses Google Fonts by opening the Developer Console and checking in the "Source Code" tab which data is loaded from which servers. You can open the developer console either via:

Right-click → "Inspect"

or

Ctrl + Shift + J

Finally, in "Source Code" (or "Sources"), search for the host names "fonts.googleapis.com" and "fonts.gstatic.com". Optionally, you can also search for the keyword "Google".
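The same check can be automated over a page's HTML. The following is an added example, not code from the original article or from decareto: it lists every host a page pulls resources from and flags the two Google Fonts hosts named above. The HTML, the site origin `https://example-site.invalid` and the theme path are constructed sample values; it goes slightly beyond the text by reporting all third-party hosts, not only Google's.

```javascript
// Constructed sample HTML standing in for a rendered WordPress theme page.
const SAMPLE_HTML = `
<!doctype html><html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto&display=swap">
<link rel="stylesheet" href="/wp-content/themes/example-theme/style.css">
<style>@font-face{font-family:Lato;src:url(https://fonts.gstatic.com/s/lato/v24/abc.woff2)}</style>
<script src="https://example-site.invalid/wp-includes/js/jquery.js"></script>
</head><body><img src="/wp-content/uploads/logo.png"></body></html>`;

// Hosts the article tells you to search for in the Sources tab.
const GOOGLE_FONT_HOSTS = new Set(['fonts.googleapis.com', 'fonts.gstatic.com']);

// Pull every URL out of src/href attributes and CSS url(...) calls.
function extractUrls(html) {
  const urls = [];
  const attrRe = /\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const cssUrlRe = /url\(\s*["']?([^"')]+)["']?\s*\)/gi;
  for (const re of [attrRe, cssUrlRe]) {
    let m;
    while ((m = re.exec(html)) !== null) urls.push(m[1]);
  }
  return urls;
}

// Resolve each URL against the site's own origin and report third-party hosts.
// Returns { externalHosts: [...sorted], googleFontHosts: [...sorted] }.
function auditExternalHosts(html, siteOrigin) {
  const ownHost = new URL(siteOrigin).host;
  const external = new Set();
  for (const raw of extractUrls(html)) {
    let url;
    try { url = new URL(raw, siteOrigin); } catch (e) { continue; } // unparsable value
    if (!/^https?:$/.test(url.protocol)) continue; // ignore data:, mailto:, etc.
    if (url.host !== ownHost) external.add(url.host);
  }
  const externalHosts = [...external].sort();
  return {
    externalHosts,
    googleFontHosts: externalHosts.filter((h) => GOOGLE_FONT_HOSTS.has(h)),
  };
}

// Stand-alone run against the constructed sample.
console.log(auditExternalHosts(SAMPLE_HTML, 'https://example-site.invalid'));
```

Anything listed under `externalHosts` that you did not consciously embed (and disclose in the privacy policy) deserves the same scrutiny as the Google hosts.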

Social Plugins

Would you like to add your social networking profiles to your WordPress website? These are called social plugins, and you need to be careful with them. Simply embedding your profiles on other networks via social plugins without restriction is not permitted and unlawful. The reason: as soon as users access your site, the social plugins establish a connection to the respective social networks, and personal data is forwarded to these servers.

Therefore, make sure that you integrate social plugins in a legally compliant manner, for example by initially showing only a static image of the social network, so that data is forwarded to the network only when the user clicks on it. Even with such an integration, you must still obtain your visitors' consent for the transfer of data.

Contact form, newsletter and comments

Beyond the cookie banner, it is also important to obtain consent from users for data collection if they need to provide their contact information on your WordPress website. This is the case, for example, with the contact form, newsletter and comment fields. 

Since you have already explained in detail in the privacy policy how you process this personal data in the newsletter and other forms and how long you store it, it is sufficient at this point if you simply provide a checkbox for users. By confirming this field, users assure you that they have read and agree to the privacy policy.

How can you perform a WordPress DSGVO Check?

You can either perform a WordPress DSGVO Check yourself using the above criteria or have it handled by a company specializing in DSGVO compliance. With them, you can usually just paste the URL of your WordPress website and the check will be run.

Since you can expect warnings or penalties for non-compliant websites, we recommend that you have the DSGVO check performed by a specialized company. Such companies are more accurate, work in more detail, and also help you fix the unlawful errors on your site.

What do I have to pay attention to with WordPress in terms of data protection?

With WordPress, you have to pay special attention to protecting your visitors' personal data and preserving their privacy. However, you can only do this if you obtain the consent of the users for the collection of the data. Likewise, this applies when you share the data with third parties through plugins, cookies or other tools - you must not do this without the users' consent.

Likewise, this is the case when embedding third-party fonts, videos, audio, advertisements, images, etc. If these are loaded when your WordPress website is opened, personal data of the users is passed on to these "strangers" and the data protection of the visitors can no longer be guaranteed.

Conclusion

When you create a WordPress website, the data protection and privacy of your visitors must always come first. To manage this, you should always follow the criteria of the General Data Protection Regulation and regularly optimize your site accordingly.

If you are not sure whether your WordPress website is designed legally, you should have a WordPress DSGVO Check performed to protect you and your website from warnings or penalties.

If you are interested in a DSGVO check, feel free to contact us at decareto, we will be happy to check your entire website including subpages for DSGVO compliance with our DSGVO checker. We look forward to hearing from you!

Author: Eckhard Schneider
