
GDPR: EU General Data Protection Regulation

GDPR & ePD & TTDSG

A short overview for smaller websites:

  • No cookie banner is needed for the technically necessary WordPress session cookies alone, but a paragraph describing them in your privacy policy is advisable.
  • A privacy policy can be created with an online generator and adapted to your site.
  • Google web fonts must be hosted locally: loading them from Google's servers transmits every visitor's IP address to Google.
  • Videos can be hosted locally and embedded with the HTML5 video element instead of via YouTube or Vimeo.
  • Contact and other forms can be protected with CAPTCHAs or spam filters that do not transmit personal data to third-party providers (Google reCAPTCHA does).
  • Google Maps and YouTube videos can each be placed behind an individual consent request, so that nothing is requested from the third party until the visitor clicks.
  • If tracking, marketing or similar tools are also used, a cookie consent banner for the entire website should be considered (see below).

Recommendation for all WordPress website owners: sign a data processing agreement (Art. 28 GDPR) with your hosting provider, which processes personal data on your behalf, for example in server log files or statistics tools such as Webalizer or AWStats, and with any other third-party provider that processes personal data for you.

Services:

I would be happy to help you with your legal notice and privacy policy, or to integrate data protection texts created with a generator or by your legal advisor into your website.

  • Consultation
  • Creation of legal notice (imprint) and privacy policy texts via online generators
  • Integration of individual consent requests
  • Integration of cookie consent banners
  • Spam protection and data protection consent for forms

GDPR & ePD & TTDSG – more detailed:

  • General Data Protection Regulation (GDPR).
  • Privacy and Electronic Communications Directive (ePD: ePrivacy Directive) (2002/58/EC).
  • Telecommunications-Telemedia Data Protection Act (TTDSG).

Data protection texts, cookie notices and anonymized IP addresses – a little guide for your WordPress websites.

Web fonts from Google, Adobe etc.: fonts should be hosted locally!

Loading fonts from fonts.googleapis.com or fonts.gstatic.com (or from Adobe's servers) sends a request, and with it the visitor's IP address, to that provider on every page view. Host the font files on your own server and reference them from your own stylesheet instead. A quick check: open the browser developer tools, reload the page and filter the network requests for googleapis, gstatic or typekit; nothing should appear.
You can also use 'web-safe' fonts such as Arial, which are installed on almost all devices, provided your design can accommodate this.
It would be great if all operating systems (Microsoft Windows, Apple macOS and iOS, Google Android, Linux etc., or all browsers) shipped with the top 100 web fonts. This would also save resources, traffic and CO₂.

Cookies

For technically necessary cookies (session cookies, for example those set by the WordPress core for logged-in users or by a language switcher), which are only set for the duration of the visit, no cookie banner is required. A paragraph in the privacy policy about their purpose and function is sufficient.

Consent is required for all other cookies (tracking, marketing, other functions and tools). Important: the consent must be freely given and must not be obtained by unfair influence, for example by presenting the reject option less prominently than the accept option.
Consent can be implemented for the entire website or only on individual subpages, for example those on which a YouTube video is embedded.
Links to mandatory information such as the legal notice and privacy policy must remain reachable and must not be covered by the cookie consent banner.
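The per-embed consent described above (a video that is only loaded from the third party after the visitor clicks), as an added example that is not code from the original post or from any WordPress plugin it mentions. It handles YouTube and Vimeo; Google Maps works the same way with its own embed URL. The consent store, the data-attribute markup and the button wording are assumptions of this example; the youtube-nocookie.com domain and Vimeo's dnt=1 parameter are the providers' own privacy options.

```javascript
// Added example (not code from the original post or from any WordPress plugin it mentions).
// Click-to-load wrapper for YouTube and Vimeo embeds. The provider's iframe is created only
// after the visitor has clicked the consent button, so no request (and therefore no IP
// address) reaches the provider beforehand. Consent is remembered per provider.

const PROVIDERS = {
  youtube: {
    label: "YouTube (Google)",
    idPattern: /^[A-Za-z0-9_-]{11}$/,                // YouTube video IDs: 11 URL-safe characters
    embedUrl: (id) => `https://www.youtube-nocookie.com/embed/${id}`, // privacy-enhanced domain
  },
  vimeo: {
    label: "Vimeo",
    idPattern: /^[0-9]{6,12}$/,                      // numeric Vimeo video IDs
    embedUrl: (id) => `https://player.vimeo.com/video/${id}?dnt=1`,   // dnt=1: Vimeo "do not track"
  },
};

// Consent store: in memory, optionally persisted (in the browser: localStorage).
// Assumption: remembering the visitor's own consent decision is a strictly necessary purpose.
class ConsentStore {
  constructor(storage = null) {
    this.storage = storage;
    this.cache = new Map();
  }
  key(provider) { return `embed-consent:${provider}`; }
  has(provider) {
    if (!this.cache.has(provider)) {
      const stored = this.storage ? this.storage.getItem(this.key(provider)) === "1" : false;
      this.cache.set(provider, stored);
    }
    return this.cache.get(provider);
  }
  grant(provider) {
    this.cache.set(provider, true);
    if (this.storage) this.storage.setItem(this.key(provider), "1");
  }
  revoke(provider) {
    this.cache.set(provider, false);
    if (this.storage) this.storage.removeItem(this.key(provider));
  }
}

const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

// Validate provider and video ID before either reaches markup or a URL; anything else is rejected.
function resolve(provider, id) {
  const p = PROVIDERS[provider];
  if (!p) throw new Error(`unknown embed provider: ${provider}`);
  if (typeof id !== "string" || !p.idPattern.test(id)) throw new Error(`invalid ${provider} video id`);
  return p;
}

// Placeholder shown before consent: text plus a button. Deliberately no preview image from the
// provider, because fetching one would already transmit the visitor's IP address.
function placeholderHtml(provider, id) {
  const p = resolve(provider, id);
  const label = escapeHtml(p.label);
  return (
    `<div class="embed-placeholder" data-embed-provider="${provider}" data-embed-id="${id}">` +
    `<p>This content is hosted by ${label}. Loading it transmits your IP address to ${label} ` +
    `(see privacy policy).</p>` +
    `<button type="button" data-embed-consent="${provider}">Load content from ${label}</button>` +
    `</div>`
  );
}

// The real iframe, emitted only after consent. sandbox limits what the embedded page may do.
function embedHtml(provider, id) {
  const p = resolve(provider, id);
  return (
    `<iframe src="${p.embedUrl(id)}" loading="lazy" allowfullscreen referrerpolicy="strict-origin" ` +
    `sandbox="allow-scripts allow-same-origin allow-popups allow-presentation"></iframe>`
  );
}

function renderEmbed(provider, id, consent) {
  return consent.has(provider) ? embedHtml(provider, id) : placeholderHtml(provider, id);
}

// Browser wiring (skipped under Node, where there is no document). Markers in the page look like
// <div data-embed-provider="youtube" data-embed-id="..."></div>; a click on a consent button
// records consent for that provider and re-renders all of its markers.
if (typeof document !== "undefined") {
  const consent = new ConsentStore(window.localStorage);
  const renderAll = () => {
    document.querySelectorAll("[data-embed-provider][data-embed-id]").forEach((el) => {
      try { el.outerHTML = renderEmbed(el.dataset.embedProvider, el.dataset.embedId, consent); }
      catch (e) { console.warn(e.message); }      // leave malformed markers untouched
    });
  };
  document.addEventListener("click", (ev) => {
    const btn = ev.target.closest("button[data-embed-consent]");
    if (btn) { consent.grant(btn.dataset.embedConsent); renderAll(); }
  });
  renderAll();
}
```

The two points a practitioner should check in any such wrapper are visible here: the placeholder contains no URL of the provider at all (a preview thumbnail fetched from YouTube would already leak the address), and the video ID is validated against a strict pattern before it is written into an attribute or URL, so a manipulated marker cannot inject markup.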

Analytics tools such as Google Analytics or Matomo should be configured to truncate (anonymize) IP addresses before they are stored; the same applies to the server log files evaluated by Webalizer or AWStats. Embedded services such as YouTube only receive the visitor's address once the embed is actually loaded, which is why it should sit behind a consent request.
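What "anonymized IP addresses" means in practice, as an added example (not code from the original post, from Matomo or from Google Analytics): the low-order part of the address is zeroed before it is written to the log or the analytics database. The widths used here, the last octet of an IPv4 address and the last 80 bits of an IPv6 address, are those of Google Analytics' former anonymizeIp option; both are parameters. The log line is constructed for the example.

```javascript
// Added example, not code from the original post or from Matomo/Google Analytics.
// IP truncation for "anonymized" analytics and log files: the last octet of an IPv4
// address and the last 80 bits of an IPv6 address are zeroed before the address is
// stored (the truncation Google Analytics applied with anonymizeIp). Both widths are parameters.

// Parse an IPv6 address into its eight 16-bit groups; returns null if it is not one.
// Embedded-IPv4 notation (::ffff:192.0.2.1) is not accepted here.
function parseIPv6(ip) {
  const halves = ip.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// Render eight groups back to text, compressing the longest run of zero groups to "::".
function formatIPv6(groups) {
  let best = { start: -1, len: 0 };
  let cur = { start: -1, len: 0 };
  groups.forEach((g, i) => {
    if (g !== 0) { cur = { start: -1, len: 0 }; return; }
    cur = cur.start < 0 ? { start: i, len: 1 } : { start: cur.start, len: cur.len + 1 };
    if (cur.len > best.len) best = cur;
  });
  const hex = groups.map((g) => g.toString(16));
  if (best.len < 2) return hex.join(":");
  return hex.slice(0, best.start).join(":") + "::" + hex.slice(best.start + best.len).join(":");
}

function anonymizeIp(ip, { v4Octets = 1, v6Bits = 80 } = {}) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (v4) {
    const octets = v4.slice(1).map(Number);
    if (octets.some((o) => o > 255)) throw new Error(`invalid IPv4 address: ${ip}`);
    const n = Math.min(Math.max(v4Octets, 0), 4);
    for (let i = 4 - n; i < 4; i++) octets[i] = 0;        // zero the low-order octets
    return octets.join(".");
  }
  const groups = parseIPv6(ip);
  if (!groups) throw new Error(`not an IPv4 or IPv6 address: ${ip}`);
  let bits = Math.min(Math.max(v6Bits, 0), 128);
  for (let i = 7; i >= 0 && bits > 0; i--) {              // zero the low-order bits, group by group
    const take = Math.min(16, bits);
    groups[i] &= (0xffff << take) & 0xffff;
    bits -= take;
  }
  return formatIPv6(groups);
}

// Apply it to a web server log line (combined log format: the client address is the first
// field), so that what Webalizer, AWStats or Matomo later read never contains the full address.
function anonymizeLogLine(line) {
  const sp = line.indexOf(" ");
  return sp < 0 ? line : anonymizeIp(line.slice(0, sp)) + line.slice(sp);
}

// Constructed sample line for the example (not a real log entry).
const SAMPLE_LOG_LINE =
  '203.0.113.42 - - [10/Oct/2023:13:55:36 +0200] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"';
```

Caveat: zeroing one octet still leaves 256 candidate addresses, so this is a reduction of identifiability rather than true anonymization; the point is that the full address never reaches the statistics tool or the stored log in the first place. Malformed addresses are rejected rather than passed through, so a bad log line cannot smuggle a full address past the filter.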

Here are some common tools that require consent:

  • Google Maps (including a custom map via the Google Maps API)
  • Google reCAPTCHA (may also load Google web fonts!)
  • Google Analytics (tracking cookies)
  • Google Conversion Tracking
  • Google Tag Manager
  • Google Ads
  • Google AdSense
  • Google DoubleClick
  • YouTube & Vimeo
  • Matomo (formerly Piwik)
  • Facebook Pixel
  • Facebook Conversions API
  • WordPress plugins such as WP Statistics, and their counterparts in other CMS
  • Newsletter registration/distribution

Adaptation of your legal texts to the EU General Data Protection Regulation and ePrivacy:
A GDPR-compliant privacy policy should be customised for your company.

What you should consider:

Which paragraphs a privacy policy should contain, and which changes are advisable, depends on the functionality of your website as well as the size and legal status of your company. Explain as simply as possible how you handle personal data. For most simple websites without further automated data processing it is advisable to include the following paragraphs on the EU General Data Protection Regulation in your data protection texts, where applicable:

  • Data processing
  • Disclosure of personal data (third-party providers etc.)
  • Security of personal data
  • Personal data of children and adolescents
  • Right of information
  • Storage, storage duration, storage location
  • Data portability / change of provider
  • Right to erasure / right to be forgotten
  • Right to object to data processing / right of withdrawal
  • Right to lodge a complaint with a supervisory authority
  • Cookies
  • Social networks

Legitimate interest?

Tracking: legitimate interest versus user-friendliness. Legitimate interest (Art. 6(1)(f) GDPR) is a legal basis separate from consent, but it does not cover tracking cookies and similar identifiers stored on the visitor's device, which require consent under the TTDSG; in practice tracking tools are therefore used only after consent has been obtained. Benefits, effort and user-friendliness should also be weighed up here, as even asking for consent can cause the user to leave the website and thus raise the bounce rate. If tracking is only needed for statistics, an evaluation of the server log files, for example via Webalizer, AWStats or Matomo, can be sufficient, provided the IP addresses are anonymized.

Google Maps notice: please note that copyright law and Google's terms of use do not permit screenshots of Google Maps to be used, for example as a preview image in front of an embedded map. Use your own image or a neutral placeholder instead.

Notice:

The above recommendations are not legally binding. Consultations by CE WebDesign Munich on your legal notice and your data protection texts are merely recommendations and do not constitute legal advice or guarantee legally compliant texts. A legal review of the texts is recommended. CE WebDesign Munich accepts no liability for content created on behalf of customers on their websites. The operator of the respective website is solely responsible for its content.