Data protection on websites

As the website operator, we are responsible for our website. We must therefore implement the applicable data protection law. What exactly do we have to do?

I am constantly adding to this article and will take you step by step through the topics that may be important for your website.

Disclaimer: This article does not constitute legal advice or a substitute for consulting a lawyer. It is based on my own research, training and experience on this topic. I cannot accept any liability for its accuracy. For comprehensive reading on the subject of data protection and WordPress, I also recommend the sources listed below.

* * *

The GDPR generally applies to every website operator, with the exception of purely private websites that are not publicly accessible.

Personal data

All personal data must be protected, including

Name
Address
Email address
Telephone number
Date of birth
Account details
Location information
IP addresses

Since the IP address is also transmitted when a website is accessed, it is clear that the EU regulation applies to every website.

The principles of data protection newly formulated in the GDPR are Lawfulness of data processing, data minimisation, purpose limitation, data security, transfer to third countries, rights of data subjects, independent supervision, effective enforcement.

Personal data may be processed if a) there is a legal basis or b) explicit consent has been given, otherwise not. Only data that is really necessary for the respective purpose may be collected. And if this purpose no longer applies, the data must be deleted (e.g. cancellation of the newsletter subscription). This also has consequences for existing databases.

Step by step

WordPress and data protection

Some of the following list is self-evident, but it should be mentioned again here anyway. For example, as a website operator, you are not ensuring the best possible data protection according to the state of the art if you do not regularly install the latest updates.

Always keep WordPress, your theme and all plugins up to date (Update administration).
Also all server-side technologies (PHP, MySQL, Linux, Apache, etc.). Check the hoster settings and update if necessary.
Encrypt the data transmission of your website (https / SSL).
Choose a strong password for each WordPress login. Important!
Regular data backups (backups). Daily is best. Find out about the possibility of importing backups, this saves time and nerves in an emergency.
If you commission third parties to process the personal data collected from you, an order processing contract must be concluded with them; classic cases are your hoster, Google Analytics or newsletter services.
Does your site use Google fonts? Probably yes! If so, you should integrate these fonts locally on your server and prevent access to the Google server, which provides both data security and speed benefits.
Check all plugins used to see whether they collect and store personal data; examples include WooCommerce, newsletter plugins, analytics plugins, etc.
Avoid plugins from services that transfer personal data (usually IP addresses) to servers outside the EU. Examples are MailChimp (newsletter service), iThemes Security (website protection).
Anonymise the IP addresses in any analysis software (e.g. Google Analytics).
Contact form: Integrate a consent checkbox for data processing as a mandatory field.
Newsletter subscription function: integrate a consent checkbox for data processing as a mandatory field.
Make sure that your web server sends outgoing mails encrypted, e.g. with an SMTP plugin (SMTP server port 465 or 587).
Anonnymise IP transmission for blog comments.
Deactivate the avatar display in WordPress.
Update your privacy policy - regularly!
Keep a register of data processing activities.
In the event of a data breach (e.g. if your site has been hacked), contact the responsible supervisory authority (data protection officer of the respective federal state) within 72 hours, Link to the State Commissioner for Data Protection in Bavaria).

I will advise and support you in implementing the new data protection law on your website

As an eRecht24 agency partner, I can support my customers in the implementation of a correct privacy policy in accordance with the GDPR and in the area of legal notices. Part of my services in the area of website creation is of course also the support in the implementation of a GDPR-compliant privacy policy and practical, lawyer-approved content on the GDPR.

As a web developer, I offer you the technical implementation and integration of legally compliant tools. The most frequently affected functional areas of a website are already mentioned here: Encryption, cookie notification, avoidance of external server access, form customisation, sharing function, local integration of Google fonts and symbol fonts, newsletter management, backup and update administration.

Data protection service for your website

Copyrights (off-topic)

Something that is not thematically related to the GDPR, but which poses a risk of warning letters for many websites, is German copyright law. Images, photos, videos, songs and texts are protected. Only self-created content can be used without any problems. If third-party content is used, a suitable licence agreement must be concluded with the author (e.g. photographer, copywriter) or the rights exploiter (e.g. picture agency). The author must also be named on the work; under German copyright law, naming the author in the legal notice is not sufficient. The latter is often not observed and should be corrected if necessary.

UST-ID and tax number (off-topic)

The tax number is also sometimes entered incorrectly on a website. So: Did you know? - If available, the VAT ID should be included in the legal notice. The following applies to small businesses according to §19 UStG: reference must be made to the small business status. But: the tax number does not belong on the website! It could possibly be used to obtain information about your tax affairs from your tax office.