We have summarised the most important points so that you can check whether your website complies with the current data protection rules.
Wherever personal data is transmitted over a website, directly or indirectly, the provisions of the General Data Protection Regulation (GDPR) apply.
The following areas are affected:
Data transfer via forms, e.g. a contact form or newsletter subscription
Plugins, programming or other tools, e.g. Google Maps, Google reCaptcha, Google Analytics
Order data processing with your web hoster
Data transfer via forms
By filling in and sending the form, the data subject must consent to the use of their data. The purpose of that use must also be made clear (by linking to the data protection policy), and the right to withdraw consent must be pointed out. Finally, the consent itself must be recorded so that it can be demonstrated later. There are plugins which cover these requirements.
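To make the form requirements concrete, here is an added example (not code from the page or from any form plugin) of how a consent record can be kept so that it is demonstrable later: it refuses submissions without an explicit tick, stores which policy version was shown and when, keeps withdrawal as an event instead of deleting the record, and pseudonymises the address so the proof itself carries no clear-text e-mail. The policy URL, version string and the sample form submission are constructed placeholders.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, Optional
import hashlib
import uuid

# Placeholders (assumed, not from the page): where the policy lives and which version was shown.
PRIVACY_POLICY_URL = "https://example.invalid/privacy-policy"
PRIVACY_POLICY_VERSION = "2018-05"


@dataclass
class ConsentRecord:
    """One demonstrable consent: who (pseudonymised), for what, under which policy text, when."""
    consent_id: str
    subject_hash: str          # SHA-256 of the normalised e-mail; the proof holds no clear-text address
    purpose: str               # e.g. "newsletter" or "contact-request"
    policy_url: str            # the policy the data subject was shown when consenting
    policy_version: str
    granted_at: str            # ISO 8601, UTC
    revoked_at: Optional[str] = None


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def _pseudonymise(email: str) -> str:
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


class ConsentStore:
    """In-memory store; a real site would persist this alongside the form plugin's data."""

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def record_consent(self, form: dict, purpose: str) -> ConsentRecord:
        # Consent has to be an explicit, affirmative action: an absent or unticked
        # checkbox is treated as "no", never as a default yes.
        if form.get("consent") != "yes":
            raise ValueError("form submitted without explicit consent; data must not be used")
        email = form.get("email", "")
        if "@" not in email:
            raise ValueError("no usable e-mail address in form")
        record = ConsentRecord(
            consent_id=str(uuid.uuid4()),
            subject_hash=_pseudonymise(email),
            purpose=purpose,
            policy_url=PRIVACY_POLICY_URL,
            policy_version=PRIVACY_POLICY_VERSION,
            granted_at=_now(),
        )
        self._records[record.consent_id] = record
        return record

    def revoke(self, consent_id: str) -> None:
        # Withdrawal is recorded as an event rather than by deleting the record, so that
        # both the original consent and its withdrawal remain demonstrable.
        self._records[consent_id].revoked_at = _now()

    def has_valid_consent(self, email: str, purpose: str) -> bool:
        subject = _pseudonymise(email)
        return any(
            r.subject_hash == subject and r.purpose == purpose and r.revoked_at is None
            for r in self._records.values()
        )

    def export_proof(self, consent_id: str) -> dict:
        """What an auditor would be shown: the record as plain data, without the clear-text address."""
        return asdict(self._records[consent_id])


if __name__ == "__main__":
    # Constructed sample submission from a newsletter form.
    store = ConsentStore()
    rec = store.record_consent({"email": "Alice@Example.org", "consent": "yes"}, "newsletter")
    print(store.has_valid_consent("alice@example.org", "newsletter"))  # True
    store.revoke(rec.consent_id)
    print(store.has_valid_consent("alice@example.org", "newsletter"))  # False
```

The record stores the policy version rather than the policy text, so the site still has to keep every published version of its data protection policy; otherwise the record cannot show what the person actually agreed to.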
To ensure that data submitted through a form is transmitted encrypted, it is advisable to purchase an SSL certificate via the web hoster. The GDPR does not stipulate this explicitly; all implementations have to be derived from the text of the regulation, but the security of the data comes first.
Encryption of websites, recognisable by the padlock shown to the left of the address in the browser's address bar, is standard today and is rewarded accordingly in Google's ranking. Good web hosting companies offer simple encryption, usually included in the hosting package, so that no additional costs are incurred.
Plugins, programming or other tools
These collect data from which conclusions can be drawn about a person. This often happens in the background, without our knowledge. Such tools must therefore be limited where possible, and the way in which they collect data must be explained in the data protection policy.
This includes, for example, Google integrations and services such as Google MyFonts, Google reCaptcha, Google Maps or Google Analytics. Other providers that offer evaluation and statistical tools are also included.
The data protection declaration is how we fulfil our obligation to inform the data subject. In plain language, it should state comprehensively for what purpose, on what legal basis and to what extent data is collected, how long it is stored and what rights the data subject has. Naturally, text templates from lawyers are used here.
Order data processing with the hoster – AV contract
A new requirement is an order data processing contract (also called a data processing agreement) with the hosting service. In principle, whenever the data passes to a third party, such a contract must be concluded with that person or institution.
Since the website's data is stored and administered on the hosting provider's server, this contract is required as well. Typically, the contract is concluded online within the customer menu. It lists the types of data involved, and the hosting provider undertakes to protect the data as far as possible. When Google Analytics is integrated, an AV contract must also be signed with Google.
In the case of an external audit by the data protection officer of the respective federal state, the order data processing contract is always part of what is examined. It should therefore not be neglected.