GDPR for websites & online shops including a checklist

The GDPR – the General Data Protection Regulation – has been in force since the end of May 2018. Despite a two-year “transition period”, many companies, associations and webmasters were caught completely off guard by the new rules. “Ignorance is no excuse”, which is why you have to deal with the GDPR and implement the relevant provisions in your own company and on your websites. I have worked intensively on the General Data Protection Regulation and would now like to give you tips and answer frequently asked questions.

GDPR – what is it actually?

The General Data Protection Regulation – GDPR for short – is a new EU regulation that aims to harmonize data protection standards throughout the European Union. It mainly regulates the handling of personal data and therefore affects every company in the EU, as well as any company that has access to personal data (e.g. names, e-mail addresses or telephone numbers) of EU citizens. There are no exceptions: whether sole proprietorship, association or large company, the GDPR affects everyone.

The GDPR for websites & shops

Personal data is also processed on websites and especially in online shops, which is why there is a need for action here too. I am often asked whether there is a need for action on every website. I can clearly answer “yes”, because you often don’t really know what data is actually being transferred in a shop or on a website. Plugins or scripts currently in use, for example from Facebook, like to access data “in the background” without you or the user noticing anything. But even if you don’t use such services, at least the privacy policy of a website has to be adapted.

Privacy policy

Art. 12 GDPR requires that the necessary information be communicated to users “[…] in a concise, transparent, intelligible and easily accessible form, using clear and plain language […]”. Hardly any privacy policy created in recent years meets this requirement. Furthermore, the privacy policy must of course also inform users how personal data such as e-mail addresses or the IP address are used.

Free of charge in the newsletter: Is the implementation of the GDPR on your website still a big mystery to you? My personal GDPR checklist sheds light on the matter and helps you implement the General Data Protection Regulation in your online project. Register & receive the checklist free of charge.

Cookies

Cookies have long been a hot topic. Can I use cookies? Do I have to point this out to the user? Do I even need consent? Two recent judgments force every website or shop operator to think about cookies: the judgments of the European Court of Justice of October 1, 2019 and July 29, 2019. You don’t need to read through the judgments yourself; the most important point is this: the user must actively consent before a cookie may even be set.

A solution therefore had to be found for this online marketing site that makes exactly that possible, and I am happy to report that I found a safe and easy one: the Borlabs Cookie plugin. This plugin lets you integrate cookies, for example from Google Analytics, in the prescribed way: only once the user has agreed is the respective script activated and the cookie set. It can look like this, for example:

[Image: WordPress cookie plugin]

Each user also has the option of determining which cookies they want to accept and which they do not. This can be done in the individual privacy settings:

[Image: WordPress cookie settings]

In this overview you can see the “External Media” category, because these can also become a problem. For example, if you embed a YouTube video in your website, a cookie is set immediately, without the user having played the video. That is also a problem. Borlabs therefore automatically blocks this content and covers it with a banner, so that the user must first agree before the video can be displayed:

[Image: Blocking YouTube with Borlabs Cookie]

With Borlabs Cookie you don’t have to re-embed every video on your website from scratch. The plugin finds the sources automatically and blocks them until the user has given consent. By the way: you can customize the appearance of the cookie banner and the “blocking banner” for external media in Borlabs Cookie without any knowledge of CSS.

Plugins & scripts

Many websites and shops use plugins to add functionality. The problem: with many plugins it is not easy to tell whether any personal data is being passed on to third parties. In most cases this would not be allowed. In addition, in such cases a data processing agreement (ADV contract) must be concluded with the third party, which must cover, for example, the subject and duration of the processing, the type and purpose of the processing, and the type of personal data.

This also applies, for example, to the “Share & Like” scripts that Facebook and Co. offer for websites. Here, too, data is passed on to third parties. Analytics services such as Google Analytics should also be taken into account, because in this case too the tool collects personal data from your website. By the way, you can find out how you can continue to use Google Analytics in my free, personal GDPR checklist.

One point that is very often overlooked is embedded videos, because here, too, a connection is in most cases established to another server, which may then also be able to access the personal data of your users. You can also find more information on this in my GDPR checklist.

Forms

Almost every website has at least one contact form, through which users can transmit personal data to you. So that the transmission of e-mail address, name, telephone number etc. is really secure and nobody can intercept the data, you should ensure that this data is transmitted encrypted, which requires an SSL certificate. You can tell whether a website has an SSL certificate not only from a URL beginning with https://, but nowadays also from the address bar of many browsers:

[Image: An SSL certificate can be recognized by the green lock in the browser]

By the way, in most cases you can order an SSL certificate directly from your hosting provider.

With forms, however, the question arises whether such a form requires the explicit consent of the user. Here, too, I have to tell you again: there is no unequivocal answer. Personally, I do not require any special consent for simple contact forms, because everyone who contacts me via a contact form is aware that I have to process the data in order to answer them. In civil law this is referred to as an implied declaration of intent: consent that is given through conclusive behavior without an express declaration. In this case, however, the data may really only be processed for the obvious purpose; additional consent would be required for a newsletter entry or the like. What should not be omitted, however, is a reference to contact forms in the privacy policy.

Google web fonts

Opinions are still divided on the correct use of Google web fonts. While some download Google Fonts and host them directly on the website so that no connection is made to a Google server, others argue with a “legitimate interest”. Because let’s be honest, the GDPR cannot mean that we go back 10 years on the web. I also take the “legitimate interest” point of view here. Of course, the use of Google Fonts must also be mentioned in the privacy policy.

Email marketing

With email marketing, too, there are a few things to consider with regard to the GDPR. First, you should always work with the double opt-in procedure. This means that a user signs up to your e-mail list and then has to confirm their e-mail address again using a link in a confirmation e-mail. This ensures that users cannot simply enter arbitrary e-mail addresses for which they do not actually have permission to send a newsletter.

Another point here is the ADV contract. You have to conclude this with your email marketing provider (for example, Klick-Tipp). There has also been a so-called coupling ban since May 25th. This means that it is forbidden to request data in return for a free product. You should also consider this in your email marketing.

Incidentally, the GDPR affects not only all new sign-ups, but also your old e-mail contacts. If in doubt, you must be able to prove that the users have agreed to be added to your email list and want to receive emails from you. If you cannot verify this in your e-mail list, you should ask the users for renewed consent.

These were some important points that you should consider online with regard to the General Data Protection Regulation. You can find further important tips and hints in my personal free GDPR checklist.

Your questions about the GDPR

In the last few weeks I have been collecting questions in my Facebook group that I would like to answer here to the best of my knowledge. Do you still have questions about the GDPR? I am happy to try to answer those as well. Just leave me a comment below this post.

Can I still build an email list with freebies?

I already mentioned the so-called coupling ban earlier. The point here is that for free products or for participation in competitions, consent to registration in a newsletter or the like may no longer be automatically requested. Once again there are different interpretations of this “coupling ban”, so everything you read here is not confirmed by any judgments or the like, but at the moment really just a matter of interpretation.

Here is one idea of how you can still use freebies to expand your email list: tell users clearly that they are signing up for your newsletter and will receive a gift (your freebie) as a thank you. For my current SEO summer campaign it looks like this, for example:

[Image: Newsletter subscription with a gift]

What do online shops have to consider?

Online shops of course handle much more, and more sensitive, data than a website. Basically, online shops have to observe exactly the same things that normal websites have to observe. There are major differences in shops, especially in the privacy policy: payment providers, for example, must also be listed there.

What do I have to consider with my email marketing provider?

No matter where your email marketing provider is located, the GDPR still has to be observed. For example, you have to conclude a data processing agreement with the provider. In addition, sign-up must always use a double opt-in procedure. If your provider doesn’t offer this, you’d better switch to another provider.

Which plugins can I still use?

Theoretically, you have to check whether and how data is passed on for every plugin. For many plugins, however, the work has already been done for you. You can find a list of over 170 plugins in the GDPR check here.

Can I still use Google Analytics?

Yes, but it is important that you use the “anonymizeIp” function and conclude the ADV contract with Google. You can find out more about this in my GDPR checklist.

Do I need a data protection officer?

There is no general answer to this. Whether you need a data protection officer depends on various factors, among them the size of the company and the data to be processed. You can read more about this here.

What do I have to consider with blog comments?

Some blog systems collect a lot of personal data, such as the e-mail address, the name or the IP address. Here, too, the question is to what extent this data falls under a “legitimate interest”. I have set up my blog so that no data is required and users can decide for themselves whether they want to enter a name or an e-mail address. The IP address is also no longer stored.

GDPR: black and white do not (yet) exist

In many respects the GDPR is really still a matter of interpretation, where you cannot say with certainty whether something was solved right or wrong. In the case of “legitimate interests” in particular, there will always be leeway in which, in case of doubt, courts will have to decide whether or not a legitimate interest exists. Personally, I hope that the first judgments in the coming weeks and months will bring clarity to the GDPR so that clear instructions for action become possible. You can find more detailed information and recommendations for action on implementing the GDPR on websites and online shops in my personal GDPR checklist.
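The consent gating described in the Cookies and Plugins sections (third-party scripts and embedded media stay inert until the user agrees to their category), shown here as an added JavaScript example that is not the Borlabs Cookie plugin's code. The hostname registry, the category names and the data-* attribute names are assumptions for this demo.

```javascript
// Added example, not the Borlabs Cookie plugin's own code. SERVICES maps
// third-party hostnames to the consent category they need (hostnames,
// category and data-* attribute names are assumptions for this demo).
const SERVICES = {
  'www.youtube.com': 'external-media',
  'www.youtube-nocookie.com': 'external-media',
  'www.google-analytics.com': 'statistics',
  'www.googletagmanager.com': 'statistics',
};

// Category a src needs, or null for first-party / relative URLs (never gated).
function serviceCategory(src) {
  try { return SERVICES[new URL(src).hostname] || null; } catch { return null; }
}
// Server-side step: rewrite the page so gated resources are not fetched at all.
// Scripts keep their tag but get type="text/plain" (a browser neither fetches
// nor runs a script whose type is not a JavaScript MIME type) and the real URL
// moves to data-consent-src; gated iframes are replaced by a placeholder.
function gateExternalMedia(html, consent) {
  const script = /<script\b([^>]*?)\ssrc="([^"]+)"([^>]*)>/gi;
  const iframe = /<iframe\b[^>]*?\ssrc="([^"]+)"[^>]*>[\s\S]*?<\/iframe>/gi;
  return html
    .replace(script, (tag, before, src, after) => {
      const cat = serviceCategory(src);
      if (!cat || consent.has(cat)) return tag;  // first-party or already consented
      const attrs = (before + after).replace(/\stype="[^"]*"/i, '');
      return `<script type="text/plain" data-consent-category="${cat}" data-consent-src="${src}"${attrs}>`;
    })
    .replace(iframe, (tag, src) => {
      const cat = serviceCategory(src);
      if (!cat || consent.has(cat)) return tag;
      return `<div class="consent-placeholder" data-consent-category="${cat}" data-consent-src="${src}">` +
        `External content blocked until you accept "${cat}"</div>`;
    });
}

// Client-side step, run after the user accepts: activate only the categories in
// `consent` by creating real <script>/<iframe> elements from the stored src.
function activateConsented(doc, consent) {
  let activated = 0;
  for (const el of doc.querySelectorAll('[data-consent-src]')) {
    if (!consent.has(el.dataset.consentCategory)) continue;
    const real = doc.createElement(el.tagName === 'SCRIPT' ? 'script' : 'iframe');
    real.src = el.dataset.consentSrc;
    el.replaceWith(real);
    activated++;
  }
  return activated;
}
```

With an empty consent set nothing third-party is fetched on page load; a partial set (for example only "statistics") activates the analytics script while YouTube embeds stay blocked behind their placeholder.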
