The privacy policy on websites: Content and guidance

A privacy policy must be available on every public website. In addition to the standard texts, it must explain every tool used and every data processing operation. The privacy policy alone, however, is not enough.

Introduction

A data protection declaration is mandatory on websites. This follows from Art. 12 and Art. 13 GDPR together with the fact that network (IP) addresses are personal data. Almost every website presents an offer. Only an almost empty website may get by without a data protection declaration; a mere notice of one's own (commercial) field of activity already gives a site the character of an offer (see the example where, in my view, the data protection notices are missing). See also my investigation into the concept of data collection and the responsibility that follows from it.

For legal reasons, it is better to label the data protection page "Data Protection Information" or "Data Protection Notice". In this article the previously less critical designation "Data Protection Declaration" is used instead. See the judgment of 27.12.2018 – 23 U 196/13.

From experience, I know that the dangers (complaints, warning letters, fines) rarely arise from the data protection texts themselves. They arise from unlawfully embedded tools, missing TLS certificates (no HTTPS), consent requests that do not work, forms that request too much data, and missing links to the privacy policy.

Explaining something does not make it permissible.

Take the example of a contract killer:

You hire a contract killer and explain your intention to the victim. Does that make it any better?

Frequent misunderstanding about data protection declarations

It is worth pointing out that anyone can, in principle, write data protection texts, and it often makes sense to do so yourself. You don't need a lawyer for that. The risks lie elsewhere: if you want to secure your website, think of other things before the data protection declaration. I would add that even lawyers often cannot get these notice texts right. One reason is that, for tools from Google or Facebook, it is frequently unclear or simply unknown which data processing actually takes place and by whom.

From experience I would say that writing good data protection texts for tools requires, first, technical understanding and, second, basic legal understanding. Knowledge of how data protection texts are structured also helps, because all texts of this kind share the same basic structure.

Content of the privacy policy

The content of the data protection information can essentially be divided into three parts:

  • Website-specific information: introductory text, the responsible entity (controller), the data protection officer (DSB), contact details
  • General obligations: these are always the same (as of 09.08.2021)
  • Information on the specific data processing operations on the website: relevant when using newsletters, forms or tools such as Google Maps

General Obligations

First, a series of general information must be provided. This includes:

  • Rights of data subjects: standard texts
  • Legal bases: standard texts (can also be tailored further)
  • Responsible entity (controller): who is responsible for data protection on this website and how can they be reached?
  • Contact details of the data protection officer: may be omitted if no DSB has been appointed

The rights of data subjects can be explained as follows.

Rights of data subjects

The rights of data subjects derive from Art. 15 et seq. GDPR. Here is a sample text for stating these rights. Please adjust as necessary. The text should only be used with a thank-you link to https://dr-dsgvo.de.

You have the right:

  • according to Art. 15 GDPR, to request information about the personal data I process, in particular: the processing purposes, the categories of personal data, the recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the right to lodge a complaint, the origin of your data if it was not collected from you, and the existence of automated decision-making including profiling and, where applicable, meaningful information about its details;
  • according to Art. 16 GDPR, to request without undue delay the rectification of inaccurate or the completion of incomplete personal data stored by me;
  • according to Art. 17 GDPR, to request the erasure of your personal data stored by me, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defence of legal claims;
  • according to Art. 18 GDPR, to request the restriction of processing of your personal data if you contest the accuracy of the data, if the processing is unlawful but you oppose its erasure, if we no longer need the data but you need it for the establishment, exercise or defence of legal claims, or if you have objected to the processing pursuant to Art. 21 GDPR;
  • according to Art. 20 GDPR, to receive the personal data you have provided to me in a structured, commonly used and machine-readable format, or to request that it be transmitted to another controller;
  • according to Art. 7(3) GDPR, to withdraw your consent at any time. The consequence is that we may no longer continue the processing that was based on this consent in the future; and
  • according to Art. 77 GDPR, to lodge a complaint with a supervisory authority, without prejudice to any other administrative or judicial remedy. As a rule, you can contact the supervisory authority of your habitual residence, your place of work or the place of the alleged infringement if you consider that the processing of personal data relating to you infringes the EU General Data Protection Regulation (GDPR).

Legal basis

The legal bases should be named in general terms. In addition, a specific legal basis can be stated for each data processing operation where it is not obvious. Here is an example text. The text should only be used with a thank-you link to https://dr-dsgvo.de.

We process the data that arises when you visit our website or use the contact options offered there in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). Depending on the matter for which you contact us via the website, different legal bases apply. The specific legal basis depends on the context and purpose for which we receive your data. As a rule, it is one of the following:

Art. 6(1)(a) GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose. Consent that has been given can be withdrawn at any time.

If the processing of personal data is necessary for the performance of a contract to which the data subject is party, as is the case, for example, with processing operations for the supply of goods or the provision of any other service, the processing is based on Art. 6(1)(b) GDPR. The same applies to processing operations necessary for pre-contractual measures, for example in the case of inquiries about our products or services.

Where we are subject to a legal obligation that requires the processing of personal data, for example in order to fulfil tax obligations, the processing is based on Art. 6(1)(c) GDPR.

Finally, processing operations may be based on Art. 6(1)(f) GDPR. This legal basis covers processing operations not covered by any of the bases above, where the processing is necessary to protect a legitimate interest of our company or of a third party, provided that the interests, fundamental rights and freedoms of the data subject do not override that interest.

Sample text for the citation of legal bases

Please note that it is not possible to visit a website without personal data being processed. Therefore, a privacy policy should not claim that the website can be visited without providing personal data.

Information on special data processing operations

For each data processing operation on the website, specific statements must be made. See also Art. 13 and Art. 15 GDPR. Common sections are:

  • Server logs: most servers store access logs (IP address, requested URL, time, user agent). This should be explained
  • Cookies: most websites set cookies. Technically necessary cookies, such as those for login management on WordPress sites or the cookies set by VG Wort, are unproblematic. To avoid questions, even unproblematic cookies should be explained. Note that cookies are not text files, although this is often claimed; they are name/value pairs transmitted in HTTP headers and stored by the browser in its own cookie store
  • Forms: state what happens to the data. As a rule, the data is used only to answer the request and any follow-up questions or further communication arising from it
  • Newsletter: state how the data (at least the email address) is processed. Mention the option to withdraw (unsubscribe from the newsletter). If you use a newsletter service, name it. Make sure the newsletter emails contain no tracking pixels (and if they do, ask for permission first)
  • Other data collection: if you offer a callback service, handle job applications through the website, or process data on the website for any other reason not yet covered, this must be explained as well
  • Tools: for each tool used, the following must be stated specifically:
    • Name of the tool
    • Provider
    • Purpose
    • Cookies used. Per cookie: name, lifespan, purpose
    • Data collected
    • Places where data is processed, insofar as this also happens outside the country of the provider's registered office
    • Data recipients, if there are others besides the provider
    • Possible risks, such as data transfer to unsafe third countries
    • Existing guarantees, such as a data processing agreement
  • External files: even for images, fonts, videos, helper libraries etc. it must be explained what happens, because every such request sends the visitor's IP address to the host that serves the file

If you have a contract with the provider of a tool or of external files, it may be permissible in individual cases not to declare this separately.

How do you actually find out which tools and external files are integrated into your website? Here are a few possible answers. Only one of them is correct:

  1. You guess
  2. You ask your web agency
  3. You ask your data protection officer
  4. You ask a lawyer
  5. You take a close look at your website yourself
  6. You use a tool that automatically scans your entire website. If you want more certainty, you pay a little more for an additional manual check
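As an added example (not code from the original article or from the Dr. DSGVO website check), here is the core of the scan that answer 6 describes, in Python: an inventory of every third-party host a page makes the browser contact, plus the per-cookie name and lifespan that the tools list above requires. It runs offline on a constructed HTML page and constructed Set-Cookie headers; the hosts, cookie names, the tracking ID `G-XXXXXXX` and the dates are invented for the demonstration.

```python
# Added example, not from the original article: the core of the automated
# scan in answer 6, run offline on a constructed page and constructed
# Set-Cookie headers. A real scan fetches every page of the site and feeds
# body and headers to the same two functions. All hosts, cookie names and
# dates below are made up for the demo.
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a URL, i.e. send the
# visitor's IP address and request headers to whoever runs that host.
FETCH_ATTRS = {"script": ("src",), "img": ("src", "srcset"), "iframe": ("src",),
               "link": ("href",), "video": ("src", "poster"), "source": ("src", "srcset")}
# <link> only triggers a fetch for these rel values (rel="canonical" etc. do not).
LINK_FETCH_RELS = {"stylesheet", "icon", "preload", "prefetch", "preconnect",
                   "dns-prefetch", "modulepreload", "manifest"}
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)['"]""")


def css_urls(text):
    return [a or b for a, b in CSS_URL_RE.findall(text)]


class ResourceCollector(HTMLParser):
    """Collect every URL the page makes the browser load: fetching attributes,
    srcset candidates, inline style="..." and <style> blocks."""

    def __init__(self, base_url):
        super().__init__()
        self.base, self.found, self._in_style = base_url, [], False  # found: (tag, attr, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = self._in_style or tag == "style"
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & LINK_FETCH_RELS:
            return
        for attr in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset is "url1 1x, url2 2x": take the URL token of each candidate
            urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                    if attr == "srcset" else [value])
            self.found += [(tag, attr, urljoin(self.base, u)) for u in urls]
        self.found += [(tag, "style", urljoin(self.base, u)) for u in css_urls(attrs.get("style") or "")]

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.found += [("style", "css", urljoin(self.base, u)) for u in css_urls(data)]


def third_party_hosts(html, base_url):
    """Map each external host to the (tag, attr) pairs that pull it in. Every
    entry is a recipient of visitor data that the privacy text has to cover."""
    collector = ResourceCollector(base_url)
    collector.feed(html)
    own = urlsplit(base_url).hostname
    hosts = {}
    for tag, attr, url in collector.found:
        p = urlsplit(url)
        if p.scheme in ("http", "https") and p.hostname and p.hostname != own:
            hosts.setdefault(p.hostname, set()).add((tag, attr))
    return hosts


def cookie_table(set_cookie_headers, now):
    """Name, lifespan in seconds (None = session cookie) and flags per cookie,
    for the 'per cookie: name, lifespan, purpose' requirement. Max-Age wins
    over Expires, as in browsers; 'now' is the time of the response."""
    rows = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, m in jar.items():
            if m["max-age"]:
                lifespan = int(m["max-age"])
            elif m["expires"]:
                lifespan = int((parsedate_to_datetime(m["expires"]) - now).total_seconds())
            else:
                lifespan = None
            rows.append({"name": name, "lifespan_s": lifespan, "secure": bool(m["secure"]),
                         "httponly": bool(m["httponly"]), "samesite": m["samesite"] or "(unset)"})
    return rows


SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="canonical" href="https://example.org/">
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<style>@font-face { src: url(https://fonts.gstatic.com/s/roboto.woff2); }</style>
</head><body>
<img src="/logo.png" srcset="/logo.png 1x, https://cdn.example-images.net/logo@2x.png 2x">
<iframe src="https://www.google.com/maps/embed?pb=demo"></iframe>
<div style="background: url('https://cdn.example-images.net/bg.jpg')"></div>
</body></html>"""
SAMPLE_SET_COOKIE = [  # constructed, not captured from a real site
    "_ga=GA1.2.123456789.1700000000; Max-Age=63072000; Path=/; Domain=.example.org",
    "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "srv_id=node7; Expires=Tue, 21 Oct 2025 07:28:00 GMT; Path=/",
]
RESPONSE_TIME = datetime(2025, 10, 20, 7, 28, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host, origins in sorted(third_party_hosts(SAMPLE_HTML, "https://example.org/").items()):
        print(f"{host:28} via {sorted(origins)}")
    for row in cookie_table(SAMPLE_SET_COOKIE, RESPONSE_TIME):
        print(row)
```

Each host in the first result is a recipient of the visitor's IP address and has to appear in the privacy text; the `rel="canonical"` link and same-host files are correctly left out. The cookie rows give name, lifespan and flags; the purpose column still has to be filled in by a human, which is exactly where the text above says the information is often missing.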

For numerous tools and cookies, no proper data protection text can be written at all. If the provider of a service or its exact company name is unknown, no proper explanation is possible. Often the purposes of cookies are unknown or merely assumed. In that case, a legally compliant use of the tool that sets those cookies is not possible, because the information about the cookie required by Art. 13 GDPR cannot be provided.

For analysis tools and other tools that collect data, users must be given an opt-out option. For most tools, consent must also be obtained first.

Typical structure of a data protection text for a tool

An example of a possible data protection text for Google Maps shows how such a text for a tool can be structured. Note that the information on cookies is missing here, because apparently nobody except Google knows which cookies are used for which specific purpose!

Image: sample data protection text (cookie information is missing!). The image was translated automatically.

The text addresses several aspects:

  • Service name (tool). For newsletters it would simply be "Newsletter"
  • Service provider: full company name including address and a commonly understood country name. "USA" is clear to everyone; ISO codes such as "US" are not
  • Purpose: why is the service used?
  • Legal basis: this can be stated either per service or in a general section without reference to a service. Often the legal basis simply follows from how a service is integrated: with a consent prompt, the legal basis is consent; without one, usually only legitimate interest remains. A legal basis stated explicitly must then match. Whoever writes "consent" but loads the service without consent is asking for trouble
  • Specific details: what should the user know?
  • Data processing: what happens to the data generated when the tool is retrieved and used?
  • Data recipients: who can receive the data? If in doubt, a higher-level statement is recommended
  • Identification of risks: when data is transferred to insecure third countries, intelligence services often read along. This should be explained
  • Further information: a link to the provider's data protection declaration can be helpful but also harmful. The information Google provides is regularly unsuitable for creating transparency. If you do link, make sure to refer to a German-language document

If you now try to fill in these entries for Google Maps, you will find that it cannot be done. The purpose alone, "We use the map to display our location.", should prompt the question: is the map needed at all, and what is its benefit?

Further recommendations

The explanations must be easy to understand, namely for the average citizen without technical or legal expertise. This follows from Art. 12 GDPR.

It is not fundamentally forbidden to place the data protection declaration as a separate section of the imprint (Impressum). I would, however, recommend putting the declaration on its own page, or at least making it reachable via its own link from every page.

The link to the data protection declaration must be reachable with at most two clicks. With responsive designs for smartphones, the link should not be hidden in a hamburger menu only but also always visible in the footer. It must also be present on supposedly secret pages such as login pages.

The link to the data protection statement should be clearly named, i.e. "Data Protection Statement", "Data Protection" etc. Update: the designations "Data Protection Notice" or "Data Protection Information" are recommended in order to avoid legal problems.
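The three link rules above (a link on every page, visible outside the menu, at most two clicks from the start page) can be checked mechanically. The following is an added example in Python, not part of the original article: it parses a constructed mini site, computes the click distance from the start page to the privacy page, and flags pages where the privacy link is missing or only sits inside the navigation element. The paths, the markup and the `datenschutz|privacy` pattern used to recognise the privacy page are assumptions for the demo; a real audit would crawl the live site and feed each page's HTML into the same function.

```python
# Added example, not from the original article: audit of the privacy-link
# rules against a constructed mini site. Paths, markup and the pattern for
# recognising the privacy page are assumptions for the demo.
import re
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PRIVACY_RE = re.compile(r"datenschutz|privacy", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect same-site links and note whether each sits inside <nav> or <footer>."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.links = []                       # (path, in_nav, in_footer, link text)
        self._depth = {"nav": 0, "footer": 0}
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag in self._depth:
            self._depth[tag] += 1
        if tag == "a":
            href = dict(attrs).get("href")
            target = urlsplit(urljoin(self.page_url, href or ""))
            if href and target.hostname == urlsplit(self.page_url).hostname:
                self._current = [target.path or "/", self._depth["nav"] > 0,
                                 self._depth["footer"] > 0, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[3] += data

    def handle_endtag(self, tag):
        if tag in self._depth:
            self._depth[tag] = max(0, self._depth[tag] - 1)
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def audit_privacy_links(pages, base_url, start="/"):
    """pages: {path: html}. Returns ({path: [problems]}, clicks to the privacy page)."""
    links = {}
    for path, html in pages.items():
        c = LinkCollector(urljoin(base_url, path))
        c.feed(html)
        links[path] = c.links
    privacy_pages = {p for p in pages if PRIVACY_RE.search(p)}

    # breadth-first search: minimum number of clicks from the start page
    depth = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for path, *_ in links.get(cur, []):
            if path in pages and path not in depth:
                depth[path] = depth[cur] + 1
                queue.append(path)
    clicks = min((depth.get(p, float("inf")) for p in privacy_pages), default=float("inf"))

    findings = {}
    for path, page_links in links.items():
        hits = [l for l in page_links if l[0] in privacy_pages or PRIVACY_RE.search(l[3])]
        problems = []
        if not hits:
            problems.append("no link to the privacy page")
        elif not any(in_footer or not in_nav for _, in_nav, in_footer, _ in hits):
            problems.append("privacy link only inside the navigation menu")
        findings[path] = problems
    if clicks > 2:
        findings.setdefault(start, []).append(f"privacy page is {clicks} clicks away")
    return findings, clicks


SITE = {  # constructed pages for the demo
    "/": '<nav><a href="/blog/">Blog</a><a href="/datenschutz/">Datenschutz</a></nav>'
         '<main>Start</main><footer><a href="/datenschutz/">Datenschutzhinweise</a></footer>',
    "/blog/": '<nav><a href="/">Home</a><a href="/datenschutz/">Datenschutz</a></nav><main>Posts</main>',
    "/wp-login.php": '<form>login</form>',
    "/datenschutz/": '<main>Hinweise</main><footer><a href="/datenschutz/">Datenschutzhinweise</a></footer>',
}

if __name__ == "__main__":
    findings, clicks = audit_privacy_links(SITE, "https://example.org")
    print(f"privacy page reachable in {clicks} click(s)")
    for path, problems in findings.items():
        print(f"{path:16} {problems or 'ok'}")
```

On the constructed site the start page passes, the blog page is flagged because its only privacy link sits in the navigation (hamburger) menu, and the login page is flagged for having no link at all.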

Name the data protection officer (DSB) in the data protection declaration. If you do not have a DSB, name the person responsible for data processing.

Every company in which, as a rule, more than 19 employees are engaged in processing personal data must appoint a DSB. This is always the case when that number of employees has a computer workstation. Companies with more than 250 employees must also appoint a DSB.

In addition, the obligation to appoint a DSB applies to many businesses that regularly process personal data (cf. Art. 37(1)(b) GDPR). In my opinion, this category includes all companies with a public website, because since 2017 network addresses have been regarded as personal data.

Privacy policy too extensive

The question often comes up whether too much text in the privacy policy is a problem and whether one should even fear a warning letter. My opinion:

  • Structure your privacy policy into clearly recognizable sections
  • A few texts too many are not a problem
  • Just don't overdo it
  • If you recently used a tool but no longer do, do not remove its text until you are sure that no caches are still active (a cached page may still load the tool)
  • If you plan to use a tool (contact form, newsletter, script, analysis tool, etc.) soon, add its data protection text beforehand

The last point in particular shows that you cannot get into trouble because of too much text (within reason): how would anyone prove that you are not about to use a declared but not yet deployed tool? In addition, a single page of data protection information can serve several websites at the same time, although I advise against this for several reasons. Data protection texts should, however, only be present if they are actually needed; otherwise they offer an unnecessary target.

English privacy policy

If a website also targets markets other than Germany, Austria and Switzerland, the privacy policy should at least also be available in English. For the German market, a German-language declaration must be provided.

About the author on dr-dsgvo.de
My name is Klaus Meffert. I hold a doctorate in computer science and have been working professionally and hands-on with information technology for more than 30 years. I also work as an expert in IT and data protection. I achieve my results by looking at both technology and law, which seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting on and development of optimized and secure AI solutions.
