Almost every website needs both a data protection notice and an imprint. Both the data protection declaration and the imprint must be easily accessible from each page of a web presence. This applies equally to smartphones as it does to tablets, notebooks, and desktop computers.
Provider identification obligation
Almost every website must provide a legal notice. The obligation to provide one is regulated in § 5 TMG and § 18 Abs. 2 MStV. It suffices if at least one of the following reasons applies:
- Commercially operated website
- Website with editorial content
A website is commercial in particular if there is an intention to make a profit or a possibility of making one. It does not matter whether actual profits or revenues are achieved. For example, an affiliate link or the display of advertising already indicates that a website is commercially operated.
Editorial content is already present when a statement of opinion is made. This should almost always be the case. Exceptions could be password-protected websites that are only accessible to a limited group, such as family members. Empty websites, for example with the text "a website will be set up here soon", are probably not statements of opinion either. Whoever mentions their company and writes something about it is almost always expressing an opinion. Whoever writes about horoscopes and says that many of them are often correct is, in my opinion, expressing an opinion.
Data Protection Obligation
The following discusses the data protection statement. The term data protection notice is legally less problematic and should be used on websites instead. The reason is the character of the term: a statement can easily be interpreted as pointing toward a contractual relationship. A data protection statement, however, I claim, is not a contract, but at most a contractual component.
In contrast to the imprint, a data protection statement must be provided on every website. The website only needs to be publicly accessible and represent an offer. An offer is present when someone offers something, whether it is information or services. In one case, a website only listed contact details. However, the contact details also contained a hint at the activity of the operator. Thus, an offer is present, I claim. Often this question does not arise because every commercial website is an offer. But even private websites that offer information are obviously an offer.
When a website is accessed, the visitor's IP address is transmitted to the website, so a process relevant under the GDPR always takes place. IP addresses are known to be personal data.
A responsible body must be named in the data protection declaration. This is regulated in Article 13 Number 1.1, which requires that the name and contact details be given. As contact data, I think an email address suffices. However, if an imprint is present and the responsible person is identical with the operator of the website, the full address can be given without any disadvantage, to be on the safe side.
Accessibility of vendor identification and privacy notices
The imprint and the data protection statement must both be linked from every page (§ 5 TMG). Each of these links should be reachable with a maximum of two clicks. Furthermore, the links must not be obscured to the point of invisibility by other visual elements such as pop-ups. Of course, one could dispense with linking if the content of the provider identification and the data protection notice appeared on every page. In practice, however, this approach has not caught on, for understandable reasons.
Different screen resolutions
The numerous devices with their different display sizes necessitate a so-called responsive design. A website is responsive if it adapts its presentation to different screen resolutions. For example, on a smartphone, the font size for headings is often reduced to avoid unsightly line breaks. Another example of responsive design is text that is hidden at smaller resolutions (such as on the iPhone). Of course, the imprint link and the link to the data protection declaration must be visible at every resolution, i.e., on every device.
Here is an example from this website for three resolutions:

For reasons of space, the desktop PC view is missing. From left to right in the image: the view for Galaxy S9, iPad and Kindle Fire. The hamburger menu at the top right, with three horizontal lines, appears only in the smaller views. This menu contains the links to the imprint and the data protection declaration. In larger views the links are displayed directly. In addition, these two links can be found at the end of each page, as an additional safeguard, so to speak.
My examination of numerous websites shows that responsive accessibility of important links is apparently not a given. A very popular real estate website presents the links for imprint and data protection correctly in the desktop version. In the mobile version these legally prescribed links are, incorrectly, simply hidden. The entire web presence is therefore considered to be without an imprint.
Link texts must be presented in a way that rules out excessive searching. There should therefore be sufficient contrast between text and background. The position should be chosen so that the user can easily find the links. I recommend linking both at the top and at the bottom of each page, because the OLG Munich decided in its judgment of 12.02.2004 (Az.: 29 U 4564/03) that having to scroll four times through the entire screen area at a height of 768 pixels speaks against easy accessibility of a link. The judgment is, however, older and probably outdated by now, if only because many users are accustomed to scrolling on their smartphones. At the time of the judgment, smartphones were not yet widespread.
Link naming
The link to the imprint should be named exactly that, namely "Imprint". This causes the fewest problems. The label "Anbieterkennzeichnung" (provider identification) should also be possible, but is more cumbersome and less common. Naming it "Kontakt" (contact) is also allowed. This may become problematic, however, if there is both a link with this label and one with a similar label, such as "Kontaktaufnahme" (get in touch), or if the "Kontakt" page also contains a contact form, which may even appear above the provider details.
The data protection declaration can be integrated into the imprint. Especially on less clearly arranged websites, it is recommended to provide a separate page for the data protection declaration and to give it its own link. Permissible names are in particular Data Protection Declaration (do not use, see above), Data Protection Notes, Notes on Data Protection, Data Policy, Data Protection Policy. If the data protection declaration and the imprint are housed on a common page, the link text should express this, for example: "Imprint & Data Protection Notes".
Imprint format
Ideally, the imprint should be directly viewable on the screen in the browser. The link to the data protection declaration should also be available there. That is why the ideal format is HTML, which can be displayed directly in any browser. An imprint in PDF format may be legally compliant, but there are certain legal uncertainties here.
Ultimately, it depends on whether a judge would assess a PDF file as a proper imprint. There is at least one ruling that says PDF files can now be opened on almost any device. This was not always the case in the past. For example, PDFs could not be reliably opened on smartphones because a viewing program was not available, or could not be assumed to be present, on every phone, tablet, or other mobile device. Today things seem different: at least current smartphones and tablets usually have a built-in PDF viewer.
Permanent link availability
The imprint must be accessible from every single page of a website. There may be no exceptions. I think that even login pages intended for administrators should follow this rule. If one interprets the rule strictly, RSS pages would also have to offer a link to the imprint. In practice, however, this does not seem necessary, since a page with an RSS feed is (often) not displayed directly in the browser but is opened with a special program.
If a website consists of 500 pages, then an imprint link must be present on each page in any resolution. It is essential that special pages also contain a link to the imprint.
What applies to the imprint also applies to the Data Protection Declaration. It must also be accessible from every page. Special pages, for example, are login pages for administrators, editors or customers. This also includes print views of pages that can be called up via a JavaScript functionality or as so-called Plain Text. If the page is accessible via a direct link, i.e. a publicly known URL, there must be a link to the provider's identification. This is often neglected, which reduces legal security.
A while ago I brought it to the attention of the Bavarian Data Protection Authority BayLDA that their website, which is publicly accessible and directly reachable, does not display a data protection declaration in print view. The authority responded promptly and took action on this matter.
Content of the imprint
General mandatory information includes the following details (name and address of the company, contact details such as phone number and email, VAT ID if applicable, registration number if applicable):
- Registration: Company name, legal form of the company. Example: Doe GmbH
- Mailing address: The company's address at which they can be written to
- Email address: Email address under which the company can be written to
- VAT identification number (VAT-ID): The company's ID if available. If not available, no ID should be given, nor a tax number (the latter could be misused by third parties)
- Phone number: Not mandatory in every case, but recommended, especially for online shops
- Editorially responsible: This person must be a natural person and is to be distinguished from the person responsible for the website. They are only necessary if opinions or subjective statements are present. This is almost always the case. The person responsible must be named with an address. If there are several, there must be a clear separation of editorial content
Examples of legal-form specific statements include, for instance:
- Managing Director: For example, in a Ltd. (limited liability company)
- Court designation: For example, in a Ltd
Other legal forms such as AGs, GmbH & Co. KG etc. have further requirements. The GmbH, being the most common case, serves here as guidance for the majority of companies. The UG has the same requirements as the GmbH regarding the imprint. An imprint for a Ltd. could look like this:
Responsible for this website
Doe Ltd
Street of Patterns 111111
Musterhausen
Email: muster@mustermail.com-is-here.de
Tel.: +49 (0) 111111 – 22222345
Managing Director: Max Musterman and Erna Musterwoman
USt-ID: 47110815
District Court Musterhausen, Commercial Register HRB 12345678
Editorially Responsible: Erna Doe, Address: Doe Street 1, 11112 Doe City
Typical imprint for a Ltd. (German limited liability company)
After that, a reference to the alternative dispute resolution of the European Commission could follow, which is not always mandatory. It does no harm to mention it, perhaps with the note that it is not required (if applicable), but that you are giving the reference anyway to be on the safe side.
The European Commission provides a platform for out-of-court online dispute resolution (so-called OS-platform): We are however neither obliged nor willing to participate in the mediation procedure.
Reference to online dispute resolution in the imprint
Occasionally, the text or link for dispute resolution changes. Then an update on the website is required. This notice should also be included in the terms of use.
Reachability Test
Testing the accessibility of the provider identification and the data protection policy is difficult. Those with little technical expertise will have a real practical test in mind, using smartphones, tablets, and a PC. Such a practical test not only takes up a lot of time but also often fails because devices are not available for every resolution from 320 to 1920 pixels wide. Background: 320 pixels is the width of an iPhone with a small display, and 1920 pixels is the HD resolution of a desktop monitor. I recommend using a professional service provider who can perform such tests and has expertise in technology and data protection law.
The service provider should be familiar with the special pages of popular content management systems such as WordPress or Typo3.
At least there is a Dr. GDPR online website check. With this you can't test the accessibility of imprint and data protection notices, but you can see directly if there are any data protection problems on the website. I bet that's almost always the case. My tool hardly ever makes mistakes.
Key messages
Almost all websites need a data protection notice and an imprint, which should be easily accessible on every page.
Websites must clearly and easily display links to their imprint (legal information) and data protection statement on every page.
Your website must have a clearly named imprint and data protection declaration that are easily accessible from every single page.
Websites that are publicly accessible should clearly display contact information and legal details about the company running the site.
It's difficult to properly test website accessibility for things like data protection. It's best to use a professional service that specializes in this area.




My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
