The popular website check can be used free of charge and helps to find and fix data protection problems. A redesign of the check and the additional service packages makes finding errors clearer and more fun.
Introduction
The Website-Check in its current form has been available since 2017. Although the GDPR came into effect only in 2018, in 2017 the BGH had already ruled with its Breyer-Urteil that almost every data transfer on the internet is to be considered as person-related. The reason is that IP addresses are transmitted from the user to the website operator each time a webpage is accessed. The BGH defined IP addresses as person-related even if they are frequently changing (dynamic) addresses.
A scanner that takes equal account of technology and law.
Quite different from purely technical solutions such as Webkoll.
The special thing about Dr. GDPR's GDPR scanner is the combination of technology and law and the fact that it was probably the first scanner of its kind to be made freely available online.
Websites are a deeply technical construct. The GDPR, on the other hand, is a regulation with legal content. Looking only at the technology does not help those with legal knowledge. And only considering the legal provisions does not help the technical layperson. This is why the website check offers assistance in solving data protection problems. These recommendations are based on an interpretation of the technical conditions identified by the scanner in the light of the GDPR.
It was time to improve and modernize the look of the check. The test results, however, remain reliable. What can be tested is being tested. Excluded from this are server locations, which are derived from IP addresses. This does not work reliably and is just a matter of wiping one's eyes.
The new features: Redesign of the look, better accessibility of the full versions, performance checks, internationalization
Some new features have already been implemented, others will be released soon.
In addition, a new option for the full versions of the check will be provided to make the full versions accessible to a larger group. The results of the website check will also be made available in English in the near future.
Is AI used for the website check?
The checks themselves do not use AI. There is no reason why AI needs to be used to determine and interpret findings. All this can be done more reliably, faster and safer without AI. If it could be done better with AI, AI would be integrated into the process.
However, AI was used to redesign the look and create new sections, including an order form and the offer page with the different variants of the full versions. Thanks to AI, the design was not only significantly improved, but also achieved with acceptable effort.
Clearer design
The website check exists in various forms (see below). A redesign of the visual appearance is therefore a challenging adjustment. It has now been completed. Here are some of the adjustments, grouped according to the different scanner types.
Online Website-Check
The introduction to the GDPR website check now looks clearer and more modern. The tag line (subheading) says directly what it's all about: "Find data protection errors in seconds".
Because it has been asked for repeatedly, there is a reference to the full versions, which are presented in more detail below.
After entering a website to be checked and starting the check process, the scanner shows a progress bar as before. The findings look different depending on the result of the check. Here is an example of a scan result:
The result of the quick test is given in the form of a short evaluation. In the example, the diagnosis reads "GDPR compliance only partially given". Since it is important from a data protection point of view to also check the page optically, the website scanner creates two screenshots. The left screenshot in the image shows the view on larger screens and the right screenshot shows the mobile version. It is important because the so-called cookie pop-ups sometimes cover up the important links to the imprint or the privacy policy, making them often invalid. This can cause legal problems.
Some websites refuse to take sufficient account of the right to privacy. In known cases, this notice appears in the free version of the scanner.
As a service, a tool is offered directly to request data information from the website operator. Some operators always reply with the same text module, no matter what requests you make. The information generator therefore always generates different texts for your information request. This makes it easier to take action against the operator in case of doubt, as they can no longer easily talk their way out of it.
Attention: The Spiegel website offers a choice between an extremely large number of advertising trackers and a paid model. The scanner checks the website before this "pay-or-OK barrier" (which may be illegal), also because simulating clicks on websites can be considered a criminal offense. The Pro-Check (see below) is recommended to check such a website in more detail. It contains manual expert checks that assess issues that cannot be dealt with automatically.
The following message appears for websites that are clearly illegal (from the scanner's point of view):
This finding of the scanner usually applies. For example, the following findings:
Suggested solutions are often offered for the problems found by the scanner:
The buttons link to background articles on Dr. GDPR, which provide details on the topic.
A statistics and browser fingerprint show various additional information. In particular, redirects are also important from a data protection perspective. Equally important is whether an SSL certificate is present, whether the redirect is carried out on SSL throughout, and whether the certificate is secure and still up-to-date.
Nowadays, every website should have an SSL certificate. It used to be said that this should only be present if contact forms or a newsletter are offered.
The scanner also shows a list of the pages found and scanned. The list is shortened for the sake of clarity. Images and tracking pixels found are also listed.
Last but not least, here is some information about the tool. The reason for this is that website operators often do not believe the scanner. This happens in particular when things happen on special pages that are beyond the operator's attention (or control). A special page is, for example, a 404 page. It is not uncommon for a Google Ads script to be integrated there. The users of the GDPR check are then so surprised that they don't want to believe it.
Another case are forgotten pages on websites with many subpages. It can happen that Google Fonts or a social media plugin is integrated on one in 100 pages. A good example of the latter is the unsightly WordPress plugin called "Gravatar". It is data-hostile, has no benefit for the website and is often installed automatically. The scanner will find it (at least if the page runs through the scanner; this is not as likely in the free version as in the full versions).
There is a donation button for anyone who would like to contribute to the costs of hosting and the work that goes into the scanner and the Dr. GDPR blog. Incidentally, the Kuketz blog calls for donations in such a way that it receives € 3380 per month (as of 11.12.2025, source: his blog). The donations for the Dr. GDPR blog are neither based on standing orders nor are they that high.
The free scanner cannot do as much as a full version due to its resource consumption and liability issues.
Offer page
In order to make the various website scanners available in their full versions, a corresponding offer has been provided on the page with the full versions (outside of Dr. GDPR).
The focus is on advice (not only on Dr. DGSVO, where private individuals and companies have been receiving answers to their questions free of charge for many years), which can also be seen in the new look.
Different solutions are relevant depending on the target group. The filter directly shows the offers that are relevant in each case:
The agency package and scan package are explained below.
The Pro-Check offers a manual examination of websites including professional and technical advice as well as legal assessments (by the way: everyone is allowed to give legal advice, but it must not have the character of predominantly legal work).
The Pro-Check can be considered as gold standard. More is not possible for this price. Out of fairness, larger websites are more expensive than smaller ones. A semi-famous lawyer (who probably had little technical understanding) offered a check with similar performance features almost three times as expensive.
There is also the so-called popular tariff. In the background, the same scanner works as on Dr. GDPR, with two differences:
- Scan of up to 200 subpages (instead of approx. 10 with the free scanner)
- Detailed data protection report with findings, problems found, sample data protection texts, cookie analysis and suggested solutions for common problems (instead of a good overview with the free scanner)
The online tool is explained below. It is similar to the free online check on Dr. GDPR, but has significantly higher rate limits.
The full versions provide a data protection report (except for the online tool).
Data protection reports of the website check
The free scanner does not provide such a report, but "only" a helpful overview. The full versions are offered by IT Logic as wwwschutz.
A clear statistics shows the essential "construction sites":
The report contains many information (findings, identified problems, recommendations for action, cookie list, privacy texts, list of recognized pages…). A table of contents makes these contents in the report easier to access:
The print function is particularly popular because an HTML page can be converted into a PDF that can easily be passed on to colleagues or clients.
The action guidelines provide recommendations on where to take what action.
The privacy report contains helpful details on these points. For example, the reader sees which pages were identified as a possible legal notice. A website should only have one imprint (related to a specific domain!), because otherwise discrepancies will occur and can lead to legal problems. The imprint clearly shows that the GDPR-Check does more than just perform technical analyses. Although the imprint has nothing directly to do with data protection, it is mentioned in the same breath as the term "website". Therefore, an imprint check is performed.
Tips for the legal notice: 1) Never enter the tax number, only the VAT ID (if available). 2) Always name the person editorially responsible: As a natural (!) person with address (tip: write "Address: see above" and thus refer to the website operator. 3) Never specify the legal provisions, as this information is not necessary but may become incorrect due to new laws. Example: Instead of "Responsible according to § 5 TMG:" -> "Responsible for this website:". Analogous for the editorially responsible person!
These checks are also carried out in the Pro-Check.
An overview of the most important pages provides a good overview for further checks.
Websites are also listed that were identified as possibly important based on less relevant criteria. In this example, a page (URL) was named as a possible contact form. Some websites build their content dynamically, which prevents crawlers from reliably identifying forms when they are accessed. It has proven effective to list pages with lower recognition probability as well.
The website scanner detects tools and plugins that are present on a page. The detection works even if the tool was not loaded when the page was called up.
The most common case is tools that are loaded directly. Their detection works by evaluating the network traffic. If a plugin sets cookies, the plugin can also be recognized via these cookies. Services that are only loaded after consent has been given can be detected via source code analysis, by reading the consent tool or via a manual check (Pro-Check).
The cookies detected by the website check are listed together with their meaning, if this is known and stored in the cookie database.
You can't tell the purpose of a cookie. It is often known for widely used services. Exceptions are cookies from Google and other data octopuses that are reluctant to talk about how they process personal data. In the Pro-Check, the presumed purpose can be worked out more precisely.
Most websites do not require a "cookie pop-up".
Prerequisite: All unnecessary data processing that requires consent must be avoided.
In addition to details of the SSL certificate found (or not found), the report also shows which data protection texts for the tools and plugins detected were recognized as being present.
The following information is exciting and helps to identify missing data protection texts and fix the problem:
Since mid-2024, it is essential to have all necessary data protection texts at hand. For by this time the ECJ decided that a breach of the information obligations constitutes an unlawful data processing (ECJ, judgment of 11.07.2024 – C‑757/22). This means that if data protection texts are missing for example for Facebook Connect, then the use of Facebook Connect is already illegal on this account alone (see Article 12 GDPR).
To ensure that missing data protection texts do not become a problem, the data protection report provides numerous sample texts free of charge.
The texts for the data protection statement are not shown here due to their length. Note: Providing information about a tool in the data protection statement does not mean that the tool can be used because of it. Rather, the legal basis must be checked according to Art. 6 (1) GDPR. For harmless plugins, one can rely on the legitimate interest. Online shops can occasionally refer to contract fulfillment as a legal basis. Otherwise, an opt-in query usually remains for legitimation.
In the page-specific notes, the data protection report illustrates in detail which findings exist and where there is a need for action. This is underpinned by specific information on the findings.
Here, for example, several plugins were detected on a WordPress site. The plugins are diagnosed as to whether they are questionable or harmless. The diagnosis is based on a local plugin database that the scanner accesses.
Some details from the report could not be reproduced here due to the level of detail in the report.
The redesign of the report is in full swing and is scheduled for completion at the end of 2025. The same applies here: clear presentation with an appealing look.
Not just a privacy advisor's best friend
The online website scanner is not only used by DPOs, but often also by website operators. While data protection consultants often check several different websites of clients, website operators usually target their own individual homepage.
Several usage models have been developed to meet different needs:
- Free Online Scanner: For all on Dr. GDPR available.
- Extended free version: Available for all newsletter subscribers. The scanner checks more pages.
- Popular tariff: Check a single website. Within the annual period, the website can be checked as many times as desired. Available through IT Logic GmbH under the label wwwschutz.
- Volume Tariffs for DSBs, Agencies, Operators of multiple websites:
- Agency Package: Freely definable websites, up until the maximum number of booked websites is reached. Within the annual billing period, each website can be scanned as often as desired. More Info.
- Scan Package: Scan individual websites. Offers better value compared to the Agency Package if websites are typically checked only once a year or if each website is scanned on average only once. More Info
The content on Dr. GDPR is free of charge and will remain so. The additional offers are therefore provided via the channels mentioned.
Incidentally, all website checks work without artificial intelligence. Customers have asked when AI support would be available. However, no one was able to say what exactly would be done with AI. In any case, the evaluation of technical findings is optimally solved, better than is possible with AI. Data protection texts are available in the template, which also does not require AI.
On the subject of the AI Act, it was asked whether the scanner can support this. The answer is: websites cannot reliably detect whether AI systems such as chatbots are embedded. And if this is detected, the scanner only sees the user interface and not the language model or similar. What is not visible cannot be checked.
Do you have any suggestions or requests for the scanner? Then simply write to us.
Bonus
In addition to the online data protection check for websites, there will also be a website performance tool. It includes an SEO checker and a security checker. Here is a picture of the prototype:
Websites can be checked for the following criteria:
- How well do search engines find the website?
- Does the website load fast enough?
- Core Vitals check
- What optimization options are available? Images are also checked
- What security gaps are there?
- How to fix the problems
Extra
The online website check or the previously mentioned website performance tool is available in free variants. Those who want more should pay for it. However, it shouldn't be too expensive. To make everything fair and economical, there will be a Buy It Now option for low-priced products (payment platform from Europe).
It will be possible to order directly from the free online check. Here are a few impressions:
Just like the new website scan on Dr. GDPR, the homepage has a clear look and shows the main advantages of the GDPR check.
Three packages are offered for online purchase, two of which are very inexpensive. But it gets even cheaper: a special feature are the voucher codes and the discount for a testimonial (experience report):
If you want the full version with cookie scanner and sample data protection texts + suggested solutions, you can enter a voucher to save money. The vouchers are issued from time to time via the newsletter or other suitable channels. They are always limited in time and have an upper limit on the number of uses.
Another option for a discount is the experience report mentioned above. It helps to improve the check. The report should be honest and unembellished, but friendly.
The explanations of the testimonial discount hopefully say it all: The process is simple. The testimonial provider receives a request by e-mail, replies with their experience report and that's it. The feedback is either used to improve the GDPR checker or published on the website, naturally in compliance with data protection regulations (with a pseudonym or with consent).
If there are any questions left at the end, they will be answered in the FAQ section.
By the way, newsletter subscribers will receive the above-mentioned voucher code for the full version of the Website Check if the buy-it-now option is available.
Do you have any suggestions for the check? Then please get in touch. Perhaps there is also a voucher for good ideas 😉
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
