Unveiling the Secrets of GDPR: The Key Elements to Include in Your Privacy Statement


Notes on Privacy Policy

The information on this page refers to the legal situation in the EU, in particular in Germany. Other regulations may apply in countries outside the European Union.

When it comes to the topic of Privacy Policy and GDPR (General Data Protection Regulation), there is often a lot of uncertainty. Many people are unsure and ask themselves: do I need a Privacy Statement at all?

Many website operators think that they are not processing any personal data at all. This assumption is very likely wrong: as soon as a user visits your website, their IP address is processed, and an IP address is personal data. In practice, this means personal data is always processed.

Note: The following information is based on my own experience. But I am not a lawyer. If you want to ensure that your website is legally compliant, consult an IT or Media Law expert. You can get more information about the requirements of the Privacy Statement (German: Datenschutzerklärung) from the Chamber of Commerce and Industry (Industrie- und Handelskammer, abbreviated IHK) or from an online service such as e-Recht24.de.

A Privacy Statement describes the processing of information and data by an organisation. This includes, above all, personal data such as name, address, e-mail address and IP address. The Privacy Statement is to be distinguished from consent to data processing. …

According to Art. 4 No. 1 GDPR, personal data is any information relating to an identified or identifiable individual.

Typical personal data are:

  • Name
  • Address
  • Age
  • E-mail address
  • IP address
  • Location data
  • Social Security Number
  • Identity card number
  • Account number
  • as well as all data concerning the appearance of a person

Who Needs a Privacy Policy?

A Privacy Policy is only required if personal data is collected and processed (Art. 14 GDPR). At first glance, you might think that a private website which uses no contact form, advertising banners, social media plug-ins and the like does not process personal data, but this is not the case.

The server on which the website is hosted (stored) collects personal data in the background in the form of server log files. These log files contain the IP addresses of visitors, and IP addresses are personal data.

Conclusion: Every website needs a privacy policy.

What Do I Need to Include in the Privacy Policy?

The Privacy Policy must be written in simple and clear language and be clearly structured. Legal terminology should be avoided. According to Art. 13 of the GDPR, the following information must be included in the Privacy Policy.

  • Name and contact details of the responsible person (Operator of the Website)

  • General information about the Privacy Statement, such as the purpose and legal basis for collecting and processing personal data.

  • Reference to the Right of access to stored personal data

  • Reference to the Right of confirmation, whether or not personal data is stored

  • Reference to the Right of erasure, objection, and transfer of personal data

  • Reference to the Right to complain to a supervisory authority

  • General Information about Cookies

  • Use of Web Analytics Tools, e.g. Google Analytics

  • Use of Social Media Plug-ins, e.g. Facebook Like Buttons

  • Used Affiliate Programs

For each individual collection of data, the applicable legal basis should also be stated. The following questions must be answered for each data collection.

  • What kind of personal information is collected?

  • Why is personal data collected?

  • How will the personal data be used?

  • Is the personal data collected shared with third parties?

  • What are the measures that are taken to ensure the security of the data?

  • Does a cross-border transfer of data take place?

How Does the Privacy Policy Need to be Integrated into the Website?

It doesn't matter whether you have a personal or a business website. A Privacy Policy is mandatory.

§13 TMG (Telemedia Act) states:

The service provider must inform the user at the beginning of the usage process about the type, the extent, and the purpose of the collection and use of personal data. The content of the information must always be available.

This means that the Privacy Policy must be directly accessible from every sub-page of the website with one click. This also applies to mobile devices such as smartphones and tablets.

Attention: A link in the Legal Notice is not sufficient. The Privacy Policy and the Legal Notice should be clearly separated from each other.

Where exactly the link to the Privacy Policy must be placed is not clearly defined. Many website operators place it in the footer of their web pages. However, it is not clear whether a footer link satisfies the requirement to inform the user at the beginning of use.

My recommendation:
Place the "Privacy Policy" link in the navigation of your website.

The Legal Notice and Privacy Policy pages can be combined into one page. In this case, the link must be called "Legal Notice and Privacy Policy".