GDPR
The GDPR regulates the protection of personal data in the EU and affects every website, bringing obligations such as a privacy policy and cookie consent.
What is the GDPR?
The General Data Protection Regulation (GDPR) is the central data protection law of the European Union. It has been legally binding in all EU member states as well as in Iceland, Liechtenstein, and Norway since 25 May 2018. The aim is to standardise the protection of personal data across Europe and give individuals more control over their own data.
For website operators, the GDPR is particularly relevant because almost every website processes personal data, often without the operator being aware of it. Even storing IP addresses in server logs or using analytics tools falls under this regulation.
What constitutes personal data?
Personal data includes any information relating to an identifiable individual. This includes obvious details such as name, email address, or telephone number, but also less obvious data like IP addresses, location data, or cookie identifiers. It is precisely these inconspicuous data types that are constantly processed on websites.
Who does the GDPR apply to?
The GDPR applies to any company or organisation that processes data of individuals in the EU, regardless of where the company itself is based. This means that even a provider from the USA or Asia must comply with the GDPR as soon as they target users in the EU. For website operators, there is no minimum size requirement. Even a small blog or an association website is affected.
The key principles
- Lawfulness and transparency: Data may only be processed on a valid legal basis, and the data subject must be able to understand what happens to their data.
- Purpose limitation: Data may only be used for the purpose for which it was collected.
- Data minimisation: Only the data that is truly necessary may be collected.
- Storage limitation: Data may not be stored longer than necessary.
- Integrity and confidentiality: Data must be protected by appropriate technical measures.
What rights do users have?
The GDPR grants every individual extensive rights against those who process their data:
- Right of access: Know whether and which data is being processed.
- Right to rectification: Have incorrect data corrected.
- Right to erasure: Also known as the "right to be forgotten".
- Right to data portability: Receive one's own data in a common format.
- Right to object: Object to the processing of one's own data.
Companies must generally respond to such requests within one month.
What does the GDPR mean in practice for website operators?
The theory results in several very practical obligations for every website:
- Privacy policy: Every website needs a complete, easily accessible privacy policy that explains all services used and data processing activities.
- Cookie consent banner: For all cookies and tools that are not technically necessary (such as analytics or marketing tools), the active consent of visitors must be obtained in advance. A mere notice is not sufficient.
- Secure contact forms: Forms should be submitted over an encrypted HTTPS (TLS, still commonly called SSL) connection and only request the fields that are truly necessary.
- Data processing agreements (DPA): A corresponding contract must be concluded with service providers who process data on your behalf (for example, hosting providers or newsletter tools).
- Privacy-friendly tool selection: Tools with servers located in the EU or with anonymised data collection make compliant use significantly easier.
Common pitfalls on the web
- Host Google Fonts locally: When fonts are loaded directly from Google servers, the visitor's IP address is transmitted to Google. Fonts should instead be stored locally on your own server.
- Load analytics tools only after consent: Tools like Google Analytics may only become active after the visitor has given their consent.
- Embedded content: YouTube videos, maps, or social media buttons often transmit data to third parties as soon as the page loads. Two-click solutions (a local placeholder that only loads the third-party embed after the visitor clicks it) or privacy-friendly embedding options can help here.
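The two practices above, loading an analytics tag only after consent and replacing an embed with a two-click placeholder, as an added JavaScript example that is not code from the original page. It assumes conventions of my own choosing: consent is kept in a first-party cookie named "consent" holding a JSON object of category flags, the analytics script URL (analytics.example) is a placeholder, and the class and data attributes are made up for the example; www.youtube-nocookie.com is YouTube's privacy-enhanced embed host.

```javascript
// Added example (not from the original page): consent-gated loading of
// non-essential scripts plus a two-click placeholder for an embedded video.
// Assumed conventions: consent is kept in a first-party cookie named
// "consent" holding JSON such as {"analytics":true,"media":false};
// the script URL and the placeholder markup are placeholders.

const NON_ESSENTIAL_SCRIPTS = {
  // placeholder URL; stands in for any analytics or marketing tag
  analytics: ["https://analytics.example/tag.js"],
};

// Read the consent cookie. Anything missing or malformed counts as
// "no consent", so a broken cookie can never unlock a tracker.
function parseConsent(cookieHeader) {
  const match = /(?:^|;\s*)consent=([^;]*)/.exec(cookieHeader || "");
  if (!match) return {};
  try {
    const parsed = JSON.parse(decodeURIComponent(match[1]));
    return parsed !== null && typeof parsed === "object" ? parsed : {};
  } catch {
    return {};
  }
}

// Only categories explicitly set to boolean true are permitted;
// the string "true" or the number 1 is not enough.
function scriptsAllowed(consent) {
  const urls = [];
  for (const [category, list] of Object.entries(NON_ESSENTIAL_SCRIPTS)) {
    if (consent[category] === true) urls.push(...list);
  }
  return urls;
}

// Inject the permitted scripts into `doc`. The document is passed in so the
// function can be exercised without a browser; in a page, call it with
// `document` once the consent banner has been answered. Returns the URLs
// that were actually inserted.
function loadPermittedScripts(doc, cookieHeader) {
  const loaded = [];
  for (const src of scriptsAllowed(parseConsent(cookieHeader))) {
    const el = doc.createElement("script");
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
    loaded.push(src);
  }
  return loaded;
}

// YouTube video ids are 11 characters from this alphabet; rejecting anything
// else keeps untrusted ids out of the generated markup.
function assertVideoId(videoId) {
  if (!/^[A-Za-z0-9_-]{11}$/.test(videoId)) throw new Error("invalid YouTube id");
}

// Two-click embed, step one: the page initially contains only a local
// placeholder carrying the video id; no request to the video platform
// happens until the visitor clicks.
function youtubePlaceholderHtml(videoId) {
  assertVideoId(videoId);
  return `<div class="yt-placeholder" data-video-id="${videoId}">` +
    `<button type="button">Load video (connects to YouTube)</button></div>`;
}

// Step two, run from the placeholder's click handler: the real iframe,
// pointed at the privacy-enhanced embed host.
function youtubeIframeHtml(videoId) {
  assertVideoId(videoId);
  return `<iframe src="https://www.youtube-nocookie.com/embed/${videoId}" ` +
    `allowfullscreen referrerpolicy="strict-origin-when-cross-origin"></iframe>`;
}

// Wire the placeholders up in a real page: each button swaps its own
// placeholder for the iframe on click.
function activateTwoClickEmbeds(doc) {
  for (const box of doc.querySelectorAll(".yt-placeholder")) {
    box.querySelector("button").addEventListener("click", () => {
      box.outerHTML = youtubeIframeHtml(box.dataset.videoId);
    });
  }
}
```

In a page, the flow is: render the placeholders server-side with `youtubePlaceholderHtml`, call `activateTwoClickEmbeds(document)` on load, and call `loadPermittedScripts(document, document.cookie)` only after the consent banner has written the cookie. The important property is that a missing, malformed or merely "truthy" consent value never causes a third-party script or iframe to be requested.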
Fines for non-compliance
The GDPR provides for severe penalties. In cases of serious violations, fines of up to 20 million euros or 4% of the global annual turnover may be imposed, whichever amount is higher. While such maximum fines usually affect large corporations, warnings and smaller fines also pose a real risk for small website operators.
Conclusion
While the GDPR may seem complex at first glance, it can be implemented for most websites with manageable effort: a clear privacy policy, a functional cookie consent banner, SSL encryption, and a conscious selection of privacy-friendly tools cover the majority of requirements. Those who take data protection seriously not only avoid legal risks but also strengthen the trust of their visitors.
Note: This text is for general information purposes only and does not constitute legal advice. For specific questions regarding implementation, a lawyer specialising in data protection or your data protection officer should be consulted.