GDPR Compliant Websites and Apps - 10 topics you should be aware of (GDPR Checklist, Data Protection)

Dr. Thomas Helbing

This article gives an overview of the requirements of data protection law (namely the General Data Protection Regulation, GDPR) for websites, apps and online platforms in Germany.

It is targeted to all persons who design, develop or take responsibility for websites or advise on data protection (e.g. clients of website projects in companies, online and web agencies, software developers, data protection officers, lawyers and data protection consultants).

The reader does not require any in-depth technical or legal prior knowledge. This, and the complexity of the subject, require a certain generalization and a simplified presentation. The aim of the text is to raise awareness of the relevant topics, not to deal with all data protection issues in detail.

Table of Contents

  1. Data Protection Notices
  2. Data Processors
  3. Tracking
  4. Cookies and Cookie Banners
  5. E-Mail Marketing / Newsletter
  6. Input Forms
  7. Provider outside the EU/EEA
  8. Plugins
  9. Records of Data Processing Activities
  10. Apps

1. Data Protection Notices

Does the website contain current data protection information that explains the specific functions of the website and contains all legally required information?

The website must have privacy notices, i.e. a text explaining how personal data is handled. Other terms are "privacy statements", "privacy information" or "privacy policies".

The storage of the IP address of a website visitor in a log file may already qualify as a processing of personal data about which information must be provided.

For each website function (e.g. contact form, order form, tracking) the following questions have to be answered:

  • What data is collected?
  • What is the data used for?
  • How long is the data stored?
  • Who receives the data internally and externally?
  • What is the legal basis of the processing?

"Website functions" means all the functionalities and technologies of a website that process personal data. Website functions are e.g.

  • Input forms (contact form, order form for newsletter)
  • Tools and technologies to analyze the behavior of website visitors (e.g., log files, tracking tools from Google, e-Tracker, or Adobe), and
  • the integration of social media plugins (e.g. like buttons) and marketing tags (e.g. Google Remarketing).

An overview of other website functions can be found in my "Form/Checklist - Preparation of Privacy Notices for Websites (Privacy Notices, Privacy Policy)". The form can be used to collect and document all information necessary for drafting tailored privacy notices.

In case of new or changed website functions (e.g. input forms, tracking tools), the data protection notices may have to be amended.

2. Data Processors

Have data protection agreements been concluded with all providers who act as data processors (e.g. hosting companies, tracking tool providers) and have providers been audited?

If website functions (e.g. plugins) are provided by third parties and personal data is processed or if the vendor has access to personal data, these often qualify as “data processors”. The website operator must then enter into data processing agreements (controller-processor agreements) with the suppliers and the data security of the suppliers must be reviewed and documented. When choosing a provider it should be checked whether they offer the necessary controller-processor contracts and can provide a documentation of their data security measures.

Examples:

  • Tracking providers such as Google Analytics, Adobe or eTracker
  • Providers of functions for integrating online applications into own websites
  • Providers of newsletter registration functions, which are integrated into the own web page
  • Providers of newsletter tools (e.g. MailChimp, CleverReach)
  • Providers of online surveys
  • Hosting providers (not: mere providers of housing/co-location services that do not have access to the data).

Providers who access personal data as part of their service are also considered data processors (e.g. web agency or developer with access to the database, web server or analytics data).

Providers that use data under their own responsibility are not data processors, e.g. Google in the provision of Google Maps or Facebook in the provision of Like-Buttons. In such cases, it may be necessary to conclude special "Joint Controller" agreements.

3. Tracking

Are tracking technologies used lawfully?

"Tracking technologies" are procedures by which the behavior of website visitors or e-mail recipients is monitored, stored and analyzed. Tools like Matomo/Piwik, Google Analytics, Adobe Analytics or HubSpot are examples.

If the data on usage behavior is linked to a person known by name (e.g. through an e-mail address), explicit and informed consent must be obtained beforehand. The implementation of such consent requires some technical effort and limits the number of visitors that can be tracked, since without consent no tracking may be carried out. For valid consent, the user must take an active action (e.g. check a box). The mere statement that further use of or surfing on a website is deemed to be consent is not sufficient.

If consent is not obtained, the following four points should be observed:

  • The usage data may not be directly assigned to a person, but must be stored under a pseudonym. Pseudonym means an identification number or a cookie ID. In addition, it must be ensured that the pseudonym is not combined with directly identifying data (e.g. name, e-mail address).
  • The usage data may not contain any IP addresses or the IP addresses may only be stored in shortened form.
  • The user must have the opportunity to object to the tracking (e.g. via an opt-out link in the privacy notice, which will set an opt-out cookie).
  • The scope, storage period and intended use and the opt-out mechanism must be set out in the data protection notice.

These measures can reduce the risk of a data protection law violation. However, the lawfulness under data protection law and the requirements for the use of tracking mechanisms are still unclear, so that a legal risk remains. In particular, some data protection regulators in Germany hold the view that user consent is also required for pseudonymized tracking, at least for tracking taking place across websites and devices (e.g. Universal Analytics by Google). This view, however, is controversial.

In case of third party tracking vendors (e.g. Google), a controller-processor agreement must usually be concluded.

Compliance with these requirements should be reviewed as early as possible when the decision on a tracking mechanism and provider is made.

4. Cookies and Cookie Banners

Is the use of cookies explained and - if necessary - is the user's consent obtained before the cookie is set?

The legal situation with regard to cookies in Germany is unclear due to the lack of or insufficient implementation of the ePrivacy Directive into German law and the ePrivacy Regulation being still in the EU legislative process.

If cookies are used to process personal data, the cookie must in any case be explained in the data protection notice.

In addition, it must be reviewed whether the user's consent must be obtained before setting a cookie:

  • Cookies which are required for the technical provision of the website and which are deleted when the browser window is closed generally require no consent (e.g. session cookies, cookies for the realization of shopping cart functions or for user authentication, cookies for load balancing of web servers).
  • Cookies, which store the user's settings regarding the user interface, are also generally permitted without consent (e.g. selected language or font size).
  • Cookies, which serve marketing purposes and are also transmitted to third parties (e.g. Google) and are not deleted when closing the browser, may require consent.

If consent is necessary, the following applies:

  • The cookie may only be set if the user has actively agreed to it (e.g. by clicking a button or ticking a box).
  • The statement in a "cookie banner", according to which the further use of the website is considered as consent to the use of cookies, is invalid because such deemed consent is not given clearly and the declaration of consent can hardly be proven.
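As an added example (not code from the article), the rules in this section can be enforced in one small consent gate: cookies are grouped into the categories listed above, a cookie that needs consent is only issued after an active action, "continued use" events never count, and each consent is stored with the version of the notice it refers to so that it can be proven later. The category names, the shape of the `action` object and the record layout are assumptions made for this example.

```javascript
// Added example, not from the article: a consent gate for the cookie
// categories above. Category names, action shapes and the record layout are
// constructed for this example.
const CATEGORIES = {
  necessary:   { requiresConsent: false }, // session, cart, login, load balancing
  preferences: { requiresConsent: false }, // language, font size
  marketing:   { requiresConsent: true },  // persistent, shared with third parties
};

function createConsentState() {
  return { granted: new Set(), record: null };
}

// Records consent only for an active user action (button click or checkbox).
// Scrolling, continuing to browse or a banner timeout are not consent: nothing
// is granted and nothing is recorded. Returns true when a record was written.
function recordConsent(state, action, noticeVersion, now = Date.now()) {
  const active = action.kind === 'button' || action.kind === 'checkbox';
  if (!active) return false;
  const chosen = (action.categories || []).filter((c) => c in CATEGORIES);
  state.granted = new Set(chosen);
  // The record is what you show when asked to prove consent: what was agreed,
  // to which version of the notice, when, and through which control.
  state.record = { categories: chosen, noticeVersion, timestamp: now, control: action.kind };
  return true;
}

// Withdrawal must be as easy as giving consent; keep a record of it as well.
function withdrawConsent(state, now = Date.now()) {
  state.granted.clear();
  state.record = { categories: [], noticeVersion: null, timestamp: now, control: 'withdrawn' };
}

function maySetCookie(state, category) {
  const def = CATEGORIES[category];
  if (!def) return false;                // unknown category: never set
  if (!def.requiresConsent) return true; // technically necessary or UI settings
  return state.granted.has(category);
}

// Builds the Set-Cookie header, or returns null when the cookie must not be set.
// Omitting Max-Age yields a session cookie that is deleted when the browser closes.
function setCookieHeader(state, name, value, category, maxAgeSeconds) {
  if (!maySetCookie(state, category)) return null;
  let header = `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`;
  if (maxAgeSeconds !== undefined) header += `; Max-Age=${maxAgeSeconds}`;
  return header;
}
```

The important property is that `setCookieHeader` is the only path that emits a marketing cookie, so a banner that tries to treat scrolling as consent cannot cause one to be set: `recordConsent` simply refuses the event.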

5. E-Mail Marketing / Newsletter

Are data protection requirements complied with when collecting and using the e-mail address for marketing e-mails?

As it concerns data protection requirements, please see my blog post on "Lawfulness of Direct Marketing in Germany under Data Protection Law", which will be published soon.

If the behavior of e-mail recipients is tracked, the requirements set out in the section "Tracking" above must be observed. Examples of such tracking are the recording and analysis of when e-mails were opened, read or forwarded or which links were clicked in e-mails. If this information can be linked to a specific e-mail address, tracking requires prior informed consent under data protection law. This consent should be given separately from the opt-in to marketing mails and users should be able to withdraw it separately from the marketing opt-in.

6. Input Forms

Are only the necessary data collected when using input forms and is the purpose of use transparent?

For all online forms through which visitors can enter personal data, the following requirements must be met with regard to each data field (examples of online forms are contact and feedback forms, surveys, newsletter subscription forms or forms for downloading whitepapers):

  • Is the purpose for which the information is used clear (purpose of use)?
  • If the information is not absolutely necessary, is the respective field optional?
  • Is it clear to users which fields are required and which ones are optional?

The purpose of use for specific data can be explained in the data protection policy. It is advisable to integrate a link below the input form to the respective section of the data protection policy (e.g. "Details on the use of your contact data are set out in section 5 of our data protection notice"). The purpose of use can also be explained next to the input fields or in form of a "tooltip" (e.g. "We use your date of birth to determine your age for the age verification.").

An explicit confirmation of or consent to the privacy notice within a form is neither necessary nor correct (wrong: "[ ] I accept the privacy policy"). Exceptions only apply if consent is required as the legal basis for handling specific data (e.g. for marketing purposes).

7. Provider outside the EEA

Are the specific data export requirements met when using providers outside the European Economic Area (EEA)?

If tools or technologies are used by providers located outside the EEA (i.e. the EU plus Norway, Iceland and Liechtenstein) and if such providers have access to personal data (e.g. data linked to IP addresses), this is referred to as a "data export to an unsafe third country" (except for certain "safe" third countries such as Switzerland, Israel or Japan).

Such data export is only lawful under special conditions. The special requirements also apply to EU based providers who use subcontractors in unsafe third countries (e.g. US parent company).

Examples: Use of Amazon Web Services, Google LLC, MailChimp.

For providers in the US, a self-certification according to the Privacy Shield Framework is sufficient. Whether such a certification exists can be verified through the data protection notices of the provider or the following website: https://www.privacyshield.gov/list . In the absence of such certification, certain standard contracts provided by the EU Commission (so-called "EU standard contractual clauses") must be concluded with the provider.

The transfer of data to a third country must also be explained in more detail in the data protection notice.

Before using suppliers in third countries, compliance with these requirements must be safeguarded.

8. Plugins

Is a "two-click mechanism" implemented for the integration of plugins?

If third-party components (plugins, scripts, one-pixel images, iFrames or similar) are integrated into a website, this often leads to a direct connection being established between the visitor's browser and the provider's server when the website is accessed. In these cases, the provider can determine the IP addresses of the visitor, record usage data or set cookies.

Examples of such third party components are social media plugins from Facebook, Google or Twitter (e.g. Share or Like Buttons), Google Maps or the YouTube Player.

The use of these components can be critical under data protection law if the allocation of responsibilities between the website operator and the provider, and thus the contractual requirements, are unclear (controller-processor relationship, joint or separate responsibility). In addition, the provider often gives only insufficient information on its data processing, or the data processing by the provider does not meet the requirements of the GDPR.

It must be evaluated whether the third party component should actually be used. Instead of integration of scripts or iFrames into the website it is often possible, for example, to just set a link to an external service (e.g. link to Google Maps with the address to be displayed, or a like link instead of a like button).

If a plugin is used, the following precautions should be considered to reduce the potential data protection risk, especially if the plugin provider does not act as a data processor for the website operator:

  • The user must activate the plugin with a click before the plugin is loaded and a connection to the server of the provider is established. Before such activation, only a preview image is shown (e.g. the two-click mechanism for like buttons or the "Shariff" mechanism of the c't magazine).
  • The privacy notices provide information on how the plugin works and how to activate it.
  • The data processing by the provider is set out in the data protection notice of the website operator and in addition a link is set to the data protection notices of the provider.
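The first precaution above is the one with a technical core: until the visitor clicks, no request may reach the provider, so the preview must come from the operator's own host. The following is an added example (not the article's code, and not the c't "Shariff" implementation) of such a two-click embed: a placeholder with a locally hosted preview image and an activation button, the real iframe that replaces it only on that click, and a self-check that lists every third-party host a rendered fragment would contact. The embed registry, the provider URL `plugin.example.com` and the preview path are constructed for this example.

```javascript
// Added example, not from the article: a two-click embed in the spirit of the
// mechanism described above. Nothing is requested from the provider until the
// visitor clicks the button; until then the page shows a preview from its own
// host. The registry, the URLs and the preview path are constructed.
const EMBEDS = {
  'video-1': {
    label: 'Play video (loads content from plugin.example.com)',
    preview: '/static/previews/video-1.jpg',          // own host
    src: 'https://plugin.example.com/embed/video-1',  // third-party host (constructed)
  },
};

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// First state: preview image plus a button. No third-party URL appears here,
// so rendering it causes no connection to the provider.
function renderPlaceholder(id) {
  const e = EMBEDS[id];
  if (!e) throw new Error(`unknown embed ${id}`);
  return `<div class="embed-placeholder">` +
    `<img src="${escapeHtml(e.preview)}" alt="">` +
    `<button type="button" data-activate="${escapeHtml(id)}">${escapeHtml(e.label)}</button>` +
    `</div>`;
}

// Second state: the real iframe. Inserting it is the first request to the provider.
function renderActive(id) {
  const e = EMBEDS[id];
  if (!e) throw new Error(`unknown embed ${id}`);
  return `<iframe src="${escapeHtml(e.src)}" referrerpolicy="no-referrer" loading="lazy"></iframe>`;
}

// Lists hosts other than ownHost referenced by src/href attributes. A placeholder
// must yield an empty list; this doubles as a unit test for new embed types.
function externalHosts(html, ownHost) {
  const hosts = new Set();
  for (const m of html.matchAll(/\b(?:src|href)="([^"]+)"/g)) {
    const host = new URL(m[1], `https://${ownHost}/`).host;
    if (host !== ownHost) hosts.add(host);
  }
  return [...hosts];
}

// Mounts the placeholder into a container and swaps in the real embed only on
// an explicit click of the activation button. Works with a DOM element or any
// object offering innerHTML and addEventListener.
function mount(container, id) {
  container.innerHTML = renderPlaceholder(id);
  container.addEventListener('click', (event) => {
    const target = event.target;
    if (target && target.dataset && target.dataset.activate === id) {
      container.innerHTML = renderActive(id);
    }
  });
}
```

In a real page `mount(document.getElementById('video'), 'video-1')` does the wiring; the `externalHosts` check is useful in a build or test step to make sure nobody later adds a provider-hosted thumbnail to the placeholder, which would silently defeat the mechanism.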

9. Records of Data Processing Activities

Are website functions documented in the "Records of Data Processing Activities"?

Website functions can qualify as so-called "processing activities", which must be documented in the "records of processing activities" of the website operator. This documentation is required by the GDPR and must be kept by de facto every company in Germany.

However, not every single input form or tool has to be listed in such records. A documentation obligation exists only if functions of the website serve a superior, "larger" purpose or are part of a different (offline) procedure.

Examples of website-related processing activities to be documented in the records of processing activities: newsletter subscription management, an online application platform or tools for analyzing website visitors.

10. Apps

If the company provides a native app (e.g. for iOS or Android) to customers or users and operates as app provider: Have the specific data protection requirements for apps been complied with?

Examples of such apps are self-service apps for employees, customer apps, or conference apps for participants of events.

Apps require special data protection notices, which must be available in the app store before the app is downloaded and at any time later from within the app. The developer or provider of the app should provide the company with sample texts or background information on data protection. In addition, the app must be reviewed with regard to its data protection conformity.

Particular attention should be paid to the following data protection aspects: The app may not require more permissions than necessary (e.g. access to location, contacts or storage), and it must be explained in the privacy notices when and for what purposes the permissions are used. It must be clear what data is collected and where it is stored (on the smartphone or on a backend server). Communication between the app and the backend must be encrypted. Access to device identifiers such as IMEI or UDID must be handled restrictively. The use of tracking tools must be reviewed.

Apps accordingly require special data protection notices. A mere link to the data protection notices of the company website is not sufficient.

Area of law: Data Protection Law