Skip to content

On the safe side: Imprint and privacy policy

By now, most companies know that they have to make an imprint and a privacy policy available on their website - otherwise, there is the threat of high warnings and serious legal consequences. In order to be able to complete the topic quickly, the texts are taken over in a hurry from googled online generators. In doing so, the text for the data protection statement is often copied directly under the imprint section, which is illegal according to a decision of the Higher Regional Court of Hamburg and can have serious consequences. One thing is certain: every website needs a privacy policy that is complete in terms of content and can be called up separately from the imprint! We have summarised what companies must pay attention to when setting up an imprint and data protection declaration on their website and what will change in 2018 with the General Data Protection Regulation:

Website: Data protection declaration is mandatory

As soon as personal data is collected on a website, it must have a data protection statement, the Federal Data Protection Supervisory Authority (BfDI) has decided. According to this ruling, however, almost every site needs a data protection statement - even if the homepage only has minimal content. Without many website operators being aware of it, integrated measuring tools of the provider and tools such as Google Analytics store data of website visitors such as time, browser, IP address, entry and exit page, operating system used and data volume in the background. Personal data is also collected when cookies or contact forms are used. But ignorance is no excuse, because: All these data are considered personal data, as they can be used to establish a connection to a person. Therefore, every website - whether private or commercial - must have an adequate privacy policy.

Proper imprint and data protection statement

This is what companies must bear in mind when implementing the data protection regulations on their website: The data protection statement must not simply be inserted into the imprint page, but must be clearly separated from it and unambiguously recognisable. It must be clearly accessible from every page of the website - the imprint, on the other hand, must only be accessible by means of two clicks and thus not be directly linked on every page. The privacy policy can also be placed in the imprint if the imprint can be reached by means of one click on the entire website and it is clear from the link that the privacy policy is also available there.

The new General Data Protection Regulation

From May 2018, the new General Data Protection Regulation will apply to all European companies, and the requirements for a correct data protection statement will be further increased in the course of this. In future, visitors to websites must be informed even more precisely about the collection and use of their data - they have extensive rights to information, correction and deletion. The lawyer Michael von Rothkirch of the law firm Heinz v. Rothkirch, specialist lawyers for copyright and media law, therefore warns of the expensive consequences of a missing or incorrectly linked data protection declaration: "This is an administrative offence that can be punished with a fine of up to € 50,000. These fines increase drastically with the new General Data Protection Regulation. In addition, there is the threat of warning letters and legal proceedings for infringement of competition law provisions."

IT law is continuously evolving and poses many challenges for digitalising companies, because there is a risk of being warned or sued if regulations and laws are ignored. As a digital agency, we are keen to communicate relevant developments and intricacies of IT law, but we are not authorised to provide legal advice. Companies should seek advice from a law firm or lawyer specialising in IT law in order to continue to grow in online commerce without legal obstacles.