Data Protection Policy
Every online retailer is obliged to provide a data protection policy as soon as they collect data from users. It does not matter whether the user simply fills out a typical contact form or enters personal data when placing an order.
With the upcoming GDPR (deadline: 25 May 2018), the data protection rules will be tightened considerably, which entails new legal requirements for the data protection policy. Members of Händlerbund will receive the GDPR-compliant data protection policy in good time in the member area. For everyone else this means: get help quickly, because the changes are more comprehensive than expected.
Extract from the GDPR amendments to the data protection policy
A detailed overview of the forthcoming changes to the GDPR can be found here: Overview of the GDPR
In the data protection policy, the functionality, the recipient, the right of withdrawal and the use of data must be explained separately for each tool. Explicit consent from visitors will not be required, which is quite reassuring. However, an opt-out widget must be made available so that visitors can raise objections.
The new information obligations are regulated in Articles 13 and 14 of the GDPR and are to be made available in a precise, transparent, comprehensible and easily accessible form. The following information, among other items, must be provided to the data subject: the name and contact details of the controller, the contact details of the data protection officer where one exists, the purposes of the data processing, etc.
Example: in future, customers of an online shop may request the following information, among other items, about the storage and use of their personal data:
- the purpose of the data processing;
- whether there is a right to rectification, erasure or limitation of data processing;
- whether the customer has a right of objection;
- where and how complaints can be filed with an authority, etc.
Legal Basis & Information on the Integration of the Data Protection Policy
- The data protection policy should be clearly visible,
- and can be integrated into the main navigation (e.g. the footer) via a link or button that can be called up at any time.
Special Provisions of the Data Protection Declaration
Social Media Extensions
According to a judgement of the Regional Court Düsseldorf (LG Düsseldorf, judgement of 09/03/2016, file number 12 O 151/15), the use of the so-called Facebook Like Button is legally risky. A reference in the data protection policy is also not sufficient. The court decision is not yet legally final; a ruling from the ECJ is currently pending. Nevertheless, we recommend not including the Like button. All other social plugins such as Google+, Twitter & Co. have not been judged yet. If you use one of these plugins, a corresponding note in the data protection policy is necessary. Online shop operators who have deactivated the plugin so that the user must first activate it with an additional click (the so-called 2-click model) are also obliged to supplement the data protection policy with a corresponding note on data collection and data use. But even the 2-click solution no longer offers complete legal certainty.
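The point of the 2-click model is that no request reaches the social network until the visitor actively activates the plugin. The following loader, an added example that is not code from Händlerbund or from any social network, makes that visible: the first click shows a locally served placeholder, and only the activation click loads the third-party script. The plugin URL is a placeholder, and the script-loading function is passed in so the flow can be checked outside a browser.

```javascript
// Added example (not from the original page): minimal "2-click" social plugin loader.
// Before activation the visitor only sees a placeholder served from our own site;
// the third-party script is fetched only after the explicit activation click.
// `loadScript` is injected so the logic can be exercised without a browser.

function createTwoClickPlugin(pluginUrl, loadScript) {
  const state = { activated: false, thirdPartyRequests: 0 };
  const host = new URL(pluginUrl).host;
  return {
    // Placeholder markup shown before consent: no external request is made for it,
    // and it tells the visitor which third party will be contacted on activation.
    placeholderHtml() {
      return '<button class="plugin-placeholder">Activate plugin (loads content from ' +
        host + ')</button>';
    },
    // Activation step: loads the script exactly once.
    activate() {
      if (state.activated) return false; // idempotent: never load twice
      state.activated = true;
      state.thirdPartyRequests += 1;
      loadScript(pluginUrl);
      return true;
    },
    isActivated() { return state.activated; },
    thirdPartyRequests() { return state.thirdPartyRequests; },
  };
}

// Browser loader: inserts the script element only when called, i.e. after the click.
function browserLoadScript(url) {
  const s = document.createElement('script');
  s.src = url;
  s.async = true;
  document.head.appendChild(s);
}

// Browser wiring (skipped under Node). The element id and plugin URL are placeholders.
if (typeof document !== 'undefined') {
  const plugin = createTwoClickPlugin('https://platform.example/widgets.js', browserLoadScript);
  const slot = document.getElementById('like-button-slot');
  if (slot) {
    slot.innerHTML = plugin.placeholderHtml();
    slot.querySelector('button').addEventListener('click', () => plugin.activate());
  }
}
```

Because the placeholder is plain HTML from your own server, the visitor's IP address and browser data are not disclosed to the network before activation; the accompanying note in the data protection policy still has to describe what happens after the click.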
Website Analytics Tools
Website analysis tools include Google Analytics and etracker. Inform your users in the data protection policy about the collection and use of the data these tools gather. In addition, make sure that you use tools such as Google Analytics in a legally compliant manner, e.g. by concluding a written data processing agreement with Google, using the analysis tool only with truncated IP addresses and, if necessary, deleting existing old data. Attention when using Google Analytics! Use this tracking instrument only with the "anonymizeIP" extension, so that full IP addresses are not transmitted without authorisation, which would expose you to cease-and-desist warnings.
Checklist for a GDPR-compliant website analysis:
- Clause in the data protection policy for each tool separately with explanations on how the tools work
- General obligations to provide information on cookies and analysis tools (new in particular are the legal basis and the purpose of the data processing, see above under "Information obligations")
- Automatic anonymisation of the visitor ID, especially with Google Analytics
- Respect for the "DoNotTrack" settings
- Opt-out widget
Checklist for GDPR-compliant cookies:
- Understandable clause in the data protection policy about the functionality and purpose of the cookie(s)
- Reference to the opt-out option in the browser settings, optionally with instructions
- General obligations to provide information on cookies (new is in particular the legal basis and the purpose of data processing, see above under "Obligations to provide information")
- Respect for the "DoNotTrack" settings
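Three items from the two checklists above (anonymised IP addresses, respect for "DoNotTrack" and an opt-out widget) are technical settings rather than policy text. The following bootstrap is an added example, not code from Händlerbund or Google, that shows how they fit together for Google Analytics loaded via gtag.js: the tag is only loaded when neither the browser's Do Not Track flag nor a previous opt-out says no, and IP anonymisation is switched on in the configuration. The property ID and the "ga_optout" cookie name are placeholders; the browser objects are passed in as parameters so the decision logic can be tested outside a browser.

```javascript
// Added example (not from the original page): privacy-minded Google Analytics bootstrap.
// Assumptions: gtag.js, a placeholder property ID, and a cookie named "ga_optout"
// written by the opt-out widget. Browser objects are parameters so the logic runs in Node.

const GA_PROPERTY_ID = 'UA-XXXXXXX-Y'; // placeholder, replace with your own property ID
const OPT_OUT_COOKIE = 'ga_optout';

// True when the browser signals Do Not Track. Browsers have exposed the flag under
// different names and values over the years, so all common variants are checked.
function doNotTrackEnabled(nav, win) {
  const raw = nav.doNotTrack || nav.msDoNotTrack || (win && win.doNotTrack);
  return raw === '1' || raw === 'yes';
}

// True when the visitor has already used the opt-out widget on this site.
function optedOut(cookieString) {
  const re = new RegExp('(^|;\\s*)' + OPT_OUT_COOKIE + '=1(;|$)');
  return re.test(cookieString || '');
}

// Central decision: load the tracking tag only if neither signal objects.
function trackingAllowed(nav, win, cookieString) {
  return !doNotTrackEnabled(nav, win) && !optedOut(cookieString);
}

// gtag.js config parameters with IP anonymisation switched on.
// The analytics.js equivalent is ga('set', 'anonymizeIp', true).
function analyticsConfig() {
  return { anonymize_ip: true };
}

// Opt-out widget handler: sets the page-level disable flag that analytics.js and
// gtag.js honour, and persists the choice in a two-year cookie for later visits.
function optOut(propertyId, doc, win) {
  win['ga-disable-' + propertyId] = true;
  const expires = new Date(Date.now() + 2 * 365 * 24 * 60 * 60 * 1000).toUTCString();
  doc.cookie = OPT_OUT_COOKIE + '=1; expires=' + expires + '; path=/; SameSite=Lax';
  return doc.cookie;
}

// Page bootstrap: returns the config that was applied, or null when tracking was
// suppressed. The script element is only created when a real DOM is available.
function bootstrapAnalytics(nav, doc, win) {
  if (!trackingAllowed(nav, win, doc.cookie)) return null;
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); }
  const cfg = analyticsConfig();
  gtag('js', new Date());
  gtag('config', GA_PROPERTY_ID, cfg);
  if (typeof doc.createElement === 'function') {
    const s = doc.createElement('script');
    s.async = true;
    s.src = 'https://www.googletagmanager.com/gtag/js?id=' + encodeURIComponent(GA_PROPERTY_ID);
    doc.head.appendChild(s);
  }
  return cfg;
}

// Browser entry point (skipped under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  bootstrapAnalytics(navigator, document, window);
}
```

Wire the opt-out widget's button to optOut(GA_PROPERTY_ID, document, window); the cookie it writes is what trackingAllowed consults on the next page load, so the objection survives beyond the current page.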
Your GDPR-compliant Data Protection Policy
From as little as €9.90 per month, you will receive all the legal texts you need for legally compliant trading, for example the GDPR-compliant data protection policy, legal notice, cancellation policy and general terms and conditions. We assume full liability for all legal texts and also supply suitable legal texts for over 50 sales platforms.
If you need more help with the GDPR, the Unlimited membership is worth it for you! You will then receive legal advice via telephone & e-mail, a comprehensive shop inspection and many other e-commerce services.