
10 tips for a data privacy-compliant website

Nina Nguyen | 18.08.2021

The EU General Data Protection Regulation (GDPR) has been in force since 25 May 2018 and serves to protect personal data. Since then, (web) companies have had to keep their collection and processing of personal data continuously up to date and compliant, because the requirements and information obligations have been tightened steadily since the regulation came into force. Each and every one of us has the right to determine what happens (or is not allowed to happen) to our data. In times of inexorably advancing technological achievements and constantly new leaks, hacking attacks and data scandals, companies with a website need to be all the more careful about the issue of data protection.

Why? Data privacy violations are very expensive. Since May 2018, fines of up to 20 million euros or 4% of the previous year's turnover can be imposed. A good and well-known example from the social media world is the data protection breach of the platform TikTok in the Netherlands. This incident shows that companies operating internationally need to look even more closely at whether they are still complying with all data protection rules in other countries, in order to avoid heavy fines and bad publicity.


What exactly does the GDPR now mean for website owners and what requirements apply? How can you ensure that the translation of your privacy policy is legally correct? Here are our 10 tips for a data privacy-compliant website.

Tip 1. Privacy policy

The requirements for the content of the privacy policy are high. Important: Any processing of personal data must be explicitly described on the website. Every visitor must be informed transparently and in detail. In addition, the privacy policy must be translated and available in all languages in which the website content is offered. The example of the social media platform TikTok shows that it is not enough to make the privacy policy available in English. TikTok is required to make its privacy policy available in the languages of the countries where the platform is permitted.

The following information must be included:


Tip 2. Legal notice

In some cases, further information is required, such as the responsible supervisory authorities, commercial, association, partnership or cooperative registers, the person responsible for the content and the VAT or business identification number.

The visitor must be able to find the legal notice within 2 clicks.

The following must be specified:

1. Name
2. Current address of the provider
3. Legal form
4. Persons authorised to represent
5. At least one e-mail address

Tip 3. Forms

The easiest way for visitors to get in touch with you is via a contact form. Since personal data is transmitted, this form must be in conformity with data protection regulations under all circumstances. The same principle applies to other forms, such as the newsletter, registration, login or checkout in an online shop.

The rule here is: only data that is actually necessary for the respective purpose may be collected. For a contact form, mandatory fields must be checked and clearly marked; optional additional fields are possible.

Website visitors must be clearly informed in the privacy policy about what information is collected and exactly what it is used for. If you use several forms on the website, you must clearly indicate which form each statement refers to. It is best to inform your visitors directly below the input field about the purpose of the processing (incl. a link to the privacy policy) and add a checkbox where they can give their consent. Please also note that the data from the contact form may only be used for the purpose of making contact. These data must be deleted after transmission. It is also your responsibility to ensure the secure transmission of data between the visitor's computer and your server. This requires an SSL certificate, which is discussed in Tip 4 below.
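The rules from this tip (collect only the declared fields, check the mandatory ones, require an explicit consent tick, bind the data to one purpose) can be enforced on the server side. The following is an added example written for this article, not code from lingoking or from the original page; the field names, the purpose string and the consent-version identifier are assumptions made for the example.

```javascript
// Added example: server-side validation of a contact form applying the rules
// from Tip 3. Field names, the purpose wording and the consent-version
// identifier are assumptions of this example, not part of the original article.

// Declared fields: only these may be collected (data minimisation). Anything
// else the browser sends is discarded and never stored.
const CONTACT_FORM_FIELDS = {
  name:    { required: true,  maxLength: 100 },
  email:   { required: true,  maxLength: 254, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  message: { required: true,  maxLength: 5000 },
  phone:   { required: false, maxLength: 40 },   // optional; marked as optional in the form UI
};

// Purpose bound to this form. It must match the privacy policy and is stored
// with the submission so the data cannot later be reused for something else.
const CONTACT_FORM_PURPOSE = "answering the visitor's enquiry";
const PRIVACY_CONSENT_VERSION = "privacy-policy-2021-08";  // assumed id of the policy text shown

/**
 * Validates a raw submission (e.g. the parsed request body). Returns either
 * { ok: true, record } containing exactly the allowed fields plus the consent
 * proof, or { ok: false, errors } listing what is missing or invalid.
 */
function validateContactForm(submission, now = () => new Date()) {
  const errors = [];
  const data = {};

  for (const [field, rule] of Object.entries(CONTACT_FORM_FIELDS)) {
    const raw = typeof submission[field] === "string" ? submission[field].trim() : "";
    if (raw === "") {
      if (rule.required) errors.push(`${field} is required`);
      continue;                                   // optional and empty: store nothing
    }
    if (raw.length > rule.maxLength) errors.push(`${field} exceeds ${rule.maxLength} characters`);
    if (rule.pattern && !rule.pattern.test(raw)) errors.push(`${field} is not valid`);
    data[field] = raw;
  }

  // Consent must be an explicit action by the visitor. A missing value means
  // the box was not ticked (and the checkbox itself must not be pre-ticked).
  if (submission.privacyConsent !== "yes") errors.push("consent to the privacy policy is required");

  if (errors.length > 0) return { ok: false, errors };

  return {
    ok: true,
    record: {
      ...data,
      purpose: CONTACT_FORM_PURPOSE,
      consentVersion: PRIVACY_CONSENT_VERSION,
      consentAt: now().toISOString(),
    },
  };
}
```

Unknown keys such as a stray `newsletter` field are dropped rather than stored, which is the practical form of the "only necessary data" rule; the stored record carries the purpose and the policy version the visitor consented to, which is what you will need to show if a visitor or an authority asks.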

Tip 4. SSL certificate

Personal data may not be read, copied, changed or deleted by unauthorised persons during transmission between the visitor's computer and the server. The transmission must therefore be encrypted, e.g. by serving the site over HTTPS with an SSL/TLS certificate ("Secure Sockets Layer"), which ensures encrypted communication between computer and server.

You can recognise a site secured with an SSL certificate by the "https" prefix and a lock symbol in the browser's address bar.

Tip 5. Comments

If there is a comment function on your website that requires personal data to be entered (e.g. e-mail address), this comment function must be mentioned in the privacy policy. Please note that the data provided for the comments may not be used for purposes other than those described in the privacy policy. Here, too, an SSL certificate is necessary for secure transmission.

Also explain to your website visitors how their data is stored and used by linking to the privacy policy. To make your comment function even more privacy-friendly, you can configure comments so that their contents are checked before publication, or replace names with abbreviations or pseudonyms.

Tip 6. Tracking and cookies

You have the option of evaluating and analysing visitors and their surfing behaviour with the help of web trackers such as Google Analytics. You must bear in mind that the data will be transmitted to third parties. So pay attention to the following:

* IP addresses may only be stored anonymously.
* Expand the privacy policy with a description of how and for what purpose visitor data is stored, and of whom it is passed on to. Visitors must be offered the possibility to object at any time ("opt-out" function).
* An order processing contract is required for any third-party web tracker; in the case of Google Analytics it must be sent to Google.
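The first point in the list above, storing IP addresses only in anonymised form, is the one that has to be implemented in code rather than in a document. The following is an added example, not code from the original article or from lingoking: it truncates an address before it reaches an analytics store or an access log, using the same scheme Google Analytics applies with its IP-anonymisation option (last octet of an IPv4 address zeroed, only the first 48 bits of an IPv6 address kept). The log line format and the sample lines are constructed for the example.

```javascript
// Added example: anonymise a visitor's IP address before it is stored anywhere.
// Scheme: IPv4 keeps the /24 network (last octet set to 0); IPv6 keeps the
// first 48 bits (remaining 80 bits zeroed). Log format and sample lines below
// are constructed for this example.

function anonymizeIpv4(ip) {
  const octets = ip.split(".");
  if (octets.length !== 4 || octets.some((o) => !/^\d{1,3}$/.test(o) || Number(o) > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  octets[3] = "0";                         // drop the host part, keep the network
  return octets.join(".");
}

function anonymizeIpv6(ip) {
  if (!/^[0-9a-fA-F:.]+$/.test(ip) || ip.includes(":::") || ip.split("::").length > 2) {
    throw new Error(`not an IPv6 address: ${ip}`);
  }
  // Only the groups before a "::" (or the leading groups of a fully written
  // address) matter, because everything after the first 48 bits is discarded.
  // A leading "::" (e.g. "::1" or an IPv4-mapped "::ffff:a.b.c.d") therefore
  // collapses to the all-zero prefix, which is the safe outcome.
  const head = ip.split("::")[0];
  const groups = head === "" ? [] : head.split(":");
  while (groups.length < 3) groups.push("0");
  const prefix = groups.slice(0, 3);
  if (prefix.some((g) => !/^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error(`not an IPv6 address: ${ip}`);
  }
  // Normalise case and strip leading zeros so the same prefix is always written the same way.
  return prefix.map((g) => g.toLowerCase().replace(/^0+(?=.)/, "")).join(":") + "::";
}

function anonymizeIp(ip) {
  return ip.includes(":") ? anonymizeIpv6(ip) : anonymizeIpv4(ip);
}

// Apply it to a web-server access log line before the line is written out.
// Constructed line format: "<client ip> <iso timestamp> <method> <path> <status>".
function anonymizeAccessLogLine(line) {
  const [ip, ...rest] = line.split(" ");
  return [anonymizeIp(ip), ...rest].join(" ");
}

// Constructed sample lines using documentation address ranges, not real visitors.
const SAMPLE_LOG = [
  "203.0.113.45 2021-08-18T09:15:02Z GET /guide/10-tips 200",
  "2001:db8:85a3:8d3:1319:8a2e:370:7348 2021-08-18T09:15:07Z POST /contact 302",
];

function anonymizeSampleLog() {
  return SAMPLE_LOG.map(anonymizeAccessLogLine);
}
```

Run `anonymizeAccessLogLine` at the point where the line is produced (a logging middleware, or the hook that hands the visitor's address to the analytics library), not as a later clean-up job: a full address that has already been written to disk has already been stored.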

Cookies

Cookies are used to record the behaviour of users and thus create a user profile, e.g. in order to serve targeted advertising. However, users must actively consent to the processing of their data. This is done via a cookie banner that appears on the first visit to the website. Visitors decide which data may be passed on to third parties by ticking the appropriate boxes. The European Court of Justice (ECJ) recently ruled that pre-ticked checkboxes are not permissible for this purpose.

Tip 7. Newsletter

Recipients of your newsletter must have expressly consented to the sending of the newsletter to their e-mail address. For example, the visitor actively enters his or her e-mail address or ticks the corresponding checkbox. A check mark automatically set in advance when completing a purchase or filling out a contact form does not comply with the requirements of the GDPR.

You as the website operator must always be able to prove consent here. You can play it safe by sending the recipient an e-mail after registration in which he or she must confirm the newsletter subscription via a link. You must record this confirmation.

In addition, the newsletter subscriber must be able to unsubscribe at any time. This information must be included in the registration and in every newsletter. If your newsletter is sent via a service provider, you must inform your newsletter recipients of this and an order processing contract with the service provider is necessary. And here, too, a corresponding paragraph must be added to the privacy policy.

Tip 8. Social media

To link your website directly to your social media accounts, platforms such as Facebook, Twitter or Instagram offer "share" buttons. Personal data of the visitor is transmitted directly to the provider without anonymisation when the website is called up and used to generate profiles for advertising purposes. However, your visitors have not yet consented to the transmission of their data at that time. Therefore, the use of these share buttons is not GDPR-compliant, even if this is clearly mentioned in your privacy policy.

You have two options here:

2-click solution (consent on the website)

Here, functionless graphics with a link to your social media profiles are embedded on your website. When clicking on the graphic, the visitor is informed about the transfer of his/her personal data and consents to this. Only after consent is given is any data forwarded to the social media platform.

Shariff solution

Here the visitor is taken directly to a new window on the provider's site. From there, the respective provider informs the visitor about its data processing, and no personal data is transferred from your website.
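The 2-click solution from the first option above can be implemented in a few dozen lines of browser JavaScript. The following is an added example for this article, not code from lingoking, from the original page or from any platform's SDK: the provider URLs and notice texts are constructed placeholders, and the only code path that contacts the platform is the one executed after the visitor's confirmation.

```javascript
// Added example: the 2-click solution from Tip 8 as a small browser module.
// Until the visitor confirms, the page shows only a plain link to your own
// profile page; the provider's widget script is loaded only after the
// confirmation, so no request reaches the platform before that. Provider URLs
// and notice texts are constructed placeholders for this example.
const SHARE_PROVIDERS = {
  facebook: {
    label: "Share on Facebook",
    profileUrl: "https://www.facebook.com/your-company",                    // placeholder
    widgetScript: "https://widgets.example-provider.invalid/facebook.js",  // placeholder, not the real script
    notice: "Activating this button sends your IP address and the page URL to Facebook. Activate?",
  },
  twitter: {
    label: "Share on Twitter",
    profileUrl: "https://twitter.com/your-company",                        // placeholder
    widgetScript: "https://widgets.example-provider.invalid/twitter.js",   // placeholder
    notice: "Activating this button sends your IP address and the page URL to Twitter. Activate?",
  },
};

// Core state machine, kept independent of the DOM so it can be tested alone.
// loadWidget(url) is the only path that contacts the provider.
function createTwoClickButton(providerName, loadWidget) {
  const provider = SHARE_PROVIDERS[providerName];
  if (!provider) throw new Error(`unknown provider: ${providerName}`);
  return {
    state: "inactive",               // nothing has been loaded from the provider
    label: provider.label,
    profileUrl: provider.profileUrl, // plain link that works without any script
    notice: provider.notice,
    // Called with the visitor's answer to the notice; returns whether the
    // provider widget is active afterwards.
    decide(accepted) {
      if (this.state === "active") return true;   // already loaded; load only once
      if (!accepted) return false;                // declined: remain a plain link
      loadWidget(provider.widgetScript);
      this.state = "active";
      return true;
    },
  };
}

// Browser wiring (not exercised by the test). The click on the graphic opens
// the notice; confirming it is the second click that loads the widget.
function mountTwoClickButton(container, providerName, doc = document) {
  const button = createTwoClickButton(providerName, (url) => {
    const script = doc.createElement("script");
    script.src = url;
    script.async = true;
    doc.head.appendChild(script);
  });
  const link = doc.createElement("a");
  link.href = button.profileUrl;
  link.textContent = button.label;          // before activation: no provider contact at all
  link.addEventListener("click", (event) => {
    if (button.state === "active") return;  // widget is loaded; the plain link keeps working
    event.preventDefault();
    button.decide(doc.defaultView.confirm(button.notice));
  });
  container.appendChild(link);
  return button;
}
```

The separation matters for review: `createTwoClickButton` can be unit-tested to show that `loadWidget` is never called before `decide(true)`, which is exactly the property the tip requires, while `mountTwoClickButton` only glues that state machine to the page.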

Tip 9. Scripts and external content

If you use additional plug-ins and add-ons on your website, you should check whether personal data is processed and passed on. If data is transferred, once again an order processing contract is required, and the visitor must be informed in the privacy policy about the use of the plug-ins/add-ons and about his/her right to object.

Tip 10. Order processing contracts

These contracts must be concluded with all third parties to whom personal data is disclosed in exchange for their services. The core components are the subject and duration of the agreement, the type and purpose of the processing of personal data, the rights and obligations of the principal, the obligations of the contractor, the documentation and cooperation obligations as well as technical and organisational measures.

So nowadays it is no longer enough to have a privacy-compliant website in your own country. When expanding and internationalising your business, it is even more important that you inform yourself about the transnational and country-specific regulations. In any case, you can be on the safe side if you have your data protection statement, order processing contracts and all related documents translated into the respective language. This is the first step towards informing all website visitors in their native language about your data collection and processing, tracking systems and data transfer to third parties in an understandable way.

About the author

@Nina Nguyen | Global Content Manager, lingoking



As is unmistakable by my surname, I have Vietnamese roots, but I grew up in a beautiful small town in Lower Franconia (hint: famous for the "battle keys"). Since my school days, I have been passionate about the languages of this world and the different cultures that enrich us. With my experiences from my studies and in the professional field of translation, localisation, transcreation and content, I work in the marketing team of lingoking to introduce the world of lingoking beyond national borders and to inspire companies as well as each individual with our platform.

Interested?

Write to me @Lorenz Schweiger
