GDPR

What Actually Requires GDPR Compliance for a Website in Germany

Who Must Comply

  • Any website that processes personal data of individuals located in the European Union, including Germany, must comply with the General Data Protection Regulation (GDPR), regardless of where the website operator is based or where the website is hosted.

  • This includes both commercial and non-commercial websites if they process any personal data (such as collecting names, emails, IP addresses, or tracking user behavior).

What Triggers GDPR Requirements

  • Processing Personal Data: GDPR applies whenever a website collects, stores, or processes personal data. Personal data includes any information that can identify an individual, such as names, email addresses, IP addresses, cookies, and online identifiers.

  • Offering Goods or Services to EU Residents: If your website targets or offers goods/services to people in Germany or the EU, GDPR applies.

  • Monitoring Behavior: If your website tracks or profiles users (e.g., via analytics, cookies, or advertising), GDPR requirements are triggered.

Key GDPR Requirements for Websites in Germany

1. Privacy Policy (Datenschutzerklärung)

  • Every website must have a privacy policy that clearly explains what personal data is collected, how it is processed, the legal basis for processing, data retention periods, and users’ rights (including access, correction, deletion, and objection).

  • The privacy policy must be easily accessible and written in clear, understandable language.

2. Cookie Consent

  • Consent is required before setting cookies or using tracking technologies that are not strictly necessary for the website's basic function (e.g., analytics, advertising, social media plugins).

  • Consent must be obtained through a clear, affirmative action (e.g., a cookie banner with opt-in options). Implied consent by scrolling or continued browsing is not allowed in Germany.

3. Data Minimization and Purpose Limitation

  • Only collect data that is necessary for the stated purpose and do not use it for unrelated purposes.

  • Clearly state the legal basis for each data processing activity (e.g., consent, contractual necessity, legal obligation, legitimate interest).

4. User Rights

  • Users must be informed of their rights, including:

    • Right to access their data

    • Right to rectification

    • Right to erasure (“right to be forgotten”)

    • Right to object to processing

    • Right to data portability

5. Data Security

  • Implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, or breach.

6. Data Protection Officer (DPO)

  • If your organization regularly and systematically monitors individuals on a large scale or processes special categories of data, or if you have 20 or more employees handling personal data, you must appoint a Data Protection Officer and register them with the authorities.

7. Data Breach Notification

  • In the event of a data breach, you must notify the relevant supervisory authority within 72 hours and, in some cases, inform affected users.

Additional German Requirements

  • Impressum: Commercial websites must include an Impressum (legal notice) with information about the website operator. This is required by German law and is separate from GDPR.

  • Bundesdatenschutzgesetz (BDSG): This is Germany’s national data protection law, which supplements the GDPR with specific local rules, particularly for employee data and public bodies.

Summary Table: GDPR Requirements for German Websites

| Requirement | Applies To | Key Actions |
|---|---|---|
| Privacy Policy | All websites | Publish clear privacy policy detailing data processing |
| Cookie Consent | All using non-essential cookies | Obtain explicit opt-in consent for analytics/tracking cookies |
| Data Minimization | All websites | Only collect necessary data, state legal basis |
| User Rights | All websites | Inform users of rights, provide access/correction/deletion |
| Data Security | All websites | Implement technical/organizational safeguards |
| Data Protection Officer | If criteria met | Appoint and register a DPO |
| Data Breach Notification | All websites | Notify authority within 72 hours if breach occurs |
| Impressum (Legal Notice) | Commercial websites | Publish operator details |

Enforcement and Penalties

  • Germany enforces GDPR strictly, with fines up to €20 million or 4% of global annual turnover for serious violations.

In summary: Any website in Germany (or targeting German users) that processes personal data must comply with GDPR by providing a privacy policy, obtaining valid cookie consent, safeguarding data, and respecting user rights. Additional requirements may apply depending on the website’s size, purpose, and activities.