Creating current data protection information
The EU General Data Protection Regulation (GDPR), which also applies in Germany, entered into force on 25 May 2018 and requires websites to provide additional information about the personal data they collect on their users.
“Personal” means that the collected data can (either directly or indirectly) be associated with a specific individual (e.g. by collecting the complete IP address when accessing the pages, using tracking and analysis tools, cookies or forms and requesting an email address when the user signs up for a newsletter, etc.).
The data protection information on the university’s central website has already been updated to reflect the GDPR. If your website uses identical data processing, you can use this general data protection information as a template for your website. You will, where necessary, need to adjust the template for the logging procedure and use of cookies on your website.
If you have additional elements on your website that collect personal data, your data protection information will need to contain the respective details.
This includes the type, scope, purpose and time period for the data to be processed. The information may be structured as follows or in a short text as long as it is easy to ready.
1. Scope of personal data processing
This section describes in as much detail as possible which personal data is collected on the website, how it will be processed and by whom.
2. Legal basis for processing personal data
This section identifies the legal basis for processing personal data, which is usually provided by the catalogue listed in § 6 para 1 GDPR. If applicable, you will need to ask for permission before processing the data.
3. Purpose of data processing
This section describes in detail the purposes for which the website collects and processes personal information.
4. Storage duration
Generally data will be deleted as soon as the purpose for which it was collected has been fulfilled. You will, however, need to provide more detailed information about when the data collected on your specific website will be deleted. If this is not possible, you will at least need to list the criteria that will help the users determine when their data will be deleted.
5. User rights
This section could simply refer to the “Your rights” section of the general data protection information.
Other special features could include:
1. A blog with a commenting function
Blogs with commenting functions save additional personal data (e.g. pseudonyms). You must also provide information about subscribing to blog comments. It must only be possible for users to comment on blog posts after giving permission to process their personal data. The legal basis for doing so can then be stated as Art. 6 para. 1 lit. a GDPR.
2. Processing of special categories of personal data, Art. 9 DSGVO
Processing of personal data revealing racial or ethnic origin, political opinions, religious and philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, a natural person's sex life or sexual orientation is generally prohibited. However, a catalogue of exceptions is listed in Art. 9 Abs. 2 GDPR. If websites are to process this type of information, they must first demonstrate it is legal to do so and state the respective norm in their data protection information.
3. Sharing personal date with third parties
A number of websites use add-ons offered by third parties. Often the personal data collected using these add-ons is either shared with the respective third parties or automatically transmitted to them. There may be differences in the type, scope, purpose and time period for the data to be processed. This short guide cannot provide a comprehensive listing of all possible situations in which personal data can be shared with third parties. Therefore, if your website uses such third-party services, you will need to check whether (and which) personal data they collect. This information will need to be included in your website’s specific data protection information.
Some examples of sharing personal data with third parties include:
Data shared with a service provider
Particularly in cases where contracts are concluded via the website, personal data is often shared with service providers, who may also act autonomously on behalf of the website’s operator (e.g. technical support).
Third-party cookies
The university’s own cookies are covered in the general data protection information. Websites, however, often use third-party cookies, which will need to be described in detail. Users must be informed that third-party cookies are used when the website is accessed. Browsers include settings to block such cookies. Whether there is a legal basis for the university if such cookies are used must be evaluated separately.
Use of social media plug-ins
If social media plug-ins are used, personal data of the users is shared with the social network providers. This is also the case with plug-ins from Google Maps or Youtube videos. Even before the introduction of the EU GDPR, we recommended using plug-ins only as part of a “two-click-solution”, which is when data is only shared with the plug-in provider after the users give their permission. This is also a good solution to fulfil the requirements of the EU GDPR. The legal basis for processing personal data after the users have given their permission is Art. 6 para. 1 lit. a GDPR.
Web analytics services
Web analytics services (e.g. Google Analytics or Adobe Analytics) offered by third parties can be used to increase the efficiency of a website and require sharing data about the website’s users with the third-party service provider. Usually, however, users are not asked to give their permission beforehand. The data is transmitted to the United States. Since there are alternative services that do not collect and share personal data (e.g. Matomo, formerly known as Piwik), you should not use the analytics services mentioned above.
Use of Google Fonts, Google Calendars, etc.
It is also very likely, if you use Google Fonts (often for websites in CMS WordPress), that the personal data of your users will be shared with Google. Since it is not possible to ask for the users’ permission first, this does not fulfil our data protection requirements and you should thus not use Google Fonts. The same is true for certain calendars and captchas.
How to check whether your website connects to other pages
It is quite easy to check whether your website connects to other pages, e.g. Google:
- Press F12
- Reload the page
- Click on the "Network Monitor" tab
- Click on the "All" tab
- Under the "Host" heading, all the pages will be listed that connect with the current page.