Vertragsabschluss Symbolbild

Was ist eine Datenschutzerklärung und wieso reicht sie nicht mehr aus?

Lesedauer: 6 Minuten

Jetzt lesen

As soon as a website collects, stores or processes (personal) data, visitors to the site must be informed about this. This information is often found under the keyword "privacy policy". However, it does not matter whether exactly this term is used or others. What is important is that this page is accessible from every other page of a website. In addition, it must be worded clearly and understandably so that users can actually inform themselves without being confused by complex formulations.

In brief, the following components must be included:

  • Options for contacting the providers of the website.

  • Legal basis and purpose of data processing

  • Recipients and to which third countries data is transferred

  • Storage period

  • Rights of the users concerned

Under the contact options, both the operators of the site and the person responsible for data protection must be listed. Articles 13 & 14 of the GDPR as well as provisions from the TKG are usually stated as the legal basis or relevant regulations. It is important to note that the information on the purpose of the processing must be presented in a comprehensible manner, because a violation of the information obligation under the GDPR can result in fines of up to 20 million euros or 4% of the last annual global turnover. This is a point that is unfortunately very often disregarded and still neglected in practice. On the other hand, those who clearly express themselves in their privacy policy can gain a long-term competitive advantage.

The storage period of the data may vary, but the basic principle is not to store the data longer than necessary or required by law. If the period cannot be specified precisely, it is advisable to at least specify the criteria for determining the storage period.

Finally, users must also be informed of their rights, which include:

  • Right to information

  • Right of revocation

  • Right to rectification

  • Right of deletion

  • Right to complain

A privacy policy must therefore meet a lot of criteria, so something can be forgotten. To prevent this from happening, there are now kits and services that allow you to generate your own declaration step by step, without leaving anything out.Some examples can be found here, here and here.

These and other generators, checklists and sample forms can now be found relatively quickly in connection with the search term privacy policy. However, you should not trust them blindly; many providers provide a note stating that they do not guarantee legal certainty and should only be seen as a guideline. Some providers of these generators also oblige the users to specify the generator used as soon as the created privacy policy is embedded on their own website. Failure to comply with this obligation may result in penalties. To be on the safe side, it is worthwhile to create or review the privacy policy together with legal advice. The most important point, however, is to be clear about which services are offered on your own website and which data they collect.

Not sure which services are stored? The Google Tag Assistant or the Ghostery Plugin can be used to find out which data a website wants to collect and which and how many external services are placed on it. If you open the Developer Tools in Firefox, you can also see which cookies are set on and by which website in the console under the "Web Storage" tab.

How this search works in other browsers and devices can be found here and here.

Web-Storage tab

A privacy statement, privacy policy or whatever else it may be called is no longer sufficient on its own to keep up with the applicable regulations. Although the information required in the privacy policy must be provided on the respective website, the consent of the user must be explicitly obtained before any data can be collected. We are now familiar with this procedure from various cookie banners on the edge of a page or cookie walls that cover up the content of a page as soon as it has finished loading. Only when consent is given here for one or more purposes may data that does not concern the basic functioning of the page be collected and processed in accordance with the information given.

Basic functions include, for example, the language setting or the storage of content and products in the shopping cart. If cookies are used, they must of course also be added to the privacy policy. In this case, information must be provided about which cookies are set and for what purpose they are used. Regulations regarding these practices were previously found in Germany in the TMG and TKG, but since the TTDSG came into force on December 1, 2021, regulations regarding this have been bundled in one place for the first time and clearly specify that a cookie notice must be played as soon as they are used on a website.

APOCRAT's 360 degrees support

The privacy policy thus provides an overview of all aspects relating to the data protection issues of a website. However, the privacy policy alone is no longer sufficient due to the currently applicable regulations:

Every user must give explicit consent for the respective purposes of data collection and processing before data about the respective person is collected. However, this no longer only applies to websites, but also to networked devices such as vacuum cleaners and Internet-enabled light sources since the TTDSG came into force. In our previous blog posts you can find more information on exactly these regulations, such as the GDPR and the TTDSG.

So how does APOCRAT fit into the picture? We don't write you a privacy policy, but we are there for you when it comes to data protection for networked devices. From the smart light bulb, to the networked coffee machine, the Internet-enabled toys of your children, to the automatic feeder for your four-legged friends, we ensure data security within your own four walls.Thanks to our cooperation with law firms and professional associations, we provide you with the best advice and are always up to date with the latest legislation. You want to know more about our solution? Use the contact details below to arrange your personal consultation appointment right away and test our demo!

Partner & Sales Manager: Alexander Jürgens
Mobile: +43 676 4025255