Every website needs a Data protection declaration

All websites need a Data protection declaration in addition to the legal notice. This is even required by law.

Last updated: 19.12.2023

Why do you need a Data protection declaration?

Almost every company today has its own website and every website collects user data (e.g. IP addresses), which also means that it invades the privacy of users.
A clear privacy policy contributes to user trust. If visitors to your website know how their data is handled, they are more likely to provide their data or use the website.
What's more, a Data protection declaration can protect your company legally by setting out clear rules for data use. This can help to avoid or quickly resolve legal problems and disputes.
And: If you do not provide visitors to your website with complete, correct and timely information, you are committing an infringement of Section 11 of the German Telemedia Act (Telemediengesetz). In the worst case, this administrative offense can result in a fine of up to 50,000 euros.
You may also run the risk of being warned by a competitor (see, for example, the "Act to Improve the Civil Law Enforcement of Consumer Protection Provisions of Data Protection Law" (Gesetz zur Verbesserung der zivilrechtlichen Durchsetzung von verbraucherschützenden Vorschriften des Datenschutzrechts)).

What points should your Data protection declaration contain?

A Data protection declaration for a website must contain certain information in order to comply with the requirements of the General Data Protection Regulation (GDPR, German abbreviation: DSGVO); what it has to cover also depends on the content of the homepage.
In any case, you must provide information about the use of the data obtained through general data collection and about special features that are integrated into the site. General data collection includes, for example, IP addresses, without which the website cannot be accessed. It also includes the data provided by the browser, such as the browser type, the operating system used and the websites visited. In addition, information must be provided on the use of all data collected via special features such as competitions, newsletters, contact forms or web analysis tools. In particular, the handling of all personal data (information about a specific or identifiable person) must be clearly regulated in your Data protection declaration.
This Data protection declaration must be accessible at all times. That's why it belongs in its own tab - just like the legal notice.

Here are some important points that should be included in a Data protection declaration for your website

  1. Responsible body:
    Name and contact details of the controller (e.g. company name, address, e-mail address).
  2. Data protection officer:
    If available, the contact details of the data protection officer.
  3. Purpose of data processing:
    Clear information on the purposes for which personal data is collected and processed. This could include, for example, the provision of services, responding to inquiries or marketing activities.
  4. Legal basis for processing:
    Explanation of the legal basis or bases on which the data processing is based (e.g. consent, performance of contract, legal obligation).
  5. Types of data:
    A list of the types of personal data being processed (e.g. name, address, email address).
  6. Data recipients:
    An indication of whether and to whom personal data is disclosed, including third parties or processors.
  7. Transfer of data abroad:
    If personal data is transferred outside the EU, this must be stated and it must be ensured that the process is legally secure.
  8. Storage period:
    Specification of the period for which personal data is stored.
  9. Data subject rights:
    Explanation of the rights of data subjects, including the right of access, rectification, erasure and objection.
  10. Right of withdrawal:
    Indication that data subjects can withdraw their consent to data processing at any time.
  11. Right to lodge a complaint:
    Information about the right to lodge a complaint with the data protection supervisory authority.
  12. Cookies and tracking technologies:
    Information about the use of cookies and other tracking technologies and the possibility for users to manage their consent.
  13. Security measures:
    Indication of security measures to protect personal data.
  14. Changes to the privacy policy:
    Indication that the privacy policy may be updated from time to time and a reference to the current version.
  15. Contact:
    Provision of contact details for data protection inquiries.
  16. Social media:
    It is necessary that you also inform visitors to your social media accounts about data protection. To do this, you can link directly to the privacy policy of your website if it contains separate passages about data processing on your accounts.


The above points can of course only serve as general guidelines.
It is important to ensure that the privacy policy is specific to the activities and practices of your website. Also note that the requirements for a Data protection declaration may vary depending on the type of data processed and the type of website.
Therefore, as always, it is advisable to seek legal advice to avoid (costly) mistakes.