The new General Data Protection Regulation (GDPR) came into force on May 25 in 2018. The directives apply throughout the EU and basically affect everyone who stores and uses personal data. All website operators must act with legal certainty – from “small blogs” to the online presence of companies, clubs, or authorities to online shops and large portals. Those who send newsletters, use advertising banners, or affiliate links will also have to do so in accordance with GPDR in the future. seo-nerd® has compiled a GDPR checklist in which you can also find out how to use Google Analytics in compliance with GDPR.
The GDPR harmonises data protection law in the EU. As this is a regulation, it does not have to be transposed into national law first. The new data protection guidelines will therefore also apply in Germany as of May 25, 2018.
The purpose of the regulation is to strengthen the rights of people whose data is collected, such as Internet users. The GDPR refers in particular to the right to…
- Transparent information: As soon as data is collected, this must be indicated in an easily accessible, precise, and understandable way (so that children also understand this information).
- Information: Users have the right to see whether and which personal data has been collected about them. The information must be in a common, structured and machine-readable format.
- Correction: The user may at any time request that incorrect data will be corrected.
- Deletion: A user may at any time request that his or her personal data will be deleted.
- Restriction of processing: The user may require the person responsible (this is usually the website operator) that the data may only be processed to a limited extent.
- Objection: Users must be able to object to the processing of their personal data at any time.
WHAT IS PERSONAL DATA?
A person is directly or indirectly identifiable through personal data. Therefore, the name, address, e-mail address, date of birth, or telephone number apply to personal data.
In Germany, the IP address is also considered personal data. However, this assessment is highly controversial from a legal point of view. On the one hand, the IP address is the same as an online identification, since it can at least be assigned to a certain person by the provider (on court order). On the other hand, despite this assignment, only the owner of the IP address could be identified. Whether he was actually on the pages or perhaps another person, could then at least always be disputed.
Google therefore does not count the IP address as personal data. This is important because Google generally prohibits the storage of personal data in analytics. However, the IP address may be stored. The following solution is available to ensure that this will continue in future in compliance with the new Data Protection Regulations:
THE IP-ADDRESS MUST BE ANONYMIZED UNDER THE GDPR
The problem here is that the tracking code offered by Google does not meet the data protection requirements of GDPR! You should therefore implement the _anonymizelp code extension:
- For Universal Analytics: ga(‘set’, ‘anonymizeIp’, true);
- For Classic Analytics: _gaq.push([‘_gat._anonymizeIp’]);
The IP is anonymized as soon as the IP address arrives in the Analytics data acquisition network and before the data is stored or processed.
WHAT ELSE HAS TO BE CONSIDERED WHEN PROCESSING DATA?
You meet the requirements of GDPR, when you collect only data that is really needed and store it for only as long as absolutely necessary
- If you want to save data, you should ask the person whose data you want to save for an appropriate consent
- You have to inform the user what happens to the data
- You must document what you do with the data (for example, when you send a newsletter to an address)
- You must give the user the possibility to view, correct or delete his or her data
- You are obliged to take precautions against unauthorized access to personal data by third parties (keyword: data security)
The following steps will show you how to fulfill these conditions.
EMBED DATA PROTECTION DECLARATION
What exactly has to be stated in the data protection declaration always depends on your individual website. However, you can find some data protection generators on the net. They can usually be used free of charge by private individuals and small businesses:
ENCRYPT CONTACT FORMS WITH SSL/TSL
The GDPR already makes the collection of data subject to specific conditions. The collection of data according to Art. 6 GDPR is only permitted if
- the collection is based on consent
- there is a legitimate interest of the website operator
The latter is the case, for example, if you as the website operator need the data to fulfil a contract. The use of a contact form on a website is therefore legitimate in principle, but also subject to conditions:
- To ensure that your e-mails are also sent securely, your website should send e-mails via SMPT or TLS (“Transport Layer Security”). For this you need the data of the outgoing e-mail server and the port, user name and e-mail address as well as your password. With Joomla you can make the setting directly under System/Configuration by entering the data, selecting the default setting “SSL/TLS” under “SMTP Security” and allowing SMTP authentication. For WordPress there are plugins like WP Mail SMTP or WP GDPR Compliance
WEB-HOSTING – ORDER PROCESSING CONTRACT
If you host your pages through service providers, you use an external service provider who has access to personal data collected from you. As soon as external parties have access to such data, you should conclude an order processing contract with them. The contract is therefore also necessary if you commission external parties with the backup, the data conversion, or the maintenance of your own server.
If you send newsletters, you should already use the double opt-in procedure anyway. A confirmation e-mail will be sent to the e-mail address registered for the newsletter. This is to ensure that only those who have access to the relevant mail account receive the newsletter. Attention: The confirmation mail must not contain any advertising.
If you use a shipping service like CleverReach, Newsletter2Go or Mailjet, you have to conclude an order processing contract with them. If the provider, such as the popular service MailChimp, is located in the USA, you should check whether it offers a guarantee for third countries (this is the case with MailChimp).
The teaser of the online registration form for a newsletter should contain the following information:
- What is the content of the newsletter (e.g. information about your products, certain topics etc.)
- If you request more than just the e-mail address: what is the purpose of the request for this other data?
- Name of the shipping service used (if you do not send the mails yourself)
- Indication of possible success measurements (these are usually obligatory for shipping service providers)
- Reference to the right of withdrawal
- Notice of any competitions linked to the newsletter, dispatch of e-books and the like
With this information and instructions on how to subscribe to the newsletter, you can then simply link to your data protection declaration.
THESE STEPS LEAD YOU TO GDPR-COMPLIANT USE OF GOOGLE ANALYTICS
- Conclude contract for order data processing. The safest way is to download the contract as a PDF file.Then print it out twice. Now enter your company data in both printouts. You must sign on page 2 and page 14 – please sign both copies again and, if available, add your own stamp. For your documents you should now make a copy (physically, as a scan or photo). The two signed and completely filled out contract documents you send (completely and best by advice of receipt international) to:
Contract Administration Department
Google Ireland Ltd
IrelandAs soon as you receive the document back signed by Google, you should make a copy of this version. Keep the version returned by Google and your copy in two different places.
- Confirm the additional agreement: To do so, proceed as follows:
- Log into the account at Google Analytics
- In the “Administration” menu item, go to >Account settings and then to >Add-on for data processing
- If you now click on “Show addition”, you can confirm the order processing contract
- Now you should add your company and contact data under “Manage data processing details”.
- Finally, please do not forget to click on “Save”
- Implement the code extension “anonymizelp” – as shown above
- Optimize right of objection: Google offers a deactivation ad on, but according to many experts this is not legally compliant with the GDPR. You should therefore extend the script so that an opt-out cookie is set that excludes future data collection. It must also be ensured that the user can declare his objection on all systems used. A device-independent assignment of the usage to a created user ID is not permitted.
- Define retention period for data:
- Sign up with Google Analytics
- Go to the menu item “Administration” and click on the property you want to edit
- Click in the column >Property and go to >Tracking Information >Data Retention
- In the field “Storage of user and event data” you downsize to 14 months (or less)
- The field “Reset on new activity” must now be set to “Off”
- Delete old data: If you have not made the data anonymous in the past, you should delete this “old data”. Go back to the menu item “Administration” and select “Property Settings”. There you will find the button “Move to recycle bin”. The data will then be deleted within 35 days
With all these tips you should keep in mind that as a website operator you are always responsible for ensuring that your site complies with data protection regulations. If in doubt, it is always better to consult an expert.
THE SEO-NERD® HELPS YOU WITH THE GDPR-COMPLIANT SETUP AND GDPR-CONVERSION OF YOUR WEBSITE
The seo-nerd® is there for you from Monday to Friday between 9am and 6pm. You can reach us by phone at +49 30 700 10 99 0 or send us an e-mail. We are happy to realize corresponding inquiries even at short notice.