WordPress & DSGVO
Data protection with WordPress
The GDPR is a highly topical issue for you as a website and blog operator. It concerns the processing of personal data and the free movement of such data. The data protection regulation refers to natural persons whose fundamental rights and freedoms are to be protected. In the corporate sector, this applies not only to the regular employee-employer relationship, but also to company websites, online shops and service providers that take orders over the internet. Whether it is customer orders, e-mail campaigns or user tracking, the issue is relevant everywhere, because in each of these operations you process and use customer data.
What is the General Data Protection Regulation?
The Federal Data Protection Act (BDSG) previously in force in Germany is losing its validity in places or is being supplemented by new provisions. The EU's General Data Protection Regulation standardises data protection law, abolishing the differing standards of the individual countries. The General Data Protection Regulation is not aimed only at EU members: it automatically becomes binding for data processing outside the EU as well, the criterion being that the data of persons in the EU is processed. Data protection is to become more user-friendly and transparent. This is accompanied by higher fines in the event of a violation of the new regulation.
Who is affected?
What is personal data?
Data that fall within the scope of the General Data Protection Regulation are:
- E-mail address
- Telephone number
- Account details
- Vehicle registration number
- Location data
- IP addresses
What happens in the event of an infringement?
If you are found to be in breach, you should contact the data protection authority in your own country. A breach will result in serious penalties for you. Previous fines ranged from €50,000 to €300,000. These related to serious data protection violations. With the new regulation, the fines have increased. They can be up to €20 million or 4% of the previous year's global turnover. This will force global companies to comply with the new regulations. If you do not comply, you can expect warnings. Violations are relevant for you and others under competition law.
What has changed?
You are prohibited from collecting, processing and using personal data unless your users give permission. Permission is granted to you either by law, such as the EU GDPR or the BDSG, or by the consumer's consent. You may only collect and process as much data as is necessary; data processing beyond that is illegal. You may only use the data for the purpose for which it was collected, and the data must be accurate in content, factual and up to date. Art. 32 concerns data security and requires data processing to take into account the current state of technology as well as the costs, nature, scope and circumstances of the processing and a risk analysis. Take the appropriate technical and organisational measures to ensure the right level of data protection! The level of protection is the relevant aspect here: depending on the personal data concerned, different levels of protection are required.
The right to erasure
Until now, EU citizens could ask search engines to stop displaying certain search results. Users have the right to have their data deleted or blocked, especially if there is no longer a use for the data. Consumers can exercise the right to be forgotten wherever their personal data is processed. In the General Data Protection Regulation, Art. 17 deals with this point. Data must be erased if the purpose of the data processing ceases to exist, if the data subject withdraws consent to the data processing, or if the data processing was unlawful.
The right to data portability
Article 20 regulates the right to have data transferred. Consumers make use of this right when they switch from one provider to another. Data controllers must transfer the personal data to the new provider in a commonly used format. This is particularly relevant when switching social networks, switching from one bank to another, and switching employers.
As a data processor under the EU GDPR, you are accountable. According to Art. 5 (2) of the GDPR, data controllers must demonstrate compliance with the data protection principles if required to do so. To do this, you must set up a data protection management system in which you document compliance with data protection requirements. This documentation can be used to prove proper compliance to the supervisory authority upon request.
Consent to data processing
Consent does not require any special form. It can be given in writing, orally or electronically. Nevertheless, it is advisable to make sure that it is documented. Consent can be given via an opt-in box; an opt-out box is not sufficient. The consent must be given voluntarily by your contractual partner. Furthermore, it must be for a specific purpose, and the purpose of the processing must be documented. General consent is not permitted by the EU Data Protection Regulation. You must be able to prove that consent to the data processing was given. Anyone who has given consent has a right of withdrawal and can exercise it at any time. Under company law, it is not necessary to obtain renewed consent for data processing from every customer. Proof of consent is legally stipulated for you under Art. 7 of the EU-DSGVO.
The adaptation according to the GDPR
The procedure directory
According to Art. 30, you must create a processing directory. This is a list of processing activities. It does not have to be public and can be provided on request. The company management is responsible for this directory. It must be submitted to the data protection authority upon request. It can be kept in written or electronic form.
The Data Protection Officer
It is advantageous for your company to employ a data protection officer. The topic concerns employers as well as employees. The works council must not be left out in relation to the GDPR changeover.
If you run a website or a blog, you process data. No one can excuse themselves under the pretext that they do not process personal data. Server statistics also harbour data that is processed. With WordPress, Jetpack in particular is a tricky issue. Statistics must be IP-anonymised. The General Data Protection Regulation does not grant you any transition periods and is bindingly valid.
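One way to carry out the IP anonymisation of server statistics mentioned above, as an added Python example that is not part of this page and not Jetpack's or WordPress's own code: the client address is truncated before it is stored, so the statistics never hold a full IP. The prefix lengths (24 bits for IPv4, 48 bits for IPv6) and the sample log lines are assumptions chosen for illustration.

```python
import ipaddress

# Bits to keep; everything after them is zeroed (assumed prefix lengths).
# IPv4: drop the last octet. IPv6: drop everything after the /48 prefix.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def anonymise_ip(raw: str) -> str:
    """Return a truncated form of `raw` that is safe to keep in statistics.

    Raises ValueError if `raw` is not a valid IPv4/IPv6 address.
    """
    addr = ipaddress.ip_address(raw.strip())
    if addr.version == 4:
        keep, total = IPV4_KEEP_BITS, 32
    else:
        keep, total = IPV6_KEEP_BITS, 128
    # Build a mask with the first `keep` bits set, then clear the rest.
    mask = ((1 << keep) - 1) << (total - keep)
    return str(ipaddress.ip_address(int(addr) & mask))


def anonymise_log_line(line: str) -> str:
    """Anonymise the leading client IP of a common-log-format line.

    Lines that do not start with an IP address are returned unchanged,
    so a malformed line never aborts the whole run.
    """
    ip, sep, rest = line.partition(" ")
    try:
        return anonymise_ip(ip) + sep + rest
    except ValueError:
        return line


def anonymise_log(lines):
    """Anonymise every line of an access log (list of strings)."""
    return [anonymise_log_line(line) for line in lines]


# Constructed sample access-log lines (documentation ranges, not real hosts).
SAMPLE_LOG = [
    '203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 612',
    '2001:db8:85a3::8a2e:370:7334 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for line in anonymise_log(SAMPLE_LOG):
        print(line)
```

Run the truncation at the point where the log or statistics entry is written, not afterwards, so the full address is never persisted.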
Our GDPR service:
We help you to avoid high fines due to violations of the GDPR:
... help you with your Google Opt-Out settings
... support you in converting your website to SSL
... assist you with the creation of the cookie notice
... ensure adequate IP anonymisation on your website
... support you with the integration of tracking solutions
... help you with the conversion of WordPress & components
... support you in the integration of opt-in and opt-out solutions
... work hand in hand with your lawyers and data protection officers