WordPress & GDPR (DSGVO)
Privacy with WordPress
The GDPR is a highly topical issue for you as a website and blog operator. It governs the processing of personal data and the free movement of such data. The regulation refers to natural persons whose fundamental rights and freedoms are to be protected. In the corporate sector, this concerns not only the regular employer-employee relationship, but also company websites, online stores and service providers who take orders over the Internet. Whether in customer orders, e-mail campaigns or user tracking, the topic is relevant everywhere: in each of these operations, you process and use customer data.
What is the General Data Protection Regulation?
The Federal Data Protection Act (BDSG) that previously applied in Germany is losing its validity in places or is being replaced by new regulations. The EU's General Data Protection Regulation standardizes data protection law, and the different standards of the individual member states are abolished. The General Data Protection Regulation is not only aimed at EU members: it also binds data processing outside the EU whenever the data of persons in the EU is processed. Data protection is to become more user-friendly and transparent. This is accompanied by higher fines in the event of a violation of the new regulation.
Who is affected?
What is personal data?
Examples of data that fall within the scope of the General Data Protection Regulation are:
- E-mail address
- Phone number
- Account data
- Car license plate
- Location data
- IP addresses
What happens in case of violation?
If you are found to be in breach, you should contact the data protection authority in your own country. A breach results in serious penalties for you. Previous fines have ranged from €50,000 to €300,000, and these related to serious data protection violations. Under the new regulation, the fines have increased: they can be as high as €20 million or 4 % of the previous year's global turnover. This forces global companies to comply with the new rules. If you do not comply, you can also expect warning letters, because violations are relevant under competition law for you and your competitors.
What has changed?
You are prohibited from collecting, processing and using personal data unless you have permission. Permission comes from a legal basis such as the EU GDPR, the BDSG or the consumer's consent. You may only collect and process as much data as you need; data processing beyond that is unlawful. You may only use the data for the purpose for which it was collected, and it must be correct in content and up to date. Art. 32 addresses data security: data processing must take into account the current state of technology as well as the cost, nature, scope and circumstances of the processing and a risk analysis. Take the right technical and organizational measures to ensure proper data protection! The required level of protection is relevant here, since different categories of personal data require different levels of protection.
The right to erasure
Until now, EU citizens have been able to demand that search engines no longer display certain search results. Users have the right to have their data deleted or blocked, especially if there is no longer a use for the data. Consumers can assert the right to be forgotten wherever their personal data is processed. In the General Data Protection Regulation, Art. 17 deals with this point. Data must be deleted if the purpose of the data processing ceases to exist, if the data subject revokes his or her consent to the processing, or if the processing was unlawful.
The right to data portability
Article 20 regulates the right to have data transferred. Consumers make use of this right when they switch from one provider to another. The data controller must transfer the personal data to the new provider in a common format. This is particularly relevant when switching social networks, switching from one bank to another, and changing employers.
As a processor under the EU GDPR, you are accountable. According to Art. 5 (2) of the GDPR, data controllers must be able to demonstrate compliance with the data protection principles when required to do so. To do this, you must set up a data protection management system in which you document compliance with data protection requirements. This documentation can be used to prove proper compliance to the supervisory authority upon request.
The consent to data processing
Consent does not require any special form. It can be given in writing, verbally or electronically. Nevertheless, it is advisable to make sure that it is documented. Consent can be given via an opt-in box; an opt-out box is not sufficient. The consent must be given voluntarily by your contractual partner. Furthermore, it must be for a specific purpose, and the processing purpose must be documented. General consent is not permitted by the EU Data Protection Regulation. You must be able to prove that consent to the data processing has been given. Anyone who has given consent has a right of withdrawal and can exercise it at any time. Under company law, it is not necessary to obtain renewed consent for data processing from each customer. The proof of consent is legally required of you according to Art. 7 of the EU GDPR.
The adaptation according to the GDPR
The procedure directory
According to Art. 30, you must create a processing directory, that is, a directory of processing activities. It does not have to be public and can be provided on demand. The company management is responsible for this directory, and it must be submitted to the data protection authority upon request. It can be kept in writing or in electronic form.
The data protection officer
It is advantageous for your company to employ a data protection officer. The topic concerns employers as well as employees, and the works council must not be left out of the GDPR transition.
If you operate a website or a blog, you process data. No one can excuse themselves on the pretext that they do not process personal data: server statistics also contain data that is processed. With WordPress, Jetpack in particular is a tricky issue. Statistics must be IP anonymized. The General Data Protection Regulation grants you no transition periods and is binding.
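One way to perform the IP anonymization mentioned above, as an added example written for this page rather than code from the original or from WordPress or Jetpack: the host part of the address is zeroed before it is stored. The /24 (IPv4) and /48 (IPv6) granularity and the function name `example_anonymize_ip` are this example's own choices; `pre_comment_user_ip` is a WordPress core filter.

```php
<?php
// Added example (not from the original page): anonymize a client IP before it is
// stored in WordPress statistics or comment metadata.
// IPv4: zero the last octet (keep /24). IPv6: zero the last 80 bits (keep /48).
// These granularities are this example's assumption, not a legal requirement.
function example_anonymize_ip(string $ip): string
{
    // inet_pton() returns packed binary: 4 bytes for IPv4, 16 for IPv6, false if invalid.
    $packed = @inet_pton($ip);
    if ($packed === false) {
        // Store nothing identifying if the value is not a valid address.
        return '0.0.0.0';
    }
    if (strlen($packed) === 4) {
        // Keep the first three bytes, zero the host byte.
        $mask = "\xff\xff\xff\x00";
    } else {
        // Keep the first 6 bytes (48 bits), zero the remaining 10 bytes (80 bits).
        $mask = str_repeat("\xff", 6) . str_repeat("\x00", 10);
    }
    // PHP applies '&' byte by byte to two strings of equal length.
    return inet_ntop($packed & $mask);
}

// Hook into WordPress so the IP is anonymized before comment metadata is written.
// The function_exists() guard lets this file also run from the command line
// without WordPress loaded.
if (function_exists('add_filter')) {
    add_filter('pre_comment_user_ip', 'example_anonymize_ip');
}

// Constructed sample input for a standalone run: php this_file.php
if (PHP_SAPI === 'cli') {
    foreach (['203.0.113.45', '2001:db8:85a3:8d3:1319:8a2e:370:7348', 'not-an-ip'] as $ip) {
        printf("%-40s -> %s\n", $ip, example_anonymize_ip($ip));
    }
}
```

The same function can be applied to any other place where a raw `REMOTE_ADDR` would otherwise be written to the database or to log files.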
Our GDPR service:
We help you avoid high fines due to violations of the GDPR:
... help you with your Google Opt-Out settings
... support you with the conversion of your website to SSL
... assist you with the creation of the cookie notice
... ensure adequate IP anonymization on your site
... support you in the integration of tracking solutions
... help you with the conversion of WordPress & components
... support the integration of opt-in and opt-out solutions
... work hand in hand with your lawyers and data protection officers