This guide explains the rules to follow when you run a website in Germany.
GDPR/DSGVO compliance
Businesses that serve European Union customers must follow the General Data Protection Regulation (GDPR in English, DSGVO in German).
The basic principles of the GDPR:
- Do not collect data without a legal basis
Do not track people or collect information about them without a legal basis. For tracking and analytics, that basis is normally the user's explicit consent.
- Only collect the data that you need
- Delete the data when you no longer need it
- Be transparent about the data you collect from your users
Disclose what data you collect, why you collect it, and who you collect it for. Put this information in your privacy policy.[21]
- Only use the data for the intended purpose
- Store the data about your users securely
- Give your users a way to delete their data
People have the right to be forgotten. Give your users a way to close their account and erase their data.
Who needs to do this?
All websites that serve people in the European Union, no matter who runs the website or where it is hosted. It applies to personal, non-commercial websites too. See Who does the data protection law apply to? for more details.
Legal basis
- General Data Protection Regulation (DSGVO in German)
GDPR checklist
- Understand the GDPR regulation
- Only collect the data you really need
- Disclose what data you collect about your users
- Set an expiration date for the data you collect about your users
- Allow your users to delete the data you collect on them
Cookies
If you use cookies on your website, you must follow a few rules:
- Don't set tracking cookies without consent
Before you set any tracking cookies, get consent from the user. Normally, you do this with a cookie banner. Until the user has made a choice, behave as if consent was refused.
- Make it easy to refuse tracking
Don't hide the "refuse tracking" button. Refusing must be as easy as accepting, and a pre-ticked box does not count as consent.
- Don't force your users to accept tracking
You can't make tracking cookies a condition for using your service. You can't say "by using this website, you agree to accept our cookies", and you can't force users to accept tracking cookies in your terms and conditions.[23]
- Allow users to opt out of tracking
Users must have a way to opt out of tracking cookies, except for cookies that are needed to make the website work. Google Analytics is not needed to make the website work.
- Necessary cookies do not need consent
You don't need consent to set cookies that are strictly necessary to make the website work, such as a session cookie for a login or the cookie that records the user's consent choice. You don't need to allow the users to opt out of these cookies.[1]
- Explain how you use cookies in your privacy policy
Your privacy policy must clearly explain what cookies you set, and what they are used for.
- Be careful with embedded content
YouTube videos, Disqus comments, Facebook buttons and other third-party widgets often set tracking cookies as soon as they load.[2] Do not load these widgets until you get consent from your users, or don't use them at all. A common pattern is a placeholder that only loads the real embed after the user clicks it.
These articles helped me understand how cookies work with the GDPR:
Tools like CookieBot can help you implement a cookie notice that is GDPR compliant.
Legal basis
In the European Union, cookies are regulated by the ePrivacy Directive (the "Cookie Directive"), which Germany implements in § 25 TDDDG (formerly TTDSG). As soon as a cookie is used to process personal data, the General Data Protection Regulation (GDPR) applies as well, particularly articles 6 and 7 on lawful processing and consent.
Examples
- CookieBot's cookie notice lets you choose which cookies you want to allow. Analytics cookies are enabled by default, and marketing cookies are disabled by default. Essential cookies cannot be disabled. Be careful with that default: the Court of Justice of the EU ruled in the Planet49 case (C-673/17) that a pre-ticked box is not valid consent, so non-essential categories should start unchecked.
- Gruender.de’s cookie notice lets you choose which cookies you want to allow, with no pre-selected answer.
- Piwik Pro’s cookie notice also lets you choose which cookies you want to allow, with no pre-selected answer.
- Many websites ask for permission before they load content from YouTube, Twitter and other websites.
Cookies checklist
- If you use cookies, inform your users with a detailed cookie notice.
- Explain how and why you use cookies in your website’s privacy policy.
- Require explicit consent from your users before setting tracking cookies, and give them a way to opt out of non-essential cookies.
- Make it easy to refuse cookies.
- Test your website with an ad blocker. Some ad blockers hide cookie consent notices, and break the website for some users. Make sure that a hidden or never-answered banner leaves the site in its no-tracking state; silence is not consent.
Tracking and analytics
If you use Google Analytics, you must get consent from your visitors before you track them. Do not load the tracking script at all until you get consent.
Other analytics tools like Plausible are privacy-friendly and work without cookies, so they don't require a cookie notice. This is what I use on All About Berlin.
Who needs to do this?
Any EU resident or company who uses Google Analytics on their website.
Legal basis
The rules for tracking users are defined by the GDPR (DSGVO in German).
Tracking checklist
- Do not track your users before you get their consent.
- Agree to the Google Analytics Data Processing Terms.
- Configure Google Analytics to anonymize IP addresses (Universal Analytics needed the anonymizeIp setting; Google Analytics 4 does not log or store IP addresses by default).
- Delete the data Google Analytics collected before anonymizing IP addresses.
- Inform your users about Google Analytics cookies in your cookie notice, and in your privacy policy.
- Give your users a way to opt out of Google Analytics cookies.
- Set the Google Analytics data retention period to 14 months or less, and enable “Reset on new activity”.
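The consent-before-tracking rule from the Cookies and Tracking sections above, as an added example that is not code from the original page or from any of the tools it names: a small JavaScript consent store that treats "no decision yet" as "no tracking", validates the stored choice, and gates third-party loaders and embeds on it. The cookie name `cookie_consent`, the category names and the placeholder attributes `data-consent-category` and `data-src` are assumptions made for this example. It also covers the ad-blocker caveat from the cookies checklist: if the banner never rendered, no consent cookie exists and nothing non-essential loads.

```javascript
// Added example: a minimal consent store for a cookie banner.
// Categories other than "necessary" are denied until the user explicitly opts in.
const CONSENT_COOKIE = 'cookie_consent';                           // assumed cookie name
const OPTIONAL_CATEGORIES = ['analytics', 'marketing', 'embeds'];  // assumed categories

// Parse a Cookie header or document.cookie string into {name: value}.
// A malformed percent-encoding must not throw, so the raw value is kept instead.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    const raw = part.slice(idx + 1).trim();
    try { cookies[name] = decodeURIComponent(raw); } catch (e) { cookies[name] = raw; }
  }
  return cookies;
}

// Read the stored decision. No cookie, unparsable JSON, an unknown version or a
// non-boolean value all collapse to "not decided": only necessary cookies run.
// This is also the state after an ad blocker hid the banner, so a hidden banner
// never turns into tracking by default.
function readConsent(cookieString) {
  const undecided = { decided: false, analytics: false, marketing: false, embeds: false };
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return undecided;
  let parsed;
  try { parsed = JSON.parse(raw); } catch (e) { return undecided; }
  if (!parsed || parsed.version !== 1) return undecided;
  const consent = { decided: true };
  for (const cat of OPTIONAL_CATEGORIES) consent[cat] = parsed[cat] === true;
  return consent;
}

// Necessary cookies never need consent; everything else needs an explicit opt-in.
function isAllowed(consent, category) {
  if (category === 'necessary') return true;
  return consent.decided === true && consent[category] === true;
}

// Build the Set-Cookie value that records the choice. This cookie is itself a
// necessary cookie (it stores the decision), so it may be set without consent.
function consentCookieValue(choices, maxAgeSeconds = 180 * 24 * 3600) {
  const record = { version: 1 };
  for (const cat of OPTIONAL_CATEGORIES) record[cat] = choices[cat] === true;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(record))}` +
         `; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// "Accept all" and "Reject all" are symmetric one-click actions for the banner.
function acceptAll() { return Object.fromEntries(OPTIONAL_CATEGORIES.map(c => [c, true])); }
function rejectAll() { return Object.fromEntries(OPTIONAL_CATEGORIES.map(c => [c, false])); }

// Given the page's third-party loaders (each tagged with the category it needs),
// return the ids that may run now. Nothing is injected before consent exists.
function loadersToRun(consent, loaders) {
  return loaders.filter(l => isAllowed(consent, l.category)).map(l => l.id);
}

// Browser-only glue: placeholders carry data-src instead of src, so the third
// party is not contacted until the matching category is allowed.
// Returns the number of embeds activated (0 when there is no DOM, e.g. under Node).
function activateEmbeds(consent) {
  if (typeof document === 'undefined') return 0;
  let activated = 0;
  for (const el of document.querySelectorAll('[data-consent-category][data-src]')) {
    if (!isAllowed(consent, el.getAttribute('data-consent-category'))) continue;
    const iframe = document.createElement('iframe');
    iframe.src = el.getAttribute('data-src');
    el.replaceWith(iframe);
    activated++;
  }
  return activated;
}

// Example run with constructed inputs: loaders the page would like to use, and
// three states of the consent cookie.
const exampleLoaders = [
  { id: 'google-analytics', category: 'analytics' },
  { id: 'facebook-pixel', category: 'marketing' },
  { id: 'youtube-embeds', category: 'embeds' },
];
const noDecision = readConsent('');                                                    // first visit or blocked banner
const afterReject = readConsent(consentCookieValue(rejectAll()).split(';')[0]);        // user clicked "Reject all"
const analyticsOnly = readConsent(consentCookieValue({ analytics: true }).split(';')[0]);
console.log(loadersToRun(noDecision, exampleLoaders));    // []
console.log(loadersToRun(afterReject, exampleLoaders));   // []
console.log(loadersToRun(analyticsOnly, exampleLoaders)); // ['google-analytics']
```

The design point is the default: every path that is not a well-formed, explicit opt-in ends in the undecided state, so a missing cookie, a tampered value or a banner that an ad blocker suppressed all behave the same as a refusal. The consent cookie is the one non-functional cookie you may set before the user decides, because without it you cannot remember the decision.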
Impressum
The Impressum is a page with your business' contact information. It helps users contact you, and tells them who is legally responsible for the website.
Your Impressum page must be "easily identifiable, directly accessible and constantly available".[5] In other words, it must be easy to find from any page on your website, for example through a footer link that is at most one or two clicks away. It must be available in the same languages as your website.[12]
Your Impressum must always contain...
- The full name of the website owner[6]
If it's a company website, it must include the full name of the company, including its legal form (for example, GmbH or UG).
- Contact information
You must be quickly reachable electronically and non-electronically:[8] a postal address, and an e-mail address that can be used to reach the company or website owner.[7]
- VAT identification number (Umsatzsteuer-Identifikationsnummer), if you have one
- Handelsregisternummer and the register court, if applicable
- Names of the managing directors and authorized representatives, if applicable
It's important to have a complete Impressum. You can get sued for damages if it's missing or incomplete.[11] Some lawyers make money by finding invalid Impressum pages.
If you can, keep your Impressum page out of Google's search results. Use a robots noindex directive for that, not a robots.txt block or a password: the page must stay reachable by every visitor, and a robots.txt block alone does not reliably remove a page from the index.
Who needs to do this?
Any German resident or company who runs a commercial website, even if the website is hosted in another country, or has a .com domain.[3] Personal, non-commercial websites do not need an Impressum.[4]
Commercial Facebook, Instagram and social media pages must also have an Impressum.[6]
Legal basis
The Impressum requirement is § 5 Digitale-Dienste-Gesetz (DDG), formerly § 5 Telemediengesetz (TMG).
Examples
- SAP’s Impressum
- BMW’s Impressum
- Facebook’s Impressum
- Google’s Impressum, featuring details of the authorized representative
- A medical clinic’s Impressum, featuring details about supervisory authorities
Impressum checklist
- Read the Ministry of Justice’s Impressum guidelines.
- Add an Impressum to your website
- Make your Impressum clearly visible and directly accessible from every page on your website.
- Remove your Impressum from Google search results.
- Add an Impressum to your Facebook page, if applicable.
Privacy policy
Your website must have a privacy policy (Datenschutzerklärung) where you explain how you collect, process and use data about your users. If you fail to include a privacy policy on your website, you can receive an Abmahnung, a formal cease-and-desist letter that usually comes with a lawyer's bill attached.[13]
If you need help with your privacy policy, you can either hire a lawyer, or use a privacy policy generator.
Who needs to do this?
Any German resident or company who runs a website, even for non-commercial purposes.[13]
Legal basis
A privacy policy is required by Articles 13 and 14 of the GDPR (DSGVO), which list the information you must give people when you collect their data.[14]
Examples
- Stripe’s privacy policy contains detailed information about how they collect and process data about their users
- N26’s privacy policy is a PDF file linked at the bottom of every page on their website
- All About Berlin’s privacy policy is on the same page as our Impressum, and is linked at the bottom of every page
Privacy policy checklist
- Add a privacy policy to your website
- Add a link to your privacy policy in the footer of every page
Terms and conditions
Your website should have a terms and conditions (AGB or Allgemeine Geschäftsbedingungen) page. Usually, it's the page where you say "we are not responsible for the accuracy of our content".
The terms and conditions must be available in the same languages as your website.[15]
Who needs to do this?
It is not required unless you have customers, but it's always a good idea.[16]
Legal basis
If you sell to consumers online, § 312d BGB (information duties for distance contracts) requires you to give them the information that is normally put in the AGB.
Terms and conditions checklist
- Add a terms and conditions page to your website. There are many AGB generators and templates online. Most of them are in German.
- Add a link to your terms and conditions to your website's footer.
Creative Commons images
If you use images with a Creative Commons licence, make sure you properly attribute the author. In Germany, using the wrong attribution format can be a costly mistake. I had to pay hundreds of euros in lawyer fees for making that mistake.
Here are the basic guidelines about using Creative Commons images on your website:
- Pay attention to the licence for the images you use on your website. Wikipedia images are not always free to use. Ideally, use public domain images that can be used without restrictions. You can find public domain images on pxhere.com.
- Understand that “free images” sometimes come with conditions. Some variants of the Creative Commons licence require attribution to the author, prohibit commercial use, and even prohibit derivative works. See this overview for more details.
- Use the correct format when giving credit to the author. Proper credit includes the Title, the Author, the Source and the Licence. See this guide for more details.
Who needs to do this?
Anyone who uses Creative Commons media on their website. Most images that come from Wikipedia are under a Creative Commons licence, so you need to give credit to their author.
Legal basis
The requirement for appropriate attribution is found in the Creative Commons licence itself. Version 4.0 of the licences is more lenient than earlier versions: attribution may be given in any reasonable manner, and a licence you lost through a mistake is reinstated automatically if you fix the mistake within 30 days of discovering it.
Examples
The correct attribution format for Creative Commons images is described in this handy guide.
Images checklist
- Only use images that are in the public domain, or that you own the rights to.
- Attribute the Creative Commons images with the correct format.
Sponsored content and affiliate links
The Telemediengesetz (now replaced by the Digitale-Dienste-Gesetz, DDG) says that ads on a website must be clearly labelled. You can't disguise an ad as genuine content. Otherwise, it's surreptitious advertising (Schleichwerbung), and you can get an Abmahnung for "unfair competition".[17]
Here are the basic guidelines for ads and sponsored content on your website:
- Affiliate links need to be labelled
Affiliate links are "commercial communications" according to § 6 DDG. Multiple lawyers suggest marking affiliate links as ads,[18] even if you are not directly getting financial compensation for affiliate content. A footnote regarding affiliate links might be insufficient.[22]
- Sponsored content needs to be labelled
If you get paid to put a sponsored post on your blog, you need to clearly tell your users that this post is an ad, and tell them who is sponsoring it. In other words, you can't disguise an advertisement as an editorial text.
According to Kanzlei Plutte, "sponsored content" is not a sufficient label, and you should use a clear word like "advertisement" (Anzeige) to label advertising on your website. The firm backs this opinion with court cases, but admits that Twitter, Facebook and Instagram use the term "sponsored".
Who needs to do this?
Any German resident or company who uses affiliate links, sponsored content or ads on their website.
Legal basis
According to § 6 Digitale-Dienste-Gesetz (DDG), “commercial communications must be clearly recognizable as such.”.
Examples
Google marks sponsored search results as ads. I disclose affiliate links on this website.
Sponsored content checklist
- Clearly mark sponsored content as advertisements
- Clearly mark affiliate links as advertisements, or at least disclose that the post contains affiliate links
Income-generating websites
If your website generates income, it's a business. If it's not part of a registered business, you will need to register it with the Gewerbeamt and the Finanzamt.
- If your website qualifies as a Gewerbe, you need a trade licence (Gewerbeschein)
You must apply for a trade licence at your local Gewerbeamt. In Berlin, you can do it online. If your business generates more than 24,500€ in profit per year, you also need to pay the trade tax (Gewerbesteuer).[19] For more information, read my Gewerbesteuer guide.
- If your website generates income, you need to register it with the Finanzamt
You register by filling in the Fragebogen zur steuerlichen Erfassung. You will then receive a tax number (Steuernummer). Note that what the Impressum law asks for is your VAT identification number (Umsatzsteuer-Identifikationsnummer), if you have one, not the Steuernummer; you can request the VAT ID in the same questionnaire.
- Making money from your website is considered self-employment
If you are not allowed to be self-employed in Germany, you will also need to apply for a freelance visa. You can get a freelance visa in addition to an existing visa.[20]
Related guides:
Who needs to do this?
Any German resident who runs a website as a stand-alone business.
Examples
Our tax number (Steuernummer) can be found in our Impressum.
Income-generating website checklist
- Before running a commercial website in Germany, make sure you are allowed to be self-employed in Germany.
- If your website is a stand-alone business, apply for a Gewerbeschein.
- If your website is a stand-alone business, register it at the Finanzamt.
- When you get your VAT identification number (Umsatzsteuer-Identifikationsnummer), add it to your Impressum.