Running a website in Germany: everything you must know

Running a website in Germany: everything you must know

Here are all the laws and regulations you must follow to run a website legally in Germany. This guide includes information about GDPR requirements.

This guide will show you everything you need to do to legally run a website in Germany.

Welcome to the absurd word of European regulations. I'll be your guide. Buckle up, because making a website comply with German and European Union laws is no walk in the park.

GDPR/DSGVO compliance

The General Data Protection Regulation went into effect on May 25, 2018. It sets strict rules on how websites can collect personal data about European Union citizens. Personal data includes anything that could personally identify a user: name, email, phone number, location data, cookies, IP address and so on.

Here are the basic principles of GDPR:

  1. Only collect the data you really need
    Be careful about data you accidentally collect, such as server logs.
  2. Do not store data for longer than necessary
    Set appropriate retention policies for the data you collect about your users, and delete it when it's no longer needed.Art.5
  3. Do not store personal data without the user's consent.
    Get explicit consent from your users before collecting their data. The only exception is for data that's absolutely necessary to make your service work.Art.6.1
  4. Be transparent about the data you collect from your users.
    Disclose the data you collect, why you collect it and who you collect it for. Put this information in your privacy policy (Datenschutzerklärung).Art.5
  5. Only use the data for the purpose it was collected for.
  6. Store the data about your users securely.
  7. Give your users a way to delete their account and erase their data.
    They have the right to be forgotten.

Here are resources that helped us understand and comply with this regulation.

Who needs to do this?

Any website who has European Union visitors, no matter who runs the website or where it is hosted. It applies to personal, non-commercial websites too. See Who does the data protection law apply to? for more details.

Legal basis

The General Data Protection Regulation is available online here.

Examples

All About Berlin does not store any personal data. We anonymize the information we send to Google Analytics and set a reasonable expiration date for the usage data we collect. We also collect server logs, but do not log IP addresses. We disclose what data we collect in our privacy policy.

To-do list

  • Understand the GDPR regulation
  • Only collect the data you really need
  • Disclose what data you collect about your users
  • Set an expiration date for the data you collect about your users
  • Allow your users to delete the data you collect on them

Cookies

If you use cookies on your website, there are a few rules you must follow.

  1. You can't set any tracking cookies until the users give you their explicit consent.
    This means marketing and tracking cookies must be opt-in. That includes cookies set by Google Analytics.
  2. You can't force users to accept tracking cookies to use your website.
    You can't make tracking cookies a condition for using your service. You can't say "by using this website, you agree to accept our cookies". You can't force users to accept tracking cookies in your terms and conditions.Art.6.1Art.7.4
  3. You must allow users to opt out of tracking cookies.
    Users must have a way to opt out of tracking cookies, except for cookies that are needed to make the website work.
  4. Necessary cookies do not need consent.
    You don't need the user's consent to set cookies that contain no personally identifying information, and that are necessary to make the website work. You don't need to allow the users to opt out of these cookies.12
  5. Your privacy policy must clearly explain what cookies you set, and what they are used for.
  6. Be careful with embedded content.
    YouTube videos, Disqus comments, Facebook like buttons and other third-party widgets often set tracking cookies1. You can either disable these widgets until you get consent from your users, or stop using them entirely. For example, we removed Disqus comments from All About Berlin.

Here are articles that helped us understand how cookies work with the GDPR:

Tools like CookieBot, Consently and Cookie Consent can help you implement a cookie notice that is GDPR compliant.

Legal basis

In the European Union, cookies were regulated by the Cookie Directive and now by the General Data Protection Regulation (GDPR), particularly articles 6 and 7. § 15 Abs.3 Telemediengesetz (TMG) is not relevant anymore, since it's superseded by the GDPR.

Examples

  • CookieBot's cookie notice lets you choose which cookies you want to allow. Analytics cookies are enabled by default, and marketing cookies are disabled by default. Essential cookies cannot be disabled.
  • Gruender.de's cookie notice lets you choose which cookies you want to allow, with no pre-selected answer.
  • Piwik Pro's cookie notice also lets you choose which cookies you want to allow, with no pre-selected answer.

To-do list

  • If you use cookies, inform your users with a detailed cookie notice.
  • Explain how and why you use cookies in your website's privacy policy.
  • Require explicit consent from your users before setting tracking cookies, and give them a way to opt out of non-essential cookies.

Google Analytics

There are specific rules regarding how Google Analytics must be used by German websites.

  1. Accept the Data Processing Terms.
    If you use Google Analytics on a website in the European Union or Switzerland, you must agree to Google Analytic's Data Processing Terms. To do this, open Google Analytics, and under Admin > Account settings > Data processing amendment, click "Review amendment"1.
  2. Anonymize IP addresses.
    First, you must enable IP anonymization1, 2. Some websites already got in trouble for incorrectly anonymizing IP addresses in Google Analytics12, so this is a very important step. You anonymize IP addresses by adding ga('set', 'anonymizeIp', true) before the ga('send', 'pageview') line in your tracking code. You are also supposed to delete the data Google Analytics saved prior to anonymizing IP addresses1. This is done by recreating the property (that's your website) from Google Analytics and creating it again.
  3. Require consent before setting Google Analytics cookies.
    You must obtain consent from your users before you start tracking them. This means Google Analytics must be turned off until your users explicitly agree to be tracked. See the section on cookies for more details. This guide explains how to disable Google Analytics tracking for your users.
  4. Update your privacy policy.
    You must inform that you use Google Analytics to track visitors in your privacy policy. See the section on the privacy policy for more details.
  5. Set the data retention period.
    In the Google Analytics console, you change the data retention period to 14 months or less to comply with the GDPR/DSGVO regulation1. You must also disable "Reset on new activity". You will find these settings under Admin > Account settings > Tracking info.

Who needs to do this?

Any German resident or company who uses Google Analytics on their website.

Legal basis

The rules regarding the tracking of users are defined by § 11 Bundesdatenschutzgesetz (BDSG), as well as the newly introduced DSGVO.

To-do list

  • Agree to the Google Analytics Data Processing Terms.
  • Configure Google Analytics to anonymize IP addresses.
  • Delete the data Google Analytics collected before anonymizing IP addresses.
  • Inform your users about Google Analytics cookies in your cookie notice, and in your privacy policy.
  • Give your users a way to opt out of Google Analytics cookies.
  • Set the Google Analytics data retention period to 14 months or less, and enable "Reset on new activity".

Impressum

The Impressum is where you list your contact information. This page is mandatory for all commercial websites operated by a German person or organization, even if the website is hosted in another country or has a .com domain1. A personal, non-commercial website does not need an Impressum1. In other words, if you live in Germany and use your website to make money or promote a business, you need an Impressum.

An Impressum must be "easily identifiable, directly accessible and constantly available"1. This usually means putting a clearly labelled "Impressum" link at the bottom of every page.

  1. An Impressum must always contain:
    • The full name of the company or website owner.
    • An email address that can be used to reach the company or website owner
    • The full address of the company or website owner. You cannot use a PO box.
      • SAP's Impressum shows the company's full legal name: SAP Deutschland SE & Co. KG
    • The telephone number and fax number of the website owner. The European Court of Justice says a phone number is not mandatory if the user has alternative options for rapid contact and direct and efficient communication12.
  2. An Impressum must also contain, if applicable:

It's important to have a complete Impressum. Some lawyers aggressively scrutinize the websites of their clients' competitors, and claim damages when they find a missing or incomplete Impressum12, 3. Website owners even received cease-and-desist letters for not having an Impressum on their Facebook page.

Who needs to do this?

Any German resident or company who runs a commercial website. It doesn't matter if the website uses a .com domain or is hosted in another country.

Legal basis

The rules regarding the Impressum are defined by § 5 Telemediengesetz (TMG)§ 55 Rundfunkstaatsvertrag (RStV) and § 2 DL-InfoV.

Examples

To-do list


Privacy policy (Datenschutzerklärung)

Your website must have a privacy policy where you outline how you collect, process and use data about your users. If you fail to include a privacy policy on your website, you can receive an Abmahnung1.

If you need help with your privacy policy, you can either hire a lawyer, or use a privacy policy generator.

Who needs to do this?

Any German resident or company who runs a website, even for non-commercial purposes1.

Legal basis

The privacy policy is required by § 13 Abs. 1 Telemediengesetz (TMG).

Examples

To-do list

  • Add a privacy policy to your website

Server logs

According to the GDPR, an IP address is considered personal data. Your server logs probably contain the IP addresses of your visitors, so they contain personal data. This means the GDPR also concerns your server logs.

Here are basic guidelines for GDPR-compliant server logs1:

  1. Don't collect logs unless you have to.
    The easiest way to have GDPR-compliant logs is to have no logs at all.
  2. Don't store logs for longer than you have to.
    If you need to collect server logs, keep them for the shortest time possible. Set a lot rotation policy that automatically deletes older server logs.
  3. If you collect logs, don't log personal information in them.
    IP addresses are personal data. Since most server logs contain IP addresses, your logs contain personal data. If you collect logs without IP addresses or other personal data, they are already GDPR-compliant.
  4. If you collect IP addresses in your logs, tell your users your privacy policy.
    You can collect logs without consent under certain conditions, but in any case, you must inform your users in your privacy policy.

Useful links

Who needs to do this?

Any website that collects logs that contain personal data. Most web servers collect access logs by default.

Legal basis

IP addresses are considered personal data according to the GDPR.

To-do list

  • Only collect logs if necessary
  • Automatically delete older logs
  • If possible, remove personal data like IP addresses from your logs
  • If your logs contain personal data, inform your users in your privacy policy

Creative Commons images

If you use images with a Creative Commons licence, make sure you properly attribute the author. In Germany, using the wrong attribution format can be a costly mistake. We to pay several hundred euros in lawyer fees for making that mistake.

Here are the basic guidelines about using Creative Commons images on your website:

  1. Pay attention to the licence for the images you use on your website. Wikipedia images are not always free to use. Ideally, use public domain images that can be used without restrictions. You can find public domain images on pxhere.com.
  2. Understand that "free images" sometimes come with conditions. Some variants of the Creative Commons licence require attribution to the author, prohibit commercial use, and even prohibit derivative works. See this overview for more details.
  3. Use the correct format when giving credit to the author. Proper credit includes the Title, the Author, the Source and the Licence. See this guide for more details.

Who needs to do this?

Anyone who uses Creative Commons media on their website. Most images that come from Wikipedia are under a Creative Commons licence, so you need to give credit to their author.

Legal basis

The requirement for appropriate attribution is found in the Creative Commons licence.

Examples

The correct attribution format for Creative Commons images is described in this handy guide.

To-do list

  • Make sure you have the right to use the images on your website.
  • Attribute the Creative Commons images you use with the correct format.

Sponsored content and affiliate links

The Telemediengestz stipulates that advertising on a website must be clearly labelled. You can't disguise an ad as genuine content. Otherwise, it's surreptitious advertising (Schleichwerbung), and you can get an Abmahnung for "unfair competition"1.

Here are the basic guidelines for ads and sponsored content on your website:

  1. Affiliate links need to be labelled
    Affiliate links are "commercial communications" according to § 6 TMG, but not according to § 3 MDStV, since you placed the links "independently and without financial compensation". Multiple lawyers suggest to mark affiliate links as ad1, 2, even if you are not directly getting financial compensation for affiliate content. A footnote regarding affiliate links might be insufficient1.
  2. Sponsored content needs to be labeled
    If you get paid to put a sponsored post on your blog, you need to clearly tell your users that this post is an ad, and tell them who is sponsoring the ad. In other words, you can't disguise an advertisement as an editorial text.

According to Kanzlei Plutte, "sponsored content" is not a sufficient label, and you should use a clear word like "advertisement" to label advertising on your website. He backs his opinion with court cases, but admits that Twitter, Facebook and Instagram use the term "sponsored".

Who needs to do this?

Any German resident or company who uses affiliate links, sponsored content or ads on their website.

Legal basis

According to § 6 Telemediengesetz (TMG), "commercial communications must be clearly recognizable as such." Commercial communications are further defined by § 3 Mediendienstestaatsvertrag (MDStV).

Examples

Google marks sponsored search results as ads. We disclose affiliate links in our overview of German banks.

To-do list

  • Clearly mark sponsored content as advertisements
  • Clearly mark affiliate links as advertisements, or at least disclose that the post contains affiliate links

Income-generating websites

If your website generates income, it's a business. If it's not part of a registered business, you will need to register it with the Gewerbeamt and the Finanzamt.

  • If your website qualifies as a Gewerbe, you need a trade licence (Gewerbeschein).
    You must apply for a trade licence at your local Gewerbeamt. In Berlin, this can be done online. If your generates more than 24 500€ per year in revenue, you will also need to pay the trade tax (Gewerbesteuer)1.
  • If your website generates income, you need to register it with the Finanzamt.
    You register by filling the Fragebogen zur steuerlichen Erfassung. You will then receive a tax number (Steuernummer), which you need to put in your Impressum.
  • Making money from your website is considered self-employment.
    If you are not allowed to be self-employed in Germany, you will also need to apply for a freelance visa. You can get a freelance visa in addition to an existing visa1.

Who needs to do this?

Any German resident or who runs a website as a standalone business.

Examples

Our tax number (Steuernummer) can be found in our Impressum.

To-do list

  • Before running a commercial website in Germany, make sure you are allowed to freelance in this country.
  • If your website is a standalone business, apply for a Gewerbeschein at your local Gewerbeamt.
  • If your website is a standalone business, declare it to the Finanzamt by filling the Fragebogen zur steuerlichen Erfassung.
  • Once your receive a tax number (Steuernummer) from the Finanzamt, add it to your Impressum.

Need help with your website?

When I'm not working on All About Berlin, I work as a frontend developer for clients all over the world. I help startups go live, and show small businesses how to build their online presence. If you need a hand, let's get in touch.


Comments

  • Leave a comment