This guide shows you what you must do if you run a website in Germany. It's based on my experience running All About Berlin.

GDPR/DSGVO compliance

Since May 2018, all websites that serve European Union customers must follow the General Data Protection Regulation (GDPR in English, DSGVO in German).

Here are the basic principles of GDPR:

  1. Only collect the data you really need
    Be careful about data you accidentally collect, such as server logs.
  2. Do not store data for longer than necessary
    When you no longer need the data, delete it (Art. 5 GDPR).
  3. Do not store personal data without the user's consent.
    Get explicit consent from your users before collecting their data. The only exception is for data that's absolutely necessary to make your service work (Art. 6(1) GDPR).
  4. Be transparent about the data you collect from your users.
    Disclose the data you collect, why you collect that data, and who you collect that data for. Put this information in your privacy policy (Datenschutzerklärung) (Art. 5 GDPR).
  5. Only use the data for the purpose it was collected for.
  6. Store the data about your users securely.
  7. Give your users a way to delete their account and erase their data.
    They have the right to be forgotten.

Here are resources that helped us understand and comply with this regulation.

Who needs to do this?

All websites that serve people in the European Union, no matter who runs the website or where it is hosted. It applies to personal, non-commercial websites too. See Who does the data protection law apply to? for more details.

Read the General Data Protection Regulation.

Examples

All About Berlin does not collect personal data about its visitors (I use Plausible analytics). It does not set tracking cookies.

There are a few forms that collect user data. That data is only collected for one purpose (contacting a broker). Once the job is done, the data is deleted.

All of this is explained in the privacy policy.

To-do list

  • Understand the GDPR regulation
  • Only collect the data you really need
  • Disclose what data you collect about your users
  • Set an expiration date for the data you collect about your users
  • Allow your users to delete the data you collect on them

Cookies

If you use cookies on your website, you must follow a few rules:

  1. Don't set tracking cookies without your users' explicit consent.
    You can't set tracking cookies before you get permission from your user. This means marketing and tracking cookies must be opt-in. That includes cookies set by Google Analytics. It's not limited to cookies; it also applies to all personal data about your users.
  2. Refusing cookies must be as easy as accepting cookies.
    Don't hide the "refuse cookies" button. The "accept" and "refuse" buttons must be equally easy to click. Many websites break this rule.
  3. You can't force your users to accept tracking cookies.
    You can't make tracking cookies a condition for using your service. You can't say "by using this website, you agree to accept our cookies". You can't force users to accept tracking cookies in your terms and conditions (Art. 6(1) and Art. 7(4) GDPR).
  4. You must allow users to opt out of tracking cookies.
    Users must have a way to opt out of tracking cookies, except for cookies that are needed to make the website work. Google Analytics is not needed to make the website work.
  5. Necessary cookies do not need consent.
    You don't need the user's consent to set cookies that contain no personally identifying information, and that are necessary to make the website work. You don't need to allow the users to opt out of these cookies.
  6. Your privacy policy must clearly explain what cookies you set, and what they are used for.
  7. Be careful with embedded content.
    YouTube videos, Disqus comments, Facebook like buttons and other third-party widgets often set tracking cookies. Either disable these widgets until you get consent from your users, or don't use them at all.
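The rules above boil down to one implementation pattern: nothing non-essential is set or loaded until the visitor has explicitly opted in, "refuse" is as easy as "accept", and embedded widgets stay as static placeholders until then. This is an added example, not code from the original guide or from any tool it mentions; the cookie name, the category names and the `data-embed-src` placeholder markup are assumptions.

```javascript
// Added example (not code from the original guide): a consent gate that keeps
// analytics and third-party embeds off the page until the visitor has explicitly
// opted in. The cookie name and the two category names are assumptions.
const CONSENT_COOKIE = "consent"; // first-party, strictly necessary: it only records the visitor's choice
const CATEGORIES = ["analytics", "marketing"];

// Parse the stored record. Missing, malformed or unknown values mean "not asked
// yet", which is treated exactly like a refusal: nothing non-essential loads.
function parseConsent(cookieValue) {
  const out = { asked: false, analytics: false, marketing: false };
  if (!cookieValue) return out;
  for (const pair of cookieValue.split("&")) {
    const [k, v] = pair.split("=");
    if (CATEGORIES.includes(k) && (v === "1" || v === "0")) {
      out[k] = v === "1";
      out.asked = true;
    }
  }
  return out;
}

// Serialize a choice. "Accept all" and "refuse all" are the same one-step call,
// so the banner can offer both as equally prominent buttons.
function serializeConsent(choice) {
  return CATEGORIES.map((c) => `${c}=${choice[c] ? 1 : 0}`).join("&");
}

// Essential cookies need no consent; every other category needs an explicit opt-in.
function isAllowed(consent, category) {
  return category === "essential" || consent[category] === true;
}

// Given placeholders like { category: "marketing", src: "<embed URL>" }, return only
// the sources that may be loaded now; the rest stay as static placeholders.
function embedsToLoad(consent, placeholders) {
  return placeholders.filter((p) => isAllowed(consent, p.category)).map((p) => p.src);
}

// Browser glue, skipped outside a browser: read the choice, then swap in only the
// permitted <div data-embed-src="..." data-category="..."> placeholders as iframes.
if (typeof document !== "undefined") {
  const raw = document.cookie.split("; ").find((c) => c.startsWith(CONSENT_COOKIE + "="));
  const consent = parseConsent(raw ? raw.slice(CONSENT_COOKIE.length + 1) : "");
  for (const el of document.querySelectorAll("[data-embed-src]")) {
    if (!isAllowed(consent, el.dataset.category)) continue;
    const frame = document.createElement("iframe");
    frame.src = el.dataset.embedSrc;
    el.replaceWith(frame);
  }
}
```

The banner's "accept" and "refuse" buttons each write `serializeConsent(...)` into the `consent` cookie and reload the embeds; the analytics script itself is only injected when `isAllowed(consent, "analytics")` is true.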

Here are articles that helped us understand how cookies work with the GDPR:

Tools like CookieBot can help you implement a cookie notice that is GDPR compliant.

In the European Union, cookies were regulated by the Cookie Directive and now by the General Data Protection Regulation (GDPR), particularly articles 6 and 7. § 15 Abs.3 Telemediengesetz (TMG) is not relevant anymore, since it's superseded by the GDPR.

Examples

  • CookieBot's cookie notice lets you choose which cookies you want to allow. Analytics cookies are enabled by default, and marketing cookies are disabled by default. Essential cookies cannot be disabled.
  • Gruender.de's cookie notice lets you choose which cookies you want to allow, with no pre-selected answer.
  • Piwik Pro's cookie notice also lets you choose which cookies you want to allow, with no pre-selected answer.
  • Many websites ask for permission before they load content from YouTube, Twitter and other websites.

To-do list

  • If you use cookies, inform your users with a detailed cookie notice.
  • Explain how and why you use cookies in your website's privacy policy.
  • Require explicit consent from your users before setting tracking cookies, and give them a way to opt out of non-essential cookies.
  • Make it easy to refuse cookies.
  • Test your website with an ad blocker. Some ad blockers will hide cookie consent notices. This breaks some websites.

Google Analytics

If you use Google Analytics, you must get consent from your visitors. You must not track your users at all before they have given their consent.

Who needs to do this?

Any EU resident or company who uses Google Analytics on their website.

The rules regarding the tracking of users are defined by § 11 Bundesdatenschutzgesetz (BDSG), and the DSGVO.

To-do list

  • Do not track your users until you have their consent.
  • Agree to the Google Analytics Data Processing Terms.
  • Configure Google Analytics to anonymize IP addresses.
  • Delete the data Google Analytics collected before anonymizing IP addresses.
  • Inform your users about Google Analytics cookies in your cookie notice, and in your privacy policy.
  • Give your users a way to opt out of Google Analytics cookies.
  • Set the Google Analytics data retention period to 14 months or less, and enable "Reset on new activity".

Impressum

The Impressum is where you list your contact information. This page is mandatory for all commercial websites operated by a German person or organization, even if the website is hosted in another country or has a .com domain. A personal, non-commercial website does not need an Impressum. In other words, if you live in Germany and use your website to make money or promote a business, you need an Impressum.

An Impressum must be "easily identifiable, directly accessible and constantly available". This usually means putting a clearly labelled "Impressum" link at the bottom of every page.

  1. An Impressum must always contain:
    • The full name of the website owner, or the full name of the company including its legal form.
      • SAP's Impressum shows the company's full legal name: SAP Deutschland SE & Co. KG
    • An email address that can be used to reach the company or website owner. You must be quickly reachable electronically, and non-electronically.
    • The full address of the company or website owner. You cannot use a PO box.
    • The telephone number and fax number of the website owner. The European Court of Justice says a phone number is not mandatory if the user has alternative options for rapid contact and direct and efficient communication.
  2. An Impressum must also contain, if applicable:

It's important to have a complete Impressum. Some lawyers aggressively scrutinise the websites of their clients' competitors, and claim damages when they find a missing or incomplete Impressum. Website owners even received cease-and-desist letters for not having an Impressum on their Facebook page.

The Impressum must be available in the same languages as your website.

If you can, remove your Impressum page from Google search results. Some lawyers make money by finding invalid Impressum pages. If they find yours, they might send you an Abmahnung.

Who needs to do this?

Any German resident or company who runs a commercial website. It doesn't matter if the website uses a .com domain or is hosted in another country.

Commercial Facebook, Instagram and social media pages must also have an Impressum.

The rules regarding the Impressum are defined by § 5 Telemediengesetz (TMG), § 55 Rundfunkstaatsvertrag (RStV) and § 2 DL-InfoV.

Examples

To-do list

Privacy policy (Datenschutzerklärung)

Your website must have a privacy policy where you outline how you collect, process and use data about your users. If you fail to include a privacy policy on your website, you can receive an Abmahnung.

If you need help with your privacy policy, you can either hire a lawyer, or use a privacy policy generator.

Who needs to do this?

Any German resident or company who runs a website, even for non-commercial purposes.

The privacy policy is required by § 13 Abs. 1 Telemediengesetz (TMG).

Examples

To-do list

  • Add a privacy policy to your website

Terms and conditions

Your website should have a terms and conditions (AGB or Allgemeine Geschäftsbedingungen) page. Usually, it's the page where you say "we are not responsible for the accuracy of our content".

The terms and conditions must be available in the same languages as your website.

Who needs to do this?

It is not required unless you have customers, but it's always a good idea.

The AGB is required by § 312d BGB if you have customers.

Examples

To-do list

  • Add a terms and conditions page to your website. There are many AGB generators and templates online. Most of them are in German.

Creative Commons images

If you use images with a Creative Commons licence, make sure you properly attribute the author. In Germany, using the wrong attribution format can be a costly mistake. We had to pay several hundred euros in lawyer fees for making that mistake.

Here are the basic guidelines about using Creative Commons images on your website:

  1. Pay attention to the licence for the images you use on your website. Wikipedia images are not always free to use. Ideally, use public domain images that can be used without restrictions. You can find public domain images on pxhere.com.
  2. Understand that "free images" sometimes come with conditions. Some variants of the Creative Commons licence require attribution to the author, prohibit commercial use, and even prohibit derivative works. See this overview for more details.
  3. Use the correct format when giving credit to the author. Proper credit includes the Title, the Author, the Source and the Licence. See this guide for more details.

Who needs to do this?

Anyone who uses Creative Commons media on their website. Most images that come from Wikipedia are under a Creative Commons licence, so you need to give credit to their author.

The requirement for appropriate attribution is found in the Creative Commons licence.

Examples

The correct attribution format for Creative Commons images is described in this handy guide.

To-do list

  • Make sure you have the right to use the images on your website.
  • Attribute the Creative Commons images you use with the correct format.

The Telemediengesetz stipulates that advertising on a website must be clearly labelled. You can't disguise an ad as genuine content. Otherwise, it's surreptitious advertising (Schleichwerbung), and you can get an Abmahnung for "unfair competition".

Here are the basic guidelines for ads and sponsored content on your website:

  1. Affiliate links need to be labelled
    Affiliate links are "commercial communications" according to § 6 TMG, but not according to § 3 MDStV, since you placed the links "independently and without financial compensation". Multiple lawyers suggest marking affiliate links as ads, even if you are not directly getting financial compensation for affiliate content. A footnote regarding affiliate links might be insufficient.
  2. Sponsored content needs to be labeled
    If you get paid to put a sponsored post on your blog, you need to clearly tell your users that this post is an ad, and tell them who is sponsoring the ad. In other words, you can't disguise an advertisement as an editorial text.

According to Kanzlei Plutte, "sponsored content" is not a sufficient label, and you should use a clear word like "advertisement" to label advertising on your website. He backs his opinion with court cases, but admits that Twitter, Facebook and Instagram use the term "sponsored".

Who needs to do this?

Any German resident or company who uses affiliate links, sponsored content or ads on their website.

According to § 6 Telemediengesetz (TMG), "commercial communications must be clearly recognizable as such." Commercial communications are further defined by § 3 Mediendienstestaatsvertrag (MDStV).

Examples

Google marks sponsored search results as ads. I disclose affiliate links on this website.

To-do list

  • Clearly mark sponsored content as advertisements
  • Clearly mark affiliate links as advertisements, or at least disclose that the post contains affiliate links

Income-generating websites

If your website generates income, it's a business. If it's not part of a registered business, you will need to register it with the Gewerbeamt and the Finanzamt.

Related guides:

Who needs to do this?

Any German resident or company who runs a website as a standalone business.

Examples

Our tax number (Steuernummer) can be found in our Impressum.

To-do list

Need help?

Where to find help ➞ Legal questions