WordPress & DSGVO
Data protection with WordPress
The DSGVO is a highly topical issue for you as a website or blog operator. The DSGVO governs the processing of personal data and its free movement. The regulation refers to natural persons whose fundamental rights and freedoms are to be protected. In the corporate sector, this applies not only to the regular employer-employee relationship but also to company websites, online shops and service providers that receive orders online. Whether for customer orders, e-mail campaigns or user tracking, the topic is relevant in many contexts. In each of these cases, you process and use customer data.
What is the DSGVO?
The Federal Data Protection Act previously applicable in Germany loses its applicability in certain contexts or is amended. The EU's basic data protection regulation standardizes data protection law, so differing standards in different countries are abolished. The regulation is not only relevant to EU members: it also binds data processing outside the EU whenever the data of persons from the EU is processed. Data protection is meant to become more user-friendly and transparent. At the same time, non-compliance results in higher fines.
Who is affected?
The regulation applies to every company and individual on the Internet. It applies to user tracking, customer data, newsletters, advertising e-mails, and Facebook. It therefore affects every privacy statement, and that includes WordPress. Privacy statements must be up to date, and plugins must be partially deactivated or updated. YouTube videos can only be embedded with the advanced privacy options. WordPress pages require the reader's consent to data processing via opt-in. The regulation came into force on May 25, 2016, and became binding on May 25, 2018.
What is personal data?
Data falling within the scope of the basic data protection regulation are:
- Email address
- Phone number
- Account details
- Vehicle registration number
- Location data
- IP addresses
What happens in case of violation?
If you are found to be in violation, you should contact your national data protection authority. A violation results in severe penalties. Previous fines ranged from €50,000 to €300,000 and related to serious breaches of data protection. With the new regulation, the fines have increased: they can amount to up to €20 million or 4% of the previous year's worldwide turnover. That will force global companies to comply with the new rules. If you do not comply, you can expect warnings. Violations are also relevant under competition law, for you and for others.
What has changed?
You are prohibited from collecting, processing and using personal data unless your users give their permission. Permission rests on a legal basis such as the EU-DSGVO, the BDSG or the consumer's consent. You may only collect and process as much data as is strictly necessary for your operations; data processing beyond that is illegal. You may only use the data for the intended purpose, and the data must be accurate, factual and up to date. Art. 32 addresses data security: data processing must take into account the current state of technology as well as costs, type, scope, circumstances and a risk analysis. Take the necessary technical and organizational measures to ensure the right level of data protection! The required level of protection matters here, because different types of personal data are subject to different levels of protection.
The right to erasure
Until now, EU citizens could ask search engines to stop displaying search results. Your users have the right to have data deleted or blocked, especially if the data is no longer being used. Consumers can exercise their right to be removed wherever their personal data are processed. Article 17 of the Basic Data Protection Regulation covers this point. Data must be deleted if the purpose of the data processing no longer applies, if the data subject withdraws his/her consent to the data processing or if the data processing was unlawful.
The right to data portability
Art. 20 regulates the right to have data transferred. Consumers make use of this right when they switch from one provider to another. The data controllers must forward the personal data to the new provider in a common format. That is particularly relevant when switching from social networks, from one bank to another and when changing employers.
Under the EU-DSGVO, you are accountable as a processor of personal data. According to Art. 5 para. 2 of the Basic Data Protection Regulation, data controllers must be able to prove compliance with the data protection principles when required. To do this, you must set up a data protection management system in which you document compliance with data protection requirements. On request, this documentation serves as proof of proper compliance to the supervisory authority.
Consent to data processing
Consent does not require any special form: it may be given in writing, orally or electronically. Nevertheless, it is advisable to document it. You may ask users for their consent via an opt-in box. An opt-out box is not sufficient for the deletion. Your contractual partner must give her consent voluntarily. Furthermore, the consent must be tied to a specific processing purpose and documented. General consent is not permitted by the EU data protection regulation, and you must be able to prove that consent to data processing was given. Whoever has given consent has the right to revoke it at any time. Under company law, it is not necessary to obtain renewed consent for data processing from every customer. The proof of consent is legally stipulated in Art. 7 of the EU-DSGVO.
Adaptations in accordance with the DSGVO
As a site operator, service provider, shop operator or company, you have to adapt your data protection regulations. They must be accurate, transparent, understandable, easily accessible, and written in clear and simple language. You must also specify the legal basis for the data processing. Consent must not be made conditional on the acceptance of offers. You must reformulate the data protection declaration. Commissioned data processing (Auftragsverarbeitung, ADV) is regulated in accordance with the Basic Data Protection Regulation in Section 11 of the BDSG. This concerns the collection, processing or use of personal data by a contractor. Contractors are jointly responsible for data processing. That includes external customer centers, external newsletter providers, clouds, external companies active in marketing for another company, and external computing centers. According to Art. 30, a record of the data processing must be created. The ADV contract can be concluded in electronic form.
The procedure directory
According to Art. 30, you must create a procedure directory: a record of processing activities. It does not have to be public, but it must be available on demand. The company management is responsible for this record, and it must be submitted to the data protection authority upon request. It can be kept in writing or in electronic form.
The Data Protection Officer
It is advantageous for your company to employ a data protection officer. The issue concerns both employers and employees. The works council must not be left out of the picture with regard to the DSGVO changeover.
If you run a website or a blog, you are processing data. No one can talk their way out of it under the pretext that they are not processing personal data; server statistics also contain data that is processed. With WordPress, the Jetpack plugin is a particularly sensitive topic. Statistics must be kept with anonymized IP addresses. The basic data protection regulation does not grant you any transition periods and is binding.
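One way to meet the IP anonymization requirement for server statistics, as an added example that is not part of the original page: a small Python helper that truncates IPv4 addresses to a /24 and IPv6 addresses to a /48 before access-log lines are stored. The prefix lengths and the sample log lines are constructed assumptions, not values the page prescribes.

```python
import ipaddress
from typing import List

# Constructed sample lines in combined log format (documentation-range addresses, not real visitors).
SAMPLE_LOG = """\
203.0.113.45 - - [25/May/2018:10:12:01 +0200] "GET /wp-login.php HTTP/1.1" 200 1342
2001:db8:85a3::8a2e:370:7334 - - [25/May/2018:10:12:05 +0200] "GET /feed/ HTTP/1.1" 200 5120
198.51.100.7 - - [25/May/2018:10:12:09 +0200] "POST /wp-comments-post.php HTTP/1.1" 302 0
"""

IPV4_KEEP_BITS = 24   # assumption: drop the last octet of IPv4 addresses
IPV6_KEEP_BITS = 48   # assumption: keep only the /48 routing prefix of IPv6 addresses


def anonymize_ip(ip: str) -> str:
    """Zero the host part of an address so it no longer identifies a single device."""
    addr = ipaddress.ip_address(ip)
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    # strict=False lets ip_network mask away the host bits instead of raising.
    network = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(network.network_address)


def anonymize_log_line(line: str) -> str:
    """Replace the leading client address of a log line; leave other lines untouched."""
    client, sep, rest = line.partition(" ")
    if not sep:
        return line
    try:
        return anonymize_ip(client) + sep + rest
    except ValueError:
        # First field is not an IP address (e.g. a malformed line): keep it as is.
        return line


def anonymize_log(text: str) -> List[str]:
    """Anonymize every line of a log file before it is written to statistics storage."""
    return [anonymize_log_line(line) for line in text.splitlines()]


if __name__ == "__main__":
    for anonymized in anonymize_log(SAMPLE_LOG):
        print(anonymized)
```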
Our DSGVO service:
We help you to avoid high fines for violations of the DSGVO:
… help you with your Google Opt-Out settings
… support you with the conversion of your website to SSL
… assist you in the creation of the cookie notice
… ensure adequate IP anonymization on your site
… support you with the integration of tracking solutions
… help you with the adaptation of WordPress & components
… support the integration of opt-in and opt-out solutions
… work hand in hand with your lawyers and data protection officers