Zum Inhalt springen
Website, shop & visibility from one source
Datenschutz

GDPR-Compliant Website: Checklist 2026

A practical checklist for a GDPR-compliant website: legal notice, privacy policy, cookies, forms and hosting in Germany. Factual, not individual legal advice.

13 min read DSGVODatenschutzImpressumCookiesWebsite

Whether a trades business, a medical practice or a service provider: as soon as a website receives visitors, it processes personal data, often from the very first page view via the IP address. The General Data Protection Regulation (GDPR) and the German Digital Services Act (DDG) set clear rules for this. Breaches are not a theoretical risk: the fine ceiling reaches up to 20 million euros (Art. 83 GDPR) or 4 percent (Art. 83 GDPR) of worldwide annual turnover, and small details such as externally loaded fonts have already led courts to award 100 euros (Regional Court Munich I, ref. 3 O 17493/20) in damages per case. This article summarises the five central building blocks of a data-protection-compliant website as a practical checklist: legal notice, privacy policy, cookies, forms and hosting. The text is kept factual and does not replace individual legal advice, but it should give you a solid orientation on which points typically need checking.

GDPR-Compliant Website: the Five Building Blockshttps://your-website.deSend enquiryCookie consentAcceptDeclineCheck the mandatory blocksLegal noticeProvider identification under Section 5 DDGPrivacy policyTransparent information under Article 13 GDPRCookies and consentActive opt-in before non-essential servicesForms and encryptionTLS, data minimisation, clear consentHosting in GermanyData processing agreement, EU server location20mEuro fine ceiling (Art. 83)100Euro per Google Fonts case5blocks in the checklistData protection is not a one-time checkbox, it is an ongoing process.Document legal bases, embed services sparingly, log consent cleanly and review regularly.

Why Data Protection Belongs to Every Website's Basics

Data protection on a website is not a purely formal matter; it touches trust and reputation. A recent survey shows that 68 percent (Cisco Consumer Privacy Survey) of consumers worry about how their data is handled online, and a significant share of them avoid providers they do not trust on data protection. At the same time, the effort for supervisory authorities and data subjects is rising: since the GDPR came into force, fines totalling more than 5.8 billion euros (DLA Piper GDPR Fines Survey) have been issued across Europe. For small and medium-sized businesses this rarely means record sums, but rather warnings, complaints and the time an avoidable mistake costs.

The good news: most requirements can be implemented cleanly with manageable effort if you plan for them from the start. Anyone building or relaunching a website can build data protection directly into the structure instead of retrofitting it later. How to plan such a rebuild without losing visibility and function is described in our article on which mistakes to avoid during a website relaunch. The following five building blocks form the framework that most checks are based on.

Briefly explained: GDPR, DDG and TDDDG

The GDPR governs the processing of personal data across Europe. The German Digital Services Act (DDG) replaced the Telemedia Act in 2024 and contains, among other things, the legal-notice obligation. The Telecommunications Digital Services Data Protection Act (TDDDG, formerly TTDSG) governs access to end devices, meaning cookies and similar technologies. These three sets of rules interlock for a website.

Almost every commercial website in Germany needs a legal notice, a provider identification under Section 5 DDG. The obligation applies not only to online shops but also to the website of a trades business, a practice or an association, as soon as it goes beyond purely private or family purposes. The legal notice must be easily recognisable, directly accessible and permanently available. In practice this means a clearly labelled link, for example Legal notice in the footer, reachable from every subpage with a single click. Labels such as Contact or About us as the sole route are considered insufficient.

Depending on the legal form, the content includes the full name and address, for legal entities the authorised representatives, a fast electronic means of contact including an email address, where applicable the register entry and register number, the VAT identification number and, for certain professions, additional details such as chamber, professional title and professional regulations. For doctors, tax advisors, lawyers or master craftspeople these additional details are particularly relevant. An incomplete legal notice is one of the most common grounds for a warning, even though it can be avoided with little effort.

Quick check: legal notice

A clearly labelled link in the footer, reachable from every page in one click, complete address and authorised representatives, email address and fast means of contact, register and VAT details where applicable, additional professional details for regulated professions. If unsure about the mandatory details, a brief legal review is worthwhile.

Block 2: Designing the Privacy Policy Transparently

The privacy policy informs visitors about which data the website processes, for what purpose and on which legal basis. It is based above all on the information obligations under Article 13 GDPR. Unlike the legal notice, the privacy policy is not a static standard text; it must reflect the services and processing operations actually used. Anyone using a contact form, reach measurement, a map embed or a newsletter must name exactly those operations. A policy copied from the web that does not match your own website is, in case of doubt, worthless or even misleading.

Usual components include details about the controller, the categories of processed data, purposes and legal bases, recipients and processors, storage duration or deletion periods, and the rights of data subjects to access, rectification, erasure, restriction, data portability and objection. This is supplemented by a note on the right to lodge a complaint with a supervisory authority. If data is transferred to countries outside the EU, for example through services with servers in third countries, this requires a suitable legal basis and a corresponding note. The policy should be written in clear, understandable language and be accessible without registration.

A living document, not a one-off task

Every new feature, every new tool and every new service provider can change the privacy policy. It should therefore be maintained alongside every major change to the website. A policy that describes a service long since removed, or conceals a newly added one, protects no one.

Block 3: Handling Cookies and Consent Cleanly

Cookies and comparable technologies may only be set without consent if they are strictly necessary for a service explicitly requested by the user, for example a shopping cart or storing the cookie choice itself. For everything else, in particular reach measurement, marketing and external embeds, an active, informed consent is required under Section 25 TDDDG and the case law of the European Court of Justice. In the Planet49 ruling (ref. C-673/17) the ECJ made clear that pre-ticked boxes do not constitute valid consent. Effective consent requires a deliberate action.

For practical implementation with a consent banner, a few basic rules have become established: non-essential services may only load after consent, not already on page load. Declining must be as easy as accepting, ideally on the same level and with equally visible buttons. Default settings must not feign consent, and the choice once made must be revocable at any time. In addition, it should be documented who consented to which processing and when. This provability is part of the accountability obligation under the GDPR.

AspectNon-compliantCompliant
Load timingTracking loads on page loadNon-essential services load only after consent
ButtonsOnly Accept visible, Decline hiddenAccept and Decline equally visible
DefaultBoxes pre-tickedNo preselection for non-essential services
WithdrawalNo way to changeChoice revocable at any time
RecordNo loggingConsents documented and retrievable

An often underestimated special case is externally loaded resources such as fonts, map services or video embeds. If they are loaded directly from third-party servers, the visitor's IP address is already transmitted to third parties before any consent exists. This was precisely the subject of the mentioned Google Fonts ruling. The clean approach is to embed such resources locally or load them only after consent. How this can be implemented technically without losing speed is covered in our article on Core Web Vitals and page speed.

Block 4: Forms and Data Minimisation

Contact, enquiry and newsletter forms are the most important channel for new orders for many businesses and at the same time a sensitive point in data protection. Two principles are paramount: data minimisation and transparency. Data minimisation means asking only for the details genuinely needed for the respective purpose. For a follow-up question, name, message and a means of contact usually suffice. Mandatory fields such as a full address or date of birth are generally not necessary for a simple enquiry and should remain optional or be dropped entirely.

Technically, the transmission must be encrypted. Continuous TLS encryption, recognisable by the https in the address bar, is the minimum standard today and at the same time a ranking signal. The form itself should carry a short, understandable data protection note referring to the privacy policy. For a newsletter, the double opt-in procedure is additionally common, in which the sign-up is verified via a confirmation link. This proves that the consent actually came from the person specified. The proof obligation applies to forms too: it should be documentable which consent was given with which text and at which point in time.

  • Mark only genuinely needed fields as mandatory, keep the rest optional or remove them
  • Ensure continuous TLS encryption for the entire website
  • Clear data protection note on the form with a link to the privacy policy
  • For newsletters, double opt-in with a logged confirmation step
  • Use spam protection without unnecessary data sharing with third parties
  • Store incoming enquiries only as long as the purpose requires

A well-built form combines data protection and impact: fewer mandatory fields lower the barrier to getting in touch and at the same time increase data minimisation. Both serve the same goal. How to align forms and page structure specifically for more enquiries is explored in our article on conversion optimisation for more enquiries.

Block 5: Hosting in Germany and Data Processing

Anyone outsourcing the operation of a website to a hosting provider hands the processing of personal data such as server logs with IP addresses into external hands. For this, Article 28 GDPR requires a data processing agreement, DPA for short. It stipulates that the provider processes the data only on instruction and within the agreed scope. Without such an agreement, the cooperation is vulnerable under data protection law. Reputable hosts provide the DPA as standard, often ready to conclude directly in the customer account.

A server location in Germany or at least within the EU considerably simplifies the legal situation, because then there is no data transfer to insecure third countries and no additional safeguards are needed. Hosting in Germany is therefore not only a trust argument towards customers but also reduces the documentation effort. When choosing a provider, it is worth looking at the server location, the DPA offered, technical security measures and deletion concepts. What a reliable, privacy-friendly hosting setup looks like is described in detail on our web hosting page.

Frequently overlooked

Even seemingly harmless additional services process data: embedded maps, video players, fonts from external servers, chat widgets or statistics tools. Each of these services needs a legal basis, an entry in the privacy policy and, where applicable, a data processing agreement. Taking stock of all embedded services is the first step towards a clean website.

Data Protection as an Ongoing Process

The five building blocks form a solid foundation, but data protection is not a state you establish once and then tick off. Websites change: features are added, service providers change, case law develops further. That is why a data-protection-compliant website includes a regular look at the embedded services, the currency of the privacy policy and the function of the consent banner. From more than 50 completed website projects (project experience) it becomes clear that most problems do not arise from ill will but from a website that grows faster than its documentation.

Anyone who cannot or does not want to handle this maintenance themselves can hand it over to ongoing website care that keeps technical updates, security and data protection in view together. In addition, it is worth thinking about accessibility, because since 2025 new obligations apply to many providers. How this connects is explained in our article on the accessibility obligation for websites. Data protection, security and accessibility interlock: all three ensure that a website not only looks good but also works reliably and in a legally sound way.

This article is based on data from: Regulation (EU) 2016/679 (GDPR, in particular Art. 13, 25, 28, 83), German Digital Services Act (DDG, Section 5), Telecommunications Digital Services Data Protection Act (TDDDG, Section 25), ruling of the Regional Court Munich I (ref. 3 O 17493/20, Google Fonts), ruling of the ECJ (ref. C-673/17, Planet49), Cisco Consumer Privacy Survey (consumer concerns), DLA Piper GDPR Fines Survey (total fines) and our own projects. Details marked (project experience) are based on our own website projects. This article is a general orientation and does not replace individual legal advice.