Privacy policy

Under German privacy laws which govern the handling and processing of personal data, website operators and online shops are obliged to inform customers about how their personal data will be used.

However, website operators often spend little or no time on the topic and, in doing so, risk high penalties.

The following gives a brief overview of the requirements a German privacy policy must fulfil.

Purpose of privacy policies

The purpose of a privacy policy is to inform customers about how their personal data will be used. Personal data is defined as information on the personal and material circumstances of an identified or identifiable person (§ 3(1) German Data Protection Act).

Such information includes, but is not limited to: name, age, marital status and date of birth.

Account numbers, car registration numbers or telephone numbers can also be classed as personal data if the data can be linked to a name or if a link can be made directly from the content of the information captured.

The existence of a privacy policy does not absolve a website operator from obtaining the express consent of an individual when wishing to process personal data for commercial purposes.

Does my website need a privacy policy?

Every business website that collects the personal data of its visitors or customers, for example through a contact form or newsletter, must have a privacy policy (§ 13 German Telemedia Act).

A privacy policy is not required if the data collected are statistical with no personal connection, anonymous or system-related. Such information includes the type of browser, the visitor’s operating system and time of server request. However, a privacy policy is required if a website uses cookies or web analysis tools, such as Google Analytics, and the data collected are not anonymous or could provide information that a certain person has accessed the server.

It is currently unclear whether IP addresses count as personal data. However, German case law tends to view IP addresses as personal data, and this was confirmed by the European Court of Justice in a judgment of 24 November 2011 (C-70/10). It is therefore advisable in such situations to ensure that a privacy policy is in place.

Content of a privacy policy

A privacy policy should set out the purpose, nature and extent of the data processing which is to take place.

The policy should also notify website users of their rights to object to and/or cancel their consent to their data being processed. If the website uses cookies related to personal data, corresponding notification should be provided.

Users should also be informed if the website makes use of social plugins (Facebook, Twitter, Google+), and a link to the privacy policy of the relevant social media network should be provided.

The information in the privacy policy must be easy to understand and made accessible at all times.

Free privacy policy template

You can download a free privacy policy template from our social media law webpage.

Do you have questions about IT law, licences or data protection? We are happy to help!
German lawyer, Christian Solmecke, and his expert team are available to answer your questions.
Call us on +49 (0) 221 / 951 563 0 or use our contact form.

Christian Solmecke is a partner at the law firm WILDE BEUGER SOLMECKE. He is the author of numerous legal publications in the area of internet and IT law. He is also an associate lecturer for social media law at the Cologne University of Applied Sciences.
