An amendment to the Injunctions Act came into force on February 24, 2016. Consumer protection associations can now take action against missing, incorrect or incomplete data protection declarations by issuing a warning letter.
When websites must contain a privacy policy
The German Telemedia Act (Section 13 para. 1 TMG) obliges every website operator to inform the users of their website, in a privacy policy, about the extent to which personal data is collected or used. A website operator ends up collecting user data faster than one might think.
This is because it is often overlooked that it is almost impossible to operate a website today without using personal data. For example, it is sufficient for the server to simply log IP address data in some form. If analysis tools such as Google Analytics are also used, or if the website offers interaction options such as a comment function, the obligation to provide a privacy policy is obvious.
How to integrate a privacy policy
If you are obliged to include a privacy policy for the operation of a website, certain formal rules must be observed. The privacy policy must provide complete information about the use of personal data on the website. It should also do this in a "generally understandable form". The user must be able to access the privacy policy at any time. In practice, the latter can only be achieved by integrating the privacy policy into the website with a separate "Privacy Policy" link. It has become established practice to place a further link to the privacy policy in addition to the link to the mandatory imprint information.
The content of the privacy policy depends largely on the website. If it is a simple website without many functions, it can generally be very short. If, on the other hand, buttons for social networks and an analysis tool are used, for example, this generally increases the design requirements of the privacy policy considerably.
When designing the privacy policy, it should be noted that processes on the website that are not permitted under data protection law cannot be "cured" by the privacy policy under any circumstances. It merely provides information about the permissible processing of data on the website.
The threat of an incorrect or missing privacy policy
If a website operator omits a privacy policy, or the policy is missing important information, this has the following consequences: First of all, there is simply a data protection violation. This can be punished by the responsible data protection supervisory authorities. In the worst case, a fine may be imposed.
However, a warning from a competitor or - as mentioned above - from consumer protection associations is more "dangerous" and certainly more likely. It is still unclear whether the new legal standing of consumer protection associations will potentially lead to mass warnings due to missing or incomplete data protection declarations.
However, one thing is clear with the new legal regulation: the importance of the privacy policy is increasing, as is the risk for the website operator of making mistakes when integrating the privacy policy.