Not only since the “cookie ruling” of the European Court of Justice (C673/17 Planet49 v. Verbraucherzentrale) have online media been the focus of data protection supervisory authorities. In the past, data protection and data security have tended to be treated as marginal issues, if at all, in the design and implementation of online presences, by companies and public bodies alike. In the vast majority of cases, the operators responsible have delegated these issues to web designers and web agencies and presumably hoped that they would perform their task carefully and in compliance with the law. In very few of the cases known to us did the client make concrete specifications regarding data protection and security requirements. Agencies and web designers had a free hand here and often, at least with regard to data protection, had little, if any, prior training.
The client is and remains responsible
The lack of concrete specifications on data protection and security issues can come back to bite the client. For example, after a successful attack on its online store, the CSU in Bavaria had to admit that the store had never been updated since it was created. Even federal ministries, most recently the Federal Ministry for Family Affairs, Senior Citizens, Women and Youth, are sometimes conspicuous for their inadequate implementation of security standards on their websites. In our audits, we also repeatedly find outdated software components in use that no longer receive security updates, a clear violation of the GDPR.
When clients point out that this is the agency’s responsibility, agencies often counter that there was no mandate for regular updates. The other side of the coin, however, is that many agencies leave their clients in the dark about the need for regular updates. According to Article 28 of the GDPR, the responsibility for data protection violations clearly lies with the client, as long as the processor does not act against the client’s instructions. So it makes absolute sense to commission service providers under clear contractual rules and specifications.
Not sure whether your website or store is set up properly in terms of data protection?
A data protection audit that also includes current case law and concrete proposals for solutions provides you with a good basis for your assessment. A data protection audit for your store or website is always less expensive than a possible fine or even a lawsuit by a consumer protection association. You can find out more about the costs here.
Pitfalls for responsible parties
1. Inadequate maintenance
The inadequate maintenance of one’s own online presence, already mentioned above, is the first serious pitfall for the responsible party. Unfortunately, during data protection audits we repeatedly discover outdated PHP versions, ancient store or CMS software, unmaintained web servers, and the like. The resulting security gaps are an open invitation to cyber criminals.
2. Integration of third-party providers without a legal basis
The integration of third-party providers without a sufficient legal basis is another common breach of the GDPR. In our investigation of healthcare websites, only three of the 45 websites examined refrained from integrating third-party providers. In almost all other cases, the method of integration was either not legally compliant or at least questionable.
3. Lack of encryption
Word should have spread long ago that the unencrypted transmission of personal data, for example in web forms, is an absolute faux pas. Nevertheless, we keep finding websites whose operators believe they can do without SSL/TLS encryption.
4. Lack of transparency
Quite honestly, many a data protection statement from otherwise reputable companies reads like a fairy tale. As a rule, however, they lack literary quality, so the pleasure of reading them is clearly limited. Transparency about the processing that actually takes place? Missing!
5. Pointless cookie banners
Absolutely pointless and, moreover, illegal cookie banners are still frequently encountered despite clear rulings by the highest courts. Apart from the fact that these things are simply annoying, they serve only to (falsely) reassure the responsible party.
6. Incorrectly programmed or integrated consent tools
Consent tools that only give the appearance of legality, whether due to programming errors or faulty integration, are legally invalid. Consent tools that are programmed and integrated correctly, but whose design makes it almost impossible for the visitor to give truly free and informed consent to the processing operations, are a borderline case.
Data protection and data security should already be included in the planning phase.
Anyone faced with the question of redesigning their website or store would be well advised to consider the central issues of data privacy and data security in their planning from the outset. This also applies to companies that want to use a website builder or a ready-made online store. Even large providers sometimes find it difficult to implement the legal requirements. For example, at the time of publication of this article, neither Strato nor IONOS is in a position to offer users of their website builders a legally compliant consent tool.
Orientation towards the guarantee goals of the DSK’s Standard Data Protection Model should become the guiding principle for future planning. We will be happy to answer any questions you may have.
Data privacy audit for your website or store
A data protection audit for your website or store usually costs between 250 and 450 euros, depending on the scope. A higher amount is to be expected only for large websites. We will gladly provide a binding offer on request.