Running a website in Germany: everything you must know

This guide will show you what you need to do to legally run a website in Germany.



Welcome to the absurd world of European regulations. I'll be your guide. Buckle up, because making a website comply with German and European Union laws is no walk in the park.

The General Data Protection Regulation went into effect on May 25, 2018. It sets strict rules on how websites can collect personal data about European Union citizens. Personal data includes anything that could personally identify a user: name, email, phone number, location data, cookies, IP address and so on.

Here are the basic principles of GDPR:

Here are resources that helped us understand and comply with this regulation.

Who needs to do this?

Any website that has European Union visitors, no matter who runs the website or where it is hosted. It applies to personal, non-commercial websites too. See Who does the data protection law apply to? for more details.

Legal basis

The General Data Protection Regulation is available online here.

Examples

All About Berlin does not store any personal data. We anonymize the information we send to Google Analytics and set a reasonable expiration date for the usage data we collect. We also collect server logs, but do not log IP addresses. We disclose what data we collect in our privacy policy.

To-do list

Understand the GDPR regulation

Only collect the data you really need

Disclose what data you collect about your users

Set an expiration date for the data you collect about your users

Allow your users to delete the data you collect on them

Cookies

If you use cookies on your website, there are a few rules you must follow.

You can't set any tracking cookies until the users give you their explicit consent.

This means marketing and tracking cookies must be opt-in. That includes cookies set by Google Analytics. You can't force users to accept tracking cookies to use your website.

You can't make tracking cookies a condition for using your service. You can't say "by using this website, you agree to accept our cookies". You can't force users to accept tracking cookies in your terms and conditions [Art. 6(1), Art. 7(4)].

You must allow users to opt out of tracking cookies.

Users must have a way to opt out of tracking cookies, except for cookies that are needed to make the website work.

Necessary cookies do not need consent.

You don't need the user's consent to set cookies that contain no personally identifying information, and that are necessary to make the website work. You don't need to allow the users to opt out of these cookies [1, 2]. Your privacy policy must clearly explain what cookies you set, and what they are used for.

Be careful with embedded content.

YouTube videos, Disqus comments, Facebook like buttons and other third-party widgets often set tracking cookies [1]. You can either disable these widgets until you get consent from your users, or stop using them entirely. For example, we removed Disqus comments from All About Berlin.

Here are articles that helped us understand how cookies work with the GDPR:

Tools like CookieBot, Consently and Cookie Consent can help you implement a cookie notice that is GDPR compliant.



Legal basis

In the European Union, cookies were regulated by the Cookie Directive and now by the General Data Protection Regulation (GDPR), particularly articles 6 and 7. § 15 Abs.3 Telemediengesetz (TMG) is not relevant anymore, since it's superseded by the GDPR.

Examples

CookieBot's cookie notice lets you choose which cookies you want to allow. Analytics cookies are enabled by default, and marketing cookies are disabled by default. Essential cookies cannot be disabled.

Gruender.de's cookie notice lets you choose which cookies you want to allow, with no pre-selected answer.

Piwik Pro's cookie notice also lets you choose which cookies you want to allow, with no pre-selected answer.

To-do list

If you use cookies, inform your users with a detailed cookie notice.

Explain how and why you use cookies in your website's privacy policy.

Require explicit consent from your users before setting tracking cookies, and give them a way to opt out of non-essential cookies.

Google Analytics

There are specific rules regarding how Google Analytics must be used by German websites.

Accept the Data Processing Terms.

If you use Google Analytics on a website in the European Union or Switzerland, you must agree to Google Analytics' Data Processing Terms. To do this, open Google Analytics, and under Admin > Account settings > Data processing amendment, click "Review amendment" [1].

Anonymize IP addresses.

First, you must enable IP anonymization [1, 2]. Some websites already got in trouble for incorrectly anonymizing IP addresses in Google Analytics [1, 2], so this is a very important step. You anonymize IP addresses by adding ga('set', 'anonymizeIp', true) before the ga('send', 'pageview') line in your tracking code. You are also supposed to delete the data Google Analytics saved prior to anonymizing IP addresses [1]. This is done by deleting the property (that's your website) in Google Analytics and creating it again.

Require consent before setting Google Analytics cookies.

You must obtain consent from your users before you start tracking them. This means Google Analytics must be turned off until your users explicitly agree to be tracked. See the section on cookies for more details. This guide explains how to disable Google Analytics tracking for your users.

Update your privacy policy.

You must state in your privacy policy that you use Google Analytics to track visitors. See the section on the privacy policy for more details.

Set the data retention period.

In the Google Analytics console, change the data retention period to 14 months or less to comply with the GDPR/DSGVO regulation [1]. You must also disable "Reset on new activity". You will find these settings under Admin > Account settings > Tracking info.
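The consent gate that the cookies section and the Google Analytics steps above describe (no tracking script until the user opts in, anonymizeIp set before the pageview, an opt-out that also removes the cookies already set), as an added JavaScript example that is not part of the original article or of Google's own snippet. The storage key, the category names, the placeholder tracking ID and cookie domain, and the injected ga/storage/writeCookie dependencies are assumptions made for this example; the ga-disable-<ID> flag is the opt-out mechanism analytics.js documents.

```javascript
// Added example, not from the original article. Gate tracking scripts behind
// explicit consent; dependencies are injected so the same logic runs in the
// browser and under Node. CONSENT_KEY and the IDs below are placeholders.
const CONSENT_KEY = 'cookie-consent';          // storage key (assumption)
const CATEGORIES = ['analytics', 'marketing']; // opt-in categories; strictly necessary cookies need none

// Read a stored consent record. Anything missing or malformed counts as
// "no consent": tracking is opt-in, so silence never means yes.
function parseConsent(raw) {
  const consent = { analytics: false, marketing: false };
  if (typeof raw !== 'string') return consent;
  try {
    const parsed = JSON.parse(raw);
    for (const c of CATEGORIES) consent[c] = parsed[c] === true;
  } catch (err) {
    // malformed record: keep the opt-out defaults
  }
  return consent;
}

// analytics.js command queue in the order the article requires: IP
// anonymisation is set before the first hit goes out.
function buildGaCommands(trackingId) {
  return [
    ['create', trackingId, 'auto'],
    ['set', 'anonymizeIp', true],
    ['send', 'pageview'],
  ];
}

// Cookie strings that expire the cookies analytics.js sets, used when a
// user withdraws consent. `domain` must match the domain GA set them on.
function gaDeletionCookies(domain) {
  const expired = 'expires=Thu, 01 Jan 1970 00:00:00 GMT';
  return ['_ga', '_gid', '_gat'].map(
    (name) => `${name}=; ${expired}; path=/; domain=${domain}`
  );
}

// The gate. `ga` is the analytics.js function, `storage` is
// localStorage-like, `writeCookie` assigns to document.cookie.
function createConsentGate({ ga, storage, writeCookie, trackingId, domain }) {
  const state = parseConsent(storage.getItem(CONSENT_KEY));
  const disableFlag = 'ga-disable-' + trackingId; // documented analytics.js opt-out flag
  let loaded = false;

  function apply() {
    if (state.analytics && !loaded) {
      globalThis[disableFlag] = false;
      for (const cmd of buildGaCommands(trackingId)) ga(...cmd);
      loaded = true;
    } else if (!state.analytics && loaded) {
      // Consent withdrawn: stop further hits and expire the cookies already set.
      globalThis[disableFlag] = true;
      for (const cookie of gaDeletionCookies(domain)) writeCookie(cookie);
      loaded = false;
    }
    // The "marketing" category has no script attached in this example.
  }

  function update(category, allowed) {
    if (!CATEGORIES.includes(category)) throw new Error('unknown category: ' + category);
    state[category] = allowed;
    storage.setItem(CONSENT_KEY, JSON.stringify(state));
    apply();
  }

  apply(); // honour a decision the user made on an earlier visit
  return {
    grant: (category) => update(category, true),
    revoke: (category) => update(category, false),
    isAllowed: (category) => state[category] === true,
  };
}

// Browser wiring (not run under Node):
// const gate = createConsentGate({
//   ga: window.ga, storage: window.localStorage,
//   writeCookie: (c) => { document.cookie = c; },
//   trackingId: 'UA-XXXXXXX-Y', domain: '.example.com',
// });
// document.getElementById('accept-analytics').onclick = () => gate.grant('analytics');
```

The point of the injected dependencies is that the decision logic ("is this category allowed right now?") can be unit-tested without a browser, while the only browser-specific lines are the wiring at the end. The tracking snippet itself must not be in the page's static HTML; it is only ever issued from inside the gate, so a missing or corrupt consent record can never result in a hit being sent.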

Who needs to do this?

Any German resident or company who uses Google Analytics on their website.

Legal basis

The rules regarding the tracking of users are defined by § 11 Bundesdatenschutzgesetz (BDSG), as well as the newly introduced DSGVO.

To-do list

Do not track your users until you have their consent.

Agree to the Google Analytics Data Processing Terms.

Configure Google Analytics to anonymize IP addresses.

Delete the data Google Analytics collected before anonymizing IP addresses.

Inform your users about Google Analytics cookies in your cookie notice, and in your privacy policy.

Give your users a way to opt out of Google Analytics cookies.

Set the Google Analytics data retention period to 14 months or less, and disable "Reset on new activity".

Impressum

The Impressum is where you list your contact information. This page is mandatory for all commercial websites operated by a German person or organization, even if the website is hosted in another country or has a .com domain [1]. A personal, non-commercial website does not need an Impressum [1]. In other words, if you live in Germany and use your website to make money or promote a business, you need an Impressum.

An Impressum must be "easily identifiable, directly accessible and constantly available" [1]. This usually means putting a clearly labelled "Impressum" link at the bottom of every page.

It's important to have a complete Impressum. Some lawyers aggressively scrutinise the websites of their clients' competitors, and claim damages when they find a missing or incomplete Impressum [1, 2, 3]. Website owners have even received cease-and-desist letters for not having an Impressum on their Facebook page.

If you can, remove your Impressum page from Google search results. Some lawyers make money by finding invalid Impressum pages. If they find yours, they might send you an Abmahnung.

Who needs to do this?

Any German resident or company who runs a commercial website. It doesn't matter if the website uses a .com domain or is hosted in another country.

Legal basis

The rules regarding the Impressum are defined by § 5 Telemediengesetz (TMG), § 55 Rundfunkstaatsvertrag (RStV) and § 2 DL-InfoV.

Examples

To-do list

Add an Impressum to your website with all the required information.

Add an Impressum to your Facebook business page, if applicable.

Make the Impressum clearly visible and directly accessible from every page on your website.

Remove your Impressum from Google search results.

Privacy policy (Datenschutzerklärung)

Your website must have a privacy policy where you outline how you collect, process and use data about your users. If you fail to include a privacy policy on your website, you can receive an Abmahnung [1].

If you need help with your privacy policy, you can either hire a lawyer, or use a privacy policy generator.

Who needs to do this?

Any German resident or company who runs a website, even for non-commercial purposes [1].

Legal basis

The privacy policy is required by § 13 Abs. 1 Telemediengesetz (TMG).

Examples

Stripe's privacy policy contains detailed information about how they collect and process data about their users.

N26's privacy policy is a PDF file linked at the bottom of every page on their website.

Coup's privacy policy is found at the bottom of every page on their website.

All About Berlin's privacy policy is on the same page as our Impressum, and is linked at the bottom of every page.

To-do list

Add a privacy policy to your website

Server logs

According to the GDPR, an IP address is considered personal data. Your server logs probably contain the IP addresses of your visitors, so they contain personal data. This means the GDPR also concerns your server logs.

Here are basic guidelines for GDPR-compliant server logs [1]:

Don't collect logs unless you have to.

The easiest way to have GDPR-compliant logs is to have no logs at all.

Don't store logs for longer than you have to.

If you need to collect server logs, keep them for the shortest time possible. Set a log rotation policy that automatically deletes older server logs.

If you collect logs, don't log personal information in them.

IP addresses are personal data. Since most server logs contain IP addresses, your logs contain personal data. If you collect logs without IP addresses or other personal data, they are already GDPR-compliant.

If you collect IP addresses in your logs, tell your users in your privacy policy.

You can collect logs without consent under certain conditions, but in any case, you must inform your users in your privacy policy.
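Two of the guidelines above (strip personal data from the logs, delete older logs automatically) carried out on access-log lines, as an added JavaScript example that is not part of the original article. It handles the "combined" log format that Apache and nginx write by default; the sample lines, the 48-bit IPv6 truncation (the same granularity Google Analytics' anonymizeIp uses) and the retention period passed in are constructed for this example.

```javascript
// Added example, not from the original article. Remove the client IP from
// "combined"-format access-log lines (Apache/nginx default) so the stored log
// holds no personal data, and apply a retention cut-off. Sample lines are
// constructed for this example; 203.0.113.0/24 and 2001:db8::/32 are
// documentation address ranges.
const SAMPLE_LOG = [
  '203.0.113.42 - - [10/Oct/2000:13:55:36 -0700] "GET /impressum HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
  '2001:db8:85a3::8a2e:370:7334 - - [11/Oct/2000:08:01:02 +0200] "GET / HTTP/1.1" 200 512 "-" "curl/7.64"',
];

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Expand a possibly "::"-compressed IPv6 address into eight 4-digit groups,
// or return null if it is not a valid address.
function expandIpv6(ip) {
  const parts = ip.split('::');
  if (parts.length > 2) return null;
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (parts.length === 1 ? missing !== 0 : missing < 1) return null;
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map((g) => g.toLowerCase().padStart(4, '0'));
}

// Truncate an address: drop the last IPv4 octet, or keep only the first
// 48 bits of an IPv6 address. Returns null for anything that is not a
// parsable IP, so the caller can fail closed.
function anonymizeIp(ip) {
  const m = IPV4.exec(ip);
  if (m) {
    const octets = m.slice(1).map(Number);
    if (octets.some((o) => o > 255)) return null;
    octets[3] = 0;
    return octets.join('.');
  }
  const groups = expandIpv6(ip);
  if (!groups) return null;
  return groups.slice(0, 3).map((g) => g.replace(/^0+(?=.)/, '')).join(':') + '::';
}

// The client address is the first field of a combined-format line. Anything
// there that is not a parsable IP (a hostname, garbage) is replaced by "-",
// so an unexpected format never lets personal data through.
function anonymizeLogLine(line) {
  const m = /^(\S+)([\s\S]*)$/.exec(line);
  if (!m) return line;
  const anon = anonymizeIp(m[1]);
  return (anon === null ? '-' : anon) + m[2];
}

// Parse the "[10/Oct/2000:13:55:36 -0700]" timestamp of a line into a Date
// (UTC), or null if the line carries no readable timestamp.
function logTimestamp(line) {
  const m = /\[(\d{2})\/([A-Z][a-z]{2})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})\]/.exec(line);
  if (!m || !(m[2] in MONTHS)) return null;
  const [, d, mon, y, h, mi, s, sign, tzh, tzm] = m;
  const offsetMin = (sign === '-' ? -1 : 1) * (Number(tzh) * 60 + Number(tzm));
  return new Date(Date.UTC(+y, MONTHS[mon], +d, +h, +mi, +s) - offsetMin * 60000);
}

// Lines a rotation job should keep: those newer than `retentionDays`.
// A line whose timestamp cannot be read is dropped rather than kept forever.
function retainedLines(lines, now, retentionDays) {
  const cutoff = now.getTime() - retentionDays * 86400000;
  return lines.filter((line) => {
    const t = logTimestamp(line);
    return t !== null && t.getTime() >= cutoff;
  });
}
```

Run anonymizeLogLine at the moment a line is written (in the log pipeline, or a script the web server pipes its log through), not in a later batch job: a full IP sitting in a file for a day is still stored personal data. If you don't need even a coarse origin, configuring the web server to leave the address out of its log format entirely is simpler, which is what the article recommends for All About Berlin.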

Useful links

Who needs to do this?

Any website that collects logs that contain personal data. Most web servers collect access logs by default.

Legal basis

IP addresses are considered personal data according to the GDPR.

To-do list

Only collect logs if necessary

Automatically delete older logs

If possible, remove personal data like IP addresses from your logs

If your logs contain personal data, inform your users in your privacy policy

Creative Commons images

If you use images with a Creative Commons licence, make sure you properly attribute the author. In Germany, using the wrong attribution format can be a costly mistake. We had to pay several hundred euros in lawyer fees for making that mistake.

Here are the basic guidelines about using Creative Commons images on your website:

Pay attention to the licence for the images you use on your website.

Wikipedia images are not always free to use. Ideally, use public domain images that can be used without restrictions. You can find public domain images on pxhere.com.

Understand that "free images" sometimes come with conditions.

Some variants of the Creative Commons licence require attribution to the author, prohibit commercial use, and even prohibit derivative works. See this overview for more details.

Use the correct format when giving credit to the author.

Proper credit includes the Title, the Author, the Source and the Licence. See this guide for more details.

Who needs to do this?

Anyone who uses Creative Commons media on their website. Most images that come from Wikipedia are under a Creative Commons licence, so you need to give credit to their author.

Legal basis

The requirement for appropriate attribution is found in the Creative Commons licence.

Examples

The correct attribution format for Creative Commons images is described in this handy guide.

To-do list

Make sure you have the right to use the images on your website.

Attribute the Creative Commons images you use with the correct format.

Sponsored content and affiliate links

The Telemediengesetz stipulates that advertising on a website must be clearly labelled. You can't disguise an ad as genuine content. Otherwise, it's surreptitious advertising (Schleichwerbung), and you can get an Abmahnung for "unfair competition" [1].

Here are the basic guidelines for ads and sponsored content on your website:



Affiliate links need to be labelled

Affiliate links are "commercial communications" according to § 6 TMG, but not according to § 3 MDStV, since you placed the links "independently and without financial compensation". Multiple lawyers suggest marking affiliate links as ads [1, 2], even if you are not directly getting financial compensation for affiliate content. A footnote regarding affiliate links might be insufficient [1].

Sponsored content needs to be labelled

If you get paid to put a sponsored post on your blog, you need to clearly tell your users that this post is an ad, and tell them who is sponsoring the ad. In other words, you can't disguise an advertisement as an editorial text.

According to Kanzlei Plutte, "sponsored content" is not a sufficient label, and you should use a clear word like "advertisement" to label advertising on your website. He backs his opinion with court cases, but admits that Twitter, Facebook and Instagram use the term "sponsored".

Who needs to do this?

Any German resident or company who uses affiliate links, sponsored content or ads on their website.

Legal basis

According to § 6 Telemediengesetz (TMG), "commercial communications must be clearly recognizable as such." Commercial communications are further defined by § 3 Mediendienstestaatsvertrag (MDStV).

Examples

Google marks sponsored search results as ads. We disclose affiliate links in our overview of German banks.

To-do list

Clearly mark sponsored content as advertisements

Clearly mark affiliate links as advertisements, or at least disclose that the post contains affiliate links

Income-generating websites

If your website generates income, it's a business. If it's not part of a registered business, you will need to register it with the Gewerbeamt and the Finanzamt.

If your website qualifies as a Gewerbe, you need a trade licence (Gewerbeschein).

You must apply for a trade licence at your local Gewerbeamt. In Berlin, this can be done online. If your website generates more than 24 500€ per year in revenue, you will also need to pay the trade tax (Gewerbesteuer) [1].

If your website generates income, you need to register it with the Finanzamt.

You register by filling in the Fragebogen zur steuerlichen Erfassung. You will then receive a tax number (Steuernummer), which you need to put in your website's Impressum.

Making money from your website is considered self-employment.

If you are not allowed to be self-employed in Germany, you will also need to apply for a freelance visa. You can get a freelance visa in addition to an existing visa [1].

Who needs to do this?

Any German resident or company who runs a website as a standalone business.

Examples

Our tax number (Steuernummer) can be found in our Impressum.

To-do list