Online Data Privacy

- Data protection legislation requires strict compliance by companies to avoid sanctions.
- Cookie notices are mandatory for website operators due to EU directives.
- Online data protection requires measures to minimize risks and protect personal data.
- GDPR requires explicit consent for data processing with clear opt-in/opt-out procedures.
- Websites must include a legal notice and a privacy policy to meet legal requirements.
Legal foundations for data protection on the internet
The General Data Protection Regulation (GDPR) serves as the primary legal framework governing data protection on the internet. This mandatory regulation, which standardizes data protection law across Europe, has been in effect since May 2018 and includes specific obligations for businesses.
Designing websites in compliance with internet data protection
Website operators conducting business online are required to provide an imprint (Impressum), the minimum content requirements for which are set out in Section 5 of the German Telemedia Act (TMG). The imprint serves to identify the operator, and its absence or incompleteness can result in significant fines. The scope and purpose of data collection must be made easily accessible to users via a privacy policy on the website. Furthermore, third-party content or links to other service providers' websites must be continuously monitored for legality and clearly identified. The fundamental principle of these data protection regulations is the protection of personal data. Media content embedded on a website that depicts specific individuals may only be published with their consent.
Social networks are becoming increasingly important for businesses. However, the courts have not yet reached a final decision on how these legal requirements apply to a company's social media presence.
Data protection on the internet: Processing customer data
For many companies, customer data is their most valuable asset. For this very reason, such information should never be shared without permission.
German data protection law—which continues to apply alongside the stricter European General Data Protection Regulation—is based on the principle of prohibition with the reservation of permission. In other words, personal data may not be processed unless the individuals concerned have given their explicit consent. A blanket consent clause in a company's terms and conditions, as is often seen, is insufficient. To comply with legal requirements, consent must be clearly and prominently highlighted.
Data may be processed if a legal provision explicitly permits it. Article 6(1)(f) of the GDPR provides a key legal basis for data processing by allowing an exception to the prohibition if it is necessary for the purposes of legitimate interests pursued by the company, provided that these are not overridden by the interests or fundamental rights of the customer. It is also necessary to distinguish between consumers and business customers and to observe the additional restrictions of the TMG.
In conclusion, companies and their data protection officers are well-advised to handle personal data on the internet with great care. For businesses, as for everyone else, data is capital that can be easily squandered through mismanagement.
Do you have further questions on this topic? Our experts will be happy to advise you free of charge.













