WordPress is considered the most popular content management system and offers a large number of functions and plugins, themes and widgets for the creation and design of websites, with which you can individually build and expand websites. However, not all of these comply with the General Data Protection Regulation (DSGVO), which requires personal data to be handled in a privacy-compliant manner.
Anyone who still uses these tools on their website regardless could face warnings or penalties. In this article, we will explain how to make WordPress compliant with the DSGVO and which plugins and widgets are useful when designing websites in accordance with the regulations.
What do you need to do to use WordPress DSGVO compliant?
To be able to use WordPress DSGVO compliant, you have to make sure, among other things, that you always process data with a legal basis, properly design the privacy policy and the imprint, create a lawful cookie banner and encrypt the website.
Process data with legal basis
According to the DSGVO, it is your duty to collect, store and process personal data only with legal basis. Examples of this are when using the contact form, subscribing to the newsletter, writing a comment or filling in contact details to purchase a product.
In addition, users must be informed about any use of:
Cookies,
Tracking, marketing or analysis tools,
social plugins,
and the transfer of personal data to third parties.
be informed. Accordingly, it must also be possible for users to refuse the use of the tools. The best way to regulate the acceptance and rejection of cookies is via a cookie consent banner.
Privacy policy and imprint
Not only the privacy policy, but also the imprint must always be present and up to date on websites. Both legal texts must be an individual document and easily accessible from every page of the website. Both the privacy policy and the imprint must always include the full name and contact details of the person responsible.
A privacy statement contains information about what personal data is collected from visitors via the website. In addition, it must be clear from the privacy policy in what way the personal data is collected, why this is done, what functions this has and how long the data is stored. It must also be made clear at this point whether the data is passed on to third parties or third countries.
The privacy policy must also show which analysis tools are used on the site, as well as whether and which plugins or cookies are used. All tools, cookies and plugins used (also from WordPress) must be described and explained in detail in the privacy policy.
Furthermore, you must make the rights of users clear in the privacy policy and inform users that they are entitled to have their personal data deleted if necessary.
In the imprint, in addition to the name and contact details of the person responsible, the VAT identification number and/or business identification number must be stated, the register number and location of the register (if registered), in the case of freelancers the chamber affiliation and in the case of online stores and service providers information on the consumer arbitration board.
Create a DSGVO-compliant cookie banner
Every cookie that you set on your website must be listed in a cookie banner, regardless of whether they are technically necessary or tracking cookies for analysis purposes.
For technically necessary cookies, you do not necessarily need the visitors' consent. But as soon as you use tracking, analysis or marketing tools on your website, you are usually required to obtain user consent for tracking or analysis. Tracking or analysis must be pointed out in the cookie banner and agreed to by each user via the banner.
In addition, each tool must be detailed in the privacy policy. Here, at least:
the name of the tool
the description of the tool
why it is used
the recipient of the personal data
the duration of the storage
the extent to which individuals are required to provide their data for this purpose
the opt-out option
are enumerated.
Besides the helpful cookie and consent banner widget from WordPress, you can also use WordPress plugins to create a custom cookie banner. Useful plugins here are "Real Cookie Banner", "Borlabs Cookie" and "hellotrust". All three are DSGVO-compliant plugins.
Pay attention to third-party providers
If you want to include third-party tools, plugins, cookies or similar for tracking or performance purposes on your website, you need to check whether they are compliant with the DSGVO. Tracking or analysis tools from Google, for example, such as "Google Analytics" or "Google Tag Manager" are not DSGVO-compliant, as Google is based in the USA and is therefore outside the scope of the DSGVO.
You either have to find a way to integrate tools like Google Analytics on your website in a privacy compliant way or directly choose tools, plugins, themes etc. that are in line with the DSGVO.
No matter which variant you choose: You must, as already mentioned, refer to each tool, to each non-technically necessary cookie and to each plugin used in the privacy policy and let each user decide for himself whether he agrees to the use of these or not.
With each third-party provider or service provider that you choose for your tools, plugins, etc., and who also receives the personal data, stores it and processes it further, you must conclude an order processing agreement. Thus, you contractually hold the lawful transfer of data with each provider.
Attention with social plugins
If you want to link your social media channels on websites, you need to know that the personal data will be passed on directly to the respective social network as soon as the visitor presses the social button. If the visitor has not explicitly agreed to this beforehand, you are in breach of the DSGVO.
WordPress plugins like "MashShare" or "Smash Balloon" help you to integrate your social media channels on your website according to the DSGVO. "Smash Balloon", for example, shows users Instagram posts directly on the website without establishing connections with the social network. Please make sure that you enable the DSGVO features on this plugin.
Encrypt website with SSL
Since the release of the DSGVO in 2018, it is a must to encrypt websites with an SSL ("Secure Sockets Layer") certificate. This means that the website is loaded via the HTTPS protocol when it is called up and a secure exchange of data between the visitor and the website is ensured. In this way, unauthorized third parties cannot access confidential data.
You can either do the SSL encryption yourself or use a WordPress plugin. The "Really Simple SSL" plugin is particularly suitable for this. With the help of one click, you can now enable SSL encryption. Under the plugin's settings, you should also activate the "Mixed Content Fixer" tab to switch the http connection to HTTPS. You do not have to activate the other functions.
This way, the lock icon will now appear in the URL bar of your website and your visitors will know that your website is secure and encrypted.
DSGVO compliant themes
Any pre-installed WordPress theme that you use for WordPress websites must be DSGVO compliant or you must ensure that it becomes DSGVO compliant. If the theme is not DSGVO compliant, it may load fonts from third party servers such as Google (Google Fonts), which are not in accordance with the DSGVO without the users' consent.
If you still want to use a WordPress theme that you know loads fonts from the Google server, you can use the WordPress plugin "Disable Google Fonts", for example, to prevent Google Fonts from loading on your website. In addition, always embed fonts on web pages locally so that they are loaded from your server and not from other servers such as the Google server.
However, to avoid all this work, you can also opt for a theme that is designed to be DSGVO compliant from the start. These often have privacy tools built in to prevent any breach of the DSGVO. Examples of WordPress themes compliant with the DSGVO are "Ave Theme", "Digixon" and "The 7".
Make contact form and comment function DSGVO compliant.
If visitors of your website want to contact you or support or write a comment on the content, they have to provide personal data - usually at least the name and email address. This input is done via a form.
With the help of the "Contact Form 7" plugin, you can create privacy-compliant contact forms that comply with the DSGVO. With the WordPress plugin "WP DSGVO Compliance", you can create a consent field for both contact forms and the comment function, through which users can consent if they agree to the collection and further processing of their data.
Under the "Inclusions" tab on the "WP DSGVO Compliance" plugin, you can click the "Include WordPress comments" item. At this point, the plugin can also be linked to the functions of "Contact Form 7". The comment function, contact form, and user consent field are customizable and can be customized.
Since the IP address of the visitor is stored when submitting a comment, you can use the WordPress plugin "DSGVO Tools: Remove comment IP" plugin to determine the storage period and also already stored IP addresses can be removed with this plugin.
What should be considered when it comes to data protection with WordPress?
When it comes to data protection with WordPress, it should be noted that this must always be at the forefront of your mind at all times. In order to comply with this, you must collect personal data DSGVO compliant, may only use this data for the stated purpose and must obtain the consent of the users for this.
Since you explain in detail in your privacy policy which data you collect, how and why you do so, which tools, plugins etc. you use and all other information here, you must be aware of this. you use and mention all other information here, you can ask users to simply agree to the privacy policy when collecting personal data.
Accordingly, you can simply refer to the privacy policy when using the contact form, comment field, newsletter subscription, purchasing products or other places where users have to provide their data.
What data does WordPress collect?
WordPress collects personal data when a user fills out a contact form, writes a comment, or signs up for the newsletter. Personal data can be the name, IP address, email address, address, but also payment data in the case of an online store.
For you as a website owner, it is important to handle this data in a trustworthy manner, to protect it, not to pass it on to third parties without the users' consent and to protect the users' privacy. Inform your visitors about any disclosure, further processing and the storage period of their data.
Note: You may not share, process or store personal data without a legal basis. Otherwise you will face penalties or warnings.
Would you like to have it checked whether your WordPress website is designed to be DSGVO-compliant?
If you are unsure whether your WordPress websites are designed in accordance with the DSGVO, then you are welcome to have them checked by us at decareto. You don't have to perform regular checks yourself, because we will do it for you. If regulations change or you need to make corrections to the website, we will notify you immediately.
With our DSGVO scanner, we examine websites for errors or illegal executions. Here, we do not only pay attention to the start page, but also include the contents of all sub-pages in order to be able to carry out a comprehensive analysis. Afterwards you will receive a detailed and easy to understand report about the results.
Possible errors could be, for example, the unwitting transfer of personal data to third countries, an incomplete privacy policy, the use of cookies on your website that are not required or other violations of the DSGVO. Upon request, we can help you fix the errors on your website and give you tips on how to avoid them in the future.
If there are still any unanswered questions about how to make WordPress DSGVO compliant or if you would like to test our DSGVO scanner for 14 days free of charge, feel free to contact us or register directly for a trial run using the form on our website. Get started today!
Author: Eckhard Schneider