After a two-year transition period, the Europe-wide General Data Protection Regulation (GDPR for short) came into force on May 25, 2018. The GDPR is intended to ensure that personal data is protected in the best possible way during automatic processing, thus preventing its unintentional disclosure to third parties. The IP addresses of visitors stored when calling up a website also constitute personal data within the meaning of the GDPR. Website operators are obliged under the GDPR to take appropriate technical and organizational measures (TOM) to prevent the unlawful use of data by third parties.
Violations of the GDPR can be subject to heavy fines. Implementation of the necessary measures is therefore strongly recommended!
TTDSG as of 2021-12-01
As of December 01, 2021, the Telecommunications Telemedia Data Protection Act (abbreviated TTDSG) will come into force. It replaces the previous data protection regulations of the Telecommunications Act (TKG) and the Telemedia Act (TMG) with regard to the GDPR, which applies throughout the EU.
The TTDSG goes beyond the provisions of the GDPR:
- it protects information with and without personal reference (thus also business information)
- the protected end user can be a natural or legal person
There are only two exceptions to the consent requirement for cookies (§ 25 para. 2 TTDSG):
- Where the sole purpose of storing information in the end user's terminal equipment or the sole purpose of accessing information already stored in the end user's terminal equipment is to carry out the transmission of a communication over a public telecommunications network; or
- If the storage of information in the end user's terminal equipment or the access to information already stored in the end user's terminal equipment is strictly necessary for the provider of a telemedia service to provide a telemedia service expressly requested by the user.
Violations of the TTDSG are considered an administrative offence and can be punished with fines of up to 300,000 euros.
Checking the website for GDPR compliance should be a top priority in organizations (even if it is a bit annoying because it is tech-heavy). In our article on Topology of a website you will get an overview of how the data flows (to be protected) during a website visit in most cases.
As a TYPO3 agency, we look at these below from a TYPO3 perspective:
The "order processing contract" (AV contract, known in English as a data processing agreement) is one of the most important formal requirements of the GDPR. You must conclude such a contract with every service provider who gets access to and processes "your data", in particular that of your website visitors. This includes external agencies and freelancers as well as your hosting provider and service providers such as Google Analytics.
You can enter into an AV agreement with Google electronically as follows:
- Log in with your Google account
- Go to Analytics at https://analytics.google.com
- Go to Administration (gear at the bottom left)
- Then click on account settings
- At the very bottom you can agree to the "Data processing addendum"
The GDPR obliges website operators to use secure and "state of the art" software (Article 32). In particular (but not only) affected: The server-side scripting language PHP and of course TYPO3 itself. More info on this in our article on the individual PHP/TYPO3 versions and their dependencies.
Make sure that you always use a current PHP and TYPO3 version. The relevant release plans and the associated periods of Long Term Support are decisive for this.
As soon as your website requests personal data from visitors (classic example: contact form), encryption of the website with SSL/TLS is mandatory. You can recognise an encrypted website by the prefix "https://" in the address line of the browser. To do this, define the "Entry Point" in the "Site Configuration" by specifying "https://...". The prerequisite is that your server provides a certificate for this domain (with Let's Encrypt, free SSL certificates are available). Use the .htaccess or the settings in your hosting package to force the domain to always redirect to "https" when it is called up with "http".
Even if your website does not have any forms, we recommend encryption. Reason: Google marks non-encrypted websites in the Chrome browser as "insecure". More info in this heise article.
Make sure that the domain with and without "www" as well as with and without "https" always refers to the main domain preceded by "https://".
Also make sure that the HTTP Strict-Transport-Security response header (HSTS) is set (see point 6), so that only https requests are made from the client to the server.
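As an added check for the redirect rules above (not code from the article), the following Python walks a redirect chain over constructed responses and reports anything that deviates from them; the main domain example.com and the response table are assumptions.

```python
from urllib.parse import urlsplit

CANONICAL = "https://example.com"  # assumed main domain (placeholder, not from the article)

# Constructed responses standing in for a live server: url -> (status, headers).
RESPONSES = {
    "http://example.com/kontakt": (301, {"Location": "https://example.com/kontakt"}),
    "http://www.example.com/kontakt": (301, {"Location": "https://example.com/kontakt"}),
    "https://www.example.com/kontakt": (301, {"Location": "https://example.com/kontakt"}),
    "https://example.com/kontakt": (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
}

REDIRECTS = {301, 302, 303, 307, 308}

def follow(url, responses, max_hops=3):
    """Walk the redirect chain; return (final_url, [(url, status), ...], final_headers)."""
    hops = []
    while len(hops) < max_hops:
        status, headers = responses.get(url, (0, {}))
        if status not in REDIRECTS:
            return url, hops, headers
        hops.append((url, status))
        url = headers["Location"]
    return url, hops, {}  # gave up: still redirecting after max_hops

def check_canonical(start_url, responses, canonical=CANONICAL):
    """Return findings; an empty list means the rules from the article hold for start_url."""
    findings = []
    final, hops, headers = follow(start_url, responses)
    if urlsplit(final).scheme != "https" or not final.startswith(canonical + "/"):
        findings.append(f"{start_url}: ends at {final}, not under {canonical}")
    if urlsplit(start_url).path != urlsplit(final).path:
        findings.append(f"{start_url}: path lost during redirect")
    if any(status not in (301, 308) for _, status in hops):
        findings.append(f"{start_url}: use a permanent (301) redirect, not a temporary one")
    if len(hops) > 1:
        findings.append(f"{start_url}: {len(hops)} hops; redirect directly to the https main domain")
    if "Strict-Transport-Security" not in headers:
        findings.append(f"{final}: HSTS header missing on the https response")
    return findings

if __name__ == "__main__":
    for url in RESPONSES:
        print(url, "->", check_canonical(url, RESPONSES) or "OK")
```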
A mere notice with a link to deactivate cookies (the so-called opt-out procedure) is, according to a judgement of the European Court of Justice (CJEU), not sufficient and thus a violation of the data protection regulations (GDPR).
A consent box is not only required for cookies, but for all resources (e.g. external fonts, use of CDNs, etc.) and applications (e.g. social media integration, iframe integration, etc.).
Social media plugins (e.g. Facebook likes, Twitter integration, etc.) inform the platform operators about every website visitor without being asked - just by calling up the page. This is a violation of the GDPR. Our recommendation is therefore quite clear: Remove the plug-ins from your website. Firstly, they are useless anyway and secondly, they slow down the loading time of the website.
If you still don't want to do without social media plug-ins, you can make them "subject to consent" with our Cookie Extension.
The use of HTTP security headers is another way to make your own website more secure. The headers instruct browsers, for example, to make server requests only via "https" ("HTTP Strict-Transport-Security response header", or HSTS for short) and help to prevent, among other things, attacks by cross-site scripting, MIME sniffing and clickjacking.
You can test whether your website is adequately protected with these headers at https://securityheaders.com
The following is a relatively simple TypoScript solution for setting important security headers:

# force https for one year (31536000 seconds), including subdomains
config.additionalHeaders.10.header = Strict-Transport-Security: max-age=31536000; includeSubdomains
config.additionalHeaders.20.header = Referrer-Policy: strict-origin
# Feature-Policy is the older name of Permissions-Policy; both are set for browser coverage
config.additionalHeaders.30.header = Feature-Policy: geolocation 'none'; midi 'none'; camera 'none'; usb 'none'; magnetometer 'none'; accelerometer 'none'; vr 'none'; speaker 'none'; ambient-light-sensor 'none'; gyroscope 'none'; microphone 'none'
config.additionalHeaders.40.header = Permissions-Policy: geolocation=(), midi=(), camera=(), usb=(), magnetometer=(), accelerometer=(), vr=(), speaker=(), ambient-light-sensor=(), gyroscope=(), microphone=()
# only allow the site to frame itself (clickjacking protection)
config.additionalHeaders.50.header = Content-Security-Policy: frame-ancestors 'self'
Please note that the CSP header (Content Security Policy) in particular can be configured much more extensively. However, a detailed description would (a) go beyond the scope of this article and (b) usually be too vague due to the individual circumstances in each case.
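As an added illustration (not part of the article), this Python audit checks a response's headers against the values the TypoScript above sets; the header dictionaries are constructed, and the X-Content-Type-Options check goes beyond the article's configuration.

```python
import re

# Headers as the TypoScript above would emit them (constructed, not a captured response);
# X-Content-Type-Options is not in that TypoScript and is added here for the MIME-sniffing check.
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubdomains",
    "Referrer-Policy": "strict-origin",
    "Permissions-Policy": "geolocation=(), midi=(), camera=(), usb=(), magnetometer=(), "
    "accelerometer=(), vr=(), speaker=(), ambient-light-sensor=(), gyroscope=(), microphone=()",
    "Content-Security-Policy": "frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
}
# A weak variant: short HSTS lifetime, leaky referrer policy, nothing else set.
WEAK = {"Strict-Transport-Security": "max-age=300", "Referrer-Policy": "unsafe-url"}

SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
ONE_YEAR = 31536000  # seconds, the max-age the TypoScript uses

def audit(headers):
    """Return a list of findings for one response; an empty list means all checks passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m:
        findings.append("HSTS missing")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age {m.group(1)} is shorter than one year")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS without includeSubDomains")
    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        findings.append("Referrer-Policy missing or leaks full URLs to other origins")
    pp = h.get("permissions-policy", "")
    for feature in ("geolocation", "camera", "microphone"):
        if not re.search(rf"\b{feature}=\(\)", pp):
            findings.append(f"Permissions-Policy does not disable {feature}")
    if "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append("CSP has no frame-ancestors directive (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing (MIME sniffing)")
    return findings

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD), ("weak", WEAK)):
        print(name, audit(hdrs) or "OK")
```

The article's TypoScript does not set X-Content-Type-Options; a further config.additionalHeaders entry with `X-Content-Type-Options: nosniff` closes that finding.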
Actions for local integration of jQuery and/or Bootstrap:
- Download the required files from the external server and upload them to a suitable location on the web server.
- Integrate them via "page.includeCSS" and "page.includeJS" (TypoScript)
Actions for the local integration of Google Fonts:
Google Fonts are usually published under the SIL Open Font Licence and are thus considered open source. This means that they can be used freely to a large extent. We therefore recommend installing the fonts locally on your own server and integrating them from there.
To do this, the following steps can be taken:
- Open the tool at https://google-webfonts-helper.herokuapp.com/font
- Select the font in the left column
- Select the styles (e.g. "200" or "200italic")
- Check the path to the fonts and change it if necessary
- Copy the CSS and integrate it into the website in question
- Download the fonts and upload them to the server of the website in question
- Prevent the external loading of the fonts
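An added example (not from the article) that lists the third-party hosts a page still contacts before any consent, covering the fonts, CDN and embed cases above; the HTML excerpt and the own domain example.com are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

OWN_HOST = "example.com"  # assumed own domain (placeholder)

# Constructed excerpt of a page that still loads fonts, jQuery and a video from third parties.
SAMPLE_HTML = """
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:200,200italic">
<link rel="stylesheet" href="/fileadmin/fonts/roboto.css">
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="/fileadmin/js/main.js"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<style>@font-face { font-family: Roboto; src: url(https://fonts.gstatic.com/s/roboto/v30/x.woff2); }</style>
"""

class ResourceCollector(HTMLParser):
    """Collects every URL the browser would fetch from the markup and from inline CSS."""
    URL_ATTRS = {("link", "href"), ("script", "src"), ("iframe", "src"), ("img", "src")}

    def __init__(self):
        super().__init__()
        self.urls, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        self.urls += [v for (k, v) in attrs if (tag, k) in self.URL_ATTRS and v]

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # CSS url(...) and @import targets
            self.urls += re.findall(r"url\(\s*['\"]?([^'\")\s]+)", data)
            self.urls += re.findall(r"@import\s+['\"]([^'\"]+)", data)

def third_party_hosts(html, own_host=OWN_HOST):
    """Sorted list of foreign hosts the page contacts before any consent could be given."""
    p = ResourceCollector()
    p.feed(html)
    hosts = set()
    for url in p.urls:
        host = urlsplit(url).hostname
        if host and host != own_host and not host.endswith("." + own_host):
            hosts.add(host)
    return sorted(hosts)

if __name__ == "__main__":
    print(third_party_hosts(SAMPLE_HTML))
```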
In addition to the imprint, there should in any case be a data protection notice page. It serves to fulfil the data protection information obligations. The content and scope of the data protection page depend on what processing takes place on the website. Since an IP address is personal data, every website processes at least this data (it is necessary for the technical connection between the visitor's device and the web server) and therefore needs a data protection notice.
With the data protection declaration, the controller of a website complies with its obligations pursuant to Art. 12 EU-GDPR et seq.
We are not lawyers and therefore cannot formulate legally binding texts. Since the information is also very individual, you should, together with your developer/agency, make use of lawyers with the appropriate expertise.
Note: Make sure that the data protection notice is visible and easily clickable on every page.
What you should absolutely observe in the context of the GDPR is the "principle of data minimisation" (Art. 5(1)(c)):
- For newsletter registrations, only the email address is requested. We generally advise against personalised newsletters.
- For contact forms, only the really necessary fields are requested.
- Mandatory fields are kept as minimal as possible. In the case of a callback service, for example, only the telephone number is requested.
Make sure that personal data is only stored for as long as necessary. The log files of the web server should contain anonymised IP addresses and be deleted after 60 days at the latest.
Enquiries/orders or other forms with a personal reference should also be deleted regularly.
TYPO3 offers a scheduler task "Table garbage collection" which can be used to perform such tasks automatically (see: https://docs.typo3.org/c/typo3/cms-scheduler/master/en-us/Installation/BaseTasks/Index.html).
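An added example (not from the article) for the anonymisation and retention rules above; the log lines are constructed and the masking widths (last octet for IPv4, last 80 bits for IPv6) are an assumption, not a requirement stated in the article.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=60)  # upper bound named in the article

def anonymize_ip(ip):
    """Zero the host part: last 8 bits of IPv4, last 80 bits of IPv6 (assumed masking widths)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

# An Apache "combined" log line starts with the client address followed by a space.
_LEAD = re.compile(r"^(\S+)( .*)$")

def anonymize_line(line):
    """Rewrite the client address at the start of a log line; leave lines without one untouched."""
    m = _LEAD.match(line)
    if not m:
        return line
    try:
        return anonymize_ip(m.group(1)) + m.group(2)
    except ValueError:  # first field is not an IP address (e.g. a hostname)
        return line

def expired(mtime, now=None, retention=RETENTION):
    """True when a log file last written at mtime has exceeded the retention period."""
    now = now or datetime.now(timezone.utc)
    return now - mtime > retention

# Constructed sample lines (not a real log).
SAMPLE = [
    '203.0.113.42 - - [10/Oct/2023:13:55:36 +0200] "GET /kontakt HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '2001:db8:85a3::8a2e:370:7334 - - [10/Oct/2023:13:55:37 +0200] "GET /impressum HTTP/1.1" 200 512 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(anonymize_line(line))
```

Run the rewrite on the log stream before it is written (or via a log rotation hook) and let the rotation job delete files for which expired() is true.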
Advice and support in the implementation of the GDPR
Within the scope of our TYPO3 Support, we are happy to support you in analysing and implementing the individual adaptation requirements and recommend the steps that we consider necessary. If you operate a TYPO3 website, we can help you with the conversion to https, setting up a cookie notice on all pages and setting up a correct data protection notice including the option to deactivate web analysis cookies.
Request a free consultation now!
Please note that we cannot offer any legal advice. You therefore remain responsible for checking that the GDPR is complied with completely and correctly, and this may require the involvement of a lawyer.