New data protection requirements under the GDPR

What does GDPR mean?

After a two-year transition period, the EU-wide General Data Protection Regulation (GDPR for short) has applied since May 25, 2018. The GDPR is intended to ensure that personal data is protected as well as possible during automated processing and thus to prevent its unintended disclosure to third parties. The IP addresses of visitors that are stored when a website is called up also constitute personal data within the meaning of the GDPR. Website operators are therefore obliged under the GDPR to take appropriate technical and organisational measures (TOM) to prevent unlawful use of the data by third parties.

Violations of the GDPR can be subject to heavy fines. Implementing the necessary measures is therefore strongly recommended!

TTDSG as of 2021-12-01

The Telecommunications Telemedia Data Protection Act (TTDSG for short) came into force on December 1, 2021. It replaces the data protection provisions of the Telecommunications Act (TKG) and the Telemedia Act (TMG) and aligns them with the GDPR, which applies throughout the EU.

The TTDSG goes beyond the provisions of the GDPR:

  • it protects information with and without personal reference (and thus also business information)
  • the protected end user can be a natural or a legal person

There are only two exceptions to the consent requirement for storing information on, or reading information from, the end user's terminal equipment (cookies and similar techniques; § 25 para. 2 TTDSG):

  1. Where the sole purpose of storing information in the end user's terminal equipment, or the sole purpose of accessing information already stored there, is to carry out the transmission of a communication over a public telecommunications network; or
  2. Where the storage of information in the end user's terminal equipment, or the access to information already stored there, is strictly necessary for the provider of a telemedia service to provide a telemedia service expressly requested by the user.

Violations of the TTDSG are an administrative offence and can be punished with fines of up to 300,000 euros.



Actions for more data protection of TYPO3 websites

Checking the website for GDPR compliance should be a top priority in organisations (even if it is a bit tedious because it is tech-heavy). Our article on the topology of a website gives an overview of how the data (to be protected) flows during a website visit in most cases.

As a TYPO3 agency, we look at the necessary measures below from a TYPO3 perspective:



1. AV contracts with service providers

The data processing agreement (German: Auftragsverarbeitungsvertrag, "AV contract"; Art. 28 GDPR) is one of the most important formal requirements of the GDPR. You must conclude such an agreement with every service provider who has access to and processes "your data", and in particular the data of your website visitors. This includes external agencies and freelancers as well as your hosting provider and service providers such as Google Analytics.

You can enter into an AV agreement with Google electronically as follows:

  • Log in with your Google account
  • Go to Analytics at https://analytics.google.com
  • Go to Administration (gear icon at the bottom left)
  • Click on "Account settings"
  • At the very bottom you can accept the "Data processing addendum"

2. Keep PHP and TYPO3 up to date

The GDPR obliges website operators to use secure software that reflects the "state of the art" (Art. 32 GDPR). This affects in particular (but not only) the server-side scripting language PHP and of course TYPO3 itself. More on this in our article on the individual PHP/TYPO3 versions and their dependencies.

Make sure that you always use a current PHP and TYPO3 version. The relevant release plans and the associated Long Term Support periods are decisive here: a version that no longer receives security updates is no longer "state of the art", however well it still works.


3. Use HTTPS

As soon as your website requests personal data from visitors (classic example: a contact form), encrypting the connection with TLS ("SSL") is mandatory; otherwise the form contents travel across the network in plain text. You can recognise an encrypted website by the prefix "https://" in the browser's address bar. In TYPO3, set the "Entry Point" in the "Site Configuration" to "https://...". The prerequisite is that your server provides a certificate for this domain (Let's Encrypt issues free certificates). Use the .htaccess file or the settings of your hosting package to redirect every request for "http://" to "https://".

Even if your website does not have any forms, we recommend encryption. Reason: Chrome marks unencrypted websites as "Not secure" in the address bar. More on this in this heise article.

Make sure that the domain with and without "www", and with and without "https", always redirects (with a permanent 301 redirect) to the main domain preceded by "https://". Only redirect to host names you actually serve; a rule that simply echoes the incoming Host header can be abused as an open redirect.

Also make sure that the HTTP Strict-Transport-Security response header (HSTS) is set (see point 6). A browser that has seen it will only contact the server via HTTPS for the stated period, even if the user types "http://". Note that browsers ignore HSTS on plain-HTTP responses, so the header only takes effect once the site is reachable via HTTPS, and that "includeSubDomains" covers every subdomain, so all of them must serve HTTPS too.
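The redirect behaviour described in this point, written out as an added Python example (not the agency's code and not a TYPO3 feature): it models what the .htaccess or hosting redirect rules must do, namely send http://, www-less and other variants to one canonical https origin, keep path and query string, and refuse Host headers the site does not serve. The domain names, the allow list and the sample requests are assumptions made up for the illustration.

```python
"""Canonical HTTPS redirect logic: added illustration, not the agency's code.

Models what the .htaccess / hosting redirect rules from point 3 must do:
send http://, www-less and any other variant to one canonical https origin,
keep path and query, and refuse host names the site does not serve.
"""
from __future__ import annotations

from typing import Optional
from urllib.parse import urlunsplit

# Assumed example values; replace with your own domain.
CANONICAL_HOST = "www.example.com"
# Host names this site answers to. Anything else is rejected rather than
# redirected, so an attacker-controlled Host header cannot turn the rule
# into an open redirect to an arbitrary site.
ALLOWED_HOSTS = {"example.com", "www.example.com"}

HSTS_VALUE = "max-age=31536000; includeSubDomains"


def canonical_redirect(scheme: str, host: str, path: str, query: str = "") -> Optional[str]:
    """Return the 301 Location for a request, or None if it is already canonical.

    Raises ValueError for a Host header the site does not serve.
    """
    scheme = scheme.lower()
    host = host.lower().split(":", 1)[0]  # drop an explicit port, normalise case
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    if scheme == "https" and host == CANONICAL_HOST:
        return None
    if not path.startswith("/"):
        path = "/" + path
    return urlunsplit(("https", CANONICAL_HOST, path, query, ""))


def hsts_header(scheme: str) -> Optional[str]:
    """Browsers only honour HSTS on HTTPS responses, so a plain-HTTP response
    (which should be a redirect anyway) gets no such header."""
    return HSTS_VALUE if scheme.lower() == "https" else None


# Constructed sample requests: (scheme, Host header, path, query string).
SAMPLE_REQUESTS = [
    ("http", "example.com", "/kontakt", "id=5"),
    ("http", "www.example.com:80", "/", ""),
    ("https", "example.com", "/impressum", ""),
    ("https", "www.example.com", "/datenschutz", ""),
]


def audit(requests=SAMPLE_REQUESTS) -> list[tuple[str, Optional[str]]]:
    """Pair each sample request URL with the redirect it must receive (None = serve the page)."""
    return [
        (f"{scheme}://{host}{path}" + (f"?{query}" if query else ""),
         canonical_redirect(scheme, host, path, query))
        for scheme, host, path, query in requests
    ]


if __name__ == "__main__":
    for url, target in audit():
        print(f"{url:45} -> {target or '200 (canonical)'}")
```

The same table of requests is a good manual test for the real redirect rules: fetch each variant with curl -I and compare the Location header, and confirm that an unknown Host header gets an error page rather than a redirect.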


4. Cookie Consent

If your website sets cookies, you must ask visitors for permission ("consent") BEFORE doing so. Cookies that are required for the technical operation of the website (e.g. session cookies for shopping cart functions or protected login areas) are exempt. Consent is usually obtained via a cookie consent box, for which we have programmed a TYPO3 extension.

A mere notice with a link to deactivate cookies (the so-called opt-out procedure) is, according to a judgement of the European Court of Justice (EuGH), not sufficient and therefore a violation of the data protection regulations (GDPR).

Important:

A consent box is required not only for cookies but for all externally loaded resources (e.g. external fonts, CDNs, etc.) and embedded applications (e.g. social media integration, iframes, etc.), because each of them transmits the visitor's IP address to a third party.



5. Avoid social media plug-ins

Social media plug-ins (e.g. Facebook "Like" buttons, Twitter integration, etc.) inform the platform operators about every website visitor without being asked, simply because the page is called up. This is a violation of the GDPR. Our recommendation is therefore clear: remove the plug-ins from your website. Firstly, they are of little use anyway and secondly, they slow down the loading time of the website.

If you still don't want to do without social media plug-ins, you can make them "subject to consent" with our cookie extension, so that the external code is only loaded after the visitor has agreed.



6. Use HTTP security headers

HTTP security headers are another way to make your website more secure. They instruct browsers, for example, to contact the server only via "https" (the "HTTP Strict-Transport-Security" response header, HSTS for short) and help to prevent cross-site scripting, MIME sniffing and clickjacking attacks, among others.

You can test whether your website is adequately protected with these headers at https://securityheaders.com

The following relatively simple TypoScript snippet sets the most important security headers (config.additionalHeaders sends them with every page):

# Only talk to this host (and its subdomains) via HTTPS for one year.
# Only send this once every subdomain is reachable via HTTPS.
config.additionalHeaders.10.header = Strict-Transport-Security: max-age=31536000; includeSubDomains
# Send only the origin (not the full URL) as Referer, and nothing at all to HTTP targets.
config.additionalHeaders.20.header = Referrer-Policy: strict-origin
# Feature-Policy is the legacy name of Permissions-Policy; kept for older browsers.
config.additionalHeaders.30.header = Feature-Policy: geolocation 'none'; midi 'none'; camera 'none'; usb 'none'; magnetometer 'none'; accelerometer 'none'; vr 'none'; speaker 'none'; ambient-light-sensor 'none'; gyroscope 'none'; microphone 'none'
# Permissions-Policy: switch off browser features the site does not need.
config.additionalHeaders.40.header = Permissions-Policy: geolocation=(), midi=(), camera=(), usb=(), magnetometer=(), accelerometer=(), vr=(), speaker=(), ambient-light-sensor=(), gyroscope=(), microphone=()
# Allow the site to be framed only by itself (clickjacking protection).
config.additionalHeaders.50.header = Content-Security-Policy: frame-ancestors 'self'
# Stop browsers from guessing content types (MIME sniffing).
config.additionalHeaders.60.header = X-Content-Type-Options: nosniff

Please note that the Content-Security-Policy (CSP) header in particular can be configured much more extensively (e.g. restricting the sources from which scripts, styles and images may be loaded). A detailed description would (a) go beyond the scope of this article and (b) usually be too vague, because the right policy depends on the individual site. Roll out a new policy with Content-Security-Policy-Report-Only first, so that mistakes are reported instead of breaking the site.
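What a check like securityheaders.com does, as an added Python example (not the agency's code): it audits a set of response headers against the recommendations of this point, so the same check can run in a deployment pipeline against a staging host. The two header sets are constructed samples: the first mirrors what the TypoScript above sends, the second is a deliberately weak configuration; the thresholds (one year for HSTS, rejection of referrer policies that leak full URLs) are the author's assumptions.

```python
"""Audit HTTP response headers against the recommendations in point 6.
Added example, not the agency's code. Samples below are constructed."""
from __future__ import annotations

ONE_YEAR = 31536000

# Constructed: what a TYPO3 site with the TypoScript above sends.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
    "Content-Security-Policy": "frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
}

# Constructed: a weak configuration, for comparison.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *",
}


def _directives(value: str) -> dict[str, str]:
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}"""
    out: dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip()
    return out


def _csp(value: str) -> dict[str, list[str]]:
    """\"frame-ancestors 'self'; default-src *\" -> {'frame-ancestors': [\"'self'\"], 'default-src': ['*']}"""
    out: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        d = _directives(hsts)
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        ancestors = _csp(csp).get("frame-ancestors")
        if ancestors is None:
            findings.append("CSP has no frame-ancestors directive (clickjacking)")
        elif "*" in ancestors:
            findings.append("CSP frame-ancestors allows any origin")

    # These policies send the full URL (including query strings) to other sites.
    if h.get("referrer-policy", "").strip().lower() in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy missing or leaks full URLs cross-origin")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, audit_headers(hdrs) or "OK")
```

To run it against a live site, fetch the headers (e.g. with urllib.request or requests) and pass the response's header mapping to audit_headers; a non-empty list fails the build.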



7. Integrate external resources locally

External files such as fonts, the JavaScript library jQuery or the CSS framework Bootstrap are often integrated via so-called CDNs (Content Delivery Networks). These are external servers, distributed all over the world, that can deliver resources very quickly. Despite the speed argument, we recommend serving these files from your own server: every request to a CDN transmits the visitor's IP address to the CDN operator, a third party, and that transfer needs a legal basis under the GDPR.

Actions for local integration of jQuery and/or Bootstrap:

  1. Download the required files from the external server and upload them to a suitable location on the web server (e.g. the Resources/Public folder of your site package).
  2. Integrate them via "page.includeCSS" and "page.includeJS" (TypoScript).

Actions for the local integration of Google Fonts:

Google Fonts are usually published under the SIL Open Font License and are thus open source. This means they can largely be used freely. We therefore recommend installing the fonts locally on your own server and integrating them from there.

To do this, the following steps can be taken:

  1. Call the tool https://google-webfonts-helper.herokuapp.com/font
  2. Select the font in the left column
  3. Select the styles (e.g. "200" or "200italic")
  4. Check and, if necessary, change the path to the fonts
  5. Copy the CSS and integrate it into the website in question
  6. Download the fonts and upload them to the server of the website in question
  7. Prevent external loading of the fonts: remove any remaining references to fonts.googleapis.com or fonts.gstatic.com from templates, stylesheets and extensions, and check the result in the browser's network tab
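A way to check the last step of both procedures, as an added Python example (not the agency's code and not part of any TYPO3 extension): it scans HTML and CSS for src, href and url() references and reports every host that is not your own, so leftover CDN, Google Fonts or embed references show up before a visitor's browser contacts them. The own-host list and the HTML/CSS snippets are constructed for the illustration.

```python
"""Find third-party resource references in HTML/CSS: added example, not the agency's code."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Assumed: the host names that count as "our own server".
OWN_HOSTS = {"www.example.com", "example.com"}

# Matches src="..." / href="..." in markup and url(...) in stylesheets.
URL_RE = re.compile(
    r"""(?:src|href)\s*=\s*["']([^"']+)["']|url\(\s*["']?([^"')]+)["']?\s*\)""",
    re.IGNORECASE,
)

# Constructed sample template: a mix of external and local resources.
SAMPLE_HTML = """
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:400,700">
<link rel="stylesheet" href="/typo3conf/ext/site/Resources/Public/Css/fonts.css">
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="/typo3conf/ext/site/Resources/Public/JavaScript/jquery.min.js"></script>
<iframe src="https://www.youtube.com/embed/abc"></iframe>
"""

# Constructed sample stylesheet: one remote @font-face and one local one.
SAMPLE_CSS = """
@font-face { font-family: 'Roboto'; src: url(https://fonts.gstatic.com/s/roboto/v30/x.woff2) format('woff2'); }
@font-face { font-family: 'Roboto'; src: url('../Fonts/roboto-v30-latin-regular.woff2') format('woff2'); }
"""


def external_references(text: str, own_hosts: set[str] = OWN_HOSTS) -> list[str]:
    """Return the distinct third-party hosts referenced in text, in order of first appearance.

    Relative URLs stay local and are ignored; protocol-relative URLs (//host/...)
    are treated as https so they are not overlooked."""
    seen: dict[str, None] = {}
    for m in URL_RE.finditer(text):
        ref = (m.group(1) or m.group(2)).strip()
        if ref.startswith("//"):
            ref = "https:" + ref
        parts = urlsplit(ref)
        if parts.scheme in ("http", "https") and parts.netloc.lower() not in own_hosts:
            seen[parts.netloc.lower()] = None
    return list(seen)


if __name__ == "__main__":
    print("HTML:", external_references(SAMPLE_HTML))
    print("CSS: ", external_references(SAMPLE_CSS))
```

Run it over the rendered output of the site (not only the source templates), because extensions and content elements can add references that do not appear in your own files.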

8. Data protection notice (and imprint)

In addition to the imprint, there must in any case be a data protection notice (privacy policy) page. It serves to comply with the data protection information obligations. The content and scope of the data protection page depend on which processing takes place on the website. Since an IP address is personal data, every website processes at least this data (it is necessary for the technical connection between the visitor's device and the web server) and therefore needs a data protection notice.

With the data protection declaration, the controller of a website complies with its obligations pursuant to Art. 12 et seq. GDPR.

We are not lawyers and therefore cannot formulate legally binding texts. Since the information is also very individual, you should, together with your developer/agency, consult lawyers with the appropriate expertise.

Note: Make sure that the data protection notice is visible and easily clickable on every page.


9. Principle of data minimisation

What you should absolutely observe in the context of the GDPR is the "principle of data minimisation" (Art. 5(1)(c) GDPR): collect only the data that is actually necessary for the stated purpose.

Recommendation examples:

  • For newsletter registrations, only the email address is requested. We generally advise against personalised newsletters.
  • For contact forms, only the really necessary fields are requested.
  • Mandatory fields are kept to a minimum. For a callback service, for example, only the telephone number is requested.

10. Regular data cleaning

Make sure that personal data is only stored for as long as necessary. The web server's log files should only contain anonymised IP addresses and should be deleted after 60 days at the latest.

Enquiries/orders or other form submissions with a personal reference should also be deleted regularly.

TYPO3 offers the scheduler task "Table garbage collection", which can be used to perform such deletions automatically (see: https://docs.typo3.org/c/typo3/cms-scheduler/master/en-us/Installation/BaseTasks/Index.html). Note that it only cleans the tables registered for it; form submissions that an extension stores in its own tables need their own cleanup.
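The two log-file rules of this point (anonymised IP addresses, deletion after 60 days), as an added Python example that is not the agency's code: ideally the web server anonymises addresses at write time, and this shows the equivalent post-processing for log files that already exist. IPv4 addresses are cut to /24 and IPv6 addresses to /48; both prefix lengths, the 60-day limit and the sample log lines (documentation address ranges, not real visitors) are assumptions for the illustration.

```python
"""Anonymise and expire web server access logs: added illustration, not the agency's code.

The web server should ideally anonymise at write time; this is the equivalent
post-processing for existing log files, plus the 60-day retention limit.
"""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Apache/nginx "combined" format: client IP, ident, user, [timestamp], rest of line.
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<ident>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$")

# Constructed sample lines (documentation address ranges, not real visitors).
SAMPLE_LOG = [
    '203.0.113.42 - - [10/Mar/2023:12:00:01 +0100] "GET /kontakt HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::1 - - [01/Jan/2023:08:15:00 +0100] "GET / HTTP/1.1" 200 812 "-" "curl/7.88"',
    "not a log line",
]
NOW = datetime(2023, 3, 15, tzinfo=timezone.utc)  # assumed "today" for the sample


def anonymise_ip(text: str) -> str:
    """Zero the host part: keep /24 of an IPv4 address and /48 of an IPv6 address.

    Anything unparsable is replaced outright rather than passed through,
    so a malformed field can never leak a real address."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "0.0.0.0"
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def parse_timestamp(ts: str) -> datetime:
    """'10/Mar/2023:12:00:01 +0100' -> timezone-aware datetime."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def anonymise_line(line: str) -> Optional[str]:
    """Rewrite one log line with the client IP anonymised; None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return f"{anonymise_ip(m['ip'])} {m['ident']} [{m['ts']}] {m['rest']}"


def clean_log(lines: Iterable[str], now: datetime = NOW, max_age_days: int = 60) -> list[str]:
    """Drop entries older than max_age_days and anonymise the rest.

    Unparsable lines are dropped as well: keeping them would retain whatever they contain."""
    cutoff = now - timedelta(days=max_age_days)
    kept: list[str] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or parse_timestamp(m["ts"]) < cutoff:
            continue
        kept.append(anonymise_line(line))
    return kept


if __name__ == "__main__":
    for out in clean_log(SAMPLE_LOG):
        print(out)
```

Run it as a nightly job writing to a new file and then replace the original, and keep in mind that other copies of the same data (backups, log shipping, analytics imports) need the same retention rule.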


Advice and support in the implementation of the GDPR

Within the scope of our TYPO3 support, we are happy to help you analyse and implement the individual adaptation requirements and recommend the steps we consider necessary. If you operate a TYPO3 website, we can help you with the switch to HTTPS, setting up a cookie notice on all pages and setting up a correct data protection notice, including the option to deactivate web analytics cookies.

Request a free consultation now!

Please note that we cannot offer legal advice. You therefore remain responsible for checking that the GDPR (DSGVO) is complied with completely and correctly, which may require the involvement of a lawyer.