last change: February 28, 2019
From a legal standpoint, there are several issues to keep in mind when operating a website. The following topics illustrate several pitfalls to be aware of.
Apart from the imprint (legal notice) requirements (German only), websites must also have a data privacy statement covering any personal data that is collected. This also includes:
- Web server logging
- Tracking tools, including the right to opt out
- If online forms are used, an explanation of the how the data is utilized, forwarded and deleted
The data privacy statement must be placed directly as easy to find as the imprint.
Even if personal data is not collected, a data privacy statement is nonetheless recommended. This is the only way for users to know that the data privacy requirements were not left out and that they are actually surfing anonymously.
When using a central Typo3 instance (from ITSZ), there is no need to create a data privacy statement since it's automatically provided.
Examples for how to formulate the imprint and the data privacy statement are available at the TUM data protection wiki.
Declaration of consent
If personal data is collected through web forms, it's important to note that users must normally provide their explicit consent to having the data processed. Permission is not automatically given due to the mere fact that the user is providing the data to the website through the form. Instead, users must provide their explicit consent, as well as be informed about
- the controller (the person responsible)
- the rights of the data subject
- the purpose of the processing of the data
- and how long it is kept until it is deleted.
Furthermore, the website operator must specify the legal consequences of refusing to consent.
If the data is to be collected for future purposes, consent must be obtained at the time the data is collected, otherwise it may not be used further. In this case a checkbox is recommended as a means to obtain the user's consent. Further information about the declaration of consent can be found under the navigation menu "Declaration of consent"
Description of the processing
Generally speaking, you have to pass a description of the processing to the data protection official before processing personal data.
Please make sure that a secure connection is available when using online forms. The address must begin with https:// when retrieving the form. Personal data may not be collected without this secure connection.
A list of recommended services is available at http://www.it.tum.de/it-sicherheit/fuer-mitarbeiterinnen/dos-and-donts/doodle-co/#c2630
If you publish employee data on your websites, under certain circumstances you are required to create a description of the processing activities that must be passed to data protection official.
For details see section Verarbeitungstätigkeit.
Due to public availability through the Internet, web applications are particularly vulnerable to threats. For these reason we recommend that you consider the following security advices:
- Use only encrypted sessions for your web applications. That means they are only available only via https.
- Think about a restricted ip range to reach the application.
- Take the OWASP Top 10 into account when developing a web application.
In order to improve a website, it's often times helpful to know how users navigate the site, which pages they view and how long they remain on individual pages.
This information can be acquired through the use of tracking tools. TUM offers members of the university a service that conforms to corresponding data protection regulations. The foundation of this service is an analytics platform, which stores anonymous user data.
If you wish to integrate this service into your website, please contact IT Support: firstname.lastname@example.org
Because the use of Google Analytics for TUM websites is problematic, it's not considered a viable alternative.
Users can be identified through the IP address that Google Analytics saves, a technique that violates the German Telemedia Act (TMG) (external link). As specified in §12, paragraph 1 of the TMG, collecting and using personal data is permitted only with the consent of the user or there must be an existing legal basis. Consent must be obtained at the beginning of the utilization process, which is usually not the case with Google Analytics, plus there is no legal foundation.
If there is no way to avoid using Google Analytics, an anonymous IP address must be used (with the "anonymizeIP" function). In addition, the user must be clearly informed of the right to object to the data analysis. The Bavarian Data Protection Official generally advises against the use of Google Analytics.
Further information is available at: : http://www.datenschutz-bayern.de/presse/20100906_google_analytics.html. In its 25. activity report the office of the Bavarian Data Protection Official outlined the following data privacy criteria for using Google Analytics:
- Use of the Google Analytics anonymizeIP function for automatically shortening the IPv4 address of the website user when the data is stored at Google
- Clearly informing users of the right to dissent to having their data analyzed, such as through the data privacy statement
- Ensuring that such dissents can be effectively implemented, such as through a link to the data privacy statement using suitable browser plug-ins
From a data protection standpoint, social media plug-ins such as Facebook, Google+ and Twitter are viewed critically. Below is a brief description using the Facebook "Like" button as an example. Other social media plug-ins rely on a similar approach.
The Facebook "Like" button should be viewed with caution. The issue is that Facebook is in a position to track the Internet activity of website visitors who use the Like" button. This is regardless of whether the website visitor is logged on to or even registered with Facebook.
One way to improve this situation is the so-called 2-click method, which involves initially showing a graphic. The data is then transmitted to Facebook only after clicking on the graphic.