Important note
The texts on this page are for information purposes only and do not constitute legal advice. We recommend using the services of a lawyer when formulating contracts and notices on the website. We have compiled the information with great care, but we cannot accept any liability for it.
The information on this page is updated on an ongoing basis. Status: 24.5.2018
For further information, we can recommend the following book
"EU General Data Protection Regulation in Business" by Tim Wybitul
Introduction
The General Data Protection Regulation (GDPR) regulates the processing of personal data. It applies uniformly throughout the EU. Similar regulations based on the GDPR are being implemented in other countries.
The GDPR was adopted by the EU Parliament on 14.05.2016 and will enter into force on 25.05.2018. It replaces the previous Federal Data Protection Act (BDSG). The provisions of the GDPR apply directly throughout the EU, meaning that they do not need to be transposed into national law. However, the member states have the option of specifying the provisions of the GDPR in more detail, which Germany has done in the new BDSG.
The GDPR applies to anyone who processes personal data as a controller or on behalf of a controller and offers these services within the EU. Companies, websites or stores outside the EU that offer their services in the EU are also affected by the GDPR.
Difference between GDPR and previous BDSG
Many provisions of the GDPR were previously already regulated in the Federal Data Protection Act. For companies in Germany, the changes are therefore not as serious as they might be in other countries. Nevertheless, there are some significant differences:
- The burden of proof is reversed. Previously, a breach of the BDSG had to be proven against the company. In future, the company will have to prove that it has not breached the GDPR. There are also extensive documentation obligations on the part of companies.
- Drastically higher penalties. Violations of the BDSG were previously punished with a fine. In individual cases, this could be up to 50,000 or 300,000 euros (in the case of intent).
Under the GDPR, fines of up to 20 million euros or 4% of annual turnover are possible. Article 83 of the GDPR states that: "Each supervisory authority shall ensure that the imposition of fines ... for infringements of this Regulation ... is effective, proportionate and dissuasive in each individual case."
Information for website operators
All website operators are obliged to comply with the GDPR. Only privately operated websites are exempt. As soon as a private blog contains affiliate links or advertising, for example, the GDPR also applies.
First of all, the conclusion of an order processing contract between the website operator and the hosting provider is required.
We offer our customers the conclusion of a corresponding contract via the customer menu (menu item General->GDPR contract).
Storage of log files
Data is stored in log files as part of the hosting process to ensure the security of our information technology systems. This data is not analyzed for marketing purposes. Our legitimate interest in data processing lies in the aforementioned purposes.
Here is a list of the data collected in log files:
1) Apache web server
Data is stored in the web server log files each time the website is accessed. The data is required to ensure operation and to analyze attacks on the website. The data is deleted after 7 days. The following data is stored:
- IP address
- Date and time of the request
- Time zone difference to GMT
- Content of the website
- Access status (HTTP status)
- Amount of data transferred
- Website from which you accessed our website
- Web browser
- Operating system
- Language and version of the browser
2) FTP/SFTP server
Data is stored in the log files of the FTP/SFTP server each time it is accessed. The data is deleted after 30 days. The following data is stored:
- IP address
- Username of the user
- Date and time of the request
- Time zone difference to GMT
- Information on whether a file was downloaded or uploaded
- Path and file name of the transferred file
- Amount of data transferred
3) SSH access
Data is stored in the log files of the terminal service when you log in. This data is deleted after 30 days. The following data is saved:
- IP address
- Username of the user
- Date and time of the request
4) Apache Error Log
In the event of an error, messages from the Apache web server are stored in log files. This data is deleted after 30 days at the latest. The following data is stored:
- IP address
- Date and time of the error
- Error code
- Error message in text form
5) MySQL Error Log
In the event of an error, messages from the MySQL database server are saved in log files. This data is deleted after 30 days at the latest. The following data is saved:
- IP address
- Date and time of the error
- Name of the database used
- Error code
- Error message in text form, including the database query used if applicable
6) Mail server log
Metadata is stored in the mail server log files and deleted after 7 days. The following data is stored:
- Sender
- Recipient
- Time of sending
- IP address of the sender
- Size of the e-mail
This data is not stored together with your other personal data.
The log files are not stored in the customer account. For the Apache access logs, the customer can activate, for each domain via the customer menu, the extraction of the data relating to them and its storage in the /weblogs directory of the customer account. In this case, the customer is responsible for deleting the data themselves. The scope of the data corresponds to the information mentioned under 1). When activating the creation of the extracted Apache access logs, you can specify whether the data is automatically deleted after 7 days.
In the cloud hosting tariffs, the Apache and Nginx access logs are stored in the /logs/[Domainname]/ directory. The IP addresses in these logs are anonymized once a day.
From 25 May 2018, the IP address will be anonymized in the FTP log files and in the customer menu log.
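The daily anonymization of client addresses in access logs, as an added example that is not the provider's own code: it truncates IPv4 addresses to /24 and IPv6 addresses to /48 (an assumed policy; the page does not say which truncation is used), leaves lines it cannot parse untouched instead of dropping them, and is safe to re-run over output it has already processed. The sample log lines are constructed.

```python
import ipaddress
import re

# Constructed sample lines in Apache "combined" log format (not real traffic);
# the third line simulates a corrupted entry.
SAMPLE_LOG = """\
203.0.113.42 - - [24/May/2018:10:12:01 +0200] "GET /index.php HTTP/1.1" 200 5123 "https://example.org/" "Mozilla/5.0"
2001:db8:85a3::8a2e:370:7334 - - [24/May/2018:10:12:02 +0200] "GET /style.css HTTP/1.1" 304 0 "-" "Mozilla/5.0"
not a log line
"""

# In the combined format the client address is the first field, followed by a space.
_LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>.*)$")


def anonymize_ip(ip_text: str) -> str:
    """Zero the host part of the address.

    Assumed policy: keep the first three octets of IPv4 (/24) and the first
    48 bits of IPv6; the page does not state which truncation is used.
    """
    addr = ipaddress.ip_address(ip_text)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def anonymize_line(line: str) -> str:
    """Anonymize the client address of one log line; lines that do not start
    with an IP address are returned unchanged rather than dropped."""
    match = _LINE_RE.match(line)
    if not match:
        return line
    try:
        anonymized = anonymize_ip(match.group("ip"))
    except ValueError:
        return line  # first field is not an IP address: leave the line alone
    return f"{anonymized} {match.group('rest')}"


def anonymize_log(text: str) -> str:
    """Process a whole log file. Running it again on already anonymized output
    is a no-op, which matters for a job that runs once a day over the same file."""
    return "".join(anonymize_line(line) + "\n" for line in text.splitlines())


if __name__ == "__main__":
    print(anonymize_log(SAMPLE_LOG), end="")
```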
Which cookies are set by TYPO3?
TYPO3 version up to 6.1:
A session cookie 'fe_typo_user' is set when the website is accessed. The setting of cookies can be prevented in the install tool with the setting "dontSetCookie", but then no login (e.g. for closed user groups) is possible.
TYPO3 version 6.2 and higher:
A cookie 'fe_typo_user' is only set if this is necessary (e.g. for the login function). The option "dontSetCookie" has been removed as it is no longer required.
This information applies to the standard configuration of TYPO3. When using additional functions (e.g. Google Analytics, Matomo/Piwik, Facebook Pixel, affiliate programs, etc.) further cookies are set.
Are IP addresses stored in TYPO3?
IP addresses are stored in various database tables in TYPO3:
Table sys_log:
System events are stored in this table. These include login processes in the backend (editors), but also error messages when the website is called up. The sys_log table can be deleted automatically after a configurable number of days via a task in the scheduler.
Table index_stat_search:
When using the indexed_search extension (system extension), search queries are logged.
Table tx_solr_statistics:
When using the Solr search (additional extension) and activating the statistics function, search queries are logged together with the IP address.
Table tx_powermail_domain_model_mail:
When using the Powermail extension (additional extension), the IP address of the sender is saved together with the emails sent.
The IP addresses are not automatically anonymized. Since version 7.6 of TYPO3, however, there is a scheduler task that can be used to anonymize IP addresses in database tables.
If other extensions are used, these may also store IP addresses in the database.
What data is stored about editors?
The following personal data is stored for backend users in TYPO3 (editors and administrators):
- Name and e-mail address
- Password (encrypted)
- Details of access authorization (which pages, fields and files may be edited)
- Time of the last login
- Log of the changes made
The data is stored in the tables be_users, sys_log and sys_history. In addition, almost all data records log which user created them and when (cruser_id and crdate).
Contact form, Login: SSL certificate required
If a website has a form (contact or registration form) or offers a login function, according to the Telemedia Act an encrypted transmission of the data is required. For this purpose, an SSL certificate is set up for the domain(s). Via an entry in the .htaccess file in the start directory of the domain, all unencrypted requests should then be redirected to the encrypted connection.
When switching to https://, care must also be taken to ensure that no elements on the website (e.g. JavaScript files or iFrames) are integrated via an unencrypted connection. In this case, the integration must also be switched to https://.
If a <base> entry is set on the website (e.g. in TYPO3 via the config.baseURL setting), this must also be changed to https://.
What needs to be considered for website content?
Editors need to be carefully trained so that they are familiar with the legal regulations governing the storage and publication of content.
The content on a website may contain personal data, e.g. pictures of employees or people at events (obtain permission for publication) or lists of results in sport (e.g. name, year of birth, performance achieved).
The operator of a website should also be prepared to provide a person with information about the stored data and to delete it on request. Such deletion must also take place in existing backups so that deleted data records do not reappear when the data is restored.
Integration of social media buttons and Google Maps
The integration of social media buttons and other external services usually takes place via a snippet of JavaScript code provided by the respective provider.
However, when the website is accessed, data is already transmitted to the external provider without the visitor being able to object to this.
A 2-click solution can be used here. The visitor must explicitly activate the data transfer by clicking on it. From heise.de there is the Shariff solution (www.heise.de/ct/ausgabe/2014-26-Social-Media-Buttons-datenschutzkonform-nutzen-2463330.html). Such a solution is also required, for example, for integrating Google Maps into a website. For this purpose, a function can be activated in our TYPO3 extension maps2 (extensions.typo3.org/extension/maps2/), in which the map is only displayed after a click by the visitor.
Integration of external fonts
Many websites use special fonts for their design. These font files are loaded when the website is accessed, either from the same server as the website (harmless in terms of data protection) or from an external service provider (e.g. fonts.google.com). If the data is loaded from an external server, personal data is also transferred: the user's IP address.
In this case, it is recommended to save the font files locally on the web space (if the provider's license conditions allow this).
Integration of jQuery and other libraries
Websites often use JavaScript libraries, such as jQuery. These are often loaded directly from the provider or an external domain. However, data is transmitted to the provider when the library is loaded.
In this case, it is advisable to save the library locally in the hosting package and integrate it into the website from there (if the license conditions allow this). This has the additional advantage that the website can be loaded without any problems even if, for example, the provider's server is unavailable.
Use of Google Analytics, Matomo/Piwik, etc.
The use of tools to analyse visitors is still permitted, but care must be taken to ensure that the IP address is anonymized. This can be configured in the respective tools.
When using external tools (e.g. Google Analytics), it is also necessary to conclude an order processing contract with the provider (e.g. Google).
Such a contract is generally not required for Matomo (formerly Piwik), as this tool can be hosted by the user and therefore no data is transferred to an external provider.
Imprint and data protection notice
Every website used for business purposes must have an imprint and a data protection notice. A separate page should be set up for both pieces of information, which can be accessed directly from each page via a link (e.g. in the footer of the page).
Caution: any cookie notice displayed must not obscure the links to the legal notice and the data protection page!
If you create the content for the legal notice and data protection notice yourself, you should have it checked by a lawyer if possible. Missing information or incorrect wording can lead to costly warnings.
There are also special generators for creating legally compliant formulations for imprint and data protection notice.
Use of e-mail newsletters
Anyone sending a newsletter by email must observe a few important points:
When registering, only the e-mail address may be a mandatory entry; this is the only information required for sending. It is currently unclear whether further [voluntary] information may be collected in the registration form (it is therefore better to omit it).
The double opt-in procedure is required for registration. Consent should be logged as proof of registration.
A link to unsubscribe directly is required in every newsletter sent. Unsubscribing should be immediate and there should be no further confirmation of unsubscription by email.
If an external service provider is used to send the newsletter, an order processing contract must be concluded with them. The contractor must comply with the provisions of the GDPR (even if it is based in the USA, for example).
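The registration flow from the points above (only the address is mandatory, double opt-in, logged consent as proof of registration, immediate unsubscription without a further confirmation mail), as an added Python sketch that is not the page's or any newsletter service's code. Sending the confirmation e-mail and the per-subscriber secret that a real unsubscribe link would carry are assumed to exist outside this snippet.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Subscription:
    email: str                     # the only mandatory registration field
    status: str = "pending"        # pending -> confirmed -> unsubscribed; only confirmed get mail
    token_hash: str = ""           # only a hash of the confirmation token is kept
    history: list = field(default_factory=list)  # timestamped consent log (proof of registration)

    def log(self, event: str) -> None:
        self.history.append((datetime.now(timezone.utc).isoformat(), event))

class NewsletterList:
    def __init__(self) -> None:
        self._subs: dict[str, Subscription] = {}

    def register(self, email: str) -> str:
        """Step 1: store as pending; return the one-time token for the confirmation mail."""
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        sub = Subscription(email=email.strip().lower(), token_hash=token_hash)
        self._subs[sub.email] = sub
        sub.log("registration received, confirmation mail sent")
        return token

    def confirm(self, email: str, token: str) -> bool:
        """Step 2: click on the confirmation link; wrong or reused tokens are rejected."""
        sub = self._subs.get(email.strip().lower())
        if sub is None or sub.status != "pending":
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(sub.token_hash, presented):
            sub.log("confirmation attempt with invalid token rejected")
            return False
        sub.status = "confirmed"
        sub.log("consent confirmed via double opt-in link")
        return True

    def unsubscribe(self, email: str) -> bool:
        """Unsubscribe link: effective immediately, no further confirmation mail."""
        sub = self._subs.get(email.strip().lower())
        if sub is None or sub.status == "unsubscribed":
            return False
        sub.status = "unsubscribed"
        sub.log("unsubscribed via newsletter link")
        return True
```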
State of the art: keeping software up to date
According to §13, paragraph 7 Telemedia Act, commercial providers of websites are obliged to keep their websites up to date with the state of the art. This includes in particular the use of up-to-date software and security updates. You can find details on this on the website of the BSI (Federal Office for Information Security).