GDPR Obligations for Websites: What You Really Need to Know
Privacy policy, cookie consent, legal notice - three obligations every website must fulfil. Clearly explained for directors and board members, without legal jargon.
What is a privacy policy - and why does every website need one?
A privacy policy informs visitors to your website about which personal data is collected, why this happens, and what rights they have. This sounds abstract but is very concrete: as soon as someone visits your website, the server stores an IP address. That is personal data. This alone brings every website under the GDPR.
The General Data Protection Regulation (GDPR) has been in force across the entire EU since May 2018. It obliges every website operator - whether corporation, SME, association, or charity - to maintain a complete privacy policy. If it is missing or outdated, warnings and fines can follow.
Important: a privacy policy is not the same as a legal notice (imprint). The imprint identifies who is responsible for the website (required under national digital services legislation). The privacy policy governs how data is handled (under the GDPR). Both are mandatory and must exist as separate pages.
The most common privacy policy mistakes
In practice, we see the same problems again and again. Many are easily avoidable - if you know what to look for.
Outdated templates
Many websites still use privacy policies from 2018 or earlier. Since then, laws have changed (new rulings on Google Fonts, Analytics, and updated national ePrivacy legislation). A template from three years ago is almost certainly no longer compliant.
Missing details
The GDPR requires specific information: name of the controller, contact details for the data protection officer (if applicable), legal basis for each processing activity, retention periods, and data subject rights. If any of these are missing, the policy is incomplete.
Copy-paste without customisation
A privacy policy must match your actual website. If you use Google Analytics but only mention Facebook Pixel, that is a problem. If you use no analytics tools at all but include three paragraphs about them, that is equally problematic.
Empty or hidden pages
Some websites have a link to the privacy policy in the footer, but the page behind it is empty or leads nowhere. Supervisory authorities check this systematically - and specialist lawyers even more so.
Cookie consent: why a simple notice is not enough
Cookies are small text files that websites store on a visitor's device. Some are technically necessary (e.g. for the shopping cart in an online shop). Others serve analytics or marketing - and this is where it becomes legally relevant.
The ePrivacy Directive (implemented nationally in each EU member state - as TDDDG in Germany, PECR in the UK, etc.) requires that before non-essential cookies are set, the visitor must actively consent. This means: a banner reading "This website uses cookies - OK" is not sufficient. The visitor must have a genuine choice - with the ability to reject individual categories.
In practice, you need a Consent Management Platform (CMP). This tool displays a cookie banner on the first visit with at least two options: "Accept all" and "Necessary only". Only after consent may tracking cookies be set. Without a functioning CMP, any tracking on your website is unlawful.
Note: embedded YouTube videos, Google Maps, and social media buttons also set cookies. If you embed such content, you need either consent or a two-click solution that loads only after approval. The topic of website security is directly connected - insecure integrations can also cause data protection issues.
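The consent-gated ("two-click") loading described above, as an added JavaScript example that is not gosign.de's code or any CMP vendor's: embeds and scripts are stored with a data-src placeholder and are only activated for categories the visitor has allowed. The data-consent/data-src attributes, the category names and the banner choice format are assumptions.

```javascript
// Added example: consent-gated loading of third-party content.
// Assumed (constructed) page markup the CMP leaves in place before consent:
//   <script type="text/plain" data-consent="analytics" data-src="https://…/analytics.js"></script>
//   <iframe data-consent="marketing" data-src="https://www.youtube-nocookie.com/embed/ID"></iframe>
// No third-party URL is requested until the matching category is allowed.

const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed category names

// Build a consent record from the banner choice: "all", "necessary", or an
// object of per-category booleans. Nothing but "necessary" is pre-selected,
// so a missing choice (null, first visit) blocks every optional category.
function consentFrom(choice) {
  const allowed = { necessary: true, analytics: false, marketing: false };
  if (choice === "all") {
    allowed.analytics = true;
    allowed.marketing = true;
  } else if (choice && typeof choice === "object") {
    for (const c of CATEGORIES) {
      if (c !== "necessary" && choice[c] === true) allowed[c] = true;
    }
  }
  return { allowed, decidedAt: choice == null ? null : Date.now() };
}

// Decide for each pending element whether it may load. A category the
// banner does not know is treated as blocked (fail closed), never as "necessary".
function gate(pending, consent) {
  return pending.map((item) => ({ ...item, load: consent.allowed[item.category] === true }));
}

// DOM wiring (browser only): swap data-src into src for allowed elements.
// Returns the number of elements activated; 0 outside a browser.
function applyToDom(consent) {
  if (typeof document === "undefined") return 0;
  const pending = [...document.querySelectorAll("[data-consent][data-src]")].map((el) => ({
    el, category: el.dataset.consent, src: el.dataset.src,
  }));
  let loaded = 0;
  for (const d of gate(pending, consent)) {
    if (!d.load) continue; // placeholder stays, nothing is fetched
    if (d.el.tagName === "SCRIPT") {
      const s = document.createElement("script"); // type="text/plain" never executes,
      s.src = d.src;                               // so a real script element replaces it
      d.el.replaceWith(s);
    } else {
      d.el.src = d.src;
    }
    loaded++;
  }
  return loaded;
}
```

Call `applyToDom(consentFrom(choice))` once from the banner's button handlers and again on later visits with the stored choice; the stored choice itself belongs in a first-party, necessary cookie or localStorage entry.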
The better solution: not needing a cookie banner at all
There is an alternative to the cookie banner dilemma: build your website so that it sets no non-essential cookies at all. No tracking, no external fonts, no third-party embeds - then you need neither a banner nor a CMP. This saves money (CMP tools cost EUR 50-500 per month), improves load times, and makes GDPR compliance trivial.
Sounds unrealistic? gosign.de itself is the proof: zero cookies, zero banners, Lighthouse 100/100, full analytics via cookieless tools. What is behind it and how it can work for your website too - we explain in detail:
Website without cookie banner - here is how
GDPR, ePrivacy Directive, Digital Services Act - which law governs what?
Three regulatory layers, three areas of responsibility. For website operators, it is important to understand the differences - because violations of each can be sanctioned separately.
| Regulation | Governs | Website obligation |
|---|---|---|
| GDPR | Processing of personal data | Privacy policy, processing records, data subject rights |
| ePrivacy Directive | Access to end devices (cookies, fingerprinting) | Cookie consent before non-essential cookies |
| Digital Services Act | Information obligations for digital services | Legal notice with full provider details |
The GDPR is an EU regulation and applies directly. The ePrivacy Directive is transposed into national law in each member state (as TDDDG in Germany, PECR in the UK) and specifically regulates access to end devices. The Digital Services Act (DSA) updates platform and information obligations. All three apply in parallel - and all three must be satisfied.
Special case: charities and non-profit organisations
A common misconception: charities, associations, and non-profit organisations are exempt from the GDPR. This is not true. The GDPR applies to every organisation that processes personal data - regardless of legal form or purpose.
In practice, this means: the website of a community foundation, a charity, or a religious institution also needs a complete privacy policy, a compliant cookie banner, and a correct legal notice. The requirements are identical to those for commercial businesses.
There are, however, some organisational simplifications: organisations with fewer than 250 employees are not required to maintain complete processing records in certain cases. The obligations towards website visitors remain unaffected regardless of organisation size.
Charities often have websites with contact forms, newsletter sign-ups, and donation forms - all areas where particularly sensitive data is processed. A sound privacy policy is not just an obligation here but also a matter of trust with donors and funders. The technical foundation of the website also matters - a solid understanding of Schema.org and SEO basics helps to set up the website professionally.
Checklist: 8 points every website must satisfy
Regardless of industry, size, or legal form - these eight points are the minimum for every website operating in the EU.
Privacy policy present and up to date
Complete policy with all GDPR-mandated details. Review at least annually and update after legislative changes.
Legal notice (imprint) complete
Name, address, email, phone, authorised representatives, registration number (if applicable), VAT ID. On a separate page, reachable within two clicks.
Cookie consent banner with genuine opt-in
No pre-selected "Accept all". Equal options for consent and rejection. Non-essential cookies may only be set after consent.
SSL/TLS encryption active
The entire website must be reachable via HTTPS. Without encryption, form data is transmitted in plain text - a clear GDPR violation.
Contact forms with privacy notice
Every form needs a note about data processing and a link to the privacy policy. For sensitive data (job applications, health), a separate consent is required.
Data processing agreements (DPAs) in place
For every external service provider with access to personal data (host, email provider, analytics tools), a DPA must be in place. Without a DPA, the data processing is unlawful.
No uncontrolled third-party integrations
Host Google Fonts locally (not from Google servers). Embed YouTube videos only with a two-click solution. No external tracking pixels without consent. Every third-party connection must be documented in the privacy policy.
Accessible access to legal information
Privacy policy and legal notice must be accessible to everyone - including people with disabilities. Since June 2025, the European Accessibility Act requires digital accessibility for many websites.
What happens if you violate the GDPR?
The consequences of a GDPR violation are real and can be existential. The GDPR provides for fines of up to EUR 20 million or 4 percent of global annual turnover - whichever is higher. In practice, most fines for website violations range from EUR 5,000 to EUR 50,000, but the trend is upward.
In addition to fines, there are two other risks that occur more frequently in practice:
Cease-and-desist letters
Since the CJEU ruling on Google Fonts (2022), the number of cease-and-desist letters has increased significantly. Specialist lawyers and consumer protection organisations systematically review websites for GDPR violations. Cost per letter: EUR 500 to EUR 5,000 - plus your own legal costs.
Supervisory authority proceedings
Data protection supervisory authorities are increasingly proactive. A complaint to the authority is free for any visitor and triggers a formal review. This ties up internal resources and can lead to orders that must be implemented within tight deadlines.
The most important point: most website violations are easily avoidable. An up-to-date privacy policy, a functioning cookie banner, and a correct legal notice cost a fraction of what a cease-and-desist letter or fine costs. Prevention is not a question of budget but of priority.
Gosign is a Hamburg-based digital agency with 25 years of experience in web development, TYPO3, and AI integration. We review websites for GDPR compliance, implement privacy-compliant solutions, and support companies, foundations, and public-sector organisations in meeting all legal requirements.
Last updated: March 2026
Frequently asked questions about website data protection
Does every website need a privacy policy?
Yes, without exception. Since May 2018 (GDPR), every website that processes personal data - and every website does so simply through server log files - must have a complete privacy policy.
Is a simple cookie notice enough?
No. Under the ePrivacy Directive (implemented nationally as TDDDG in Germany, PECR in the UK, etc.), you need genuine consent before setting non-essential cookies. A simple banner with an OK button is not compliant.
Are charities exempt from the GDPR?
No. The GDPR applies to all organisations that process personal data - regardless of legal form. Charities and non-profits must also have a complete privacy policy.