Privacy Policy

Background information

Caution: As Base4NFDI does not give any binding legal advice, it is recommended to have the privacy policy checked by the institution’s responsible data protection officer.

A privacy policy must be provided by every website according to the law (Art. 12 GDPR/DSGVO). It must be accessible from every (sub)page of the website. We recommend linking it in the website footer.

A privacy policy is an informative document written for the users of a website (‘data subjects’). It informs about all personal data processing that occurs during the regular use of that website and beyond. Personal data is information that can be directly or indirectly used to identify a specific person, such as name, address, mail, ID-numbers, photos, location, or IP address (Art. 4(1) GDPR/DSGVO). There are specific regulations for so-called “special categories of personal data” such as data about religion, political opinions, health, genetics, race (Art. 9 GDPR/DSGVO).

A clear, easy-to-read, and accessible privacy policy not only ensures compliance but also fosters trust between the website and the users. Clearly state what ‘personal data’ includes in the privacy policy to help users understand what type of personal data is processed.

Privacy policies need to be up-to-date, and regularly reviewing privacy policies ensures compliance and protects against potential penalties. Any changes in data processing on a website require adjustments. This may be the case if, e.g.

  • external services processing personal data are added or discontinued, or their settings are changed
  • a new data protection officer is appointed
  • data processing principles change (e.g. change of data processing purposes)
  • the legal situation changes (e.g. national opening clauses)

Make sure that the privacy policy only reflects the specific jurisdiction(s) applicable to the website. Relevant law includes the General Data Protection Regulation (GDPR/DSGVO), the Federal Data Protection Act (Bundesdatenschutzgesetz - BDSG-neu), the applicable State Data Protection Laws (Landesdatenschutzgesetz - LDSG) as well as the Telecommunications and Telemedia Data Protection Act (Telekommunikations-Telemedien-Datenschutzgesetz - TTDSG) and the Digital Service Act (Digitale-Dienste-Gesetz - DDG).

Privacy policy generators usually only cover standard cases and default settings of third-party services, which need to be adjusted to the specific data processing. Also, using their content often requires a mandatory note with a link to the generator in the privacy policy. It is always good practice to have the generated policy reviewed by a privacy specialist.

Privacy policy content and structure

Art. 13 and 14 GDPR/DSGVO determine what information a privacy policy needs to provide.

Consequently, a privacy policy roughly consists of two parts:

  • General information sections informing about data protection along with rights (chap. 3 GDPR/DSGVO) and contact options the website users (‘data subjects’) have regarding their personal data and its collection on the website.
  • Sections informing about external data processing by third parties (one paragraph per service) on the website. These sections are necessary only for services that are integrated into the website. However, there are obligations for the content of these paragraphs, which are explained below.

The privacy policy template comes with an adjustable structure and content as well as examples for paragraphs on external data processing. Please skip third-party processing content and examples if no third-party data processing is involved.

General information, mandatory:

  • General information on data protection and the related use of the website
  • Legal basis and purpose(s) of data processing by the data controller (website operator) & third parties (see Art. 6 GDPR/DSGVO)
  • Rights of and contact options for data subjects (e.g. contact details of responsible data controller and data protection officer)
  • Information that privacy policy is subject to change
  • Explanation of terms if necessary (see Art. 4 GDPR/DSGVO)

External data processing by third parties, mandatory only if applicable:

  • Cookies
  • Server log files
  • CMS (e.g. WordPress) / static site generator
  • Fonts (e.g. Google Fonts)
  • Contact options (e.g. via mail, contact form)
  • Interactive elements (e.g. comment fields)
  • Newsletter (incl. CAPTCHA, tracking)
  • Tracking & Analytics Tools (e.g. Matomo, Google Analytics, Google Adwords)
  • Maps (e.g. OpenStreetMap, Google Maps)
  • Plugins and other website extensions (e.g. social media, Open Project)
  • APIs
  • Account creation & login

Likewise, paragraphs on external data processing must satisfy the information requirements stated in Art. 13/14 GDPR/DSGVO if that information is not given elsewhere in the privacy policy. This typically includes, but is not limited to, the following information:

  • Name (and address) of the service provider
  • Legal basis and purpose of data collection (see Art. 6 GDPR/DSGVO; as purpose e.g. receiving the newsletter)
  • Scope of the processing of personal data
    • Type of data processing (e.g. collection, recording, structuring, storage, adaptation, alteration, retrieval, …)
    • Types of personal data collected (enumeration, e.g. name, address, IP address, …)
    • Data source (if data is not provided by the data subject)
    • Duration and location of data storage/servers (e.g. Germany/EU/other countries)
    • Data recipient
    • Mention of any data processing agreement (German: Auftragsverarbeitungsvertrag) with the service provider
    • Enumeration and consequences of further integrated data collection as part of the service (e.g. reCAPTCHA, newsletter tracking)
  • Instructions on how to object to the collection of personal data (lowest possible effort, e.g. provide a link or checkbox) along with possible consequences/disadvantages for the data subject
  • It is a good practice to use features such as an easy opt-out mechanism for cookies or data deletion to simplify compliance and improve user satisfaction
  • Link to the privacy policy of the service provider for further information

The Data Protection Authorities recommend using non-technical, user-friendly language and formatting so that users better understand their rights and the website’s privacy practices.

Data processing principles

If personal data is collected and processed (e.g. if the website offers users a way to actively provide personal data), the following data processing principles should be kept in mind:

  • Lawfulness, fairness and transparency (Art. 5(1a) GDPR/DSGVO)
    • “Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject”
    • What that means: Always make all personal data processing transparent and easy to understand, e.g. in the privacy policy.
  • Purpose limitation (Art. 5(1b) GDPR/DSGVO)
    • “Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes”
    • What that means: All purposes regarding data processing on the website have to comply with the regulations in Art. 6 GDPR/DSGVO and need to be specified in the privacy policy. As they are the legal basis for personal data processing, it is required to strictly adhere to them. Special regulations may apply for scientific research purposes (see Art. 89(1) GDPR/DSGVO).
  • Data minimisation (Art. 5(1c) GDPR/DSGVO)
    • “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”
    • What that means: One may only collect a minimum set of data that is necessary to fulfil the respective data processing purpose. The collection of further data requires consent from the data subject.
  • Accuracy (Art. 5(1d) GDPR/DSGVO)
    • “Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.”
    • What that means: Always keep stored personal data accurate and up-to-date. Inaccurate data needs to be corrected or deleted.
  • Storage limitation (Art. 5(1e) GDPR/DSGVO)
    • “Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject.”
    • What that means: Only store personal data as long as necessary to fulfil the processing purpose. Therefore, define and implement time limits for erasure. Statutory storage obligations (‘gesetzliche Aufbewahrungspflichten’) may apply.
  • Integrity and confidentiality (Art. 5(1f) GDPR/DSGVO)
    • “Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
    • What that means: Use technical and organisational measures such as encryption, regular security updates and access controls to ensure secure data processing.

Additionally, keep the following regulations in mind:

  • Rights of the data subject (chap. 3 GDPR/DSGVO)
    • Data subjects have certain rights regarding their personal data, given in chap. 3 GDPR, that also need to be transparently communicated in the privacy policy or when requesting consent. Data subjects can exercise these rights at any time.
    • Comment: When creating a privacy policy, it’s important to have a clear process in place from the start for handling requests related to personal data. This includes knowing what data is stored, how it can be accessed, and how it can be deleted. Rather than waiting for a user request, this procedure should be established at the time the privacy policy is written, ensuring everything is ready for action if and when needed.
  • Conditions of consent (Art. 7/8 GDPR/DSGVO)
    • If data subjects are asked for consent to process their personal data, one needs to be able to demonstrate that this consent was given (e.g. in written form). Consent requests must be written in clear and plain language. Consent can be withdrawn by the data subject at any time, and the withdrawal must be as easy as giving consent. Children can give consent from the age of 16.
  • Processing of special categories of personal data (Art. 9 GDPR/DSGVO)
    • The processing of personal data revealing racial/ethnic origin, political opinions, religious/philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is only legitimate under certain conditions, given in Art. 9 GDPR.
  • Data protection by design and by default (Art. 25 GDPR/DSGVO)
    • The technical design must incorporate GDPR regulations so that the rights of the data subject are protected at all times. When asking for data entry or consent, it is required to have user-friendly default settings that ask only for the minimum data necessary to fulfil the respective data processing purpose (e.g. “no” as default, single click to deselect all options).
  • Communication of a personal data breach to the data subject (Art. 34 GDPR/DSGVO)
    • In case of a personal data breach, respective data subjects need to be notified under certain conditions, described in Art. 34 GDPR.

For further guidance on the language of the privacy policy and interpretation of GDPR please refer to the guidelines below by the European Data Protection Board (EDPB):

The Privacy Policy Template will be sent to the basic service teams separately.