Skip to main content
Digitization in the SME sector

The 10 most serious GDPR mistakes and how you can avoid them as a website operator

By 26. March 2024July 12th, 2024No Comments3 min read
Privacy Policy

The 10 most serious GDPR mistakes and how to avoid them

1. Insufficient imprint:

In accordance with the provider identification requirement in Section 5 of the Telemedia Act, every website operator is responsible for providing a complete legal notice. This includes information such as first name, last name, street, zip code and place of residence in order to make the necessary information accessible to visitors and potential contractual partners.

2. Lack of data protection declaration:

A clear data protection declaration is essential to inform visitors about the collection and processing of personal data. All collected data, including IP addresses, browser data, cookies and analysis tools such as Google Analytics, should be presented transparently. In addition, the visitor should be given the opportunity to influence the use of data.

3. Missing cookie notice:

The GDPR and ePrivacy Directive impose the obligation to obtain the user’s express consent before setting cookies. A so-called cookie notice when the website is first visited allows the visitor to select and agree to the desired cookies.

4. Non-anonymous tracking:

The use of tracking tools such as Google Analytics requires secure anonymization of the transmitted data. Even if you agree to tracking, the user cannot be identified.

5. Missing order processing:

According to the GDPR, it is mandatory to agree on a contract for data processing with all service providers who store personal data. This contractual regulation documents responsible data processing by external service providers.

6. Incorrect contact forms:

The encryption of contact forms via HTTPS as well as a clear reference to the data protection declaration are required. In addition, a checkbox in the contact form can contribute to consent to data processing.

7. Non-encrypted data transmission:

All data, especially personal data, must be transmitted in encrypted form. Converting the entire website to SSL (HTTPS) ensures secure transmission.

8. Facebook pixel without consent:

The integration of the Facebook pixel for social media campaigns should only take place after the prior consent of each user. The Borlabs Cookie Plugin helps to ensure data protection-compliant integration.

9. YouTube videos and embeds without consent:

Embedding YouTube videos and other “embeds” should only take place after the visitors’ express consent in order to prevent the transmission of personal data.

10. Insecure hosting:

Choosing a secure hosting provider with clear privacy policies and encrypted servers is crucial to fully protecting the website and the data stored on it.


The GDPR has significantly tightened the requirements for website operators. Compliance with the measures mentioned and the use of tools such as the cookie box make it easier to implement a data protection-compliant website.

However, continuous reviews and adjustments are essential in the dynamic data protection environment in order to minimize legal risks.


Author Lea

Lea's extensive practical experience enriches our team with new perspectives and innovative methods, especially in the areas of SEO, website analysis and GDPR compliance. Her studies as a business IT specialist enable her to build a bridge between technical solutions and economic requirements - a combination that is crucial when supporting our medium-sized customers. This specialized knowledge is fundamental to advancing our digital projects.

More posts by Lea