Digitisation in medium-sized businesses

The 10 most serious GDPR mistakes and how you can avoid them as a website operator

By Lea · Published 26 March 2024, updated 16 April 2024 · 3 min read · Category: Privacy Policy

The 10 most serious GDPR mistakes and how to avoid them

1. Insufficient legal notice (imprint):

Under the provider identification requirement in Section 5 of the Telemedia Act, every website operator must provide a complete legal notice. It has to include the operator's first name, last name, street address, postal code and city, so that visitors and potential contractual partners can find the information they are entitled to.

2. Missing privacy policy (data protection declaration):

A clear privacy policy is essential to inform visitors about which personal data is collected and how it is processed. All collected data, including IP addresses, browser data, cookies and analytics tools such as Google Analytics, should be presented transparently. In addition, visitors should be given a way to influence how their data is used.

3. Missing cookie notice:

The GDPR and the ePrivacy Directive require the user's express consent before cookies are set. A so-called cookie notice shown on the first visit lets the visitor choose which cookies they agree to.

4. Non-anonymous tracking:

Tracking tools such as Google Analytics may only be used if the transmitted data is reliably anonymized. Even where the user has consented to tracking, the collected data must not make the user identifiable.

5. Missing data processing agreement:

The GDPR makes it mandatory to conclude a data processing agreement with every service provider that stores personal data on your behalf. This contract documents that the external provider handles the data responsibly and on your instructions.

6. Incorrect contact forms:

Contact forms must be submitted over an encrypted HTTPS connection and must carry a clear reference to the privacy policy. In addition, a checkbox in the form can be used to record the visitor's consent to the processing of their data.

7. Non-encrypted data transmission:

All data, and personal data in particular, must be transmitted in encrypted form. Switching the entire website to TLS/SSL (HTTPS) ensures secure transmission.

8. Facebook pixel without consent:

The Facebook pixel used for social media campaigns should only be loaded after each user has given prior consent. The Borlabs Cookie plugin helps to integrate it in a data protection-compliant way.

9. YouTube videos and embeds without consent:

YouTube videos and other "embeds" should only be loaded after the visitor's express consent, since the embedded content otherwise transmits personal data to the third party as soon as the page opens.
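One way to hold back the pixels and embeds from points 3, 8 and 9 until consent exists, as an added example that is not code from the original post or from the Borlabs plugin; the consent categories, loader names and the data-consent-src attribute are assumptions:

```javascript
// Added example (not the original post's code): a consent gate that defers
// third-party loaders until the visitor grants the matching category.
const CATEGORIES = ["necessary", "statistics", "marketing"];

function createConsentGate(initialConsent = []) {
  const loaders = [];                           // { name, category, run }
  const granted = new Set(["necessary", ...initialConsent]);
  const executed = new Set();                   // every loader runs at most once

  function runEligible() {
    for (const l of loaders) {
      if (granted.has(l.category) && !executed.has(l.name)) {
        executed.add(l.name);                   // mark first: no double injection
        l.run();
      }
    }
  }

  return {
    // Registers a loader; it runs right away only if consent already exists.
    register(name, category, run) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
      loaders.push({ name, category, run });
      runEligible();
    },
    // Called by the cookie banner with the categories the visitor accepted.
    grant(categories) {
      for (const c of categories) granted.add(c);
      runEligible();
    },
    hasConsent: (category) => granted.has(category),
    executedLoaders: () => [...executed],
  };
}

// Marketing loader for embeds: the real video URL is kept in the assumed
// data-consent-src attribute, so nothing is requested from YouTube before opt-in.
// Returns the number of placeholders activated (0 outside a browser).
function activateEmbeds() {
  if (typeof document === "undefined") return 0;
  const placeholders = document.querySelectorAll("[data-consent-src]");
  for (const el of placeholders) {
    const iframe = document.createElement("iframe");
    iframe.src = el.dataset.consentSrc;
    el.replaceWith(iframe);
  }
  return placeholders.length;
}
const gate = createConsentGate();              // page load: nothing runs until grant()
gate.register("youtube-embeds", "marketing", activateEmbeds);
```

Revoking consent later cannot undo a loader that already ran, so the gate should be combined with deleting the relevant cookies and reloading the page.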

10. Insecure hosting:

Choosing a secure hosting provider with a clear privacy policy and encrypted servers is crucial to protecting the website and the data stored on it.


The GDPR has significantly tightened the requirements for website operators. Implementing the measures above and using tools such as a cookie consent box make it easier to run a data protection-compliant website.

However, data protection is a moving target, so continuous reviews and adjustments are essential to minimize legal risks.


Author: Lea

Lea's extensive practical experience enriches our team with new perspectives and innovative methods, particularly in SEO, website analysis and GDPR compliance. Her degree in business informatics allows her to bridge technical solutions and business requirements, a combination that is crucial when supporting our medium-sized clients. This specialized knowledge is fundamental to driving our digital projects forward.
