Legally Compliant Imprint & Data Protection for Your Website

Andreas Straub • Mar 18, 2026

11 mins Read Time

A correct legal notice and properly implemented data protection are mandatory for every website. This article shows what is important and how websites can be set up to be legally compliant from the outset.


Key Takeaways

  • An imprint is mandatory: Commercially used websites need a complete provider identification under §5 DDG, the successor norm to the old §5 TMG since May 2024.
  • Data protection from the first form: As soon as personal data is processed, the duty to inform under Art. 13 GDPR applies.
  • Cookies only with consent: Tracking and marketing cookies require prior consent under §25 TDDDG.
  • Fines are real: Breaches of the GDPR duty to inform fall into the upper fine tier of up to 20 million euros or 4% of global annual turnover (Art. 83 GDPR).

A legally compliant imprint (Impressum) and a clean privacy policy are not optional extras. They are a legal duty for almost every commercially used website. Since May 2024, the basis has been the Digital Services Act (Digitale-Dienste-Gesetz), which in §5 DDG took over the earlier requirements of the Telemedia Act. Anyone who cuts corners here risks formal warning letters and fines. This article shows which details are mandatory, when a privacy policy applies, and where the costly traps lie.

With a new website, the design usually takes center stage. Looks and user guidance matter, no question. But success or risk is decided by two legal building blocks that rarely get attention: the provider identification and the handling of personal data. Both stay invisible until something goes wrong. Then they become very visible and very expensive.

What must a legally compliant imprint contain under §5 DDG?

A legally compliant imprint must clearly name who stands behind a website. The mandatory details are governed by §5 DDG, the successor norm to the still often cited §5 TMG since 14 May 2024. The Telemedia Act was replaced, but the substance of the duty stayed almost the same. Many templates online lag behind here.

These mandatory details belong in the imprint

The provider identification includes the name or company name with legal form, a valid postal address where documents can be served, and quick contact options. A post office box is not enough. An email address is mandatory, plus a second, fast channel such as a phone number. Depending on the company type, a register entry, register number, and the VAT identification number under §27a UStG are added.

Regulated professions have additional duties. Physicians, lawyers, architects, or tax advisors must state their chamber, professional title, and the competent supervisory authority. For journalistic and editorial offerings, a responsible person under §18(2) MStV must also be named. Sounds like detail work. It is.

Reachability: two clicks, two channels

Reachability is precisely regulated too. The imprint must allow immediate and efficient contact. Case law often finds a plain email address insufficient, because it does not guarantee a fast response. A second channel, such as a phone number or a promptly handled contact form, closes that gap. It is also important that the imprint can be reached from every page in no more than two clicks and is clearly labeled as such. Hidden links or vague labels like "Info" do not satisfy the duty.

From numerous mid-market projects at Evelan, I know that the valid postal address and the second contact channel are exactly what regularly go missing. Both are easy targets.

Why copied templates are risky

A common misconception: that the imprint is done with a name and an email. In reality, the scope depends on legal form and activity. A sole proprietor needs fewer details than a GmbH with a commercial register entry. An online shop has different duties than a pure company presence. Anyone who copies content from another project almost always carries over details that do not fit and forgets ones that are missing. That is precisely what makes the imprint vulnerable.

The following table summarizes the central mandatory details under §5 DDG and shows who they apply to.

Mandatory detail                                           Applies to
Name or company name plus legal form                       All commercial providers
Valid postal address, no post office box                   All commercial providers
Email plus a fast contact option                           All commercial providers
Authorized representative                                  Legal entities such as GmbH or UG
Commercial or association register plus register number    Registered companies and associations
VAT identification number under §27a UStG                  Providers with a VAT ID
Chamber, professional title, supervisory authority         Regulated professions
Responsible person under §18(2) MStV                       Journalistic and editorial offerings

Anyone planning a new website should clarify these points early. In our website projects, we check the mandatory details to match the legal form and industry, instead of dropping in a standard template.

When does a website need a privacy policy?

A privacy policy becomes due as soon as personal data is processed. The duty to inform follows from Art. 13 GDPR. In practice, that is almost always the case. A single contact form, server log files, or the IP address on page load is already enough.

When personal data arises

Personal data arises earlier than many people think. Newsletter signup, embedded maps, fonts from third-party servers, analytics tools, social media buttons: all of this processes data. Each of these functions needs its own assessment and a matching section in the privacy policy.

Even the mere loading of a page triggers processing. The server stores the IP address, the time, and the browser used. These log files are technically sensible, for example to fend off attacks, but they are legally relevant. They too belong in the privacy policy, with the purpose, legal basis, and retention period stated. Anyone who describes only the obvious forms has already made the policy incomplete.


What belongs in the privacy policy

The policy must explain in an understandable way which data is processed, for which purpose, and on which legal basis. Details on retention period, recipients, and the rights of data subjects are also mandatory. These include access, rectification, erasure, and objection. A copied template rarely covers these points in full.

In projects with B2B clients, I regularly see privacy policies that describe a tool which was swapped out long ago. That very gap between text and technology is the expensive mistake. A well-maintained website keeps both in sync.

External services and ongoing maintenance

It gets especially demanding with external services. A map service transmits data to a third-party provider as soon as it loads, often to countries outside the EU. Web fonts, video embeds, and social media plugins work the same way. Each of these transfers needs a legal basis and a note in the privacy policy. If it is missing, a breach of the duty to inform is quickly at hand.

Maintenance is part of it too. A privacy policy is not a one-time document. It ages with every new tool, every feature addition, and every change in the law. Anyone who writes it once and then forgets it often has, after a year, a document that no longer reflects the reality of the website.

What role do cookies and consent play?

Cookies that are not strictly technically necessary may only be set after active consent. This is required by §25 TDDDG, the successor norm to the former TTDSG. For analytics, marketing, and tracking cookies, that means no setting before consent is given.

A technically effective cookie banner

A cookie banner must therefore work correctly on a technical level, not just visually. If an analytics script loads before the click on "Accept," the consent is worthless. Pre-checked boxes are not permitted. Declining must be just as easy as agreeing.

This is the point where many banners fail. They look clean but still fire the scripts immediately. We therefore integrate tracking and marketing tools so that they only start after consent.
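The technical failure described above usually comes from a static script tag in the page's HTML, which the browser executes on load no matter what the banner shows. The gate below is an added example, not Evelan's code and not part of the original article: non-essential tools are registered under a consent category and queued, and a script is only handed to the loader once the visitor has actively granted that category. The category names ("analytics", "marketing"), the loader callback, and the script URLs in the usage call are assumptions chosen for illustration.

```javascript
// Added example (not Evelan's code): a consent gate that defers non-essential
// third-party scripts until the visitor has actively opted in.
// Category names and the loader callback are assumptions for this example.

const NON_ESSENTIAL = ["analytics", "marketing"];

// Browser loader: injects a <script> tag only when called. Used by default
// when the gate runs in a page; tests and server code pass their own loader.
function domScriptLoader(src) {
  const el = document.createElement("script");
  el.src = src;
  el.async = true;
  document.head.appendChild(el);
}

function createConsentGate(loadScript = domScriptLoader) {
  // Nothing is pre-checked: every category starts as "not consented".
  const consent = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  // Scripts registered before consent wait here instead of loading.
  const pending = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, []]));
  const loaded = [];

  function load(src) {
    if (loaded.includes(src)) return; // never inject the same tag twice
    loaded.push(src);
    loadScript(src);
  }

  return {
    // Register a tool under a category. Without consent it is queued, not loaded.
    register(category, src) {
      if (!(category in consent)) throw new Error(`unknown consent category: ${category}`);
      if (consent[category]) load(src);
      else pending[category].push(src);
    },
    // "Accept" handler: flush the queue for the granted categories only.
    grant(categories) {
      for (const c of categories) {
        if (!(c in consent)) continue;
        consent[c] = true;
        while (pending[c].length) load(pending[c].shift());
      }
    },
    // "Decline" handler: one call with no arguments refuses everything, so
    // declining is as easy as accepting. A script that already ran cannot be
    // unloaded; withdrawal stops every future load in that category.
    deny(categories = NON_ESSENTIAL) {
      for (const c of categories) if (c in consent) consent[c] = false;
    },
    state() { return { ...consent }; },
    loadedScripts() { return loaded.slice(); },
  };
}

// Usage with a recording loader (constructed sample URLs, no network access).
function demo() {
  const calls = [];
  const gate = createConsentGate((src) => calls.push(src));
  gate.register("analytics", "https://analytics.example/tag.js");
  gate.register("marketing", "https://ads.example/pixel.js");
  const beforeClick = calls.length;            // 0: nothing fired on page load
  gate.grant(["analytics"]);                   // visitor accepted analytics only
  const afterAnalytics = calls.length;         // 1: marketing pixel still waits
  return { beforeClick, afterAnalytics, calls };
}
```

In a real page the two handlers are wired to the banner's "Accept" and "Decline" buttons, and every analytics or marketing snippet is passed through `register` instead of being written into the HTML. Storing the granted categories (for example in a first-party cookie or localStorage) and replaying them through `grant` on the next visit is the usual extension, but it stays outside this example.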

Banner and privacy policy belong together

The separation between cookie consent and the privacy policy matters. One does not replace the other. The banner governs whether a non-essential cookie may be set at all. The privacy policy explains, beyond that, which data is then processed and how. Both levels must be present and must fit together. A banner without a matching policy is just as full of gaps as a policy without an effective banner.

What does a faulty imprint or a GDPR breach cost?

The range runs from a formal warning letter to a fine in the millions. Breaches of the duty to inform under Art. 13 GDPR fall into the upper fine tier: up to 20 million euros or 4% of global annual turnover, whichever is higher (Art. 83 GDPR). That is the statutory ceiling, not the usual case.

The warning letter hits SMEs more often

More often than a fine, small and medium operators are hit by the formal warning letter (Abmahnung). Missing or incomplete imprints are among the most common grounds for warnings under German competition law. A single warning letter causes lawyer fees, cease-and-desist declarations, and, in case of repetition, contractual penalties.

The process is unpleasant for those affected. A competitor, a consumer protection association, or a trade body identifies the breach and sends a lawyer's letter. It demands a cease-and-desist declaration with a penalty clause, plus reimbursement of legal fees. Whoever signs is bound. Every renewed breach then triggers a contractual penalty, often in the four-figure range. Whoever does not respond risks a preliminary injunction with further costs. In both cases, the effort is far higher than the effort for clean preparation.

The second damage: lost trust

Beyond the direct costs, there is a second kind of damage that is harder to quantify: loss of trust. A website that explains its data transparently and clearly names who is behind it comes across as serious. Visitors are more likely to fill out a form or send an inquiry. If that clarity is missing, uncertainty arises, even when no one sends a warning. Legal compliance is therefore not only protection but also a conversion factor.

On top of that comes time pressure. Warning letters often set short deadlines, sometimes only a few days. Anyone who only then starts looking for a lawyer quickly comes under stress and makes worse decisions under pressure. Clean preparation shifts this effort to a point where there is enough time to think.

The effort for a clean solution is out of all proportion to the risk. A correct imprint is created in a few hours. A warning letter costs money, nerves, and time, and in case of repetition the contractual penalty remains a lasting burden.


How often must the imprint and privacy policy be updated?

There is no fixed deadline, but a clear trigger: every change to data or technology. As soon as the legal form changes, a new tool is added, or a service provider is swapped, the texts must be adjusted. This also applies retroactively when laws change, as with the switch from TMG to DDG.

Two occasions for an update

In practice, this means two occasions. First, every concrete event, such as a new feature or a move. Second, a regular routine check, ideally once a year. It examines whether the described tools are still active, whether new ones have been added, and whether the legal situation has changed.

The gradual changes in particular get overlooked. A marketing team adds a new tracking pixel without anyone touching the privacy policy. Weeks later the text no longer matches reality. Anyone who assigns responsibilities clearly avoids this gap. With ongoing support, we take over this check and update the texts as soon as anything on the website changes.

Why does professional implementation make the difference?

Imprint, data protection, and cookie topics seem simple but are among the most common legal weak points of a website. A single forgotten mandatory detail or a wrongly integrated tool is enough for a warning letter. Laws change, and the renaming from TMG to DDG and from TTDSG to TDDDG shows this clearly.

Three building blocks, one solution

We treat these three areas as connected building blocks. The imprint is created to match the legal form. The privacy policy mirrors exactly the tools in use. The cookie banner collects consent in a technically effective way. If a tool changes, the text is updated along with it.

The lever lies in timing

The biggest lever lies in timing. If the imprint and data protection are only created shortly before launch, they rarely match the finished technology. We therefore clarify the mandatory details and the tools in use early in the project, in parallel with development. That way no gap arises between what the website does and what it says about itself.

For you, this means one thing above all: relief. You do not have to work your way through legal texts. Our web design agency in Hamburg takes over the legally clean implementation from the start and keeps it current.

From Evelan's Practice

A north German car rental company came to us with an outdated website. Online booking was planned, along with a range of external services: a map service for the stations, a payment service provider, and several analytics tools. The old imprint named only an email, and the data protection text described not a single one of these tools.

We completed the provider identification under §5 DDG, adapted the privacy policy to every integrated third-party application, and wired up the cookie banner so that payment and analytics scripts only start after consent. The result: a booking flow that processes data cleanly, without the operators having to rework the texts themselves with every new tool. No relaunch needed, just a legally sound foundation.

Conclusion: A legally compliant imprint as the foundation of every serious website

A complete imprint under §5 DDG and a privacy policy that matches the website's functions are the legal basis of every commercial website. They protect against warning letters and fines, and they build trust with visitors. Anyone who plans both from the start builds on solid ground. Anyone who patches it afterward usually pays extra. Imprint, data protection, and cookie consent only mesh reliably when text and technology fit together and are maintained.

This article provides general information on the legal situation and does not replace legal advice in an individual case. For a binding review of your specific situation, please consult a law firm specialized in IT and data protection law.

Frequently Asked Questions

Purely private sites without a commercial purpose do not need a complete imprint under §5 DDG. However, as soon as a business intent is recognizable, for example through advertising, affiliate links, or a commercial offer, the imprint duty applies. In case of doubt, the line should be drawn narrowly.
