Legally Compliant Website: The Practical Guide

Andreas Straub • Mar 23, 2026

12 mins Read Time

A legally compliant website can only be created when data protection, technology, and security work together seamlessly. This guide shows what really matters and where typical risks lie.
Managing director on a laptop reviewing the GDPR compliance of a company website with cookie banner and privacy policy.


Key Takeaways

  • Legal compliance is a system, not a checkbox: Data protection, mandatory disclosures, technical safeguards and ongoing maintenance have to work together. A privacy policy on its own does not protect you.
  • Cookie banners require active consent: The CJEU "Planet49" ruling and § 25 TTDSG require a genuine opt-in decision before any tracking script loads.
  • Cyber risks are real: According to Bitkom Wirtschaftsschutz 2024, 81% of German companies were affected in the past twelve months. Total damage: 266.6 billion euros.
  • Fines also hit mid-market firms: Under Art. 83 GDPR, penalties of up to 20 million euros or 4% of global annual revenue are possible.

A legally compliant website is not a one-off configuration; it is an ongoing state. You reach it when data protection, mandatory disclosures, technical security and maintenance interlock cleanly. The Bitkom Wirtschaftsschutz 2024 study shows how serious the situation is: 81% of German companies were affected by data theft, espionage or sabotage within twelve months. This guide spells out what really matters: the legal foundations, the typical cookie-banner pitfalls, the technical duties under Art. 32 GDPR, and the ongoing tasks of a good website agency.

What makes a website legally compliant?

A website is legally compliant when all relevant requirements are met at the same time: GDPR, TTDSG, the new Digital Services Act (DDG), and competition-law duties. Art. 5 GDPR anchors six core principles, from lawfulness and purpose limitation through to data minimisation. Skip a single building block and you have a problem.

Many websites handle individual points flawlessly and fail on the rest. A perfectly drafted privacy policy is no protection if a tracking script sends data to a US server on page load. A polished cookie banner is worthless if the "reject" option is technically ignored. Compliance is not a checkbox; it is a state that can be verified.

Mandatory disclosures as the foundation

On top of that come formal obligations. § 5 of the Digital Services Act (DDG), which replaced § 5 TMG in May 2024, requires a full legal notice (Impressum) for every commercial online presence. Every website also needs a privacy policy under Art. 13 GDPR. Both have to be easy to find, up to date and accurate.

In B2B projects at Evelan I keep seeing the same pattern: two duties sit cleanly, three tip over. The Impressum is correct, the privacy policy is generic. Or the texts are spotless, but the server configuration falls in twenty minutes during a pen-test. Legal compliance is therefore not a purely legal topic. It is a cross-cutting discipline between law, technology and process.

The building blocks of a legally compliant website include in particular:

  • GDPR-compliant handling of personal data
  • legally sound cookie consent management
  • technically secured server and website structures
  • transparent user information
  • ongoing monitoring and maintenance

Which data protection duties apply to every website?

As soon as a web presence processes personal data, the GDPR applies, and that happens in practice every time. Even an IP address in a server log is personal data. Art. 13 GDPR lists 13 mandatory items that every privacy policy must contain, from the controller and legal basis through to data-subject rights.

Legal basis and consent

The key question is always: on what legal basis are data processed? Art. 6(1) GDPR names six options; in practice three dominate: consent (lit. a), contract (lit. b) and legitimate interest (lit. f). For contact forms, legitimate interest plus information often suffices. For tracking cookies, newsletters and third-party web fonts you need active consent; otherwise the processing is simply unlawful.

Processors and fines

Processor relationships are often overlooked too. Anyone using tools such as Mailchimp, HubSpot or an external host concludes a data processing agreement (DPA) under Art. 28 GDPR. Without a DPA, the basis is missing. The annual reports of the BfDI (Germany's Federal Data Protection Commissioner) show year after year that missing or outdated DPAs are among the most common findings.

The penalty range is severe. Art. 83(5) GDPR allows fines of up to 20 million euros or 4% of global annual turnover in the previous financial year, whichever is higher. The GDPR Enforcement Tracker by CMS Hasche Sigle collects publicly known proceedings across Europe and now counts several thousand cases. Mid-sized companies usually land in the four- to six-figure range. So this hits more than just large corporations.

One frequently underestimated risk is international data transfer. As soon as a website embeds Google Analytics, Google Fonts via CDN, YouTube embeds, the Meta Pixel, Calendly or a US CRM, personal data potentially leaves the EU. Following the CJEU ruling C-311/18 Schrems II of 16 July 2020, Privacy Shield is invalid; its successor, the EU-US Data Privacy Framework, has been in force since July 2023 but is legally contested. In practice that means standard contractual clauses, a transfer impact assessment and, where in doubt, doing without the service. Anyone who documents nothing here will fail the first supervisory review.

When is a cookie banner GDPR-compliant?

A cookie banner is GDPR-compliant when it obtains genuine, free and informed consent before any non-essential script loads. The benchmark is § 25 TTDSG combined with Art. 7 GDPR. Since December 2021, § 25 TTDSG has required active consent for any access to information on a user's device. Pre-ticked boxes are invalid.

This line is confirmed at the highest judicial level. In case Planet49 (C-673/17), the CJEU ruled on 1 October 2019 that pre-selected checkboxes do not constitute valid consent. The German Federal Court of Justice followed with the Cookie-Einwilligung II ruling (I ZR 7/16) on 28 May 2020. Anyone still using opt-out banners in 2026 is ignoring seven years of case law.

The supervisory authorities have made the standard concrete. The Guidance of the German Data Protection Conference on telemedia of 20 December 2021 requires a "Reject" button on the first banner level, designed with the same visual weight as the "Accept" button. Dark patterns, for example green accept and grey reject, count as inadmissible influence. Pre-ticked checkboxes in the detail view are invalid.

Person at a laptop with shield and checklist icons on a transparent surface

Typical weak spots in practice

Concretely that means: no tracking pixel before the click. No Google Fonts via CDN without consent. No YouTube embed in "public" mode if even the trailer opens a connection to doubleclick.net. Across roughly 60 mid-market projects we audited at Evelan over the past few years, faulty consent handling was by far the most frequent compliance breach, more common than flawed privacy policies.

Six criteria for a robust consent solution

A technically robust consent solution meets six criteria at once:

  • It loads itself without trackers.
  • It offers "Accept", "Reject" and "Settings" at the same hierarchy level.
  • It differentiates by categories such as strictly necessary, statistics, marketing and external content.
  • It logs every decision with a timestamp and the banner version.
  • Scripts are loaded server-side only after consent.
  • Consent can be revoked at any time via a visible "Cookie settings" link.

Tick all six and you are ahead of the field.
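As an added illustration that is not part of the original article and not Evelan's own tooling, the following JavaScript models these six criteria as a small consent gate: the initial state contains only the strictly necessary category, every decision is appended to a log with its timestamp and the banner version the user saw, and third-party scripts are resolved from a registry only for accepted categories. The criterion of loading scripts only after consent is modelled here as a client-side gate with an injectable loader (a server-side variant would make the same decision before rendering the page); the script ids, categories and URLs are constructed.

```javascript
// Added example (not from the original article): a minimal consent gate that
// models the six criteria above. Script ids, categories and URLs are constructed.

const CATEGORIES = ["necessary", "statistics", "marketing", "external"];

// Constructed registry: every non-essential third-party script is tagged with the
// consent category that governs it and is never loaded before that category is accepted.
const SCRIPT_REGISTRY = [
  { id: "analytics", category: "statistics", src: "https://analytics.example/tag.js" },
  { id: "ad-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
  { id: "video-embed", category: "external", src: "https://video.example/embed.js" },
];

// Criterion 1: the banner itself carries no trackers, so the initial state holds
// only the strictly necessary category and an empty decision log.
function initialConsent(bannerVersion) {
  return {
    bannerVersion,
    categories: { necessary: true, statistics: false, marketing: false, external: false },
    log: [],
  };
}

// Criteria 3 and 4: apply a per-category decision and append a log entry carrying
// the timestamp and the banner version the user saw. `now` is injectable so the
// record is reproducible in tests; "necessary" can never be switched off.
function recordDecision(consent, choices, now = new Date()) {
  const categories = { ...consent.categories, necessary: true };
  for (const [category, value] of Object.entries(choices)) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (category !== "necessary") categories[category] = Boolean(value);
  }
  const entry = {
    timestamp: now.toISOString(),
    bannerVersion: consent.bannerVersion,
    categories: { ...categories },
  };
  return { ...consent, categories, log: [...consent.log, entry] };
}

// Criterion 2: "Accept" and "Reject" are two decisions of equal rank, not a default
// plus an exception. Both go through the same logging path.
function acceptAll(consent, now) {
  return recordDecision(consent, { statistics: true, marketing: true, external: true }, now);
}

function rejectAll(consent, now) {
  return recordDecision(consent, { statistics: false, marketing: false, external: false }, now);
}

// Criterion 6: revocation via the "Cookie settings" link is just a later decision
// that switches the optional categories off; the earlier entries stay in the log.
function revokeConsent(consent, now) {
  return rejectAll(consent, now);
}

// Criterion 5: only scripts whose category has been accepted are eligible to load.
function scriptsToLoad(consent) {
  return SCRIPT_REGISTRY.filter((script) => consent.categories[script.category] === true);
}

// Hand the eligible scripts to a loader. The loader is injectable so the gate can be
// exercised without a browser; the default inserts <script> tags when a DOM exists.
function loadAllowedScripts(consent, loader = insertScriptTag) {
  const allowed = scriptsToLoad(consent);
  allowed.forEach(loader);
  return allowed.map((script) => script.id);
}

function insertScriptTag(script) {
  if (typeof document === "undefined") return;
  const el = document.createElement("script");
  el.src = script.src;
  el.async = true;
  document.head.appendChild(el);
}
```

Keeping the banner version in every log entry is what makes the record useful later: a consent entry only proves what the user agreed to if the banner text that was shown at that moment can be reproduced during an audit or authority enquiry.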

Which technical safeguards does the GDPR require?

The GDPR obliges every controller to implement "appropriate technical and organisational measures", the so-called TOMs. Art. 32 GDPR names four concrete protection goals: confidentiality, integrity, availability and resilience of systems. Encryption and pseudonymisation are explicitly listed. A breach triggers not only a fine but also a notification duty under Art. 33 GDPR.

The threat landscape is objectively high. According to the Bitkom Wirtschaftsschutz 2024 study, 81% of German companies were affected by data theft, espionage or sabotage in the past twelve months. The damage to the German economy adds up to 266.6 billion euros, Bitkom reports. The BSI Lagebericht (annual IT security report from Germany's federal cyber security agency) has consistently rated the overall situation as "higher than ever before" since 2022. Ransomware remains the dominant attack pattern.

Minimum standard for websites

What does that mean in practice for a website? A minimum standard covers six building blocks:

  • TLS 1.3 with a valid certificate and an HSTS header.
  • Up-to-date software, that is CMS, plugins, libraries and server OS, without any significant patch backlog.
  • Role-based access with strong passwords and two-factor authentication in the backend.
  • A backup concept that runs at least daily and is tested regularly.
  • Logging that makes attack attempts visible.
  • A Web Application Firewall or comparable defence against automated attacks.
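Two of these building blocks can be checked with a few lines of code. The following JavaScript is an added example, not part of the original article or any Evelan tooling: it evaluates the negotiated TLS version and the Strict-Transport-Security header against the first building block, and it scans access-log lines for repeated failed logins so that the fifth building block, logging that makes attack attempts visible, has something concrete to look at. The one-year HSTS lifetime, the `/login` endpoint, the failure status codes and the log lines themselves are assumptions or constructed sample data.

```javascript
// Added example (not from the original article): a self-check for building blocks
// 1 (TLS 1.3 + HSTS) and 5 (attack attempts visible in logs). Thresholds, the
// login path and the sample log lines below are assumptions / constructed data.

const ONE_YEAR_SECONDS = 31536000; // assumption: the max-age commonly required for HSTS preloading

// Parse a Strict-Transport-Security header value into its directives.
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  if (typeof value !== "string") return result;
  for (const part of value.split(";")) {
    const [rawKey, rawVal] = part.trim().split("=");
    const key = rawKey.toLowerCase();
    if (key === "max-age") {
      const n = Number.parseInt((rawVal || "").replace(/"/g, ""), 10);
      if (Number.isFinite(n)) result.maxAge = n;
    } else if (key === "includesubdomains") {
      result.includeSubDomains = true;
    } else if (key === "preload") {
      result.preload = true;
    }
  }
  return result;
}

// Building block 1: TLS 1.3 plus an HSTS header with a meaningful lifetime.
// `tlsVersion` is the negotiated protocol as reported by the TLS library
// (e.g. "TLSv1.3"); `headers` maps lower-cased response header names to values.
function checkTransport(tlsVersion, headers) {
  const findings = [];
  if (tlsVersion !== "TLSv1.3") findings.push(`negotiated ${tlsVersion}, expected TLSv1.3`);
  const hsts = parseHsts(headers["strict-transport-security"]);
  if (hsts.maxAge === null) {
    findings.push("Strict-Transport-Security header missing");
  } else if (hsts.maxAge < ONE_YEAR_SECONDS) {
    findings.push(`HSTS max-age ${hsts.maxAge} below one year`);
  }
  return { ok: findings.length === 0, findings };
}

// Building block 5: make attack attempts visible. Scans access-log lines in
// common log format and reports every client that produced more than
// `threshold` failed logins. Assumption: the login endpoint is POST /login and
// a failure is answered with 401 or 403.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

function flagFailedLogins(lines, threshold = 5) {
  const counts = new Map();
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue; // unparseable line: skip rather than crash the scan
    const [, ip, , method, path, status] = m;
    if (method === "POST" && path === "/login" && (status === "401" || status === "403")) {
      counts.set(ip, (counts.get(ip) || 0) + 1);
    }
  }
  return [...counts]
    .filter(([, n]) => n > threshold)
    .map(([ip, n]) => ({ ip, failures: n }));
}

// Constructed sample data so the block runs stand-alone.
const SAMPLE_HEADERS_WEAK = { "strict-transport-security": "max-age=300" };
const SAMPLE_HEADERS_GOOD = {
  "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
};
const SAMPLE_LOG = [
  ...Array.from({ length: 7 }, (_, i) =>
    `203.0.113.7 - - [23/Mar/2026:10:00:0${i} +0000] "POST /login HTTP/1.1" 401 532`),
  `198.51.100.2 - - [23/Mar/2026:10:00:09 +0000] "POST /login HTTP/1.1" 200 1024`,
  `198.51.100.2 - - [23/Mar/2026:10:00:10 +0000] "GET /dashboard HTTP/1.1" 200 8192`,
];

console.log(checkTransport("TLSv1.2", SAMPLE_HEADERS_WEAK));
console.log(checkTransport("TLSv1.3", SAMPLE_HEADERS_GOOD));
console.log(flagFailedLogins(SAMPLE_LOG));
```

In a real deployment the header map would come from an actual response to the site's own origin and the log lines from the web server's access log; the point of the check is that the minimum standard becomes something a monthly job can verify rather than a sentence in a policy document.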

If you want orientation, you can get it for free from the BSI's Alliance for Cyber Security. It publishes minimum standards for web applications, checklists for secure configurations and patch-management recommendations. These sources are freely available and do not replace an audit, but they provide a solid basis for discussion between management, IT and data protection officers.

Data protection impact assessment

Worth mentioning is the duty to carry out a data protection impact assessment (DPIA) under Art. 35 GDPR. It applies to processing operations likely to result in a high risk to data subjects, for example extensive tracking, profiling or sensitive industry data. Many mid-market companies underestimate that a website with personalised advertising, lead scoring and CRM integration crosses this threshold quickly. A DPIA is non-trivial, but it protects against fines and incidentally delivers a complete inventory of the tools in use. Anyone who has done one cleanly has already completed 80% of the later compliance work.

When is a website agency worth it?

A professional agency pays off wherever law, technology and maintenance have to interact over the long term, which is in practice every commercial web presence. The requirements coming from the GDPR, TTDSG, DDG and case law are not static. Whoever views them in isolation overlooks the interactions. From roughly 60 mid-market projects at Evelan I can see one thing clearly: compliance gaps almost never come from bad intent; they come from diffused responsibility.

Three people working at a desk with a computer and office supplies, laughing and talking

Typical triggers where agency work delivers measurable value are relaunches, new tracking or marketing tools, integrations with third-party systems, international scaling, and any audit or data processing agreement that is up for fresh review. Authority enquiries or complaints are another moment where having a technical partner who can reconstruct the records of processing activities directly from the code is invaluable. Nobody wants to start researching what their website actually sends, and to whom, in the middle of a crisis.

Ongoing maintenance as the success factor

Ongoing maintenance is the part most underestimated internally. Security updates ship weekly, browsers change cookie policies, the EDPB publishes new guidelines, the ePrivacy dossier keeps moving. A specialised agency monitors these flows, translates them into concrete tickets, and prioritises. Without this continuous integration, even the best web presence loses legal certainty within 12 to 24 months.

Cost-effectiveness versus risk

Economically it adds up quickly. A single GDPR incident leading to a fine under Art. 83 GDPR or a warning letter often costs a mid-market company significantly more than three years of a maintenance contract. On top comes reputational damage, which weighs heavier than the fine itself. In sensitive sectors, healthcare, finance, tax consulting, a single incident can permanently damage customer trust.

A good agency therefore acts as a long-term partner, not as a one-off project supplier. It handles ongoing website maintenance, updates legal texts when case law shifts, and runs quarterly security reviews. This is plain industrial work, not a glamour topic. But it determines whether compliance still stands after 18 months or quietly erodes.

How does a website stay legally compliant over time?

A website stays legally compliant over time when it is run as a process, not as a finished project. Concretely that means: a maintenance plan with fixed intervals, documented responsibilities, and monitoring of case law and authority guidance. Skipping a single quarter is enough to open gaps, especially if new tools are added or marketing scripts go live in parallel.

A three-tier maintenance rhythm

In practice, a three-tier rhythm has proven its worth:

  • Monthly: automated security and availability checks, plus updates for CMS, plugins and libraries.
  • Quarterly: a full compliance review covering cookie behaviour, DPA inventory, privacy policy against the current legal position, Impressum, and a light pen-test.
  • Annually: a larger audit block with external penetration testing, a TOM review under Art. 32 GDPR, and an update of the records of processing activities.

Early warning system for legal change

Equally important: an early warning system for legal change. Whoever missed the 2024 switch from TMG to the DDG has an outdated Impressum. Whoever ignores the next CJEU ruling on international data transfer risks the next Schrems wave. A specialised website agency, an external data protection officer or an industry newsletter like the one from the BfDI is not a luxury here; it is part of due diligence.

Practical sources for this monitoring are the press releases of the German state data protection authorities, the guidelines of the European Data Protection Board (EDPB), the consumer-law forum of the Wettbewerbszentrale and specialised media such as Legal Tribune Online or heise online. Anyone who skips a single quarter typically misses two or three decisions relevant to websites. A small routine works well: a fixed appointment once a month, one hour, a summary in an internal wiki. That is enough to avoid surprises and replaces any expensive emergency consulting after the fact.

Clear responsibilities

Responsibilities should be put in writing. Who is the controller within the meaning of the GDPR, who is the data protection officer, who is the technical point of contact for the agency, who decides on authority enquiries? In many mid-market projects we find these roles agreed verbally. That works exactly as long as no managing director changes and no external IT contract is terminated. One page of documentation in the processing overview protects more than any expensive software licence.

From Evelan's Practice

A client in the digital tax consulting space in northern Germany came to us with classic growing pains. The platform processed highly sensitive client data, while at the same time external tools for appointment booking, newsletters and DATEV interfaces were embedded without proper control. The cookie setup was an old banner without a real "reject" option, and the privacy policy had not been revised for two years.

We rebuilt the consent layer with granular categories, moved all third-party scripts behind consent, revised the privacy policy together with the firm's data protection officer, and set up a monthly security audit. Result after twelve months: zero data protection complaints, clear audit trails for internal reviews, client enquiries up 24 percent. No relaunch needed, just a clean compliance architecture on the existing technical base.

Frequently Asked Questions

A legally compliant website meets the requirements of the GDPR, TTDSG, DDG (formerly TMG) and competition-law duties simultaneously. It has a complete Impressum, a current privacy policy under Art. 13 GDPR, effective consent management before any tracking, and technical safeguards under Art. 32 GDPR.
