A cease-and-desist letter over your website is frustrating, costly — and almost always avoidable. This checklist walks you through the points that apply to virtually every commercial website in Germany in 2026.
1. Encryption (HTTPS/TLS, often still called "SSL")
No website can do without HTTPS today. It is mandatory as soon as the site processes any personal data (a single contact form is enough), because the GDPR requires appropriate security for data in transit, and it is a trust signal for visitors and a ranking signal for Google. Check: does your browser show the padlock on every page, including when you type the address with http:// (it should redirect to https://)? A single image, script or stylesheet still loaded over http:// ("mixed content") is enough for the browser to drop the padlock on that page.
2. Legal Notice
Complete and reachable from every page in one click: name, address, contact details, and additional mandatory information depending on your legal structure. Common mistakes: outdated addresses, missing authorized representatives, "Legal Notice coming soon" placeholders.
3. Privacy Policy
It must describe what actually happens on your site: hosting, forms, analytics tools, embedded services (maps, videos, appointment booking), newsletters. A copy-pasted boilerplate that doesn't match your actual tech stack is itself a liability. Every time you add a new feature: update the Privacy Policy accordingly.
4. Cookie Consent Done Right
Non-essential cookies and tracking may only run after active consent. In practice, analytics tools like Google Analytics must not fire until the user clicks "Accept", not before. "Continued use constitutes consent" and pre-ticked boxes are not valid consent. You can verify this yourself: open a fresh private browser window, open the developer tools' Network tab before the page loads, and check whether any requests to analytics or advertising hosts are sent before you give consent. Repeat the check after declining: nothing non-essential should load then either.
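The browser check above can be made repeatable by exporting the Network tab as a HAR file and scanning it. The script below is an added example for this checklist, not code from the original page or from Runline; the tracker host list, the site domain "example.de" and the embedded sample capture are constructed assumptions, and it assumes the HAR was exported after the banner appeared but before anything was clicked.

```python
"""Check a HAR capture for tracking requests sent before consent.

Added example for this checklist, not code from the original page or from
Runline. Workflow it assumes: open a fresh private window, open the developer
tools' Network tab, load the page, wait for the cookie banner, click nothing,
then export the capture as a HAR file. The tracker host list below and the
SAMPLE_HAR are assumptions constructed for this example.
"""
import json
import sys
from datetime import datetime
from urllib.parse import urlsplit

# Hosts that mean analytics/advertising is already running. Extend with
# whatever your own Privacy Policy lists as consent-dependent (assumption).
TRACKER_HOSTS = (
    "google-analytics.com", "analytics.google.com", "googletagmanager.com",
    "doubleclick.net", "facebook.net", "hotjar.com",
)

# Constructed sample: a page that loads Google Tag Manager and sends an
# Analytics hit 450 ms after the first request, without any click.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"startedDateTime": "2026-01-10T09:00:00.000Z",
     "request": {"url": "https://www.example.de/"}},
    {"startedDateTime": "2026-01-10T09:00:00.120Z",
     "request": {"url": "https://www.example.de/static/app.css"}},
    {"startedDateTime": "2026-01-10T09:00:00.300Z",
     "request": {"url": "https://www.googletagmanager.com/gtag/js?id=G-XXXX"}},
    {"startedDateTime": "2026-01-10T09:00:00.450Z",
     "request": {"url": "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXX"}},
    {"startedDateTime": "2026-01-10T09:00:00.470Z",
     "request": {"url": "https://fonts.googleapis.com/css2?family=Inter"}},
]}})


def parse_time(iso):
    """HAR timestamps are ISO 8601; Chrome writes a trailing 'Z', which
    datetime.fromisoformat() only accepts from Python 3.11 on."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_first_party(host, own_domain):
    return host == own_domain or host.endswith("." + own_domain)


def is_tracker(host):
    return any(host == t or host.endswith("." + t) for t in TRACKER_HOSTS)


def pre_consent_tracking(har_text, consent_time=None):
    """Return (timestamp, url) for every tracker request sent before
    consent_time (ISO string). With consent_time=None the whole capture is
    treated as pre-consent, which is right for a HAR exported without
    touching the banner."""
    cutoff = parse_time(consent_time) if consent_time else None
    hits = []
    for entry in json.loads(har_text)["log"]["entries"]:
        started = entry["startedDateTime"]
        if cutoff is not None and parse_time(started) >= cutoff:
            continue
        url = entry["request"]["url"]
        if is_tracker(host_of(url)):
            hits.append((started, url))
    return hits


def third_party_hosts(har_text, own_domain):
    """Every host contacted that is not your own site: each one is a data
    transfer that your Privacy Policy has to account for."""
    hosts = {host_of(e["request"]["url"])
             for e in json.loads(har_text)["log"]["entries"]}
    return sorted(h for h in hosts if h and not is_first_party(h, own_domain))


if __name__ == "__main__":
    # Usage: python check_har.py capture.har example.de [consent ISO time]
    har = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_HAR
    own = sys.argv[2] if len(sys.argv) > 2 else "example.de"
    consent_at = sys.argv[3] if len(sys.argv) > 3 else None
    for ts, url in pre_consent_tracking(har, consent_at):
        print(f"TRACKING BEFORE CONSENT  {ts}  {url}")
    print("third-party hosts contacted:", ", ".join(third_party_hosts(har, own)))
```

On the sample capture the script reports the Tag Manager load and the Analytics collect hit as pre-consent tracking, and lists fonts.googleapis.com as a further third-party host that is not tracking but is still a data transfer to document. Passing the time of your "Accept" click as the third argument lets you run the same check on a capture that continues past consent.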
5. Forms: Collect Only What You Need
Data minimization is a core principle: make only the fields you genuinely need mandatory (for a contact form that is typically just an e-mail address and the message), include a consent checkbox that links to your Privacy Policy, and submit the form over HTTPS only. Practical bonus: a hidden honeypot field that real users never fill in lets you drop bot submissions without forcing visitors through a CAPTCHA and without handing their data to a third-party anti-spam service.
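What the server side of such a form looks like, as an added example for this checklist rather than code from the original page or from Runline: the field names, the 3-second fill-time threshold, the hidden "form_started" timestamp, the policy version string and the constructed sample submissions are all assumptions.

```python
"""Minimal, consent-aware contact form handler with a honeypot.

Added example for this checklist, not code from the original page or from
Runline. Field names, the MIN_FILL_SECONDS threshold, the constructed
submissions and the stored record layout are assumptions.
"""
import re

# Only what a contact request needs. Anything else is rejected, not just
# ignored, so a later template change cannot quietly start collecting more.
ALLOWED_FIELDS = {"email", "message", "consent", "website_url", "form_started"}
REQUIRED_FIELDS = {"email", "message"}
HONEYPOT_FIELD = "website_url"      # hidden via CSS; a human never fills it in
MIN_FILL_SECONDS = 3                # assumption: bots post faster than this
MAX_MESSAGE_CHARS = 5000
PRIVACY_POLICY_VERSION = "2026-01"  # assumption: which text the user agreed to


class Rejected(Exception):
    """Validation failure the user should see and be able to fix."""


def handle_submission(form, now):
    """Validate one submission (form: dict of field -> string, now: unix time).

    Returns ("spam", None) when the honeypot or timing check trips: the
    caller should answer with the normal thank-you page and store nothing,
    so the bot learns nothing. Returns ("ok", record) otherwise; `record`
    is the only data that gets stored.
    """
    extra = set(form) - ALLOWED_FIELDS
    if extra:
        raise Rejected(f"unexpected fields: {sorted(extra)}")

    # Honeypot and timing checks come first so bot traffic never reaches
    # validation errors that would reveal which fields matter.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "spam", None
    # form_started is rendered into a hidden field when the form is shown
    # (assumption; in production sign it with an HMAC so it cannot be forged).
    try:
        started = int(form.get("form_started", ""))
    except ValueError:
        return "spam", None
    if now - started < MIN_FILL_SECONDS:
        return "spam", None

    missing = [f for f in sorted(REQUIRED_FIELDS) if not form.get(f, "").strip()]
    if missing:
        raise Rejected(f"required: {missing}")
    email = form["email"].strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        raise Rejected("e-mail address looks invalid")
    message = form["message"].strip()[:MAX_MESSAGE_CHARS]
    # An unchecked checkbox is omitted from the request entirely, so absent
    # must count as "no", never as a default yes.
    if form.get("consent") not in ("on", "1", "true"):
        raise Rejected("consent to the Privacy Policy is required")

    record = {
        "email": email,
        "message": message,
        "consent_at": now,                       # proof of when consent was given
        "consent_policy_version": PRIVACY_POLICY_VERSION,
    }
    return "ok", record


# Constructed submissions for a self-check.
HUMAN = {"email": "kunde@example.de", "message": "Bitte um Rückruf.",
         "consent": "on", "website_url": "", "form_started": "1700000000"}
BOT = dict(HUMAN, website_url="https://cheap-pills.example")

if __name__ == "__main__":
    print(handle_submission(HUMAN, now=1700000042))
    print(handle_submission(BOT, now=1700000042))
```

The stored record keeps the consent timestamp and the policy version alongside the message; that is what lets you later show which text a person agreed to and when. Spam is answered exactly like a genuine submission so that bots get no signal about which check caught them.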
6. Third-Party Services and Data Transfers
Every embedded service (fonts, maps, videos, chat, appointment booking) makes the visitor's browser contact that provider and transmit at least the IP address, sometimes to third countries. Ground rules: host fonts locally instead of loading them from Google's or other US servers, show embeds as a static placeholder and load the real iframe only after a click ("2-click solution"), and sign Data Processing Agreements (DPAs) with your service providers. Check: with the Network tab open, does a fresh page load contact any host other than your own before you have clicked anything?
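The checks from points 1 and 6 (mixed content, externally hosted fonts, embeds that load without a click) can be run against a page's HTML source. The scanner below is an added example for this checklist, not code from the original page or from Runline; the font host list, the convention that a 2-click embed keeps its URL in a data-src attribute, the domain "example.de" and the sample HTML are constructed assumptions.

```python
"""Scan a page's HTML for third-party font loads, embeds that load without a
click, and resources still requested over http://.

Added example for this checklist, not code from the original page or from
Runline. The host list, the data-src convention for 2-click embeds and the
SAMPLE_HTML are assumptions constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

FONT_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com", "use.typekit.net")
SRC_TAGS = ("script", "img", "iframe", "source", "video", "audio", "embed")

# Constructed sample page with one instance of each problem plus a correctly
# gated map embed (URL in data-src, so nothing loads until the click).
SAMPLE_HTML = """
<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
</head><body>
<img src="http://www.example.de/logo.png" alt="logo">
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<div class="needs-consent">
  <iframe data-src="https://www.google.com/maps/embed?pb=xyz"></iframe>
</div>
</body></html>
"""


def host_of(url):
    return (urlsplit(url).hostname or "").lower()   # '' for relative URLs


def matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


class AssetScanner(HTMLParser):
    def __init__(self, own_domain):
        super().__init__()
        self.own = own_domain
        self.findings = []        # (kind, tag, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self._in_style = True
        if tag == "link":
            url = a.get("href")       # stylesheets, preconnect, preload
        elif tag in SRC_TAGS:
            url = a.get("src")        # data-src is deliberately not read
        else:
            url = None
        if url:
            self._check(tag, url)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # @import / url() inside inline CSS also load fonts from third parties
        if self._in_style:
            for host in FONT_HOSTS:
                if host in data:
                    self.findings.append(("external-font", "style", host))

    def _check(self, tag, url):
        if url.lower().startswith("http://"):
            self.findings.append(("mixed-content", tag, url))   # drops the padlock
        host = host_of(url)
        if not host or matches(host, (self.own,)):
            return                                    # first-party: fine
        if matches(host, FONT_HOSTS):
            self.findings.append(("external-font", tag, url))
        elif tag == "iframe":
            # A third-party iframe with src= loads on page view; a 2-click
            # embed keeps the URL in data-src until the visitor agrees.
            self.findings.append(("third-party-embed", tag, url))
        elif tag == "script":
            self.findings.append(("third-party-script", tag, url))
        else:
            self.findings.append(("third-party-resource", tag, url))


def scan(html, own_domain):
    scanner = AssetScanner(own_domain)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE_HTML, "example.de"):
        print(f"{kind:20} <{tag}> {url}")
```

On the sample page this reports the two Google Fonts hosts, the http:// logo and the YouTube iframe, and stays silent on the map because its URL sits in data-src. The scan only sees what is in the HTML; scripts that inject trackers or fonts at runtime still need the Network-tab check from point 4.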
7. Hosting and DPA
EU-based hosting simplifies a lot and is a genuine selling point with your own clients. You need a DPA with your hosting provider — and with other processors such as newsletter or CRM providers. With reputable vendors, this is a standard document you sign once and file away.
8. Data Subject Rights and Deletion Policy
You must be able to respond to requests like "What data do you hold on me?" or "Please delete my data." For small businesses, a simple, documented process is usually enough: where is which data stored, who is responsible, how long is it retained.
The Quick Checklist
- HTTPS active on all pages, http:// redirected to https://, no mixed content
- Legal Notice complete, reachable in 1 click
- Privacy Policy matches your actual tech stack
- Tracking only after consent (self-verified!)
- Forms: data minimization + consent checkbox
- Fonts hosted locally, embeds via 2-click solution
- EU hosting, DPAs signed and filed
- Responsibility for access/deletion requests clarified
Prefer these points as a printable PDF next to your keyboard? The checklist page has the full version for free. And if you want to know where your site stands today: Website Audit checks the technical basics in 30 seconds.
Frequently Asked Questions
Does GDPR apply to small websites and sole traders?
Yes. As soon as your website is commercial and processes personal data (even a contact form or server logs are enough), the basic obligations apply — regardless of business size.
Is a free Privacy Policy generator enough?
Often a useful starting point, but only if the output matches your actual tech stack and is kept up to date. It becomes risky when services running on your site are missing from the policy — or vice versa.
What does a GDPR violation realistically cost?
The range is wide: from warning letter costs in the three-to-four-figure range to regulatory fines. It almost always costs more than any precaution — especially since the most common mistakes (tracking without consent, US-hosted fonts, incomplete legal texts) are inexpensive to fix.
Does Runline handle the GDPR implementation for my website?
The technical side: yes — EU hosting, local fonts, consent management, clean forms, and 2-click embeds are our standard. The final legal review of your legal texts belongs in the hands of a lawyer; we provide the complete technical documentation to support that.
How solid is your site's technical setup?
The free website audit checks SSL, consent signals, and more — results instantly.
Audit my site now