Foreign companies expanding into Germany consistently underestimate how different the legal requirements are. A website that's fully compliant in the UK or the US can generate warning letters and fines within weeks of going live in Germany. This isn't bureaucratic edge-case territory - it's routine. German competitors actively monitor new websites for compliance gaps and send cease-and-desist notices (Abmahnungen) through lawyers, often demanding €1,000-€5,000 in legal fees plus injunctions.
This checklist covers what every business website operating in Germany needs, regardless of where the company is based.
The Non-Negotiables: What Every German Website Requires
1. Impressum (Legal Imprint)
Germany's Telemedia Act (TMG) requires every commercial website to display a complete legal notice. "Commercial" means essentially any website that promotes a product, service, or professional activity - not just shops.
The Impressum must include:
- Full legal name and business form (e.g., "Ventas Webdesign CLG" not just "Ventas")
- Full postal address (a P.O. box doesn't count)
- Direct contact option - phone number or email address; just a contact form is not sufficient
- Registration details if applicable: commercial register number, VAT ID
- For regulated professions (lawyers, doctors, accountants): professional association and licence number
It must be reachable from every page within two clicks, typically via a footer link. A page buried three levels deep doesn't satisfy the requirement.
2. Privacy Policy (Datenschutzerklärung)
GDPR requires a privacy policy that explains what personal data you collect, why you collect it, how long you keep it, and who you share it with. For a standard business website, this typically covers:
- Contact form data (name, email, message content)
- Server log files (IP address, browser type, timestamp)
- Analytics tools (Google Analytics, Matomo, etc.)
- Any embedded third-party content (YouTube, Google Maps, social media buttons)
- Newsletter subscriptions if applicable
Generic privacy policy generators produce text that often doesn't match what your site actually does. If your privacy policy mentions tools you don't use, or doesn't mention tools you do use, that's a compliance problem. It needs to be specific to your site.
3. Cookie Consent
This is where most websites fall short. The requirements under the German version of the ePrivacy Directive are strict: non-essential cookies or tracking scripts may not load until the user has actively consented. "Actively" means clicking an accept button. Pre-ticked checkboxes don't count. "Continued browsing constitutes consent" doesn't count. A banner that just explains cookies without offering a reject option doesn't count.
What triggers the consent requirement:
- Google Analytics - yes, even with anonymize_ip
- Google Fonts loaded from Google's servers (not self-hosted)
- YouTube embeds
- Google Maps iframes
- Facebook Pixel, LinkedIn Insight Tag, any advertising pixels
- LiveChat or Intercom scripts
- Hotjar or any session recording tool
Technically necessary cookies - session management, shopping cart, login state - don't require consent. But only those.
The Complete GDPR Compliance Checklist
- Impressum reachable within 2 clicks from every page, with full legal name, postal address and direct contact
- Privacy policy present and accurately reflects every tool that processes user data on your site
- Cookie consent banner blocks non-essential scripts until the user accepts; reject option is visible and equal to accept
- Google Fonts self-hosted (not loaded from fonts.googleapis.com)
- Google Analytics only fires after consent; Data Processing Agreement (DPA) active in Google account settings
- Contact form has a GDPR consent checkbox that users must actively tick before submitting
- Data Processing Agreements (AVV) in place with every third-party tool that processes EU user data: Google, your email provider, your CRM, your form tool
- SSL certificate active; all HTTP traffic redirects to HTTPS
- External embeds (YouTube, Maps, Instagram) either require consent before loading or use privacy-enhanced mode
- No pre-ticked checkboxes on any form; consent is always an active, unambiguous action
- Data deletion process documented internally - you need to be able to delete a user's data within 30 days if they request it
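To check a page against the trigger list and the checklist above, here is an added example (not from the original article) of a small static HTML audit written with Python's standard library: it flags Google Fonts served from Google, analytics and pixel scripts that load ungated, YouTube embeds outside privacy-enhanced mode, plain-HTTP resources and pre-ticked checkboxes. The host names, the `type="text/plain"` gating convention and the sample page are assumptions constructed for the example.

```python
from html.parser import HTMLParser

# URL fragments for the consent triggers named on this page. The host names are
# assumptions (well-known tag/CDN hosts), not something the checklist specifies.
CONSENT_TRIGGERS = {
    "fonts.googleapis.com": "Google Fonts from Google servers; self-host instead",
    "googletagmanager.com": "Google Analytics / Tag Manager may only fire after consent",
    "google-analytics.com": "Google Analytics may only fire after consent",
    "youtube.com/embed/": "YouTube embed needs consent or privacy-enhanced mode",
    "connect.facebook.net": "Facebook Pixel needs consent",
}

class ConsentAudit(HTMLParser):
    # Collects (tag, value, reason) findings for checklist violations in static HTML
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # A pre-ticked checkbox is never an active, unambiguous consent action
        if tag == "input" and a.get("type") == "checkbox" and "checked" in a:
            self.findings.append((tag, a.get("name") or "", "pre-ticked checkbox"))
            return
        url = a.get("src") or a.get("href") or ""
        # Every resource must be served over HTTPS, not plain HTTP
        if url.startswith("http://"):
            self.findings.append((tag, url, "insecure http:// resource"))
        # Assumed convention: type="text/plain" scripts stay inert until a consent manager activates them
        if tag == "script" and a.get("type") == "text/plain":
            return
        for fragment, reason in CONSENT_TRIGGERS.items():
            if fragment in url:
                self.findings.append((tag, url, reason))
                break

def audit_html(html):
    parser = ConsentAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample page: one hit per check, plus two correctly handled embeds.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script type="text/plain" data-consent="marketing" src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body><iframe src="https://www.youtube-nocookie.com/embed/VIDEOID"></iframe>
<img src="http://example.com/logo.png">
<form><input type="checkbox" name="privacy" checked> I agree</form></body></html>"""
```

Running `audit_html(SAMPLE_HTML)` reports the Google Fonts link, the ungated Tag Manager script, the plain-HTTP image and the pre-ticked checkbox, while the gated pixel script and the youtube-nocookie embed pass.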
Data Processing Agreements: The Part Everyone Forgets
GDPR requires a written Data Processing Agreement (DPA, or Auftragsverarbeitungsvertrag / AVV in German) with every service provider that processes EU personal data on your behalf. For a typical business website, that means:
- Google Analytics / Google Tag Manager - available in Google account settings under "Data Processing Amendment"
- Your web hosting provider - most German hosts include this automatically; check with international providers
- Your email marketing tool (Mailchimp, Brevo, etc.) - typically available as a standard agreement
- Your CRM if it stores contact enquiries from the website
- Your contact form plugin if it sends data to an external service
Missing DPAs are a common finding in data protection audits and a straightforward basis for complaints to supervisory authorities. They're also straightforward to fix - most major providers have standard DPA templates ready to sign.
What Happens If You Get It Wrong
German data protection enforcement is among the most active in Europe. In 2024 and 2025, fines for GDPR violations by SMEs ranged from €2,000 for a missing cookie consent to €50,000+ for systematic data processing without a legal basis. Warning letters from competitors (Abmahnungen) over missing or incomplete Impressum entries are even more common - and the legal costs alone often exceed €1,000 even if you settle immediately.
International companies are not exempt. Courts in Munich and Hamburg have ruled on cases involving websites of US and UK companies operating in Germany, finding that GDPR and TMG obligations apply when the website targets German users.
Common Questions
Does a business website in Germany need an Impressum?
Yes. Every commercial website targeting German users requires a legally valid Impressum with full company name, postal address and direct contact details. This applies to foreign companies too, if the website targets German users.
Is cookie consent required for all German websites?
For any site using Google Analytics, Google Fonts from external servers, YouTube embeds, social media pixels or similar tracking tools: yes. The consent must be active (a click), not passive (continuing to browse). Pre-ticked boxes are invalid.
Can I use Google Analytics on a German website?
Yes, but only after the user consents, and with a Data Processing Agreement active in your Google account. Running Google Analytics without prior consent violates GDPR regardless of whether you have anonymize_ip enabled.
Does GDPR apply to foreign companies with websites targeting Germany?
Yes. GDPR and German TMG requirements apply whenever you process data of EU users or target German users with your website. Location of the company is not the deciding factor.
Building GDPR compliance into a website from the start takes a few hours. Fixing it after a warning letter or audit costs multiples of that - in legal fees, remediation work, and disruption. We include compliance as a standard part of every site we build. If you want us to review your current site, get in touch.
