Make WordPress Website GDPR (DSGVO) Compliant

For all the German folks out there, this is a DSGVO article in Englisch. To read the summary of GDPR by Original Consilium Europa Regulation Document click this link DSGVO aka GDPR pdf Englisch.


DSGVO in Germain is GDPR in English. GDPR is General Data Protection Regulation is a law on data protection and privacy for people within the European Union (EU DSGVO Compliance). It applies to any data collected from the citizens of EU from anywhere in the world. GDPR aims to give EU citizens control over their personal data and to regulate the approach of international business.

As a consequence of this new law, all websites which have EU visitors or customers must comply with the GDPR, which means practically all businesses that want to sell products or services to the European market. It also applies to WordPress websites that have European customers or visitors.

If your website is not GDPR compliant, series of actions which could lead in to fine of €20 million is possible. Don’t need to be afraid of this news, GDPR is clearly explained in this article. You can understand what GDPR is  and how to make your WordPress website GDPR complaint.

Legal Disclaimer: The contents of this articles should not be considered as legal advice. Due to the dynamic nature of websites, no single plugin or platform can offer 100% legal compliance. When in doubt, it’s best to consult a specialist internet law attorney.

GDPR Summary (DSGVO Zusammenfassung)

Let us see a simple summary of GDPR. There are two main aspects of the GDPR: “personal data” and “processing of personal data.” Here’s how it relates to running a WordPress site:

  • personal data pertains to “any information relating to an identified or identifiable natural person” – like name, email, address or even an IP address; it is better to think that any piece of data can be considered personal data,
  • whereas processing of personal data refers to “any operation or set of operations which is performed on personal data”. Therefore, a simple operation of storing an IP address on your web server logs constitutes processing of personal data of a user.

Standard WordPress sites collect user data such as:

  • user registrations
  • comments
  • contact form entries
  • analytics and traffic log solutions
  • any other logging tools and plugins
  • security tools and plugins

GDPR Law (DSGVO Gesetz)

GDPR empowers data subjects with certain rights. Any request related to those rights, then you have to respond to the request within 30 days.

Right to be informed

Users have the right to know what and why personal data is collected, how it be saved and how long it is saved.

  • Right of access
  • Users have the right to access the data that has been recorded by the data controller upon request.
  • Right to rectification
  • Users have the right to have their inaccurate or incomplete data updated or rectified.
  • Right to be forgotten
  • Users have the right to have their personal data completely erased, and also prevent further collection of their data.
  • Right to restrict
  • Under certain circumstances, users can request to restrict or suppress the use and processing of their data.
  • Right to portability
  • Users have the right to request their data and may use this data in any way they see fit and even transfer it to another data controller.
  • Right to object
  • Users have the right to object to the use of personal data that includes personal interests.
  • Right not to be subject to automated decision-making
  • Users have the right to opt out of automated decision making when it can produce an adverse legal impact or anything similar.

GDPR Checklist (DSGVO Checkliste)

GDPR lays out responsibilities for organizations to ensure the privacy and protection of personal data, provides data subjects with certain rights. These responsibilities are listed in the checklist below. Failure to comply assigns the regulators to impose fines on organizations.

  • 1) Lawful, fair and transparent processing
  • The companies that process personal data are asked to process the personal data in a lawful, fair and transparent manner.
  • 2) Limitation of purpose, data, and storage
  • The companies are forbidden from the processing of personal data outside the legitimate purpose and that no personal data, other than what is necessary, be requested, and data should be deleted once the purpose is fulfilled.
  • 3) Data subject rights
  • A data subject has the right to ask for correction, object to processing, lodge a complaint, or even ask for the deletion or transfer of his or her personal data.
  • 4) Consent
  • When the data collected is intended to be used beyond the legitimate purpose, a consent which is withdrawable any moment, from the data subject (parents/guardian if under 16) is required.
  • 5) Personal data breaches
  • A Personal Data Breach Register has to be maintained, and when there is a data breach, the data subject should be informed within 72 hours of identifying the breach.
  • 6) Privacy by Design
  • Privacy and protection aspects should be ensured by default in organisational and technical mechanisms of the companies.
  • 7) Data Protection Impact Assessment
  • To estimate the impact of changes or new actions, a Data Protection Impact Assessment should be conducted when initiating a new project, change, or product.
  • 8) Data transfers
  • The controller of personal data has the obligation to ensure the protection and privacy of personal data when that data is being transferred outside the company, to a third party or other entity within the same company.
  • 9) Data Protection Officer
  • When there is significant processing of personal data in an organization, a Data Protection Officer who advises the company about compliance with EU GDPR requirements should be assigned.
  • 10) Awareness and training
  • Awareness must be created among employees about key GDPR requirements to protect personal data and data breaches.

Ultimate GDPR plugin

The good news is that all these above-said rights and checklists can be managed using Ultimate GDPR Plugin which is an all-in-one GDPR solution for your website. It is a complete GDPR compliance toolkit plugin for WordPress. It can meet all your GDPR requirements such as:

Personal Data Access

Dedicated form for Users to access currently stored personal data.

Right to be Forgotten

Dedicated form for Users to request deletion of stored data.

Privacy Policy Pages

Set up redirects for your Terms and Conditions and Privacy Policy pages until consent is given.

Cookie Consents 

Create a customizable box for Cookie Consent and block all cookies until cookie consent is given.

Add Consest Box

Automatically add consent boxes for various forms on your website.

Data Breach

Send global email notifications about data breach.


Pseudonymize some of the user data stored in the database and make all of the user’s information safe even in case of a breach.

Multi Language Support

It offers a range of language versions that have been carefully and accurately translated by professionals. Available languages include: German, French, Spanish, Norwegian, Russian, Polish, Italian, Dutch, Croatian, Romanian, Hungarian, Slovak, Czech, and Danish.

One-click Cookie Detector

Discover what cookies your website is using in seconds

Third-party Cookies Support

It has a Service Manager which will block any cookie you need.

Advanced Cookies Management Panel

Take control of your cookies straight from your dashboard.

Enhanced integration with Google Analytics

You can ensure your website is compliant and playing nicely with Google Analytics for the best possible insight into your traffic

More features (like Data access or Deletion)

There are features like Browse user requests for data access/deletion, and it has even got integrations with leading WordPress plugins like WooCommerce BuddyPress, Formidable Forms and many other plugins. To make your WordPress website GDPR complaint and to make use of all these features buy Ultimate GDPR now!

GDPR for Photographers (DSGVO Fotografie)

For Photographers GDPR is much different. The GDPR does not apply “in the course of a purely personal or household activity.” If you are just clicking the pictures of your family and posting it on Instagram, it is considered as a household activity. GDPR applies to the same picture when you are an enthusiast or a professional. This post is mainly for WordPress website if you are, a photographer read more about GDPR for Photographers to know in detail.

2 thoughts on “Make WordPress Website GDPR (DSGVO) Compliant”

Leave a Comment

Your email address will not be published. Required fields are marked *