medium gdpr-privacy-policy-missing

Privacy policy (Datenschutzerklärung) page missing

GDPR Articles 13 and 14 require every website to publish a privacy policy describing what data is collected and why. Missing policies are an easy finding for both regulators and competitors.

What this means in plain English

The scanner couldn’t find a clearly named privacy-policy page linked from your homepage. We look for “Datenschutz”, “Datenschutzerklärung”, “Privacy”, “Privacy policy”, or “Privacy notice” in link text and URL slugs. GDPR Articles 13 and 14 require every controller of personal data to inform visitors about what is collected, why, on what legal basis, who it is shared with, and what rights they have. On a website, the conventional way to satisfy that obligation is a Datenschutzerklärung page linked from every page footer.
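A self-check along the lines of the rule described above, as an added example (not blueredix's own code): it parses homepage HTML and reports links whose text or URL path contains one of the listed terms. Case-insensitive substring matching, the function names, and the sample HTML are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Terms from the list above, lowercased. "datenschutz" also covers
# "Datenschutzerklärung"; "privacy" covers "Privacy policy" / "Privacy notice".
KEYWORDS = ("datenschutz", "privacy")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")  # None: anchor is not a link
            self._text = []
        elif tag == "img" and self._href is not None:
            self._text.append(dict(attrs).get("alt") or "")  # image-only links

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None

def find_privacy_links(html):
    """Return (href, text) pairs whose text or URL path contains a keyword."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for href, text in parser.links:
        path = urlsplit(href).path.lower()  # slug only: host and query ignored
        if any(k in text.lower() or k in path for k in KEYWORDS):
            hits.append((href, text))
    return hits

# Constructed sample homepages (not taken from any real site).
SAMPLE_OK = ('<footer><a href="/impressum/">Impressum</a> '
             '<a href="/datenschutz/">Datenschutzerkl&auml;rung</a></footer>')
SAMPLE_MISSING = ('<nav><a href="https://privacy-tools.example/">Partner</a> '
                  '<a href="/search?q=privacy">Search</a> '
                  '<a href="/legal/">Legal</a></nav>')
```

An empty result for your homepage HTML means a check of this kind would flag the page as missing its privacy policy link.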

Why it matters

Two enforcement channels keep this rule alive.

Data protection authorities (LfDI at state level, BfDI for federal bodies) treat a missing privacy policy as a per-se violation of Article 13. There is no “but my site doesn’t really collect anything” exception. Server logs, contact forms, and the IP-based delivery of every static asset are already collection.

Competitors can file Mitbewerberabmahnungen on the basis of §3a UWG (unfair competition through breach of statutory duty). German civil courts have repeatedly affirmed that GDPR Articles 13 and 14 are “Marktverhaltensregeln” and therefore actionable in competition law.

The scope of required content has grown over the years. A modern Datenschutzerklärung typically covers:

  1. The controller’s identity (matches your Impressum) and a data-protection-officer contact if you have one.
  2. Categories of personal data collected.
  3. Purposes and legal bases for each processing activity.
  4. Recipients or categories of recipients. Every third-party tool you use (analytics, CDN, mail, hosting, payment, support) counts.
  5. Storage duration and deletion criteria.
  6. Data-subject rights (Art. 15 to 22 GDPR) and how to exercise them.
  7. Right to lodge a complaint with a supervisory authority and the contact for the competent authority.
  8. International transfers, especially to US providers under Schrems II.
  9. For each tracker, analytics tool, and embed: the specific legal basis and a description of what it does.

How to fix it

  1. Use a tested generator. The eRecht24 Datenschutz generator is the most-cited; the activeMind generator is also widely recommended. Generators are not a substitute for careful review, but they are a fast, defensible starting point.

  2. List every third-party service that gets your visitors’ data. The blueredix scanner detects many of them automatically (analytics, tag managers, marketing pixels). The privacy policy needs a paragraph for each.

  3. Publish at /datenschutz/ or /privacy/ and link to it from the footer alongside the Impressum. The link should be visible without scrolling on desktop and never hidden inside a generic “More” menu.

  4. Set a calendar reminder to review annually. GDPR Article 13 is tightened by case law every couple of years, and the tools you use today may not be the tools you use next year.

The privacy policy describes what currently happens on your site. Adding a third-party tool means updating the policy before the tool goes live, not afterwards.
