Drupal / General Data Protection Regulation (GDPR)

Drupal Websites and GDPR
Drupal and General Data Protection Regulation (GDPR) - Background image Nick Hillier on Unsplash

Drupal & the General Data Protection Regulation (GDPR)

On May 25th, 2018 the EU General Data Protection Regulation (GDPR) enters into force.

This also applies to the operation of websites based on Drupal as a content management system.

As a manufacturer and hoster of many websites based on Drupal, we have looked closely at the GDPR and set out the key measures that website operators should take to comply with the General Data Protection Regulation.


In 2016, an EU-wide Personal Data Protection Directive was adopted. This directive will be implemented in Germany within the framework of the General Data Protection Regulation (GDPR) and will enter into force on May 25, 2018.

The regulation regulates the handling of personal data in companies with the aim of safeguarding them and to establish uniform rules for dealing with them. This concerns virtually all businesses, since most collect and process personal data in some form (for example, through a contact form on the website).

Extended rights for consumers

Consumers have the right to inspect the processing of their personal data, to object to the processing or even to demand the complete deletion of their data (“right to be forgotten” Art. 17, GDPR).

This also applies to third parties to whom personal data has been passed on to (for example Google, Piwik, Mailchimp, Cleverreach, CRM, ERP, Helpdesk, Backups, Hosting Providers, etc.).

Personal data is defined as all data that can be assigned to an identified person (Art. 4, GDPR, Num. 1). This also includes online identifiers such as IP addresses and cookies.

More obligations for companies

To guarantee the the consumers their rights, companies are required to list and secure all collection and processing operations.

This includes among others the secure configuration of deployed software and the restriction of access to personal data to the necessary members of staff.

For example, Drupal websites should always have the latest security updates installed, and it should be checked which users have access to personal information (such as data entered into contact forms, orders, user accounts, etc.).

In addition, businesses need to inform their consumers about the scope and reasons for data collection and provide them with enough ways to contact them so that they can make inquiries about their data.

This could e.g. be implemented through the use of an appropriate cookie usage warning and a legally secured privacy policy.

Possible penalties

Violations of the General Data Protection Regulation will be punishable by fines of up to EUR 20 million or up to 4% of the worldwide annual turnover of affected companies as of May.

Changes for the operation of websites

In order to operate Drupal websites in accordance with the GDPR we recommend implementing the following measures.

Technical protection

The following technical measures should be taken to optimise security and establish compliance with the General Data Protection Regulation:

  • Allow only encrypted access to websites
    • Installing one SSL certificate (HTTPS)
    • sFTP or SSH instead of FTP
  • Timely or automatic installation of security updates
  • Encryption of backups

Creation of a directory of all data processing operations

Within the framework of the GDPR, companies are required to systematically record all data collection and processing operations as well as subsequent processing by third parties.

Usually, the following personal data is collected on Drupal websites, which must be recorded within the framework of the GDPR:

  • Connection data (cookies, IP addresses, etc.)
  • Tracking data (Google Analytics, Matomo (Piwik), etc.)
  • Newsletter data (Mailchimp, Cleverreach, Campaign Monitor, etc.)
  • Social media data (Facebook, Twitter, Google, etc.)
  • Web forms (contact form, feedback, complaint, etc.)
  • User data (login data, purchase data, processing data, etc.)

For each collected data point at least the following information must be listed:

  • Designation
  • Data category(ies)
  • Affected people
  • Purpose / Rationale of the collection
  • Legal Basis
  • Data sources
  • Information of those affected
  • Recipient / transfer third countries
  • Deletion
  • Restriction of processing
  • Precautions


  • Newsletter
Data categories
  • Base data
  • Credentials
  • Usage Data
Affected persons
  • Newsletter recipients
  • Personalized contact
  • Proof of registration
  • Optimization of content
Legal basis
  • Art. 6, GPDR, Num. 1
Data sources
  • Registration website
  • Express consent through double opt-in
Information of those affected
  • Description of Scope and Purpose of Processing
  • Possibility of withdrawal
  • Note on Privacy Policy
  • Note on shipping service provider Mailchimp
Recipient / transfer third countries
  • At deregistration or request for cancellation
Restriction of processing
  • Storage as business mail 6 years
  • Access only via encrypted connection
  • Encrypted backups
  • Access to personal data only by processors (marketing staff) and system administrators
  • Link to information on company-wide protection of personal data

Reviewing and, if necessary, adaptation and safeguarding of all data processing processes

In order to act in accordance with the General Data Protection Regulation, companies must review all data processing operations and, if necessary, adapt and secure them.

For websites, typically a large number of processing operations are performed, which must be adapted and safeguarded within the framework of the GDPR.

The following measures are usually taken establish compliance of Drupal websites:

  • Customization of user permissions
  • Exclusion of unnecessary personal data
  • Encryption / anonymization / pseudonymization of personal data in backups and exports
  • Verification of data transmission to third parties
    • Encrypted transmission
    • Anonymization / pseudonymisation
    • Exclusion of unnecessary personal data

Creation of processing processes for inquiries (e.g. information about personal data)

Under the GDPR data subjects are entitled to request information about stored personal data, as well as to request their correction, their restriction or their complete deletion.

Procedures must be created and documented for these processes so that the inquiries can be processed within the deadlines (usually 1 month) (Art. 12, GDPR ff.).

For Drupal websites, a request for information could be e.g. Edited as follows:

  • Data collection from user account
  • Data collection from newsletter registration
  • Data collection from contact form
  • Data collection from emails *
  • Data collection from support inquiries *
  • Data collection from contracts *
  • Documentation of all data *
  • Transmission of the data to the person concerned *

* These steps are related to the process, but do not directly affect the collection and processing of the website.

Preparation of the necessary legal information

The General Data Protection Regulation stipulates that data subjects are sufficiently informed about the collection and processing of personal data (Art. 13 GDPR ff.).

For web pages, this includes the following points:

  • Adjusting privacy policy
  • Display of information at the time of data collection
    • Notification to users about cookie policies and practices (“Cookie notice”)
    • Indication of the scope and purpose of explicit data entry (for example in the contact form or when ordering)
    • Reference to contact person for personal data (Data Protection Officer)
  • Creation of contact options for information, rectification, revocation and deletion of personal data

For legal issues, we can recommend the law firm Kolonko & Dammeier from Frankfurt, Germany with whom we cooperate closely in all legal issues.

Creation of contact options for information, rectification, revocation and deletion of personal data

In order to provide affected persons with sufficient possibilities for information, correction, revocation and deletion of personal data within the scope of the GDPR, special contact possibilities should be provided on websites for these processes.

Support by 1xINTERNET

We are happy to assist you in the implementation of the GDPR with regard to its website and related processes.

For legal issues, we work together with the law firm Kolonko & Dammeier from Frankfurt, Germany.

Contact us via the contact form, send us an e-mail, or call us.




The information presented here is for non-binding information purposes only and does not constitute legal advice.

For legal advice, please contact your lawyer. We recommend you to the law firm Kolonko & Dammeier from Frankfurt, Germany, with whom we cooperate on legal issues.