Virginia Romo Illustration



GDPR / DSGVO. Step by step in my jungle.


Dear fellow illustrators, I am spending these bank holidays making sure that my business complies with the GDPR, which comes into effect on May 25th. And it is turning out to be such a jungle of data, pages, tips, links, tables, etc. that I've decided to write this post about it, outside of this blog's usual subject. Just in case the little path I've opened in this jungle with my pocket machete could help some fellow illustrator.

By the way, Illustrators in Germany: at the IO Forum there is a thread on this subject right now. Those of you who are not members do not have access to the forum but you must become a member. I'm serious. Not just for this reason. If you're not a member yet: become one.

Also: I found very valuable information from my colleague Meike Teichmann on her Facebook group "Coaching für Illustratoren". I recommend it to you.

As you can imagine, the text in this blog post has no legal validity and I assume no responsibility for the accuracy or correctness of the information provided below. It is simply the map of my particular path. Which is very particular: I live in Germany but my website is in English and most of the services I use to make my business work are American or Australian, so its documentation is in English. I mention this because you will see that in the data I am going to use there are links in German and English. But I guess there are more people in a similar case and I hope it helps someone. If you need assistance with this text or with the references I'm going to make, I recommend the DeepL translator.

Here we go.

(I wanted to write a short post, like: Helpful links and that's it. But this GDPR is a long story, folks. So I'm going to write an avalanche of information and I'm going to put all the links at the bottom, aside, for those of you who don't have time to read all this text because you have to go fill out your TOMS.)

If you, dear illustrator, are wondering whether you are affected by the GDPR, the answer is yes. The GDPR affects any business that handles personal data, and we all do: when we type the data from a business card into our e-mail program, when that program automatically saves the addresses we write to on our computer, when we keep lists of former or potential customers to contact... We are all affected.

By the time you read this you have already read a thousand times what the GDPR consists of and which points are important. If not: this in English, this in German (and this in Spanish, for my compatriots). It is funny to see how different those official websites look in each country, by the way. Here I am only going to describe the actions I have taken, particularly in these respects:


  • https://
  • Legal notice
  • Privacy Policy
  • Cookie opt-out
  • Anonymised IP addresses for Google Analytics
  • Contact form
  • Newsletter


  • Verzeichnis von Verarbeitungstaetigkeiten Verantwortlicher
  • TOM
  • DPA
  • Newsletter

I would recommend you to start by making a list of all the things you're going to read applied to your personal case: what data you handle, what you do with it, what services you use... Write down as you read, what actions you have to take personally. If you find all this hair-raising, here is a link that has helped me sift through what needs to be done and what doesn't (in German). Oh, and start now if you have not yet. This is going to take you days.



If you have a website you need to make sure that its address starts with "https" and not "http". If you use Squarespace, this is done by going to Settings > Security & SSL, choosing the secure (HTTPS) option and also ticking "HSTS Secure", which tells browsers to always load your site over HTTPS and never fall back to plain http. Don't be confused by the name: "SSL" is just the traditional label for the certificate; the connection itself is negotiated with TLS, the current protocol, so nothing is missing there.

If you, like me, use Squarespace to build your website but get your domain from another provider, then you need to check the SSL option there too. Right now I am waiting for my changes to take effect and my website still shows a warning up there, left of the web address. If yours does that too although you have done everything right and you are wondering what is missing, an online SSL checker can help you diagnose it.
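A check I would add at this point (my own example, not code from the post): once the certificate is in place, a very common reason the browser still refuses to show the padlock is mixed content, that is, images, stylesheets, scripts or frames that the page still embeds with plain http:// URLs. The scanner below takes a page's HTML as a string and lists those references, and a second function rewrites them to https://. Plain links (<a href="http://...">) are left alone because they do not trigger the warning. The sample HTML is constructed for the example.

```javascript
// Added example: find and fix mixed content in a page's HTML.
// Not part of the original post; the sample HTML below is constructed.

// Attributes that make the browser load a sub-resource. srcset can hold
// several comma-separated candidates ("url1 1x, url2 2x").
const RESOURCE_ATTRS = ['src', 'href', 'srcset', 'data', 'poster', 'action'];

// Tags whose href is a navigation link, not a loaded resource. A plain
// <a href="http://..."> does not cause a mixed-content warning.
const LINK_ONLY_TAGS = new Set(['a', 'area']);

const TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
const ATTR_RE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

/**
 * Return every http:// URL the HTML would load as a sub-resource.
 * Each hit is { tag, attr, url }. https:// and protocol-relative ("//host/...")
 * URLs are fine and are not reported.
 */
function findMixedContent(html) {
  const hits = [];
  let tagMatch;
  TAG_RE.lastIndex = 0;
  while ((tagMatch = TAG_RE.exec(html)) !== null) {
    const tag = tagMatch[1].toLowerCase();
    if (LINK_ONLY_TAGS.has(tag)) continue;
    const attrs = tagMatch[2];
    const attrRe = new RegExp(ATTR_RE.source, 'g');
    let attrMatch;
    while ((attrMatch = attrRe.exec(attrs)) !== null) {
      const attr = attrMatch[1].toLowerCase();
      if (!RESOURCE_ATTRS.includes(attr)) continue;
      const value = attrMatch[2] || attrMatch[3] || attrMatch[4] || '';
      // For srcset, take the URL part of each candidate.
      const candidates = attr === 'srcset'
        ? value.split(',').map(c => c.trim().split(/\s+/)[0])
        : [value];
      for (const url of candidates) {
        if (/^http:\/\//i.test(url.trim())) {
          hits.push({ tag, attr, url: url.trim() });
        }
      }
    }
  }
  return hits;
}

/** Rewrite http:// sub-resource URLs to https://, leaving <a>/<area> links untouched. */
function upgradeMixedContent(html) {
  return html.replace(TAG_RE, (whole, tag, attrs) => {
    if (LINK_ONLY_TAGS.has(tag.toLowerCase())) return whole;
    const fixed = attrs.replace(
      /([\w-]+)(\s*=\s*)("[^"]*"|'[^']*')/g,
      (m, name, eq, quoted) => RESOURCE_ATTRS.includes(name.toLowerCase())
        ? name + eq + quoted.replace(/\bhttp:\/\//gi, 'https://')
        : m
    );
    return '<' + tag + fixed + '>';
  });
}

// Constructed sample page: two bad sub-resources plus a bad srcset candidate,
// one harmless http link, one protocol-relative image, one https script.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://fonts.example.com/style.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://static.example.com/hero.jpg"
     srcset="http://static.example.com/hero@2x.jpg 2x, https://static.example.com/hero@3x.jpg 3x">
<a href="http://partner.example.com/">partner</a>
<img src="//static.example.com/logo.png">
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findMixedContent(SAMPLE_HTML));           // three hits
  console.log(findMixedContent(upgradeMixedContent(SAMPLE_HTML))); // []
}
```

Run it against your own page source (e.g. saved with "view source"); whatever it lists is what the browser is complaining about. Squarespace-hosted images are already served over https, so the usual culprits are images and embeds pasted in by URL.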



Your website needs a visible link on every page that leads directly to the legal notice and another that leads directly to your privacy policy. You can google exactly what each of these two pages has to include. If that gives you a headache, you can commission a lawyer specialised in data protection to write the texts for your pages. The privacy policy in particular is different for everyone, depending on the services you use and the personal data you handle (shop? Google Analytics? newsletter?...). That is why there is no site where you can download a generic privacy policy text. But finding such a lawyer in Europe on 10 May 2018 will be quite difficult. They're all working night shifts. Two links that can help you generate a temporary privacy policy text are e-recht24 (in German) and TermsFeed (in English).



I get a little bit confused here: cookies from Google, other cookies... Cookies other than the chocolate kind are not my thing. Anyway, a special part of the data privacy issue is cookies. You need to inform visitors to your site that you use them and offer them the option to opt out of cookies for their visit. Then: remember to update the pop-up that warns about cookies by offering the opt-out there as well. In Squarespace: Settings > Advanced > EU Cookie Banner.



For those of you who, like me, use Squarespace and Google Analytics: until now I just had my Google Analytics account number in Settings > Advanced > External Services. But this offers the visitor no choice about cookies and captures the visitor's whole IP address. It seems that you can control the cookie topic from Google itself (not the anonymisation though) using Google Tag Manager, but then you have to inject certain lines of code into the header and body of your page. Squarespace (if you don't use developer mode) only allows you to inject code into the header, as far as I found out. So Google Tag Manager doesn't solve my problem either. My solution has been to connect my page to Google Analytics by injecting the code you will find in your Google Analytics site (Admin > Property > Tracking Info > Tracking Code) but with a couple of lines more to offer the opt-out cookie and anonymise the IP address. In Squarespace the code is injected by going to Settings > Advanced > Code Injection. This has been my solution. I don't put my hand in the fire (or near a lighter) that this is the best method.
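Here is what those "couple of lines more" can look like, as an added example and not the post's own injected code. It assumes the gtag.js variant of the Google Analytics snippet for a Universal Analytics property (the ID UA-00000000-0 is a placeholder to replace with your own), sets anonymize_ip so Google truncates the address before storing it, and implements the opt-out with the documented window['ga-disable-<property ID>'] flag, backed by a cookie so it survives across visits. The flag has to be set before gtag('config', ...) runs. Under Node only the pure functions run; in a browser the bootstrap at the bottom wires them to window and document, and the cookie banner's "opt out" link calls gaOptOut().

```javascript
// Added example: Google Analytics (gtag.js) with IP anonymisation and a
// cookie-backed opt-out. Not the post's own code; property ID is a placeholder.

const GA_PROPERTY_ID = 'UA-00000000-0'; // placeholder: put your own property ID here
const DISABLE_KEY = 'ga-disable-' + GA_PROPERTY_ID; // flag name Google's script checks

/** Parse a document.cookie string ("a=1; b=2") into a name -> value object. */
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

/** True if this visitor has previously opted out (cookie written by gaOptOut). */
function hasOptedOut(cookieString) {
  return parseCookies(cookieString)[DISABLE_KEY] === 'true';
}

/**
 * Apply a remembered opt-out to a window-like object. With the flag set,
 * gtag.js/analytics.js sends no hits at all, so nothing about this visitor
 * reaches Google. Returns whether the flag was set.
 */
function applyOptOut(win, cookieString) {
  if (hasOptedOut(cookieString)) {
    win[DISABLE_KEY] = true;
    return true;
  }
  return false;
}

/** The document.cookie assignment string that records the opt-out long-term. */
function optOutCookieString() {
  return DISABLE_KEY + '=true; expires=Thu, 31 Dec 2099 23:59:59 UTC; path=/; SameSite=Lax';
}

/**
 * Options for gtag('config', id, options). anonymize_ip makes Google drop the
 * last octet of IPv4 addresses (last 80 bits of IPv6) before storage.
 */
function gtagConfig() {
  return { anonymize_ip: true };
}

// Browser bootstrap (no-op under Node). This is the part that goes into
// Settings > Advanced > Code Injection, after the <script async src=".../gtag/js?id=..."> tag.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyOptOut(window, document.cookie); // must happen before the config call
  window.dataLayer = window.dataLayer || [];
  const gtag = function () { window.dataLayer.push(arguments); };
  gtag('js', new Date());
  gtag('config', GA_PROPERTY_ID, gtagConfig());

  // Called from the cookie banner's "opt out" link: stops tracking now and on future visits.
  window.gaOptOut = function () {
    document.cookie = optOutCookieString();
    window[DISABLE_KEY] = true;
  };
}
```

Note that this is an opt-out, which is what the post describes; if you later decide on an opt-in banner instead, the same flag logic applies, but you would also not load the gtag.js script tag until the visitor has consented.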




According to the GDPR you are allowed to keep personal data only as long as you need it for the purpose for which the data subject gave it to you. If someone gives you her data through the contact form on your website, you are only allowed to use it to reply to that first message. Afterwards you should delete it. If you don't want to (or are afraid, like me, that Outlook keeps it without me doing anything), then you need to provide a checkbox next to the form where the visitor leaving her data confirms that she agrees to you using it in the future, after a first answer. On your contact form page you should also have a link to your privacy policy page.

You would need such a checkbox too for the comment function in the blog, but: how?



Make sure that participants accept the subscription by using the "double opt-in" method where they have to confirm their e-mail address.

Besides, from May 25th onward you can't exchange freebies for subscriptions (now that I had just started doing it, mea culpa: something else I have to deal with). Or at least it can't be done as simply as it is now. More information on this topic is welcome in the comments.

Campaign Monitor, my newsletter provider, has organised a webinar for May 16th. I will join it and hopefully learn there all I need. That is why for the moment, I have other priorities. If you send your mails with Campaign Monitor too and have not heard about this webinar, look in your spam mailbox, you will probably find their invitation there.




Okay, web: ready. Now comes the documentation to be generated and kept in your possession in case the authorities ask for it (or a person whose data you handle? I'm not sure whether you need to show this to anyone who asks; if anyone knows this for sure, please leave a comment).

For those of you in a hurry: here is a link to how to fill out such a record, in German: "Verzeichnis der Verarbeitungstaetigkeiten ausfüllen". And here comes another.

The idea (explained here) is that for each process in which personal data is handled there should be a document describing this process from the party responsible for the data ("data controller") and another from the party commissioned to process it ("data processor"). For example: I am responsible for the data of the dear people who subscribe to my newsletter and I have to describe the process I follow with this data. I do this in a "record of processing activities: controller" (here a blank template: Verzeichnis von Verarbeitungstaetigkeiten Verantwortlicher). But if I am a virtual assistant commissioned by a client to process personal data in order to, for example, write invitations, then I have to generate a "record of processing activities: processor" (here a template: Verzeichnis von Verarbeitungstaetigkeiten Auftragsverarbeiter). At least that is the way I understand it, but I have read some information that leads me to think we (illustrators) might need to fill out this kind of processor record when we commission someone else to process data for us (again: newsletter), but I don't see the logic in that approach and I see the process (i.e. the newsletter) covered in the first kind of record. But again: I have read confusing information about this; if you know better and have trustworthy sources, please leave a comment below.

Anyway, you need to write those records FOR EACH PROCESS. Think: business cards, automatically saved email addresses, searches you do on XING or LinkedIn whose results you write down... In the case of illustrators, we usually only need to fill out the document for data controllers (Verantwortlicher). I write "only" and I laugh my head off. Because it is a lot of records we have to define and each record needs further documentation. Keep reading.

One of the big themes of the GDPR is the user's right to be forgotten. That is why, in the record, you must write when you delete the data. I find it difficult to come up with a system for deleting obsolete data. How do I delete obsolete addresses from my Outlook? I cannot see at a glance when I last used an address. And the time limits are different for, say, a normal mail and one containing contractual or invoicing data. Well, I guess we will all find a way. One day.



In any case, in addition to the record, you need a TOM (technical and organisational measures; in German "technische und organisatorische Maßnahmen") for every process. That means: what measures do I take to ensure that the process I have described in the record handles personal data in accordance with the law and safeguards the rights of the people the data belongs to? On this page you can read (in German) what a TOM includes, and after that description there is a Word template; look for it. No need to fill in every box, of course. Only the measures we actually take.



In addition, sometimes part of the data process involves handing the data to persons or companies outside our business (e.g. the newsletter provider). If that is the case, at the end of the record a reference must be made to the document that guarantees that these third parties comply with the GDPR. That document is called a DPA: Data Processing Agreement. And here we come to another particularly dense part of the jungle.

It took me a long time to figure out what to do with those DPAs. First, where do you get them from, and then where do you go with them? Well, each company does or does not make its DPA available to customers in a different place on its site. A great help in finding the ones you need was this page at BloMojo (in German). It seems that you don't need to print them, sign them, save them on paper... There's a Google DPA in German out there that you have to print, sign and send to Google in Ireland, but the document is from 2012. And as I read in this Dr. Schwenke link, starting May 25th, DPAs accepted by mouse click are valid, even in Germany. Actually, in the box in the record where you are asked about the DPA you can write a link, as seen in this example. I save them as PDF if possible, just in case.

However, each company does it its own way. Some are like Trello, where you have to ask their support to send you a DPA and they do it in a matter of hours: as a PDF that you can sign electronically; they receive it and send it back to you signed by both parties as a PDF. In hours! But most of them just have a button somewhere that says "download DPA", and that is the link you write in your record. Others, such as Google Drive, do not offer DPAs. The only option is to dispense with their services.

Squarespace has its DPA here.


Well, this is it (for now). I wouldn't be surprised if I had to edit this post in the next few days or hours as I find out more and more. I hope it has helped some of you to take a couple of steps forward. If that is the case and you don't know what to do with your gratitude, please consider donating to the association Friends of Amani Germany, of which I am a member and founder (and whose website and TOMS and DPAs and all the rest I also have to take care of).

So I'm going to get on with my GDPR update, which has only just begun. Good luck, my friend, it's almost over!


List of links for people in a hurry:

The text in this blog post has no legal validity and I assume no responsibility for the accuracy or correctness of the information provided above.