GDPR · Checklist · Data protection

Is your practitioner website
GDPR-safe?
20 points to tick off.

sandhan-design.com

Practitioner websites regularly process health data — which under Article 9 GDPR count as a special category of personal data. This means higher duties of care than for ordinary websites. This 20-point checklist across 6 areas honestly shows you where your website stands — and where the risk of legal warnings lurks.

1 · Legal notice & mandatory details

These four points must be right

✓ Legal notice contains full name, address, phone and email

✓ Professional title and licensing authority stated under the HPG (German Alternative Practitioners Act) (e.g. public health office [city], issued on [date])

✓ VAT ID or note on small-business exemption present

✓ Legal notice reachable from every page in at most 2 clicks

2 · Privacy policy

Mandatory — and especially so for practitioners

✓ Privacy policy is present and linked from every page

Article 9 GDPR is explicitly mentioned (health data as a special category)

✓ All tools in use are listed (fonts, analytics, contact form, appointment booking …)

✓ Data subjects' rights explained (access, erasure, objection, data portability)

3 · Google Fonts & external resources

The most common technical reason for a legal warning

✓ Google Fonts hosted locally — not via the Google CDN (a CDN call transmits IP addresses to the USA)

✓ No YouTube embeds without a consent banner

✓ No Google Maps embedding without consent

✓ Social media buttons only as plain links — not as plugins that send data on load

4 · Cookies & tracking

Less is safer

✓ Only technically necessary cookies (these are allowed without a banner)

✓ Google Analytics / Meta Pixel only with active consent — no automatic loading without consent

✓ Cookie banner (if present): "Reject" as prominent as "Accept"

5 · Contact form & communication

This is where sensitive data flows

✓ Website runs entirely over HTTPS (valid SSL certificate)

✓ Contact form includes a note on data processing

✓ No pre-ticked consent checkboxes

6 · Hosting & contracts

Often forgotten, quickly done

✓ Data processing agreement (DPA) concluded with the hosting provider

✓ Hosting provider is based in the EU — or has a valid DPF certification (for US providers)

Evaluation: how many boxes did you tick?

Count all the ticked points together — 20 are possible at most.

18 – 20 points — legally sound

Your website meets the core obligations. Well done — keep it up to date whenever you make changes.

12 – 17 points — a solid base with gaps

A good foundation, but a few open points with a risk of legal warnings. Acting now pays off.

0 – 11 points — urgent action needed

There are concrete gaps here. Better to close them now than after a legal warning — many points can be fixed quickly.

What you can do right now

The four most common gaps — and how to close them

Host Google Fonts yourself: Download the fonts and embed them locally instead of loading them via the CDN. No more calls to Google when the page loads.

Conclude a DPA with your host: Most providers (Hetzner, IONOS, Strato) offer a DPA template — usually a simple form in your account.

Check your privacy policy: Search for "Article 9 GDPR" in your current policy. If you find nothing, the crucial passage on health data is missing.

Complete your legal notice: The licensing authority (public health office + date) is mandatory for practitioners — and is often forgotten.

More background — and the checklist as a PDF

Why Article 9 GDPR is so delicate for practitioners, and why standard privacy texts are not enough, is explained in the in-depth article GDPR for Practitioners: What Article 9 Means. This checklist is also available as a printable, tickable PDF.

Important note

This checklist covers the most common obligations but does not replace legal advice in individual cases. GDPR, HWG and hosting are included as standard in every website I build, at no extra charge.

Sandhan Jürgen Westphal
Sandhan Jürgen Westphal

Web designer for holistic practitioners, coaches and therapists across the German-speaking region (DACH). All websites are built with complete GDPR documentation — including the Article 9 GDPR module, EU hosting and a legally compliant contact form. As standard, at no extra charge.

GDPR-compliant from the start — not as an afterthought.

In a free initial consultation we look together at whether and how I can help you. No pressure, no obligation.

Book a free initial consultation