Practitioner websites regularly process health data — which under Article 9 GDPR count as a special category of personal data. This means higher duties of care than for ordinary websites. This 20-point checklist across 6 areas honestly shows you where your website stands — and where the risk of legal warnings lurks.
1 · Legal notice & mandatory details
These four points must be right
✓ Legal notice contains full name, address, phone and email
✓ Professional title and licensing authority stated under the HPG (German Alternative Practitioners Act) (e.g. public health office [city], issued on [date])
✓ VAT ID or note on small-business exemption present
✓ Legal notice reachable from every page in at most 2 clicks
2 · Privacy policy
Mandatory — and especially so for practitioners
✓ Privacy policy is present and linked from every page
✓ Article 9 GDPR is explicitly mentioned (health data as a special category)
✓ All tools in use are listed (fonts, analytics, contact form, appointment booking …)
✓ Data subjects' rights explained (access, erasure, objection, data portability)
3 · Google Fonts & external resources
The most common technical reason for a legal warning
✓ Google Fonts hosted locally — not via the Google CDN (a CDN call transmits IP addresses to the USA)
✓ No YouTube embeds without a consent banner
✓ No Google Maps embedding without consent
✓ Social media buttons only as plain links — not as plugins that send data on load
4 · Cookies & tracking
Less is safer
✓ Only technically necessary cookies (these are allowed without a banner)
✓ Google Analytics / Meta Pixel only with active consent — no automatic loading without consent
✓ Cookie banner (if present): "Reject" as prominent as "Accept"
5 · Contact form & communication
This is where sensitive data flows
✓ Website runs entirely over HTTPS (valid SSL certificate)
✓ Contact form includes a note on data processing
✓ No pre-ticked consent checkboxes
6 · Hosting & contracts
Often forgotten, quickly done
✓ Data processing agreement (DPA) concluded with the hosting provider
✓ Hosting provider is based in the EU — or has a valid DPF certification (for US providers)
Evaluation: how many boxes did you tick?
Count all the ticked points together — 20 are possible at most.
18 – 20 points — legally sound
Your website meets the core obligations. Well done — keep it up to date whenever you make changes.
12 – 17 points — a solid base with gaps
A good foundation, but a few open points with a risk of legal warnings. Acting now pays off.
0 – 11 points — urgent action needed
There are concrete gaps here. Better to close them now than after a legal warning — many points can be fixed quickly.
What you can do right now
The four most common gaps — and how to close them
Host Google Fonts yourself: Download the fonts and embed them locally instead of loading them via the CDN. No more calls to Google when the page loads.
Conclude a DPA with your host: Most providers (Hetzner, IONOS, Strato) offer a DPA template — usually a simple form in your account.
Check your privacy policy: Search for "Article 9 GDPR" in your current policy. If you find nothing, the crucial passage on health data is missing.
Complete your legal notice: The licensing authority (public health office + date) is mandatory for practitioners — and is often forgotten.
More background — and the checklist as a PDF
Why Article 9 GDPR is so delicate for practitioners, and why standard privacy texts are not enough, is explained in the in-depth article GDPR for Practitioners: What Article 9 Means. This checklist is also available as a printable, tickable PDF.
Important note
This checklist covers the most common obligations but does not replace legal advice in individual cases. GDPR, HWG and hosting are included as standard in every website I build, at no extra charge.
GDPR-compliant from the start — not as an afterthought.
In a free initial consultation we look together at whether and how I can help you. No pressure, no obligation.
Book a free initial consultation