LSM Agents


DSGVO compliance for Next.js sites: audit, remediation, AVV — fixed price.

BGH judgment I ZR 186/17 of 27 March 2025: GDPR violations are now UWG-actionable. Competitors can issue Abmahnungen for your DSGVO breach. We audit your site, deliver a written remediation plan, and ship the fixes in 14 days at fixed price.

TL;DR

  • BGH ruling 27 March 2025: DSGVO violations are now UWG-abmahnbar — your competitor can issue a binding cease-and-desist for your privacy breach.
  • Common gaps we find: Google Fonts loaded from CDN, Analytics without consent, missing AVV with hosting provider, embedded YouTube without nocookie variant.
  • Maximum DSGVO fine: €20M or 4% of global turnover (whichever is higher). A UWG-Abmahnung is faster and creates the same business damage.
  • Our delivery: 7-day audit (€2,900) → 14-day fixed-price remediation → AVV pack with hosting + voice + analytics processors.

Who has to comply

DSGVO applies to every entity processing personal data of EU residents — regardless of where the entity is based. If your site has analytics, contact forms, comments, embedded video, third-party fonts, A/B testing, retargeting pixels, or any cookie that survives the session, you are processing personal data and DSGVO applies. Hobby projects with zero commercial intent are technically exempt under Art. 2(2)(c) but the bar is "purely personal" — a portfolio site for a freelancer is commercial.

What we find on real DSGVO audits

These are the ten most common defects on Berlin/DACH sites we audit. Each one is independently actionable by a competitor under UWG after BGH 03/2025.

  • Google Fonts loaded from fonts.googleapis.com instead of locally hosted
  • Google Analytics 4 firing without prior consent
  • Embedded YouTube using the standard youtube.com domain instead of youtube-nocookie.com
  • Hosting provider with no signed AVV / Auftragsverarbeitungsvereinbarung
  • Plausible / Fathom / GA loaded before the consent banner
  • Cookie banner with "Reject" hidden behind a layer of clicks (after VG Hannover + SHEIN €150M)
  • Privacy policy missing required Art. 13/14 disclosures (recipients, retention, data sources)
  • Contact form storing submissions without TTL or deletion policy
  • No DPIA for AI / voice / chatbot processing
  • Third-country transfers (US-based services) without SCC + supplementary measures

What enforcement actually looks like

Three risk vectors after BGH 03/2025. First: your data-protection authority (BfDI federally, LfDI per Land) can issue fines up to €20M or 4% of global turnover. Second: data subjects can claim damages individually under Art. 82 — typical award €100–€3,000 per case but class-style aggregation is increasing. Third — and the new one — competitors can file UWG-Abmahnungen, costing €1,500–€5,000 in legal fees plus mandatory remediation under threat of injunction. The third is the one that should keep you up at night because it doesn't require a regulator to act.

How we run a DSGVO project

  1. Audit (7 days): automated scanner + manual review of 12+ representative pages, all third-party requests captured at first paint and after consent. Output: written report scored by article + severity.

  2. Remediation plan: fixed-price quote against the report. Critical issues (no-consent third-party calls, missing AVV) prioritized.

  3. Build (10–14 days): code-level fixes — local font hosting, consent gating for analytics, nocookie variants, cookie banner replacement if needed.

  4. AVV pack: signed Auftragsverarbeitungsverträge with each subprocessor (hosting, analytics, email, voice/chat providers). Template and tracker provided.

  5. Privacy policy refresh: Art. 13/14 audit and rewrite. Common-language version + technical version.

  6. Monitoring: optional Operator-tier retainer with monthly third-party-request scan + AVV review on processor changes.
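The audit step above captures every third-party request before and after consent and scores it. The following is an added example of that classification logic, not LSM Agents' own scanner: it takes a constructed network capture (in practice this comes from a headless-browser network log), separates first-party from third-party hosts, and emits one finding per defect from the list above. The site domain, the host table and the severities are assumptions.

```javascript
// Added example (not LSM Agents' scanner): classify captured requests by phase
// (first paint = before consent, after-consent) and emit DSGVO findings.
// FIRST_PARTY, KNOWN_HOSTS and the severities are assumptions for illustration.

const FIRST_PARTY = "example-shop.de"; // constructed domain of the audited site

// Known processor hosts and the kind of processing they imply (assumed table).
const KNOWN_HOSTS = {
  "fonts.googleapis.com": "font-cdn",
  "fonts.gstatic.com": "font-cdn",
  "www.googletagmanager.com": "analytics",
  "www.google-analytics.com": "analytics",
  "plausible.io": "analytics",
  "www.youtube.com": "video-embed",
  "www.youtube-nocookie.com": "video-embed-nocookie",
};

function isFirstParty(host) {
  return host === FIRST_PARTY || host.endsWith("." + FIRST_PARTY);
}

// One finding per offending request: { url, phase, rule, severity }.
function auditRequests(requests) {
  const findings = [];
  for (const { phase, url } of requests) {
    const host = new URL(url).hostname;
    if (isFirstParty(host)) continue; // own origin is not a processor
    const kind = KNOWN_HOSTS[host] || "unknown-third-party";
    const beforeConsent = phase === "first-paint";

    if (kind === "font-cdn") {
      // Fonts from Google's CDN transmit the visitor's IP to Google whether or
      // not consent was given, so this is a defect in any phase: self-host.
      findings.push({ url, phase, rule: "google-fonts-cdn", severity: "high" });
    } else if (kind === "analytics" && beforeConsent) {
      findings.push({ url, phase, rule: "analytics-before-consent", severity: "critical" });
    } else if (kind === "video-embed") {
      // Standard youtube.com embed sets cookies on load; nocookie variant does not.
      findings.push({ url, phase, rule: "youtube-standard-domain", severity: "medium" });
    } else if (kind === "unknown-third-party" && beforeConsent) {
      // Anything else contacted before consent needs a lawful basis or an AVV: review manually.
      findings.push({ url, phase, rule: "unclassified-third-party-before-consent", severity: "medium" });
    }
  }
  return findings;
}

// Severity counts for the report header.
function summarize(findings) {
  const counts = { critical: 0, high: 0, medium: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

function formatReport(findings) {
  return findings.map((f) => `[${f.severity}] ${f.rule}  (${f.phase})  ${f.url}`);
}

// Constructed capture of one page load: two phases, mixed first- and third-party.
const CAPTURE = [
  { phase: "first-paint", url: "https://example-shop.de/_next/static/chunks/main.js" },
  { phase: "first-paint", url: "https://fonts.googleapis.com/css2?family=Inter" },
  { phase: "first-paint", url: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX" },
  { phase: "first-paint", url: "https://www.youtube.com/embed/abc123def45" },
  { phase: "first-paint", url: "https://cdn.unknown-widget.example/loader.js" },
  { phase: "after-consent", url: "https://www.google-analytics.com/g/collect?v=2" },
  { phase: "after-consent", url: "https://example-shop.de/api/contact" },
];

console.log(formatReport(auditRequests(CAPTURE)).join("\n"));
console.log(summarize(auditRequests(CAPTURE)));
```

On the constructed capture this yields four findings: the font CDN (high), the gtag.js load before consent (critical), the standard YouTube domain (medium) and the unclassified widget (medium); the GA collect call after consent and the two first-party requests produce nothing. A real run repeats this per representative page and with the banner both rejected and accepted.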

DSGVO — frequently asked questions

My site is small. Does DSGVO really apply?

Yes. DSGVO has no SMB exemption based on size. The exemption is for 'purely personal or household activity' (Art. 2(2)(c)) — any commercial use, no matter how small, triggers full DSGVO scope.

Is loading Google Fonts from the CDN really a problem?

Yes. LG München I 20 January 2022 (3 O 17493/20) ruled it a DSGVO violation and awarded €100 in immaterial damages to a single user. Hundreds of follow-on Abmahnungen were filed in 2022–2024. Always self-host fonts.

Do I need an AVV with my hosting provider?

Yes — every processor (hosting, analytics, email-sending, voice synthesis, payment) must have a signed AVV under Art. 28. Larger providers (Vercel, AWS, Stripe) provide standard versions you can sign electronically. Smaller ones may need our template.

Can I just use a cookie banner and call it done?

No. The cookie banner is one piece. You also need: lawful basis for each cookie, Art. 13 disclosures, processor AVVs, server-side enforcement (don't load the analytics script before consent — banner alone is theatre).
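The defect list above (analytics firing before consent, standard youtube.com embeds) and this answer both come down to the same rule: the server must not emit the processor's script at all until the consent cookie grants the matching purpose. The following is an added example of that gating as plain JavaScript suitable for a Next.js server component; it is not LSM Agents' or Next.js' own code. The cookie name and format, the purpose names and the script registry are assumptions.

```javascript
// Added example (not LSM Agents' or Next.js' code): server-side consent gating
// for third-party scripts plus rewriting YouTube URLs to the nocookie domain.
// CONSENT_COOKIE, its "purpose:flag" format, PURPOSES and SCRIPT_REGISTRY are assumptions.

const CONSENT_COOKIE = "site_consent"; // assumed cookie, value like "analytics:1,marketing:0"
const PURPOSES = ["analytics", "marketing"];

// Third-party scripts and the consent purpose each one requires (assumed registry).
const SCRIPT_REGISTRY = [
  { id: "gtag", src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX", purpose: "analytics" },
  { id: "plausible", src: "https://plausible.io/js/script.js", purpose: "analytics" },
  { id: "retargeting", src: "https://ads.example/pixel.js", purpose: "marketing" },
];

// Default is reject-all: nothing is granted until the user opts in.
function defaultConsent() {
  return Object.fromEntries(PURPOSES.map((p) => [p, false]));
}

// Parse the consent cookie out of a raw Cookie header. Unknown purposes are
// ignored; a missing or malformed cookie yields reject-all, never accept-all.
function parseConsentCookie(cookieHeader) {
  const consent = defaultConsent();
  if (!cookieHeader) return consent;
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    const value = decodeURIComponent(rest.join("="));
    for (const pair of value.split(",")) {
      const [purpose, flag] = pair.split(":");
      if (PURPOSES.includes(purpose)) consent[purpose] = flag === "1";
    }
  }
  return consent;
}

// Script URLs the server may render for this request. Scripts for purposes not
// granted are not emitted at all, so the browser never contacts that processor
// (the banner alone, with the script already loaded, would be theatre).
function scriptsToRender(consent) {
  return SCRIPT_REGISTRY.filter((s) => consent[s.purpose] === true).map((s) => s.src);
}

// Rewrite youtube.com / youtu.be watch and embed URLs to the privacy-enhanced
// embed domain; rejects anything that is not a recognisable 11-character video id.
function toNoCookieEmbed(url) {
  const u = new URL(url);
  let id = null;
  if (u.hostname === "youtu.be") {
    id = u.pathname.slice(1);
  } else if (/(^|\.)youtube(-nocookie)?\.com$/.test(u.hostname)) {
    if (u.pathname === "/watch") id = u.searchParams.get("v");
    else if (u.pathname.startsWith("/embed/")) id = u.pathname.slice("/embed/".length);
  }
  if (!id || !/^[\w-]{11}$/.test(id)) throw new Error(`unsupported YouTube URL: ${url}`);
  return `https://www.youtube-nocookie.com/embed/${id}`;
}

// Constructed request: user granted analytics, refused marketing.
const demoConsent = parseConsentCookie("theme=dark; site_consent=analytics:1,marketing:0");
console.log(scriptsToRender(demoConsent));
console.log(toNoCookieEmbed("https://www.youtube.com/watch?v=dQw4w9WgXcQ"));
```

In a Next.js App Router layout this would be wired by reading the Cookie header server-side (for example via `headers()` from `next/headers`) and rendering one `<Script>` per URL that `scriptsToRender` returns; an embed component would pass its source through `toNoCookieEmbed` before rendering the iframe. Fonts are handled separately by self-hosting them (Next.js' `next/font` does this) rather than by gating, since the CDN request is a defect even with consent.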

How long does remediation usually take?

7-day audit + 10–14 days remediation = ~3 weeks end-to-end. Larger sites with custom CMSes or many third-party integrations can run 4–6 weeks.

How much does it cost?

Audit only: €2,900 fixed. Audit + remediation: €4,900–€14,000 depending on issues found. Configure exact pricing in the calculator.