An overview of the elements and functions contained in the Mercury Template that are relevant to data protection.
A distinction has to be made between web users and OpenCms editors.
All OpenCms editors with a login for the system are to be considered “known.” When setting up their login, these users should sign a legally binding declaration of consent for the processing of their data. This may already be in place for employees, but a corresponding document should be provided for volunteers.
The following considerations regarding data protection apply ONLY to web users. These are to be regarded as anonymous visitors to the website. In terms of data protection, it may be particularly relevant to what extent this anonymity is “undermined” by technical measures in the background.
The cookie banner sets cookies in the “Necessary” group or in all groups.
The cookie banner does NOT use JavaScript from external servers.
If configured for a website, the cookie banner is automatically integrated into all pages and is executed when each page is loaded.
The cookie banner is displayed until the web user has selected an option. As long as nothing has been selected, no cookie is set and cookies are automatically considered rejected.
When the web user clicks on one of the buttons displayed, a cookie called privacy-options is stored. This cookie stores the options selected by the user.
The cookie banner is displayed until the privacy-options cookie has been set.
If the privacy-options cookie is NOT set, cookies are considered rejected.
This function sets cookies in the “Necessary” group or in all groups.
This function does NOT use JavaScript from external servers.
This function changes the value of the privacy-options cookie. This allows the decisions originally made in the cookie banner to be changed retrospectively.
If the privacy-options cookie is NOT set, cookies are considered to be rejected.
The following groups of cookies can be controlled via the cookie banner and the privacy policy cookie switch function:
These cookies are essential for the operation of the site and store, for example, the selection of which cookies may be used.
Content from video platforms, social media platforms, or map providers is blocked by default. If cookies from external media are accepted, access to this content no longer requires manual consent.
In order to further improve our offering and our website, we collect anonymized data for statistics and analysis. With the help of these cookies, we can, for example, determine the number of visitors and the effect of certain pages of our website and optimize our content.
Note: This group is only displayed if an analytics service is actually configured for the pages.
The Matomo analytics service is able to track visits to the website without cookies simply by executing JavaScript. This option must be activated separately; for details, see the description of Matomo integration.
If Matomo tracking via JavaScript is active, this is displayed in the “Privacy Cookie Switch” function. The user then has the option to actively object to tracking via JavaScript (“opt-out”). To do this, the user must click a checkbox. In this case, a cookie is stored indicating that the user does not want to be tracked with JavaScript.
The opt-out option described here is only displayed if tracking via JavaScript is configured and the user has rejected statistics cookies.
Matomo also offers the option of evaluating the browser's “Do Not Track” header and refraining from tracking page views in this case. This must be set on the Matomo server. If this is set, the matomo.jst property in OpenCms must be set to the value true: dnt. In the “Privacy Cookie Switch” function, a message is then shown to the user that their page views are not being tracked.
The following content elements of the Mercury template may be legally relevant from a data protection perspective:
This element sets cookies in the “External Content” group.
This element uses JavaScript from external servers.
The execution of the Google Map is controlled by the cookie banner. The maps are therefore NOT displayed if the web user has not consented to external cookies.
Cookies are set when loading the maps via Google. It can be assumed that these include tracking functions for the web user.
External JavaScript files are loaded from Google's servers for this element. These are executed in the context of the page. This theoretically enables extensive tracking of the web user's activities on the displayed page. The extent to which the external JavaScript is actually used for tracking is not known.
This element sets cookies in the “External Content” group.
This function does NOT use JavaScript from external servers.
The execution of OpenStreetMap maps is controlled by the cookie banner. The maps are therefore NOT displayed if the web user has not consented to external cookies.
The OpenStreetMap maps are delivered via the service provider maptiler https://www.maptiler.com/. According to the provider maptiler (see below), no user tracking is carried out with the data.
When loading the OSM maps, several cookies (exactly 3 as of February 2020) are set.
The complete JavaScript app for displaying the data is based on open source components and is integrated into OpenCms. Only the map material is loaded from the maptiler servers.
According to maptiler, no user data is stored long-term.
https://www.maptiler.com/privacy-policy/index.html
Quote from the above mentioned website:
We don’t track the end-users to sell them targeted advertisements or, even worse, to sell such data to third parties. IP addresses of the MapTiler Cloud visitors are stored in memory only for a limited time needed for security checks; a maximum is 20 minutes, and then automatically destroyed.
Maps can be displayed in the POI element. The type of map used (Google or OSM) depends on the settings configured for the maps. If OSM is configured, OSM is used. If Google is configured, Google is used unless OSM is also configured.
The maps in the POI behave identically to the respective specific location map element in terms of data protection law.
This element sets cookies in the “External Content” group.
This element uses JavaScript from external servers.
The execution of YouTube media is controlled by the cookie banner. The videos will therefore NOT be displayed if the web user has not consented to external cookies.
Cookies are set when loading media via YouTube. These may include tracking functions for the web user. YouTube is part of the Google group.
External JavaScript files are loaded from YouTube/Google servers for this element. These are executed in the context of the page. This theoretically enables extensive tracking of the web user's activities on the displayed page. The extent to which the external JavaScript is actually used for tracking is not known.
When a page with media content from YouTube is initially loaded, no code from YouTube is executed. Instead, a preview image is displayed. Exception: In the detail view, an “Autoplay” option can be activated.
The preview image can be your own image or automatically loaded from the YouTube server.
If the image is loaded from the YouTube server, this could be relevant for the web user's data protection. To load the image, a connection to the YouTube server is established, which could theoretically be used to track the web user's activities on the displayed page. The extent to which this connection is actually used for tracking is unknown.
If your own preview image is used, no data is transferred to Google when the page is loaded.
Only when the web user clicks on the preview is the external media content activated.
When embedding YouTube media, the embed code with YouTube's extended data protection mode is used, see https://support.google.com/youtube/answer/171780?hl=en.
Quote from the above mentioned website:
The Privacy Enhanced Mode of the YouTube embedded player prevents the use of views of embedded YouTube content from influencing the viewer’s browsing experience on YouTube. This means that the view of a video shown in the Privacy Enhanced Mode of the embedded player will not be used to personalize the YouTube browsing experience, either within your Privacy Enhanced Mode embedded player or in the viewer’s subsequent YouTube viewing experience.
If ads are served on a video shown in the Privacy Enhanced Mode of the embedded player, those ads will likewise be non-personalized. In addition, the view of a video shown in the Privacy Enhanced Mode of the embedded player will not be used to personalize advertising shown to the viewer outside of your site or app.
This element probably sets cookies in the “External Content” group.
This element probably uses JavaScript from external servers.
The execution of the media is controlled by the cookie banner. The media will therefore NOT be displayed if the web user has not consented to external cookies.
Cookies may be set when loading media via flexible content with embed code. These may include tracking functions for the web user. Whether cookies are actually set depends on the embed code used.
External JavaScript files from third-party servers may be loaded for this element. These are executed in the context of the page. This theoretically enables extensive tracking of the web user's activities on the displayed page. Whether JavaScript is actually loaded and whether it is used for tracking depends on the embed code used.
When a page with media content is initially loaded, the embed code is usually not yet executed. Instead, a preview image is displayed. Exception: In the detail view, an “Autoplay” option can be activated.
Therefore, no data is transferred to external servers when the page is loaded. Only when the web user clicks on the preview the external media content is activated.
This element sets cookies in the “External content” group.
This element uses JavaScript from external servers.
The execution of Google Calendar is controlled by the cookie banner. Google Calendar will therefore NOT be displayed if the web user has not consented to external cookies.
Cookies are set when the Google Calendar is loaded. It can be assumed that these include tracking functions for the web user.
External JavaScript files are loaded from Google's servers for this element. These are executed in the context of the page. In theory, this enables extensive tracking of the web user's activities on the displayed page. The extent to which the external JavaScript is actually used for tracking is not known.
When a page with a Google Calendar is initially loaded, a preview image or text preview can optionally be displayed first. When the page is loaded, no data is initially transferred to Google's servers. Only when the web user clicks on the preview is the external code activated in this case.
This element may set cookies in the “External Content” group.
This element may use JavaScript from external servers.
The execution of flexible content is OPTIONALLY controlled by the cookie banner. If the option External cookies required is selected in the flexible content, it will NOT be displayed if the web user has not consented to external cookies.
Cookies may be set when loading a page with flexible content with embed code. These may include tracking functions for the web user. Whether cookies are actually set depends on the embed code used.
External JavaScript files from third-party servers may be loaded for this element. These are executed in the context of the page. This theoretically enables extensive tracking of the web user's activities on the displayed page. Whether JavaScript is actually loaded and whether it is used for tracking depends on the embed code used.
When initially loading a page with flexible content, a preview image or text preview can optionally be displayed first. When the page is loaded, no data is transferred to external servers. In this case, only when the web user clicks on the preview is the external code activated.
This element probably sets cookies (when clicked).
This element probably uses JavaScript from external servers (when clicked).
The execution of social media functions is NOT controlled by the cookie banner.
For this element, external JavaScript files are loaded from third-party servers when the web user clicks on a social media icon. These are executed in the context of the page. In theory, this enables extensive tracking of the web user's activities on the displayed page. If JavaScript is actually loaded and whether it is used for tracking depends on the social media provider used.
When a page with Shariff social media content is initially loaded, no external code is executed. In this case, only when the web user clicks on a social media icon external code is activated.
Depending on the configuration, this element uses cookies in the “Necessary” group.
This element does NOT use JavaScript from external servers.
The execution of the form is NOT controlled by the cookie banner.
The form uses cookies if it contains an input field of the type “file upload.” If this is the case, a technically necessary session cookie is set to temporarily store the user's upload. If the form does not contain an input field of the type “file upload,” no cookie is set by the form. The form does not execute any JavaScript that is relevant to data protection.
Relevant to data protection in connection with the form is what information is requested by the form and thus transmitted. This is decided by the OpenCms editor who configures the form. However, in gerneral personal data such as name, address, or telephone numbers are requested by the form.
The form element offers various options in its configuration for how the information collected is to be handled:
If an external captcha is used with the form, please note the privacy policy of the external captcha provider used.
This plugin does not set any cookies.
This plugin does not use JavaScript from external servers.
The execution of this plugin is NOT controlled by the cookie banner.
This plugin uses JavaScript, but it is loaded directly from your server. This JavaScript then contacts the servers of the Friendly Captcha provider to validate the captcha. In theory, this enables extensive tracking of the web user's activities on the displayed page. The extent to which tracking actually takes place is not known.
According to its own statement, Friendly Captcha does not store any personal user data, see:
https://friendlycaptcha.com/privacy/gdpr/
Quote from the above mentioned website:
Friendly Captcha runs without HTTP cookies, tracking or user interaction, making it the ideal choice for enterprises seeking secure, user-friendly bot protection, and GDPR compliance.
This plugin sets cookies in the “External Content” group.
This plugin uses JavaScript from external servers.
The execution of Google reCAPTCHA is controlled by the cookie banner. The captcha is therefore NOT displayed if the web user has not consented to external cookies. This means that in this case, a form secured with a captcha cannot be submitted by the web user.
Cookies are set when the captcha is loaded via Google. It can be assumed that these include tracking functions for the web user.
External JavaScript files are loaded from Google's servers for this plugin. These are executed in the context of the page. This theoretically enables extensive tracking of the web user's activities on the displayed page. The extent to which the external JavaScript is actually used for tracking is not known.
A link to the privacy policy page can be automatically inserted into forms. This allows the administration to enforce that all forms always contain a link to the privacy policy page.
Detailed information on configuration can be found on the Privacy policy link in forms page.
This element does not set any cookies.
This element does not use JavaScript from external servers.
The execution of the optional booking function for the event is NOT controlled by the cookie banner.
The event booking function does not use cookies and does not execute JavaScript that is relevant to data protection.
The optional booking function for an event links it to an online booking form. The linked form must be configured separately. In principle, the data protection information provided for the form therefore also applies to events that use online booking.
Relevant for data protection in connection with the booking function for events is which information is requested by the form and thus transmitted. This is decided by the OpenCms editor who configures the form. As a rule, however, personal data such as name, address, or telephone numbers are requested by the form.
The form element offers various options in its configuration for how the collected information is handled:
This element does not set any cookies.
This element does not use JavaScript from external servers.
The execution of the newsletter is NOT controlled by the cookie banner.
The newsletter does not use cookies and does not execute JavaScript that is relevant for data protection.
To subscribe to a newsletter, a web user must provide their email address and then confirm it via a link.
The following is stored for the newsletter:
If a web user unsubscribes from a newsletter, their email address is deleted from the list of subscribers along with the other data mentioned above.
When a newsletter mailing is sent, the recipients to whom it was sent are not stored. The mailings are also not evaluated.
The following dynamic functions of the Mercury template may be legally relevant from a data protection perspective:
This feature sets cookies in the “Necessary” group.
This feature does NOT use JavaScript from external servers.
The dynamic function Login form for users (Login) uses a technically necessary session cookie to permanently identify logged-in users. However, the cookie is only set after successful login. No JavaScript is executed that is relevant for data protection.
When using this function, the user must have an account in OpenCms. In this case, this user is no longer considered a web user, but is treated by the system like an OpenCms editor.
By revoking editorial permissions in OpenCms user management, it is possible to grant such users access to certain content, but prevent them from changing or creating content themselves.
OpenCms does not keep detailed statistics on the logins of individual OpenCms editors. It only records when an OpenCms editor last logged in.
This feature sets cookies in the “External Content” group.
This feature uses JavaScript from external servers.
The execution of the DISQUS function is controlled by the cookie banner. The DISQUS function will therefore NOT be displayed if the web user has not consented to external cookies.
This function only affects pages on which the Disqus function element is used.
When the page is loaded, cookies are set by the DISQUS function. These may include tracking functions for the web user. It is not known in what form the cookies set are used for tracking the web user.
External JavaScript files are loaded from the DISQUS provider's servers for this element. These are executed in the context of the page. This enables extensive tracking of the web user's activities on the displayed page. It is not known whether this is actually used for tracking the web user.
When a page with the DISQUS function is initially loaded, a text “Show comments” can optionally be displayed first. When the page is loaded, no data is transferred to external servers. Only when the web user clicks on the text is the external code activated in this case.
Further information on data protection with DISQUS is available on the provider's website:
https://help.disqus.com/en/articles/1717103-disqus-privacy-policy.
This feature sets cookies in the “External Content” group.
This feature uses JavaScript from external servers.
The execution of the Hyvor Talk function is controlled by the cookie banner. The Hyvor Talk function will therefore NOT be displayed if the web user has not consented to external cookies.
This function only affects pages on which the Hyvor Talk function element is used.
When the page is loaded, cookies are set by the Hyvor Talk function. These may include tracking functions for the web user. It is not known in what form the cookies set are used for tracking the web user.
External JavaScript files are loaded from the Hyvor Talk provider's servers for this element. These are executed in the context of the page. This enables comprehensive tracking of the web user's activities on the displayed page. It is not known whether this is actually used for tracking the web user.
When a page with Hyvor Talk functions is initially loaded, a text “Show comments” can optionally be displayed first. When the page is loaded, no data is transferred to external servers. Only when the web user clicks on the text is the external code activated in this case.
Further information on data protection with Hyvor Talk is available on the provider's website:
https://talk.hyvor.com/docs/gdpr.
This feature sets cookies in the “External Content” group.
This feature uses JavaScript from other servers.
The execution of the Walls.io function is controlled by the cookie banner. The Walls.io function will therefore NOT be displayed if the web user has not consented to external cookies.
This function only affects pages on which the Walls.io function element is also used.
When the page is loaded with external cookies enabled, various cookies are set by the Walls.io provider. These may include tracking functions for the web user. It is not known in what form the cookies set are used for tracking the web user.
External JavaScript files are loaded from the Walls.io provider's servers for this element. These are executed in the context of the page. This enables comprehensive tracking of the web user's activities on the displayed page. It is not known whether this is actually used for tracking the web user.
Further information on data protection with Walls.io is available on the provider's website:
https://walls.io/privacy
This plugin does not set any cookies.
This plugin does not use JavaScript from external servers.
The execution of this plugin is NOT controlled by the cookie banner.
The Eye-Able Assistant uses JavaScript, but this is loaded directly from your server. No external servers are contacted for Eye-Able and no cookies are set.
The following analytics and statistics services of the Mercury template may be legally relevant from a data protection perspective:
This feature sets cookies in the “Statistics” group.
This feature uses JavaScript from other servers.
The execution of the Matomo analytics component is controlled by the cookie banner.
If the web user has not consented to statistics cookies, Matomo is still able to track the visit by executing JavaScript. This option of tracking via JavaScript must be activated separately.
If configured and active, this function is automatically integrated on all pages and is therefore executed when each page is loaded.
When the page is loaded, Matomo sets cookies. These are used to track the web user.
If the web user has rejected statistics cookies but tracking via JavaScript is enabled, no cookies are set for statistical purposes. However, in this case, session cookies or opt-out cookies may be set.
JavaScript files from other servers are loaded for this element. These are executed in the context of the page. This enables comprehensive tracking of the web user's activities on the displayed page.
Matomo can be hosted on its own server. In this case, no data is transferred to external service providers. Alternatively, Matomo can also be purchased from a service provider.
This feature sets cookies in the “Statistics” group.
This feature uses JavaScript from other servers.
The execution of the Google Analytics component is controlled by the cookie banner. This function is deactivated if the web user has not consented to statistics cookies.
If configured and active, this function is automatically integrated into all pages and is therefore executed when each page is loaded.
When the page is loaded, Google sets cookies. These are used to track the web user.
External JavaScript files are loaded from Google's servers for this element. These are executed in the context of the page. This enables comprehensive tracking of the web user's activities on the displayed page.
This feature sets cookies in the “Statistics” group.
This feature uses JavaScript from other servers.
The execution of the Piwik PRO analytics component is controlled by the cookie banner. This function is disabled if the web user has not consented to statistics cookies.
If configured and active, this function is automatically integrated into all pages and is therefore executed when each page is loaded.
When the page is loaded, Piwik PRO sets cookies. These are used to track the web user.
For this element, external JavaScript files are loaded from the Piwik PRO servers. These are executed in the context of the page. This enables comprehensive tracking of the web user's activities on the displayed page.