Use Vimeo GDPR compliant. Follow these instructions:

The GDPR compliant use of Vimeo

First of all, we have to clarify whether consent is required in order to integrate Vimeo GDPR compliant.

Due to the fact that the integration of Vimeo is not necessary for the operation of the website, the integration requires consent.

In principle, the integration of Vimeo can only be carried out on the basis of consent, since other legal bases are not suitable.

Since the use of Vimeo can potentially transfer data to a third country without an adequacy decision, processing requires the user's consent (Art. 49(1) a GDPR), whereby the risks of data transfer must be pointed out so that the user can make a well-informed decision.

An agreement according to Art. 26 GDPR must be concluded with Vimeo Inc.. The essential points must be made available to the data subject, in particular who the data subject can contact to exercise their rights.

1. Obtain explicit consent for Vimeo from users by opt-in

Before Vimeo becomes active on the website and begins to collect user data, the user must first give their explicit consent. If the user refuses to consent, which must also be possible - Vimeo must not be activated. No data is allowed to be forwarded to the 3rd party. This opt-in procedure is mandatory in order to comply with data protection regulations.

2. Always offer the option to revoke the consent (opt-out) for Vimeo

Even if the user has agreed to the use of Vimeo, he or she must still be given the opportunity to reverse this decision and deactivate tracking at any time. For this reason, it is necessary to provide an opt-out procedure that is easy for the website visitor to access at any time. The user must be able to revoke his consent. The option to revoke must be just as easy as the option to consent.

3. Mention Vimeo in the privacy policy completely, simply and transparently

The privacy policy on your website must be comprehensive, transparent and accurate. It should be readable and understandable by anyone, even without legal training. It is important to include a section on Vimeo that clearly describes what data is collected, for what purpose it is used and who is responsible for it, as well as whether data is shared and what legal basis applies.

Privacy Statement for the Service VimeoBeim Zugriff auf manche Teildienste unserer Website werden zusätzliche personenbezogene Daten verarbeitet. Dabei verarbeitete Datenkategorien: technische Verbindungsdaten des Serverzugriffs (IP-Adresse, Datum, Uhrzeit, abgefragte Seite, Browser-Informationen) und Daten zur Erstellung von Nutzungsstatistiken. Zweck der Verarbeitung: Auslieferung von Inhalten, die von Dritten bereitgestellt werden, Auswahl von Online-Werbung auf anderen Plattformen, die mittels Real-Time-Bidding anhand des Nutzungsverhaltens automatisch ausgewählt werden und Übermittlung und Darstellung von Video-Inhalten. Die Rechtsgrundlage für die Verarbeitung: Ihre Einwilligung nach Art. 6 (1) a DSGVO. Eine Übermittlung von Daten erfolgt: in gemeinsamer Verantwortung an Vimeo Inc., 555 West 18th Street, New York, NY 10011, USA. Dies kann auch eine Übermittlung von personenbezogenen Daten in ein Land außerhalb der Europäischen Union bedeuten. Die Übermittlung der Daten erfolgt auf Basis Ihrer Einwilligung gemäß Art. 6 Abs 1 lit a iVm Art. 49 Abs 1 lit a DSGVO. Sie wurden bereits vor Erteilung Ihrer Einwilligung informiert, dass die USA über kein den Standards der EU entsprechendes Datenschutzniveau verfügt. Insbesondere können US Geheimdienste auf Ihre Daten zugreifen, ohne dass Sie darüber informiert werden und ohne dass Sie dagegen rechtlich vorgehen können. 

4. Additional Information for Vimeo and GDPR

In addition to the above information, the data protection information must also contain the mandatory information from Art. 13 or 14 GDPR: Name and contact details of the controller, if necessary the contact details of the data protection officer, the purposes for which the personal data are to be processed, the legitimate interests, if the processing is based on Article 6 (1) f GDPR, the duration of the processing, information on the rights of the data subjects including the right to lodge a complaint with a supervisory authority, the possibility of simply revoking consent given, and information as to whether the Provision of the data is required by law or contract or what the possible consequences of non-provision would be. In the event that the data is used for automated decision-making, including profiling, meaningful information about the logic involved and the scope and impact on the data subject must be provided. The processing of the data must also be documented in the list of processing activities in accordance with Art. 30 GDPR. The information required for this can already be found in the privacy statement, which can be created from the previous information.

5. Formulate the consent in an understandable manner and present it clearly. Do not use dark patterns.

Before the user agrees or rejects the use of Vimeo, he must be informed in detail about the respective purposes. Therefore, a precisely formulated consent text is of great importance. This should also be placed so that it is immediately recognizable for the user. The user's consent must be active. Individual services must not be preselected.

6. Use a Consent Management Provider CMP (cookie banner/cookie popup/cookie bar)

Different names, but usually the same purpose. CMP supports you with consent (opt-in and opt-out, data protection declaration and other GDPR topics. Technical support is recommended with regard to the GDPR and consent management in order to avoid errors.