Datenschutz verstehen
Chapter 1 of 6
Chapter One

You leave
traces.
Take back control.
Understanding
data protection,
properly explained.
Understanding privacy
in the classroom.
— What data you leave behind online, who collects it and how you take back control.

Every day you leave traces — most of them without noticing. Which sites you visit, where you are, what you browse with. The good news: you can take back control. That is exactly what we'll do here, calmly, step by step. Data protection doesn't mean hiding — it means deciding for yourself.

Every online activity produces data — visible data you provide deliberately and metadata that arises along the way. This page puts into context what websites and apps technically capture (from the user-agent through cookies to fingerprinting), what rights the GDPR gives you, and how to effectively reduce data leakage. Matter-of-fact, without alarmism, with an eye on what you can actually do.

Who actually sees what I do online? This lesson gets students from year 7 up confident with their data: they learn what traces they leave, how tracking works, what rights they have and how to protect their privacy. With a quiz, discussion prompts and a live demo that shows what the browser reveals.

~ Take a breath. We'll tackle this together.
~ With the technology in context and verifiable steps.
~ Recommended lesson: 2 school periods of 50 min.
Chapter Two

What data do
you leave behind?

Visible data and
metadata.

Your data trail
online.

There are two kinds of data. The first you reveal deliberately: your name, your email, a photo. That's called visible data. The other arises along the way, without you doing anything: where you are right now, which phone you have, when and how long you look at something. That's metadata — and far more of it tends to pile up than people think.

Personal data falls roughly into content data (deliberately submitted visible data such as name, address, inputs) and metadata (accompanying data such as IP address, user-agent, location, timestamps, dwell time, click paths). Metadata is often considered "harmless", yet it is highly revealing: from connection and behavioural data you can reconstruct movement profiles, interests and social relationships.

You leave two kinds of data behind. Visible data you enter yourself — name, email, profile picture. Metadata arises automatically — your location, your device, the time, how long you look at something. The tricky part: metadata often reveals more about you than the visible data, even though you never deliberately disclosed it.

An example: you don't post a single word about where you live — but your phone reveals it anyway, through your location. Those are exactly the traces we'll look at next, concretely.

Merely opening a page already transmits a wealth of signals: IP address (rough geolocation), browser and device characteristics, referrer, accepted languages. Combined, they form a recognisable fingerprint — even without a single cookie. The next chapter demonstrates this purely client-side.

You reveal less than is collected. Most of it is metadata — traces that arise along the way.
Metadata is not incidental. "We kill people based on metadata" (former NSA director Michael Hayden) is the pointed reminder of just how revealing accompanying data can be.
Concept hierarchy: personal data = content data (visible data) + metadata. Typical metadata: IP address, user-agent, location, timestamp, referrer, dwell time. A special role is played by special categories under Art. 9 GDPR (health, religion, political opinion, sexual orientation, biometrics): in principle their processing is prohibited and permitted only under narrow exceptions.
Why metadata is so revealing: it is structured, easily machine-readable and correlatable over time. From location pings over several days you can reconstruct home, workplace and daily rhythm; from connection metadata (who, when, how often) social graphs emerge — without ever knowing the content of a message. That is exactly why data minimisation (Art. 5(1)(c)) is a core principle: what isn't collected can't be analysed, leaked or linked.
📚 Learning objectives
  • You distinguish visible data from metadata.
  • You name three pieces of metadata that arise automatically while browsing.
  • You explain why metadata often reveals more than you think.
📖 Key terms
  • Personal data: anything that relates to an identifiable person.
  • Metadata: accompanying data that arises along the way (when, where, with what).
  • IP address: the "house number" of your device online — reveals the location roughly.
💡 Did you know…

From the metadata of your phone's location alone, it is often possible to tell where you live, go to school and whom you meet regularly — without reading a single message.

❓ Quiz
What is an example of metadata?

Answer C: "The time and place a photo was taken."

A (the image content itself) and B (a message you wrote) are visible data. Only C describes accompanying data that arises along the way.

For the teacher — options: A: "The subject in the photo." / B: "The text of a message." / C: "Time and place of the shot."

🎯 Extended learning objectives (Bloom's taxonomy)
  • K1 — Knowledge: students name examples of visible data and metadata.
  • K2 — Comprehension: students explain how metadata arises.
  • K3 — Application: students correctly classify everyday examples.
  • K4 — Analysis: students discuss why metadata is especially worth protecting.
⏱ Timing for this chapter (≈ 15 min)
  • 2 min: read the lead text together.
  • 4 min: collect on the board: "What data do I already reveal today?"
  • 3 min: sort visible data vs. metadata (two columns).
  • 3 min: discuss the "Did you know…" fact about location metadata.
  • 3 min: quiz + discussion.
💬 Discussion guide

Question: "What could someone find out about you who has only a week of your location data?"

🔗 Cross-reference

Which data technically arises in transit when you click is explored in more depth by the sister site Internet verstehen.

Chapter Three

What does this
page know about you?

What your browser
reveals.


Here it gets tangible. Tap the button — and this page shows you what it already learns about you the moment you open it. Don't be alarmed: it all stays on your screen. Nothing is stored, nothing is sent. That's exactly the point: all of this is visible to any website, without your data leaving your device.

One click reads out, purely client-side, the environment and device information the browser exposes: user-agent, language, screen and window geometry, time zone, colour scheme, pointer/touch capability, cookie status, Do-Not-Track. No network request is made — the CSP only permits connect-src 'self' anyway. The irony is intentional: we show what is exposed without ever "phoning home".

Now it gets exciting! Press the button — the page reveals what it knows about you just from being opened. Don't worry: it all stays on the screen, nothing is sent. That's exactly the lesson: this much is visible to every website, all on its own.

What does this page know about you — right now?

Promise: everything below is shown only on your screen. Nothing is stored and nothing is sent to a server — this page literally cannot "phone home".

How this works without a server: every value comes from local objects — navigator, screen, window, Intl and matchMedia. No fetch, no XHR, no beacon, no image ping. Real trackers combine exactly these signals into a stable fingerprint — which recognises you again even if you delete all your cookies.
Passive vs. active: the HTTP request alone already delivers passive signals (IP address, user-agent, Accept-Language, Referer). Active methods go further and query subtle quirks via JavaScript — Canvas and WebGL rendering, installed fonts, the AudioContext signature. Each characteristic contributes entropy; in sum the browser often becomes near-unique (cf. the EFF project "Panopticlick" / "Cover Your Tracks"). Countermeasures are anti-fingerprinting browsers (Tor Browser, hardened Firefox) that standardise or add noise to values so that many users look the same.
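The local readout and the fingerprinting described above, as an added example (not this site's own demo code): it reads the listed signals from local objects, hashes them into one identifier, estimates the bits each value contributes within a constructed sample population, and shows how standardised values make two devices look the same. The function names, the toy FNV-1a hash, the sample profiles and the standardised values are assumptions.

```javascript
// Added example. All profiles are constructed sample data, not measurements.

// Read the signals from local objects only; `env` defaults to the browser
// globals. No fetch, XHR, beacon or image request is made.
function collectSignals(env = globalThis) {
  const nav = env.navigator || {};
  const scr = env.screen || {};
  const mq = (q) =>
    typeof env.matchMedia === 'function' ? env.matchMedia(q).matches : null;
  return {
    userAgent: nav.userAgent ?? null,
    language: nav.language ?? null,
    screenW: scr.width ?? null,
    screenH: scr.height ?? null,
    winW: env.innerWidth ?? null,
    winH: env.innerHeight ?? null,
    timeZone: Intl.DateTimeFormat().resolvedOptions().timeZone ?? null,
    darkScheme: mq('(prefers-color-scheme: dark)'),
    coarsePointer: mq('(pointer: coarse)'),
    cookieEnabled: nav.cookieEnabled ?? null,
    doNotTrack: nav.doNotTrack ?? null,
  };
}

// Combine the signals into one identifier: canonical string, then a 32-bit
// FNV-1a hash (a toy hash, chosen so the example needs no dependencies).
function fingerprint(signals) {
  const canonical = Object.keys(signals).sort()
    .map((k) => `${k}=${signals[k]}`).join('|');
  let h = 0x811c9dc5;
  for (let i = 0; i < canonical.length; i++) {
    h ^= canonical.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Bits of identifying information per attribute within a sample population:
// log2(population size / visitors sharing the value). Rare values reveal more.
function surprisalBits(target, population) {
  const bits = {};
  for (const key of Object.keys(target)) {
    const same = population.filter((p) => p[key] === target[key]).length;
    bits[key] = Math.log2(population.length / same);
  }
  return bits;
}

// Countermeasure in principle: report the same or coarsened values for every
// user. The fixed values and the 100 px rounding are assumptions.
function standardise(s) {
  const round = (n) => Math.floor(n / 100) * 100;
  const w = round(s.winW), h = round(s.winH);
  return {
    ...s, userAgent: 'generic-browser', language: 'en-US', timeZone: 'UTC',
    screenW: w, screenH: h, winW: w, winH: h, darkScheme: false,
  };
}

// Constructed sample devices.
const laptop = {
  userAgent: 'ExampleBrowser/1.0 (Linux)', language: 'de-AT',
  screenW: 1920, screenH: 1080, winW: 1280, winH: 720,
  timeZone: 'Europe/Vienna', darkScheme: true, coarsePointer: false,
  cookieEnabled: true, doNotTrack: '1',
};
const desktop = {
  ...laptop, userAgent: 'ExampleBrowser/1.0 (Windows)', language: 'de-DE',
  screenW: 2560, screenH: 1440, winW: 1250, winH: 790,
  timeZone: 'Europe/Berlin', darkScheme: false,
};

// In a browser console this prints the local readout; nothing leaves the device.
if (typeof document !== 'undefined') console.table(collectSignals());
```

Cookie contents are not an input to `fingerprint`, which is why deleting cookies leaves the identifier unchanged.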
📚 Learning objectives
  • You experience concretely which data a page visit reveals.
  • You understand the term fingerprinting.
  • You grasp that recognition works entirely without cookies too.
❓ Quiz
How can a website recognise you without setting a cookie?

Answer B: "It combines many device characteristics into a fingerprint."

A (it asks for your name) is far too conspicuous. C (not at all) is wrong — that's exactly what the demo shows. B describes fingerprinting.

Options: A: "It asks for your name." / B: "It combines device characteristics into a fingerprint." / C: "Not at all — impossible without a cookie."

⏱ Timing (≈ 15 min) — the heart of the lesson
  • 4 min: open the demo on the projector, marvel together, have students read out the characteristics.
  • 4 min: discuss: "Which of these would I never have volunteered?"
  • 4 min: explain fingerprinting — the fingerprint stays, even without cookies.
  • 3 min: quiz + answer.
🎯 Method tip

Let the class guess first what the page probably knows before you press the button. The "aha" moment beats any slide. Stress: nothing is sent — the page keeps its own data-protection promise.

🖨 Mini worksheet
  1. Note three characteristics the page knew about your device.
  2. Explain in one sentence what fingerprinting is.
  3. Why does deleting cookies help only a little against fingerprinting?
Chapter Four

How advertising
follows you.

Cookies, pixels
and profiles.

Why advertising
follows you.

Know the feeling? You look at a pair of shoes once — and suddenly they follow you for days in every ad. That's no coincidence. Small recognition files, called cookies, remember where you've been. Some belong to the site you visited (harmless), others belong to outside advertising firms that follow you across many sites.

Tracking works through several building blocks: first-party cookies (from the visited domain) and third-party cookies (from embedded advertising and analytics services), tracking pixels (invisible 1×1 images that log a retrieval), and server-side matching. Across many sites this builds a profile that is auctioned in real time for personalised advertising (real-time bidding).

Ever searched for something and then seen ads for it everywhere? That's cookies — small memory files in the browser. Some are useful (they remember your login). Others belong to advertising firms and follow you from site to site until they have a profile of your interests.

The good news: you're not at their mercy. On every cookie banner you may choose "Reject" — and in your browser you can switch third-party cookies off entirely. The last chapter shows exactly how.

Tracking building blocks in detail:
  • First-party cookie: set by the visited domain — usually functional (login, shopping cart).
  • Third-party cookie: from embedded outside domains (ad/analytics networks) — enables cross-site tracking; increasingly blocked by modern browsers.
  • Tracking pixel / web beacon: an invisible 1×1 image; its retrieval alone logs the open, IP and user-agent (including in emails).
  • Fingerprinting & ID sync: cookieless recognition; through cookie matching ad networks reconcile their IDs with one another.
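The building blocks above, applied to one page load as an added example (not code from this site): it classifies each sub-request as first- or third-party, flags 1×1 image retrievals as likely tracking pixels, and lists the outside sites that could recognise the visitor elsewhere. The page URL, the request list, the field names and the two-label site approximation are assumptions.

```javascript
// Added example. The page URL and request list are constructed sample data.

// Approximate a "site" as the last two host labels. Assumption: browsers
// use the Public Suffix List instead, which this short example leaves out.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Classify each sub-request of a page the way the list above does.
function auditRequests(pageUrl, requests) {
  const pageSite = siteOf(pageUrl);
  return requests.map((r) => {
    const site = siteOf(r.url);
    const thirdParty = site !== pageSite;
    // Tracking pixel: a 1x1 image whose retrieval alone is the log entry.
    const pixel = r.type === 'image' && r.width === 1 && r.height === 1;
    // The cookie's party follows the site of the response that sets it.
    const cookie = !r.setsCookie ? 'none'
      : thirdParty ? 'third-party' : 'first-party';
    return { site, thirdParty, pixel, cookie };
  });
}

// Outside sites that could recognise the visitor on other pages too:
// those that set a cookie or receive a pixel hit.
function crossSiteCandidates(pageUrl, requests) {
  const hits = auditRequests(pageUrl, requests)
    .filter((a) => a.thirdParty && (a.pixel || a.cookie === 'third-party'))
    .map((a) => a.site);
  return [...new Set(hits)].sort();
}

// Constructed page load (reserved .example names).
const PAGE = 'https://www.shop.example/shoes';
const REQUESTS = [
  { url: 'https://www.shop.example/session', type: 'xhr', setsCookie: true },
  { url: 'https://cdn.shop.example/app.js', type: 'script', setsCookie: false },
  { url: 'https://static.fonts.example/a.woff2', type: 'font', setsCookie: false },
  { url: 'https://sync.adnet.example/id', type: 'script', setsCookie: true },
  { url: 'https://px.metrics.example/p.gif', type: 'image',
    width: 1, height: 1, setsCookie: false },
  { url: 'https://img.shop.example/logo.png', type: 'image',
    width: 120, height: 40, setsCookie: false },
];
```

The same classification can be done by hand in the browser's network panel: filter for requests whose host does not belong to the visited site.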
How tracking turns into money (RTB / programmatic advertising): when a page opens, a bid request is sent to many ad networks in milliseconds — with profile signals (interest segments, rough location, device). In a real-time bidding auction advertisers bid on the impression; the highest bidder gets the ad slot. This bidstream distributes user signals to dozens or hundreds of firms at once — the real reason why so many "partners" appear in the banner.
Legal position: since the GDPR and ePrivacy case law (CJEU "Planet49", C-673/17), non-necessary cookies require active consent — pre-ticked boxes are invalid, and "Reject" must be as easy to reach as "Accept". In Germany this is specified by § 25 TDDDG (formerly TTDSG), in Austria by § 165 TKG. On the browser side, third-party cookie blocking and tracking protection are increasingly becoming the standard.
📚 Learning objectives
  • You distinguish necessary cookies from tracking cookies.
  • You explain what a third-party cookie and a tracking pixel are.
  • You recognise dark patterns in cookie banners.
💡 Did you know…

Behind a single cookie banner there can be dozens of outside advertising firms that all gain access at once with one click.

❓ Quiz
What is a third-party cookie?

Answer A: "A cookie from an outside firm that follows you across many websites."

B (a biscuit to eat) is a joke. C (a cookie of the site you visited) would be a first-party cookie. Only A describes tracking via outside providers.

Options: A: "A cookie from an outside firm that follows you across sites." / B: "A biscuit." / C: "A cookie of the site you're currently visiting."

⏱ Timing (≈ 15 min)
  • 4 min: "Does advertising follow you?" — gather experiences.
  • 4 min: decode the cookie-banner mock, name the dark pattern.
  • 4 min: explain first- vs. third-party + tracking pixel.
  • 3 min: quiz + discussion.
💬 Discussion guide

Question: "Why is the accept button almost always more colourful than the reject button?"

🔗 Cross-reference

How to additionally protect accounts against takeover is shown by the page Sicher im Netz.

Chapter Five

You have
rights.

The GDPR
on your side.

What the law
guarantees you.

Here comes the encouraging news: you are not helpless against data collectors. Across the whole of Europe there's a strong law, the GDPR. It gives you concrete rights. You may, for example, ask at any time what data a company holds about you — and demand that it be deleted. And it costs you nothing.

The General Data Protection Regulation (GDPR, in force since May 2018) grants data subjects enforceable rights against controllers: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21). Requests are informal, generally free of charge and must be answered within one month; supervisory authorities enforce them if necessary.

Good news: in Europe a strong law protects you, the GDPR. It gives you real rights. You may ask what data a company has stored about you, have incorrect details corrected, and even demand that your data be deleted. This is also called the "right to be forgotten".

  • 📋 Access: You may ask: "What data do you have about me?" The company must tell you — free of charge.
  • ✏️ Rectification: If data is wrong, you must be able to have it corrected.
  • 🗑️ Erasure: The "right to be forgotten": data must be deleted on request when there is no reason left to keep it.
  • ✋ Objection: You may object at any time to the use of your data for advertising.
  • 📦 Data portability: You may take your data with you — in a common format to another provider.
  • ⚖️ Complaint: Someone not playing by the rules? Turn to your country's data protection supervisory authority.

It's this simple: an informal email to the company is enough ("Please tell me, under Art. 15 GDPR, all the data you have stored about me"). If no one replies, the data protection authority can help.

Legal bases — every processing needs one (Art. 6(1) GDPR):
  • (a) — consent: freely given, informed, active, withdrawable at any time (e.g. tracking, newsletter).
  • (b) — contract: necessary to perform it (e.g. delivery address for an online purchase).
  • (c) — legal obligation: e.g. retention for tax purposes.
  • (f) — legitimate interest: after weighing against your fundamental rights (e.g. IT security) — no carte blanche for tracking.
"Legitimate interest" is often abused as a catch-all clause; for advertising tracking the data subject's interests usually prevail, which is why consent is generally required there.
Data-subject rights precisely (Art. 15–22): Art. 15 access (incl. a copy) · Art. 16 rectification · Art. 17 erasure ("right to be forgotten") · Art. 18 restriction · Art. 20 data portability (machine-readable format) · Art. 21 objection (to direct marketing at any time, without reasons) · Art. 22 protection from purely automated individual decisions. Deadlines: in principle 1 month, extendable by two more; requests are informal and generally free of charge.
Whom to turn to: first the controller (contact in the imprint / privacy policy, often an address for the data protection officer). If that fails, the competent supervisory authority — in Germany the respective state data protection authority, in Austria the Data Protection Authority (DSB). The complaint is free of charge; a judicial right of action and damages under Art. 82 exist in addition. Fines can be up to €20 million or 4% of global annual turnover.
📚 Learning objectives
  • You name at least three GDPR rights.
  • You explain the "right to be forgotten".
  • You know whom to turn to in case of violations.
💡 Did you know…

A request for access under Art. 15 GDPR is free of charge and must usually be answered within one month — no matter how big the company is.

❓ Quiz
What does the "right to be forgotten" mean?

Answer B: "You can demand that a company delete your data."

A (the internet forgets on its own) is not true. C (you may change your name) is something else. B is Art. 17 GDPR.

Options: A: "The internet deletes everything by itself." / B: "You can demand the deletion of your data." / C: "You may change your name."

⏱ Timing (≈ 15 min)
  • 4 min: go through the rights cards together.
  • 5 min: draft a sample access request together.
  • 3 min: clarify "Whom do I turn to?" (supervisory authority).
  • 3 min: quiz + discussion.
🖨 Mini worksheet
  1. Write a short, polite access request to a fictitious company.
  2. Name two rights the GDPR gives you.
  3. Where do you turn if a company doesn't respond?
🔗 Cross-reference

Why you shouldn't put sensitive data into AI tools in the first place is covered by the page KI verstehen.

Chapter Six

This is how you
stay in control.

Calm and
data-sparing.

Rules for
everyday life.

You don't need to go offline now or eye everything with suspicion. With a few simple habits you protect your data well — and stay relaxed. It's not about paranoia, but about conscious choices. Even small steps make a big difference.

The right attitude is data thriftiness, not abstinence. Concrete measures — a privacy-friendly browser with tracking protection, a tracker blocker, restrictive app permissions, "Reject" on banners, sparing details — significantly reduce the attack surface. Data protection is risk management: what isn't collected can't be misused or leaked.

You are not at the mercy of your data. With a few rules you stay safe and keep control. And remember: your friends' data isn't yours either — ask before you post photos of other people.

  • Choose "Reject" on cookie banners. Necessary cookies are almost always enough.
  • Use a tracker blocker. It stops many followers automatically in the background.
  • Check app permissions. Does the flashlight app really need your location?
  • Be sparing with details. Mandatory fields yes, everything else may stay empty.
  • Tidy up regularly. Delete old accounts you no longer need.
  • Reject banners. "Only necessary" is your good right.
  • Check permissions. Which app may access location, camera, contacts?
  • Less is more. Not every profile needs your real name and birthday.
  • Protect other people's data. Only post photos of others with their consent.
  • When in doubt, ask. A teacher, your parents or someone you trust.
  • Harden your browser. Turn on tracking protection, block third-party cookies, add anti-fingerprinting if available.
  • Use a tracker blocker. List-based content blockers reduce requests to third parties.
  • Live data thriftiness. Disposable addresses, pseudonyms, fill in mandatory fields only.
  • Minimise permissions. Location/camera/mic only "while using", not "always".
  • Choose alternatives. Privacy-friendly search engines, messengers with end-to-end encryption.
Privacy by Design & by Default (Art. 25 GDPR): data protection should be thought through technically, not bolted on afterwards. The most privacy-friendly setting is the default; only what the purpose strictly requires is collected (data minimisation). Building blocks are pseudonymisation (replacing real names with identifiers) and anonymisation (irreversibly removing the personal reference — then the GDPR no longer applies).
Encryption — two states: In transit, TLS/HTTPS protects the transmission against being read en route (the lock symbol in the browser). At rest secures storage on servers, drives and backups (e.g. AES-256). The strongest protection is end-to-end encryption: only sender and recipient can decrypt — not even the service provider in between (e.g. Signal, WhatsApp message contents). Encryption is one of the technical and organisational measures (TOMs) under Art. 32, alongside access control, logging and backup concepts.
International data transfers (Chapter V, Art. 44 ff.): if data is transferred to countries outside the EU/EEA, an adequate level of protection must exist there. For the USA, the CJEU struck down the then Privacy Shield in its 2020 ruling "Schrems II" (C-311/18) — because of US surveillance laws. Transfers have since relied on standard contractual clauses (SCCs) plus a transfer impact assessment and, where applicable, additional measures (e.g. encryption), now complemented by the EU-US Data Privacy Framework (2023) for certified companies. The practical upshot: where data sits and who can legally access it is part of data protection — not just how it is secured.
Data protection doesn't mean hiding, it means control. Today you've learned what traces you leave and how to shrink them. That's already the most important step — entirely without fear, and with a clear, calm view instead.
Complete anonymity is rarely realistic in everyday life — a much smaller data trail, on the other hand, is. Anyone who establishes data thriftiness as the standard and knows their rights reduces risk and dependence at once. Education beats resignation: "I don't care" is the only attitude trackers really need.
You now know more than most adults. Pass it on: explain it to friends and family. A conscious, relaxed approach to your own data is the best defence — and data protection means control, not hiding.

🍎 For teachers: lesson kit

This page works as a complete double lesson on "Data protection & privacy". All content is free to use (CC BY 4.0) — please credit "Webagentur Hochmeir e.U. (webhoch.com)" as the source. Recommended for lower and upper secondary (years 8–11).

📦 Complete teacher pack to print: 4 worksheets (with answers), a class test + grading rubric, homework at 3 difficulty levels, a parent-letter template and a curriculum overview (teacher pack available in German).

📅 Suggested double lesson (90 min)

  1. 10 min — warm-up: "Who actually knows what you do online?" — gather guesses.
  2. 15 min — Chapter 2: visible data vs. metadata, the invisible data trail.
  3. 20 min — Chapter 3: live demo "What does this page know about you?" on the projector + fingerprinting.
  4. 15 min — Chapter 4: cookies, tracking, decoding banners, dark patterns.
  5. 15 min — Chapter 5: GDPR rights, sample access request.
  6. 15 min — Chapter 6 & closing: protection rules, quiz review, discussion "control instead of hiding".

Differentiation: weaker groups stay in Simple mode; stronger ones switch to "In Detail" for the technology and legal position. Note: the content is general education, not legal advice.

Frequently asked

Frequently asked questions

The most important questions about data protection — compact, for quick reference.

A quick reference on data protection. Answers are encoded in the FAQPage schema for search engines and AI assistants.

Data protection is the right to decide for yourself who collects, stores and uses which data about you. It is not about hiding something, but about control: you decide what you reveal about yourself. In the EU this right is legally protected by the General Data Protection Regulation (GDPR).
More than most people think. There is visible data that you provide deliberately (name, email, photos), and metadata that arises along the way: your IP address, which device and browser you use, roughly where you are, when and how long you look at something, what you click. Simply visiting a website already reveals quite a bit about you.
Cookies are small text files that a website stores in your browser. Necessary cookies are harmless and useful (they remember your login, for example). The problematic ones are third-party tracking cookies: they follow you across many websites and build up an advertising profile of you. You can object to these or block them.
The General Data Protection Regulation (GDPR) is the EU law that, since 2018, governs how companies and authorities must handle personal data. It gives you strong rights: to access, rectification, erasure, objection and data portability. Violations can be punished with high fines.
The "right to be forgotten" (right to erasure, Article 17 GDPR) lets you ask a company to delete your personal data — for example when it is no longer needed or you withdraw your consent. You write to the company informally; it must usually respond within one month.
Through fingerprinting. Many small technical characteristics of your device are combined — browser, screen size, fonts, time zone, language setting — until they form a near-unique "fingerprint". This lets you be recognised again without anything being stored. That is exactly what the live demo on this page makes tangible — purely locally, without any data leaving the device.
No. The demo "What does this page know about you?" reads only local properties of your browser and shows them to you on screen. Nothing is stored and nothing is sent to a server. The site's security policy permits connections to its own domain only anyway. That is the message: this information is visible to any website, entirely without your data having to leave your device.
With a few habits: use a privacy-friendly browser, install a tracker blocker, choose "Reject" on cookie banners, give apps only the most essential permissions, be sparing with personal details (data minimisation) and regularly check which services have access to your data.
Three levers help most: turn off the advertising ID (ad ID) and restrict app tracking — on iOS under "Privacy & Security → Tracking", on Android under "Privacy → Ads". Allow location, camera, microphone and contacts only "while using the app" rather than permanently. And regularly review app permissions and revoke anything an app does not need for its purpose.