Contact forms and the DSGVO 2018

The Basic Data Protection Regulation (DSGVO) has been in force since 25 May 2018. Since then, a number of things have had to be observed in order to protect personal data. Especially on websites that offer the possibility of contacting by means of an appropriate contact form, adjustments must be made for the DSGVO.

But what exactly is to be done on the website?

DSGVO for contact forms – what is the real problem:

As soon as the contact form on a website is filled in and sent, this happens:

Via the website, contact is made with the e-mail server that sends the message.

The server stores all data in a log file. The data entered by the user of the contact form is now stored in various applications, for example

At the website host in the server logs, for example: 1and1, HostEurope, etc.
For e-mail dispatch service such as Office365, G: Office365, GMail, etc.
For e-mail reception service, e.g: Office 365, GMail, Gmx, etc.

A control over the use of these data was thus so far only very limited or not at all possible. Unauthorized third-party use (sending of newsletters, etc.) of the data was therefore not ruled out.

The new basic data protection regulation should put a stop to this.

Therefore, the account form must be made DSGVO compliant and this works as follows:

1 The website must have an SSL certificate (HTTPS).
2. the website must send the mails via SMPT or TLS
3. a data security explanation must be merged with the following data:

What will be done with the data,
how long the data will be kept etc.,
a reference to the data protection declaration is mandatory,

4. a note on the consent to the data protection declaration in the form.
5. data processing contracts must be concluded with the provider/hoster, e-mail service etc..

Now to the instructions for DSGVO-compliant contact forms:

1: SSL encryption must be installed on the website. Here you have to get the SSL certificate. There are different certificates, free and free, but also paid ones, e.g. from most providers and hosters. These are then easy to order and integrate into the website. On the WordPress website, the conversion of the individual pages to this certificate must then be carried out. All your hosters, email marketing services, etc. have to be changed from http to https. This also applies to internal and external images and links.

2: The e-mails must be sent via TLS “Transport Layer Security”. This technical change, if it has not yet been made, must be requested from the e-mail provider.

Re 3: A data protection declaration must be available on each individual website via a link that is always clearly visible. This link must be accessible from all individual sub-pages of the website. Best in the footer of the website. The link must not be covered by pop-ups, forms or other windows.

Re 4: In the contact forms a reference is to be inserted to the agreement to the data security like e.g..:

“Please note:
The form can be sent only with the agreement to the data security explanation! By using this form you agree to the storage and processing of your data by this website”.

to 5: A so-called data processing contract must be concluded with the hoster and e-mail provider. Most hosters already offer this online for printing on their websites. These providers must then be listed in their own data processing directory.

Make the website DSGVO compliant?

We will gladly take over this work for you!