Contact forms and the GDPR 2020

GDPR in 2020

The General Data Protection Regulation (GDPR) has been binding since May 25, 2018. Since then, a number of things have to be observed to protect personal data. In particular, websites that offer a contact form as a way to get in touch must be adjusted for the GDPR.

But what exactly do you have to do on the website?

GDPR for contact forms – what is the real problem?

As soon as the contact form on a website is filled out and sent, this happens:

The website contacts the e-mail server that sends the message.

The server saves all data in a log file. The data entered by the user of the contact form is now stored in various applications, for example:

– at the website host, in the server logs (e.g. 1und1, HostEurope),
– at the e-mail dispatch service (e.g. Office365, GMail),
– at the e-mail reception service (e.g. Office 365, GMail, Gmx).

Control over the use of this data was therefore only possible to a very limited extent, or not at all. Unauthorized third-party use of the data (sending newsletters, etc.) could therefore not be ruled out.

The new General Data Protection Regulation is intended to put a stop to these procedures.

Therefore, the contact form must be made GDPR compliant, and this is done as follows:

1. The website must have an SSL certificate (HTTPS).
2. The website must send the mails via SMTP secured with TLS.
3. A data protection declaration must be included with the following information:

a) what is done with the data,
b) how long the data will be kept, etc.,
c) a reference to the data protection declaration is strongly recommended,

4. A note on consent to the data protection declaration must be placed in the form.
5. Data processing contracts must be concluded with the provider / host, the e-mail service, etc.

So now to the instructions for GDPR-compliant contact forms:

To 1:
SSL encryption must be set up on the website. For this you have to obtain an SSL certificate. There are different certificates, free but also paid ones, e.g. from most providers and hosts. These can be ordered easily and integrated into the website. The individual pages of the WordPress website must then be switched over to this certificate: every individual page is to be changed from http to https. Incidentally, this also applies to internal and external images and links.

To 2:
The e-mails must be sent via TLS (“Transport Layer Security”). If this technical change has not yet been made, it must be requested from the e-mail provider.

To 3:
A data protection declaration must be accessible via a link that is always clearly visible on each individual page. This link must be reachable from all sub-pages of the website, preferably in the footer. The link must not be covered by popups, forms or other windows.

To 4:
A note on the consent to data protection must be inserted in the contact forms, such as:

“Please note:
The form can only be sent with consent to the data protection declaration! By using this form, you consent to the storage and processing of your data by this website.”

To 5:
A so-called data processing contract must be concluded with the hoster and the e-mail provider. Most hosters already offer these online on their websites for printing. These providers are then to be listed in your own data processing directory.
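As an added example that is not part of the original post, the following Python sketch ties steps 2 and 4 together: the form handler rejects a submission that lacks the consent checkbox before any personal data reaches the mail system, and outbound mail is delivered only over an SMTP session upgraded with STARTTLS and certificate verification. Host name, port and mailbox are placeholders, not values from the page.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Placeholder relay settings for this example (not from the original page).
SMTP_HOST = "smtp.example.invalid"
SMTP_PORT = 587
MAILBOX = "contact@example.invalid"

REQUIRED_FIELDS = ("name", "email", "message")


def validate_submission(fields):
    """Return a list of errors; an empty list means the submission may be sent.

    The consent checkbox is mandatory (step 4): without it the form is rejected
    before any personal data is handed to the mail system or written anywhere.
    """
    errors = []
    for name in REQUIRED_FIELDS:
        if not fields.get(name, "").strip():
            errors.append(f"missing field: {name}")
    if fields.get("privacy_consent") != "yes":
        errors.append("consent to the data protection declaration is required")
    return errors


def build_message(fields):
    """Build the e-mail; the visitor's data goes only into the mail body."""
    msg = EmailMessage()
    msg["Subject"] = "Website contact form"
    msg["From"] = MAILBOX
    msg["To"] = MAILBOX
    msg["Reply-To"] = fields["email"]
    msg.set_content(f"From: {fields['name']}\n\n{fields['message']}")
    return msg


def send_with_tls(msg, username, password):
    """Deliver over SMTP with STARTTLS (step 2); never fall back to plaintext."""
    context = ssl.create_default_context()  # verifies the server certificate
    with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=10) as smtp:
        smtp.starttls(context=context)      # raises if the server declines TLS
        smtp.login(username, password)
        smtp.send_message(msg)


def handle_submission(fields, username=None, password=None, send=True):
    """Validate first; only a complete, consented submission is ever sent."""
    errors = validate_submission(fields)
    if errors:
        return {"ok": False, "errors": errors}   # log only the outcome, not the fields
    msg = build_message(fields)
    if send:
        send_with_tls(msg, username, password)
    return {"ok": True, "reply_to": str(msg["Reply-To"])}
```

Call `handle_submission(fields, user, password)` from the form's POST handler; with `send=False` it validates and builds the message without opening a connection.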

And is that all for my GDPR-compliant website?

Definitely not.

However, with these measures, important aspects are already integrated into the website.

We have listed more information on our following page; here is the link: GDPR websites

If you do not want to or cannot carry out all these measures and changes to the GDPR yourself, we will be happy to help you. As professionals, we are happy to take on this work for you!

JoeWP WordPress Agency - Request

Do you want your website to be GDPR compliant?

Do you want to start right now? Discuss your project with us!