Contact forms on websites must always be submitted over a properly encrypted connection.
The Bavarian State Office for Data Protection Supervision (BayLDA) announced back in October 2017 that it would carry out extensive checks on this.
Website operators are therefore required to verify that their contact forms are transmitted only over encrypted connections.
Otherwise, they risk not only warnings from competitors in the event of data protection violations, but also high fines from the data protection authorities.
Insecure contact forms: the threat of warnings
The obligation to encrypt contact forms on websites is nothing new.
However, the BayLDA has launched a more intensive review with its "Cybersecurity Initiative for the Protection of Personal Data".
According to the press release, contact forms in particular will be subject to increased scrutiny in future.
The reason is that data entered into a form (name, e-mail address, the message itself) travels across the network in plain text if the encryption is inadequate, and can then be read or altered by anyone positioned between the visitor and the server.
But it is not only Bavarian companies that should now take action.
The BayLDA's initiative may also prompt the supervisory authorities of the other federal states to carry out similar checks.
Federal Office for Information Security recommends encryption methods such as SSL or TLS
Companies are generally advised to introduce the encryption procedures recommended by the German Federal Office for Information Security (BSI).
The cryptographic protocol Transport Layer Security (TLS), the successor of SSL, is used for the secure transmission of information in data networks and thus protects the confidentiality, integrity and authenticity of the transmitted information.
The obsolete SSL 2.0 and SSL 3.0 protocol versions must not be offered at all; the BSI's Technical Guideline TR-02102-2 recommends TLS 1.2 or newer and provides further information on suitable cipher suites (version: 2018-01).
Free SSL certificates are often sufficient
A domain-validated (DV) certificate is usually sufficient for adequate HTTPS encryption.
Such certificates are often available free of charge, for example from Let's Encrypt.
However, a DV certificate only proves that its holder controls the domain name; it says nothing about who the operator behind the domain is.
If the identity of the website operator is also to be verified, a free DV certificate is therefore not sufficient.
If the website visitor needs to be sure that the desired operator is behind the visited website, the website operator should use an organization-validated (OV) or extended-validation (EV) certificate, for which the certificate authority checks the organization's identity and which is normally paid for.
Regardless of the certificate type, the form page and the URL the form submits to must both be served over HTTPS, and plain http:// requests should be redirected to https://, otherwise the certificate protects nothing.
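The following script is an added example and not part of the original article or of any BayLDA or BSI material. It implements the two checks described above: it parses a page for forms whose submission URL would not use HTTPS, and it classifies a certificate as domain-validated or organization/extended-validated from the subject fields, in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns. The page URL, HTML and certificate dictionaries are constructed sample data, and the hostname in the live lookup at the bottom is a placeholder.

```python
"""Audit contact forms for plaintext submission and classify the site certificate."""
import socket
import ssl
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> element on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # attrs is a list of (name, value); value is None for bare attributes
            self.actions.append(dict(attrs).get("action") or "")


def find_plaintext_forms(page_url, html):
    """Return the resolved submission URLs of forms that would post over plain HTTP.

    A form with an empty or relative action submits back to the page's own
    scheme, so on an http:// page such a form is flagged even though it names
    no scheme itself.
    """
    parser = _FormCollector()
    parser.feed(html)
    insecure = []
    for action in parser.actions:
        target = urljoin(page_url, action)
        if urlsplit(target).scheme.lower() != "https":
            insecure.append(target)
    return insecure


def certificate_validation_level(peercert):
    """Classify a certificate dict as returned by ssl.SSLSocket.getpeercert().

    Domain-validated (DV) certificates, the kind issued free of charge, carry no
    organisation in the subject; organisation-validated (OV) and extended-
    validation (EV) certificates do. OV and EV are not told apart here, since
    that requires the issuing CA's policy OID rather than the subject fields.
    """
    subject = {}
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            subject[key] = value
    return "OV/EV" if "organizationName" in subject else "DV"


def fetch_peer_certificate(host, port=443):
    """Fetch a server's certificate with full chain and hostname validation.

    The default context verifies the chain against the system trust store, so a
    self-signed, expired or mismatched certificate raises ssl.SSLError here
    instead of silently being accepted.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample page: one relative action, one explicit http:// action,
# one form without any action attribute.
SAMPLE_PAGE_URL = "https://www.example.com/kontakt"
SAMPLE_HTML = """
<html><body>
<form action="/kontakt/senden" method="post"><input name="email"></form>
<form action="http://legacy.example.com/mail.php" method="post"></form>
<form method="post"><textarea name="message"></textarea></form>
</body></html>
"""

# Constructed subjects in getpeercert() shape: a DV and an OV certificate.
DV_CERT = {"subject": ((("commonName", "www.example.com"),),),
           "subjectAltName": (("DNS", "www.example.com"),)}
OV_CERT = {"subject": ((("countryName", "DE"),),
                       (("organizationName", "Example GmbH"),),
                       (("commonName", "www.example.com"),))}

if __name__ == "__main__":
    print("insecure forms on HTTPS page:", find_plaintext_forms(SAMPLE_PAGE_URL, SAMPLE_HTML))
    print("insecure forms on HTTP page:",
          find_plaintext_forms("http://www.example.com/kontakt", SAMPLE_HTML))
    print("DV sample:", certificate_validation_level(DV_CERT))
    print("OV sample:", certificate_validation_level(OV_CERT))
    # Live check against a placeholder host; requires network access.
    # print(certificate_validation_level(fetch_peer_certificate("www.example.com")))
```

The form check deliberately resolves relative actions against the page URL: a form that looks harmless in the HTML still posts in plain text when the page itself was reached over http://, which is the case the redirect requirement above addresses.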
Legal requirements in this area also stem from the German Telemedia Act (TMG).
According to this, website operators must use a "recognized encryption method for the protection of personal data".
Section 13 para. 7 TMG reads:
Service providers must, insofar as this is technically possible and economically reasonable, take technical and organizational precautions within the scope of their respective responsibility for telemedia offered on a commercial basis to ensure that
1. no unauthorized access to the technical equipment used for their telemedia services is possible and
2. these are secured
   a) against personal data breaches and
   b) against disruptions, even if they are caused by external attacks.
Precautions in accordance with sentence 1 must take into account the state of the art.
A measure pursuant to sentence 1 is, in particular, the use of an encryption method that is recognized as secure.
A violation can be punished as an administrative offense under Section 16 para. 3 TMG with a fine of up to EUR 50,000.00.
GDPR also harbors new risks from May 2018
Inadequate encryption is not the only deficiency the state data protection authorities check for.
The General Data Protection Regulation (GDPR), which applies from 25 May 2018, brings further changes for data processing companies and website operators.
Article 32 GDPR names encryption explicitly as an appropriate technical measure for the security of processing, and violations of the security obligations can be fined with up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher.
The catalog of requirements to be observed is long.
To avoid mistakes here, an audit by an external data protection consultant can help.