Data Protection for Agencies and WordPress Developers

Nils Möllers Updated on 21.10.2020

Digital market development is not a new issue for companies and the self-employed. Unfortunately, the same cannot necessarily be said about data protection for agencies. What do agencies and freelancers have to consider in terms of data protection law? And what about WordPress order processing? An overview.

The General Data Protection Regulation (GDPR) has been in force for almost 2 years, and it also occupies everyone who works in the WordPress environment. However, the topic of data protection has existed since 1971, and there is a growing tension between data protection and the responsible digitalisation of business processes. It is therefore all the more important to know the central rules.

Note: This basic article does not replace legal advice. To check your measures and your website, you should always contact a law firm specializing in online law and data protection.

When must an agency appoint a data protection officer?

There have been heated discussions here in the past. However, we can now lay down the following key points for agencies:

  1. The agency employs more than 20 staff members who process personal data
  2. The agency carries out processing operations that require a data protection impact assessment
  3. The agency is active in the field of market or opinion research
  4. The agency processes particularly sensitive personal data

With the wish to reduce bureaucracy, the CDU/CSU parliamentary groups had introduced the demand in the legislative consultation to increase the limit of the obligation to appoint a company data protection officer (Section 38 BDSG) to 50 persons. Finally, an agreement was reached in mid-2019 on a limit of 20 employees.

The fundamental question here is whether raising the limit was sensible, since data protection must be observed by every company, even a one-person company.

What must be observed in terms of data protection law for agency software?

Many agencies work with agency software, ticketing systems or workflow management to automate processes and maintain an overview. Typically, these software solutions process personal data of customers and other partners. Therefore the data protection regulations also apply here.

In principle, agencies must ensure that there is an adequate level of protection for the software products they introduce. Besides an authorization and deletion concept, further technical and organizational measures (TOMs) in accordance with Article 32 GDPR are required in order to use the software in a data protection-compliant manner.

Economic adequacy must be taken into account. For example, the TOMs of a small agency cannot, for economic reasons, meet the same standards in all areas as the measures of a large corporation.

In most cases, this software is a cloud service. Examples include:

  • monday.com
  • Google Suite
  • Atlassian Jira Service Desk

to name but a few. An order processing contract should definitely be concluded with these providers, as personal data is processed by the tools in accordance with instructions.

[Image: Google provides its own resources for its cloud services]

When concluding an order processing contract (before the start of the cooperation), agencies or developers must check the technical and organisational measures of the service.

The order processing contract should also contain, inter alia, the following topics: assistance in asserting the rights of data subjects, quality standards, subcontractors, if any.

Is WordPress development an order processing?

Many agencies struggle to assess whether they are processing data as a processor on behalf of a client or as a controller in their own right. In fact, the assessment is quite simple: the controller is the person who determines the purposes and means of the processing of personal data (Article 4(7) GDPR). On the other hand, an agency acts as a processor under Article 4(8) GDPR when it processes personal data on behalf of the client.

The problem is that agencies and freelancers often offer integrated services. In such cases, it is not always possible to determine clearly whether responsibilities are mixed. The prevailing opinion of data protection officers is currently that, in case of doubt, an order processing contract is concluded. Incidentally, this puts the agency in a better position in terms of liability than without a contract for commissioned processing.

What should you consider with WordPress hosting?

Web hosting is also part of data protection for agencies. Besides the availability of an SSL certificate, it is very important that the hosting takes place in a certified data center, for example one certified to ISO/EN 27001, because the same requirement of Article 32 GDPR applies here: agencies and developers must ensure availability, integrity and confidentiality through an appropriate level of security.

In addition to the preventive measures, an appropriate backup strategy can be implemented. In practice, daily incremental backups and weekly full backups, which are stored for up to 90 days, have proven themselves.

[Image: Automatic backups increase security]

However, backups should not be stored in only one location. As a rule, data centers offer the possibility to access several fire compartments.

Data protection on the WordPress site

In principle, websites must comply with the principles of the General Data Protection Regulation. The following therefore apply:

  • The principle of data minimisation
  • Respect for the legal bases for the processing of personal data
  • Compliance with a reasonable purpose of the processing

Traditionally, every website should have a comprehensive and accurate privacy statement to meet the information requirements.

[Image: Define the site privacy policy in WordPress]

In addition, the legal bases for the various processing operations must be established, especially with regard to the use of third-party cookies. This requirement can be implemented very easily with a Cookie Consent Manager. With regard to this, the following aspects should be considered for WordPress:

Likewise, certain processing operations (registrations, contact forms, etc.) require declarations of consent which fulfil the conditions laid down in Article 7 GDPR.

[Image: Practical: update plugins and themes centrally in the hosting backend]

Data protection for agencies: When does one need consent?

In principle, the General Data Protection Regulation is to be understood as a prohibition subject to authorisation. This means that in the first instance no personal data may be processed at all. However, since personal data often have to be processed, the European legislator has defined so-called grounds for permission (legal bases) in Article 6, first paragraph lit. a to f GDPR.

[Image: The text of the GDPR on eur-lex.europa.eu]

Consent is always required if none of the grounds for permission under Article 6 paragraph 1 lit. b to f GDPR applies. Such consent must fulfil the conditions of Article 7. Among other things, it specifies:

  • "Where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his personal data."
  • "The person concerned has the right to withdraw his or her consent at any time. Revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until revoked. The data subject shall be informed before consent is given. The revocation of consent shall be as simple as the granting of consent".

Thus, consent must always be informed, transparent, verifiable, voluntary and revocable.

Additionally, there is Recital 32 of the GDPR. The examples given therein are intended to facilitate the drafting of a consent for business practice. However, solutions developed in-house, as well as the WordPress plugins that belong to them, should be regularly checked legally for their admissibility, for example by a suitable law firm.

Nils Möllers is the founder and managing director of Keyed GmbH from the Münsterland region - as a certified data protection officer and expert for data protection in marketing, in corporate groups and in franchise systems. Nils Möllers also advises companies in the area of IT security, accompanying ISO27001.
