Developing digital markets is nothing new for companies and the self-employed. Unfortunately, the same cannot always be said of data protection in agencies. What do agencies and freelancers need to consider under data protection law? And when does WordPress work count as commissioned processing (processing on behalf of a controller, Article 28 GDPR)? An overview.
The General Data Protection Regulation (GDPR) has been applicable for almost two years, and it concerns everyone who works in the WordPress environment. The topic of data protection itself, however, dates back to 1971, and the tension between data protection and the responsible digitalisation of business processes keeps growing. It is therefore all the more important to know the central rules.
Note: This introductory article does not replace legal advice. To have your measures and your website checked, you should always consult a law firm specialising in online law and data protection.
When must an agency appoint a data protection officer?
There have been heated discussions about this in the past. For agencies, the key points (Section 38 BDSG in conjunction with Article 37 GDPR) can now be stated as follows; a data protection officer must be appointed if:
- the agency regularly employs at least 20 persons who are constantly engaged in the automated processing of personal data
- the agency carries out processing operations that require a data protection impact assessment (Article 35 GDPR)
- the agency processes personal data commercially for market or opinion research
- the agency's core activities consist of large-scale processing of special categories of personal data (Article 9 GDPR), for example health data
With the aim of reducing bureaucracy, the CDU/CSU parliamentary group had called during the legislative consultation for the threshold for the obligation to appoint a company data protection officer (Section 38 BDSG) to be raised to 50 persons. In mid-2019, agreement was finally reached on a threshold of 20 employees.
The fundamental question is whether raising the threshold was sensible at all, since data protection must be observed by every company, even a one-person company: the obligation to appoint an officer changes, the obligation to comply does not.
What must be observed under data protection law for agency software?
Many agencies use agency software, ticketing systems or workflow management tools to automate processes and keep an overview. Typically these solutions process personal data of customers and other partners, so the data protection rules apply here as well.
In principle, agencies must ensure an adequate level of protection for purchased software products. Besides an authorisation (access rights) and deletion concept, further technical and organisational measures (TOMs) in accordance with Article 32 GDPR are required to use the software in a data-protection-compliant manner.
Economic proportionality must be taken into account: Article 32 asks for measures appropriate to the risk and to the cost of implementation, so the TOMs of a small agency cannot, for economic reasons, meet the same standard in every area as those of a large corporation.
In most cases this software is a cloud service, for example:
- Google Suite (G Suite) or
- Atlassian Jira Service Desk
to name only two. A data processing agreement (Article 28 GDPR) must be concluded with these providers, since the tools process personal data on the agency's instructions.
When concluding the data processing agreement (before the cooperation starts), agencies or developers must review the technical and organisational measures of the service.
The data processing agreement should also cover, among other things: assistance in fulfilling data subject rights, quality standards, and any subcontractors (sub-processors).
Is WordPress development commissioned processing?
Many agencies struggle with the assessment of whether they process data as a processor on behalf of a client or as a (self-)responsible controller. In fact, the assessment is quite simple: the controller is whoever determines the purposes and means of the processing of personal data (Article 4(7) GDPR). An agency acts as a processor under Article 4(8) GDPR when it processes personal data on behalf of the controller.
The problem is that agencies and freelancers often offer integrated services. In such cases it is not always easy to tell whether responsibilities are mixed (for example, joint controllership under Article 26 GDPR). The prevailing opinion among data protection officers is currently that, in case of doubt, a data processing agreement should be concluded. Incidentally, this puts the agency in a better position with regard to liability than having no agreement on commissioned processing at all.
What should you consider for WordPress hosting?
Web hosting is also part of data protection for agencies. Besides an SSL/TLS certificate (HTTPS for every page, not only the login and the forms), it is important that hosting takes place in a certified data centre, for example according to ISO/IEC 27001, because the same requirement of Article 32 GDPR applies here: agencies and developers must ensure the availability, integrity and confidentiality of the systems through an appropriate level of security. Note that the data centre certificate covers only the provider's part; the WordPress installation itself (updates, access rights, plugins) remains the agency's responsibility.
In addition to preventive measures, an appropriate backup strategy should be implemented. In practice, daily incremental backups and weekly full backups, retained for up to 90 days, have proven themselves. Two caveats: an incremental backup is only usable as long as the full backup it builds on still exists, so retention must be planned along the backup chain, and restores should be tested regularly, since an untested backup does not guarantee availability.
Backups should also not be kept in one place only. As a rule, data centres offer several fire compartments; an additional copy at a separate site protects against events that affect the whole location.
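The retention rule above, as an added example that is not code from the original article: a small Python planner that keeps everything inside the retention window, keeps an older full backup as long as a retained incremental still depends on it, and flags full backups that exist in only one location as well as incrementals without a base full. The backup records, dates and location names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

RETENTION_DAYS = 90  # the article's rule of thumb: keep backups for up to 90 days


@dataclass(frozen=True)
class Backup:
    taken: date
    kind: str       # "full" or "incremental"
    location: str   # fire compartment or site; constructed names below


def plan_retention(backups, today, retention_days=RETENTION_DAYS):
    """Split backups into (keep, delete).

    Everything taken within the retention window is kept. Older backups are
    deleted, except a full backup that a still-retained incremental in the
    same location builds on: deleting it would make that incremental
    unrestorable.
    """
    cutoff = today - timedelta(days=retention_days)
    by_location = {}
    for b in backups:
        by_location.setdefault(b.location, []).append(b)

    keep, delete = [], []
    for items in by_location.values():
        items.sort(key=lambda b: b.taken)
        # First pass: which full backups are the base of a retained incremental?
        needed_fulls = set()
        last_full = None
        for b in items:
            if b.kind == "full":
                last_full = b
            elif b.taken >= cutoff and last_full is not None:
                needed_fulls.add(last_full)
        # Second pass: apply the window plus the chain dependency
        for b in items:
            if b.taken >= cutoff or b in needed_fulls:
                keep.append(b)
            else:
                delete.append(b)
    return keep, delete


def find_gaps(backups, today, retention_days=RETENTION_DAYS, min_locations=2):
    """Warnings on the retained set: incrementals with no base full backup in
    their location, and full backups held in fewer than min_locations places."""
    keep, _ = plan_retention(backups, today, retention_days)
    warnings = []

    by_location = {}
    for b in sorted(keep, key=lambda b: b.taken):
        by_location.setdefault(b.location, []).append(b)
    for loc, items in by_location.items():
        seen_full = False
        for b in items:
            if b.kind == "full":
                seen_full = True
            elif not seen_full:
                warnings.append(f"orphan incremental {b.taken} at {loc}: no base full backup")

    locations_by_day = {}
    for b in keep:
        if b.kind == "full":
            locations_by_day.setdefault(b.taken, set()).add(b.location)
    for day, locs in sorted(locations_by_day.items()):
        if len(locs) < min_locations:
            warnings.append(f"full backup {day} held in only {sorted(locs)}")
    return warnings


# Constructed sample: two fire compartments "A" and "B" plus a misconfigured "C"
TODAY = date(2020, 4, 1)  # retention cutoff is therefore 2020-01-02
SAMPLE_BACKUPS = [
    Backup(date(2019, 12, 30), "full", "A"),         # old, but 2020-01-02 builds on it
    Backup(date(2019, 12, 31), "incremental", "A"),  # old and not needed: delete
    Backup(date(2020, 1, 2), "incremental", "A"),    # exactly at the cutoff: keep
    Backup(date(2020, 1, 6), "full", "A"),
    Backup(date(2020, 1, 7), "incremental", "A"),
    Backup(date(2020, 1, 6), "full", "B"),           # second copy of the 6 Jan full
    Backup(date(2020, 3, 31), "incremental", "C"),   # no full backup in C at all
]

if __name__ == "__main__":
    keep, delete = plan_retention(SAMPLE_BACKUPS, TODAY)
    print("keep:", [(b.taken.isoformat(), b.kind, b.location) for b in keep])
    print("delete:", [(b.taken.isoformat(), b.kind, b.location) for b in delete])
    for w in find_gaps(SAMPLE_BACKUPS, TODAY):
        print("warning:", w)
```

In the sample, the only deletion is the 31 December incremental; the 30 December full is older than the window but survives because the 2 January incremental still needs it, and the planner reports that this full exists in one compartment only and that compartment "C" holds an incremental with nothing to restore it onto.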
The WordPress site and data protection
In principle, websites must comply with the principles of the GDPR (Article 5). The following therefore apply:
- the principle of data minimisation
- a legal basis for every processing of personal data
- purpose limitation: personal data is processed only for a specified, legitimate purpose
As a matter of course, every website needs a complete and accurate privacy notice to meet the information obligations (Articles 13 and 14 GDPR).
In addition, the legal basis for each processing operation must be established, especially for third-party cookies. This requirement is easy to implement with a cookie consent manager, but only if it actually withholds the third-party scripts and cookies until consent has been given; a banner that merely informs while the scripts load anyway does not create a legal basis. With regard to WordPress, the following aspects should be considered:
Likewise, certain processing operations (registrations, contact forms, etc.) that rely on consent need consent declarations that fulfil the conditions of Article 7 GDPR.
Data protection for agencies: When does one need consent?
In principle, the GDPR is structured as a prohibition subject to permission (in German: Verbot mit Erlaubnisvorbehalt). This means that, to begin with, no personal data may be processed at all. Since personal data often must be processed, however, the European legislator has defined legal bases (permission criteria) in Article 6(1)(a) to (f) GDPR.
Consent is required whenever none of the other legal bases in Article 6(1)(b) to (f) GDPR applies. Such consent must meet the conditions of Article 7 GDPR, which specifies, among other things:
- "Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data." (Article 7(1))
- "The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent." (Article 7(3))
Consent must therefore always be informed, transparent, demonstrable, freely given and revocable.
In addition, Recital 32 GDPR gives examples (ticking a box on a website, choosing technical settings) that are intended to make drafting consent in business practice easier; it also makes clear that silence, pre-ticked boxes or inactivity do not constitute consent. Nevertheless, solutions developed in-house, and the WordPress plugins used for this purpose, should be checked regularly for legal admissibility, for example by a suitable law firm.
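The Article 7 conditions and the Recital 32 point above, as an added example that is not part of the original article: a minimal consent ledger in Python that records what was shown to whom and when (so the controller can demonstrate consent), rejects "consent" that was not an affirmative action, supports withdrawal at any time, and answers whether processing for a purpose was covered by consent at a given moment, with withdrawal not retroactively affecting earlier processing. Subject identifiers, purposes, wording and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                 # one consent per purpose, never a blanket "everything"
    policy_version: str          # which privacy notice the person saw
    wording: str                 # the exact text presented to the person
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only evidence store for Article 7 GDPR consent (constructed example)."""

    def __init__(self):
        self._records: List[ConsentRecord] = []

    def record_consent(self, subject_id, purpose, policy_version, wording,
                       given_at, affirmative):
        # Recital 32: silence, pre-ticked boxes or inactivity are not consent,
        # so the caller must state that a clear affirmative action happened.
        if not affirmative:
            raise ValueError("consent requires a clear affirmative action")
        rec = ConsentRecord(subject_id, purpose, policy_version, wording, given_at)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id, purpose, at):
        """Article 7(3): withdrawal at any time; returns how many consents it closed."""
        closed = 0
        for r in self._records:
            if (r.subject_id == subject_id and r.purpose == purpose
                    and r.withdrawn_at is None):
                r.withdrawn_at = at
                closed += 1
        return closed

    def is_lawful(self, subject_id, purpose, at):
        """Was processing for this purpose covered by consent at time `at`?

        Withdrawal does not affect processing that happened before it
        (Article 7(3)), so a withdrawn consent still covers earlier moments.
        """
        return any(
            r.subject_id == subject_id and r.purpose == purpose
            and r.given_at <= at
            and (r.withdrawn_at is None or at < r.withdrawn_at)
            for r in self._records
        )

    def evidence(self, subject_id, purpose):
        """Article 7(1): what the controller can show on request."""
        return [r for r in self._records
                if r.subject_id == subject_id and r.purpose == purpose]


def demo():
    """Constructed walk-through; returns the results so they can be checked."""
    utc = timezone.utc
    ledger = ConsentLedger()
    ledger.record_consent(
        "user-42", "newsletter", "privacy-notice-v3",
        "Yes, send me the newsletter. I can unsubscribe at any time.",
        given_at=datetime(2020, 3, 1, 10, 0, tzinfo=utc), affirmative=True)

    # A pre-ticked box submitted unchanged must be rejected, not stored.
    try:
        ledger.record_consent("user-43", "newsletter", "privacy-notice-v3",
                              "(pre-ticked box)", datetime(2020, 3, 1, 10, 5, tzinfo=utc),
                              affirmative=False)
        pre_ticked_rejected = False
    except ValueError:
        pre_ticked_rejected = True

    ledger.withdraw("user-42", "newsletter", datetime(2020, 3, 20, 9, 0, tzinfo=utc))
    return {
        "before_consent": ledger.is_lawful("user-42", "newsletter", datetime(2020, 2, 1, tzinfo=utc)),
        "while_consented": ledger.is_lawful("user-42", "newsletter", datetime(2020, 3, 10, tzinfo=utc)),
        "after_withdrawal": ledger.is_lawful("user-42", "newsletter", datetime(2020, 3, 25, tzinfo=utc)),
        "other_purpose": ledger.is_lawful("user-42", "profiling", datetime(2020, 3, 10, tzinfo=utc)),
        "pre_ticked_rejected": pre_ticked_rejected,
        "evidence_count": len(ledger.evidence("user-42", "newsletter")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that a withdrawal does not delete the record: the closed record is exactly the evidence that the newsletter sent on 10 March was lawful, while anything sent after 20 March was not. Storing the wording and the privacy notice version alongside the timestamp is what makes the consent "demonstrable" in the sense of Article 7(1).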