Digital market development is not a new issue for companies and the self-employed. Unfortunately, the same cannot necessarily be said about data protection for agencies. What do agencies and freelancers have to consider in terms of data protection law? And what about WordPress order processing? An overview.
The General Data Protection Regulation (GDPR) has been in force for almost 2 years, and it also concerns everyone who works in the WordPress environment. Data protection as a topic, however, has existed since 1971, and there is a growing tension between data protection and the responsible digitalisation of business processes. It is therefore all the more important to know the central rules.
When does an agency need to appoint a data protection officer?
There have been heated discussions here in the past. However, we can now lay down the following key points for agencies:
- The agency employs more than 20 staff members who process personal data.
- The agency carries out processing operations that require a data protection impact assessment.
- The agency is active in the field of market or opinion research.
- The agency processes personal data that is particularly sensitive.
With the desire to reduce bureaucracy, the CDU/CSU parliamentary groups had demanded that the limit of the appointment obligation for a company data protection officer (Section 38 BDSG) be increased to 50 persons. In the end, agreement was reached in mid-2019 on a limit of 20 employees.
Basically, the question arises whether raising the limit was sensible at all, since data protection must be complied with by every company, even a one-person company.
What has to be considered with agency software in terms of data protection?
Many agencies work with agency software, ticket systems or workflow management to automate processes and maintain an overview. Typically, personal data of customers and other partners is processed in these software solutions. Therefore, data protection regulations also apply here.
In principle, agencies must ensure that an appropriate level of protection exists for the software products they introduce. In addition to an authorisation and deletion concept, further technical and organisational measures (TOM) in accordance with Article 32 GDPR must be implemented in order to use the respective software in a data protection-compliant manner.
The economic appropriateness has to be taken into account. For example, the TOM of a small agency cannot meet the same standards in all areas as the measures of a large corporation due to economic aspects.
In most cases, this software is a cloud service. Examples include:
- Google Suite
- Atlassian Jira Service Desk
to name just a few. A contract processing agreement should definitely be concluded with these providers, as the tools process personal data on the agency's instructions.
As part of concluding the contract processing agreement (i.e. before the cooperation starts), agencies and developers must check the service's technical and organisational measures.
The order processing contract should also cover, among other things, the following topics: support services in case data subjects assert their rights, quality standards, and the existence of any subcontractors.
Is WordPress development an order processing?
Many agencies despair of the assessment of whether they process data as processors or as (own) controllers. Actually, the assessment is quite simple: the controller is the one who determines the purposes and means of the processing of personal data (Article 4(7) GDPR). An agency, on the other hand, acts as a processor according to Article 4(8) GDPR if it processes personal data on behalf of the client.
The problem is that agencies and freelancers often offer holistic services. In this case, it is not always possible to determine clearly whether responsibilities are mixed. The prevailing opinion of the data protection commissioners is currently that, in case of doubt, commissioned processing should be concluded. Incidentally, this puts the agency in a better position in terms of liability than it would be without a contract on commissioned processing.
What should you consider with WordPress hosting?
The topic of data protection for agencies also includes web hosting. In addition to the availability of an SSL certificate, it is very important that the hosting takes place in a data center that is certified, for example according to ISO/EN 27001, because here the same requirement of Article 32 GDPR applies: agencies and developers must guarantee availability, integrity and confidentiality through an appropriate level of security.
In addition to preventive measures, a suitable backup strategy should also be implemented. In practice, daily incremental backups and weekly full backups, which are retained for up to 90 days, have proven successful.
Furthermore, backups should not be stored in only one location. As a rule, data centers offer the possibility of falling back on several fire compartments.
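The backup strategy described above (daily incremental, weekly full, retention of up to 90 days, more than one storage location) can be turned into a check that runs against a hosting inventory. The following is an added example written for this article, not the article's own code or any hosting provider's tooling; the backup record format, the location names and the sample data are constructed for illustration.

```javascript
// Added example: checks a list of backup records against the retention policy
// described in the text. Record format and sample data are constructed.
const POLICY = {
  incrementalMaxAgeDays: 1, // daily incremental backups
  fullMaxAgeDays: 7,        // weekly full backups
  retentionDays: 90,        // keep backups for up to 90 days, then delete (data minimisation)
  minLocations: 2,          // never rely on a single fire compartment (availability, Art. 32 GDPR)
};

const DAY_MS = 24 * 60 * 60 * 1000;
const ageDays = (iso, now) => (now - Date.parse(iso)) / DAY_MS;

// Returns { ok, findings, expired }: findings are policy violations a practitioner
// must fix, expired lists backup ids that are past the retention period.
function checkBackups(backups, now = Date.now()) {
  const findings = [];
  const expired = backups
    .filter((b) => ageDays(b.takenAt, now) > POLICY.retentionDays)
    .map((b) => b.id);
  const current = backups.filter((b) => !expired.includes(b.id));

  // Age of the newest backup of a given type; Infinity if there is none.
  const newestAge = (type) => {
    const ages = current.filter((b) => b.type === type).map((b) => ageDays(b.takenAt, now));
    return ages.length ? Math.min(...ages) : Infinity;
  };

  if (newestAge("full") > POLICY.fullMaxAgeDays) {
    findings.push(`no full backup within the last ${POLICY.fullMaxAgeDays} days`);
  }
  if (newestAge("incremental") > POLICY.incrementalMaxAgeDays) {
    findings.push(`no incremental backup within the last ${POLICY.incrementalMaxAgeDays} day(s)`);
  }

  // Only non-expired backups count towards the location requirement.
  const locations = new Set(current.map((b) => b.location));
  if (locations.size < POLICY.minLocations) {
    findings.push(`current backups kept in only ${locations.size} location(s)`);
  }

  return { ok: findings.length === 0, findings, expired };
}

// Constructed inventory: evaluated at a fixed point in time so the result is reproducible.
const NOW = Date.parse("2020-03-01T12:00:00Z");
const SAMPLE_BACKUPS = [
  { id: "full-2020-02-29-a", type: "full", takenAt: "2020-02-29T02:00:00Z", location: "dc1-fire-compartment-a" },
  { id: "full-2020-02-29-b", type: "full", takenAt: "2020-02-29T02:00:00Z", location: "dc1-fire-compartment-b" },
  { id: "inc-2020-03-01", type: "incremental", takenAt: "2020-03-01T02:00:00Z", location: "dc1-fire-compartment-a" },
  { id: "full-2019-12-10", type: "full", takenAt: "2019-12-10T02:00:00Z", location: "dc1-fire-compartment-a" },
  { id: "full-2019-11-20", type: "full", takenAt: "2019-11-20T02:00:00Z", location: "dc1-fire-compartment-a" },
];

// Constructed counter-example: one stale full backup, no incrementals, one location.
const STALE_BACKUPS = [
  { id: "full-2020-02-20", type: "full", takenAt: "2020-02-20T02:00:00Z", location: "dc1-fire-compartment-a" },
];

console.log(JSON.stringify(checkBackups(SAMPLE_BACKUPS, NOW)));
console.log(JSON.stringify(checkBackups(STALE_BACKUPS, NOW)));
```

For the sample inventory the check passes and reports the backup from 2019-11-20 as expired; the counter-example yields three findings (stale full backup, missing incremental, single location). In practice the inventory would be produced by the hosting provider's backup tooling rather than typed in.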
Data protection for the WordPress website
In principle, websites must comply with the principles of the General Data Protection Regulation. The following therefore apply:
- The principle of data minimisation
- The observance of legal bases for the processing of personal data
- Likewise, the observance of an appropriate purpose of the processing
In addition, a legal basis must be established for the various processing operations, especially with regard to the use of third-party cookies. This requirement can be implemented very easily with a Cookie Consent Manager. With regard to WordPress, the following aspects should be considered:
Likewise, for certain processing operations (registrations, contact forms, etc.), consent forms should be drawn up that comply with the conditions laid down in Article 7 GDPR.
Data protection for agencies: When do you need consent?
Basically, the General Data Protection Regulation is to be understood as a prohibition with a reservation of permission. This means that, to begin with, no personal data may be processed at all. However, since personal data must often be processed, the European legislator has defined so-called permission criteria (legal bases) in Article 6(1)(a) to (f) GDPR.
Consent is always required if none of the other legal bases under Article 6(1)(b) to (f) GDPR applies. Such consent must meet the conditions set out in Article 7. Among other things, it states:
- "If the processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data"
- "The data subject has the right to withdraw consent at any time. The revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. The data subject shall be informed of this before giving consent. The withdrawal of consent shall be as simple as giving consent."
Thus, consent must always be informed, transparent, verifiable, voluntary and revocable.
In addition, there is Recital 32 of the GDPR. The examples mentioned therein are intended to make it easier to design consent for business practice. However, self-developed solutions, as well as the associated WordPress plugins, should regularly be legally reviewed for their admissibility, for example by a suitable law firm.
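The Article 7 conditions quoted above (consent must be demonstrable, withdrawable at any time, and withdrawal as simple as giving it) and the Cookie Consent Manager mentioned in the website section can be expressed as a small consent record that gates third-party scripts. The following is an added example written for this article; it is not the article's own code, not a specific WordPress plugin, and not any consent-manager product's API. The purpose names, the policy version label, the storage interface and the script URLs are assumptions; storage and script loading are injected so the example runs outside a browser.

```javascript
// Added example: a minimal consent record in the spirit of Article 7 GDPR.
// Names, purposes and the storage/loader interfaces are assumptions.

// Label of the consent text currently shown to the visitor (assumed). If the
// text changes, consent given for the old text is no longer treated as valid.
const POLICY_VERSION = "privacy-text-v3";

// Hypothetical consent categories a site might ask for.
const PURPOSES = ["analytics", "marketing"];

function createConsentManager({ storage, loadScript, now = () => new Date() }) {
  const KEY = "consent-record";
  const read = () => {
    const raw = storage.getItem(KEY);
    return raw ? JSON.parse(raw) : null;
  };
  const write = (record) => {
    storage.setItem(KEY, JSON.stringify(record));
    return record;
  };

  // Art. 7(1): the controller must be able to demonstrate consent, so the record
  // keeps which text was shown, when, and which purposes were granted. Purposes
  // not explicitly granted are recorded as denied (no pre-ticked boxes).
  function give(grantedPurposes) {
    const previous = read();
    const decisions = {};
    for (const p of PURPOSES) decisions[p] = grantedPurposes.includes(p);
    return write({
      policyVersion: POLICY_VERSION,
      decisions,
      events: [
        ...(previous ? previous.events : []),
        { type: "given", at: now().toISOString(), purposes: grantedPurposes.slice() },
      ],
    });
  }

  // Art. 7(3): withdrawal is a single call, as simple as giving consent. Earlier
  // events are kept because processing before withdrawal stays lawful.
  function withdraw(purpose) {
    const record = read();
    if (!record) return null;
    record.decisions[purpose] = false;
    record.events.push({ type: "withdrawn", at: now().toISOString(), purposes: [purpose] });
    return write(record);
  }

  // Consent counts only if it was given for the consent text currently in use.
  function hasConsent(purpose) {
    const record = read();
    return Boolean(record && record.policyVersion === POLICY_VERSION && record.decisions[purpose] === true);
  }

  // Third-party scripts (the source of third-party cookies) load only after consent.
  function loadIfConsented(purpose, src) {
    if (!hasConsent(purpose)) return false;
    loadScript(src);
    return true;
  }

  return { give, withdraw, hasConsent, loadIfConsented, exportRecord: read };
}

// Constructed in-memory stand-in for window.localStorage.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
}

// Walks through give -> gate -> withdraw and returns the observable results.
function demo() {
  const loaded = [];
  const cm = createConsentManager({
    storage: memoryStorage(),
    loadScript: (src) => loaded.push(src),
    now: () => new Date("2020-03-01T10:00:00Z"),
  });
  const beforeConsent = cm.loadIfConsented("analytics", "https://example.invalid/analytics.js");
  cm.give(["analytics"]);
  const afterConsent = cm.loadIfConsented("analytics", "https://example.invalid/analytics.js");
  const marketingDenied = cm.loadIfConsented("marketing", "https://example.invalid/ads.js");
  cm.withdraw("analytics");
  const afterWithdrawal = cm.hasConsent("analytics");

  // A record stored under an older consent text does not count as consent.
  const stale = memoryStorage();
  stale.setItem("consent-record", JSON.stringify({
    policyVersion: "privacy-text-v2", decisions: { analytics: true, marketing: false }, events: [],
  }));
  const staleConsent = createConsentManager({ storage: stale, loadScript: () => {} }).hasConsent("analytics");

  return { beforeConsent, afterConsent, marketingDenied, afterWithdrawal, staleConsent, loaded, record: cm.exportRecord() };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real site the storage would be `localStorage` or a first-party cookie and `loadScript` would insert a `<script>` element; the event list is what an agency would be able to show if a supervisory authority asks how consent was obtained.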