We are frequently asked during consultation whether a website must have SSL/TLS encryption if that website has a contact form.
The answer is: YES
Even before the entry into force of the General Data Protection Regulation (GDPR), the operator of a website (service provider as defined by Section 2 No. 1 of the German Telemedia Act (TMG)) was obliged to use a recognised encryption method when using contact forms to transmit personal data. This obligation resulted from Section 13 TMG. A violation of Section 13 (7) of the German Telemedia Act (TMG) constitutes an administrative offence that can be punished with a fine pursuant to Section 16 (3) of the TMG.
Recognised encryption methods are the SSL and TLS protocols. The SSL protocol (Secure Sockets Layer) is an encryption method for confidential, authentic and integrity-protecting end-to-end data transmission. The TLS protocol (Transport Layer Security) is a security protocol based on the SSL protocol.
Since the entry into force of the GDPR, the obligation to encrypt a website with a contact form also results from the principle of data integrity and confidentiality. Article 32 (1) (a) of the GDPR states that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the likelihood and severity of the risk to the rights and freedoms of natural persons, technical and organisational measures must be taken by the operator of a website to ensure an adequate level of protection. The encryption of personal data is explicitly named as such an appropriate technical measure in Article 32 (1) (a) of the GDPR.
Encryption using an SSL or TLS protocol for contact forms on Internet pages is also recommended by the German Federal Office for Information Security (BSI) and is currently state of the art.
For this reason, websites that have a contact form must be SSL or TLS-encrypted, taking into account both the regulations of the TMG and the regulations of the GDPR.
GoldbergUllrich Attorneys at Law 2018
Specialist lawyer for information technology law