Data protection for agencies

Data protection for agencies and WordPress developers

Digital market development is not a new topic for companies and the self-employed. Unfortunately, the same cannot necessarily be said about data protection for agencies. What do agencies and freelancers need to consider in terms of data protection law? And what about order processing with WordPress? An overview.

The General Data Protection Regulation (GDPR) has been in force for almost 2 years - it also concerns all those who work in the WordPress environment. However, the topic of data protection has been around since 1971, and there is an increasing tension between data protection and the responsible digitalization of business processes. This makes it all the more important to know the central rules.

Note: This basic article does not replace legal advice. To review your measures and your website, you should always contact a suitable law firm specializing in online law and data protection.

When does an agency have to appoint a data protection officer?

There have been heated discussions here in the past. For German agencies, however, the key points can now be stated: a data protection officer must be appointed if any of the following applies:

  1. The agency employs more than 20 employees who process personal data
  2. The agency carries out processing operations that must be assessed by means of a data protection impact assessment
  3. The agency is active in the field of market or opinion research
  4. The agency processes particularly sensitive personal data

With the aim of reducing bureaucracy, the CDU/CSU parliamentary groups had demanded during the legislative consultation that the threshold for the obligation to appoint a company data protection officer (Section 38 BDSG) be raised to 50 people. In the end, a threshold of 20 employees was agreed in mid-2019.

Whether raising the threshold was sensible is debatable: data protection obligations apply to every company, even a one-person company. The threshold only decides whether a data protection officer must be formally appointed.

What needs to be considered in terms of data protection law with agency software?

Many agencies work with agency software, ticket systems or workflow management to automate processes and maintain an overview. These software solutions typically process the personal data of customers and other partners. Therefore, data protection regulations also apply here.

In principle, agencies must ensure that there is an appropriate level of protection for the software products introduced. In addition to an authorization and deletion concept, further technical and organizational measures (TOM) in accordance with Article 32 GDPR must be observed in order to use the respective software in compliance with data protection regulations.

Economic appropriateness may be taken into account: for cost reasons, the TOM of a small agency cannot meet the same standards in every area as the measures of a large corporation. The level of protection must nevertheless be appropriate to the risk of the processing.

In most cases, this software is a cloud service. These are for example:

  • monday.com
  • Google Suite or
  • Atlassian Jira Service Desk

to name just a few. A data processing agreement should definitely be concluded with these providers, because the tools process personal data on the agency's instructions.

Image: Google provides its own GDPR resources for its cloud services

When concluding a data processing agreement (before the collaboration starts), agencies or developers must check the technical and organizational measures of the service.

The data processing agreement should also cover, among other things: assistance with requests from data subjects exercising their rights, quality standards, and any subcontractors (sub-processors).

Is WordPress development processing on behalf of the client?

Many agencies despair when it comes to assessing whether they process data as a processor or as a controller in their own right. The assessment is actually quite simple: the controller is whoever decides on the purposes and means of processing personal data (Article 4(7) GDPR). By contrast, an agency acts as a processor under Article 4(8) GDPR if it processes personal data on behalf of the client.

The problem, however, is that agencies and freelancers often offer comprehensive services, and it is then not always clear whether responsibilities are mixed. The prevailing opinion among data protection officers is currently that, in case of doubt, a data processing agreement should be concluded. Incidentally, this puts the agency in a better position in terms of liability than having no data processing agreement at all.

What should you bear in mind with WordPress hosting?

Data protection for agencies also includes web hosting. In addition to a TLS (SSL) certificate, it is very important that hosting takes place in a certified data center, for example one certified according to ISO/EN 27001, because the same requirement of Article 32 GDPR applies here: agencies and developers must ensure availability, integrity and confidentiality through an appropriate level of security.

In addition to preventive measures, a suitable backup strategy should be implemented. In practice, daily incremental backups and weekly full backups, retained for up to 90 days, have proven effective.

Image: Automatic backups increase security

Backups should not be kept in a single location, however. As a rule, data centers offer several fire compartments, so a copy stored in a separate compartment survives an incident that destroys the primary one.
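The retention rule above (daily incrementals, weekly fulls, 90 days) has one trap: an incremental backup is useless without the full backup it builds on, so the oldest retained restore point depends on a full backup that is itself older than 90 days. The following model, added here as an example and not code from the article, assumes the weekly full runs on Sunday and shows which backups a pruning job may delete without breaking any restore chain.

```python
"""Backup retention model: daily incrementals, weekly fulls, 90-day window.
Assumption (not from the article): the full backup runs on Sundays."""
from datetime import date, timedelta

RETENTION_DAYS = 90


def backup_kind(day: date) -> str:
    """Weekly full on Sunday, incremental on every other day (assumed schedule)."""
    return "full" if day.weekday() == 6 else "incr"


def make_backups(start: date, days: int) -> dict:
    """Constructed sample catalogue: one backup per day, keyed by its date."""
    return {start + timedelta(d): backup_kind(start + timedelta(d)) for d in range(days)}


def restore_chain(backups: dict, target: date) -> list:
    """Backups needed to restore the state of `target`: the last full on or
    before the target plus every incremental between that full and the target."""
    fulls = [d for d, k in backups.items() if k == "full" and d <= target]
    if not fulls:
        return []  # no base full backup: the target is not restorable
    base = max(fulls)
    return sorted(d for d in backups if base <= d <= target)


def prune(backups: dict, today: date, retention_days: int = RETENTION_DAYS) -> set:
    """Dates that may be deleted: everything older than the retention window,
    except backups that the oldest retained restore point still depends on.
    Deleting those would silently break the first days of the window."""
    cutoff = today - timedelta(days=retention_days)
    retained = {d for d in backups if d >= cutoff}
    needed = set(restore_chain(backups, min(retained))) if retained else set()
    return {d for d in backups if d < cutoff and d not in needed}


def chains_intact(backups: dict, deletable: set, today: date) -> bool:
    """Check that every restore point inside the window has the same restore
    chain before and after pruning, i.e. nothing it needs was deleted."""
    kept = {d: k for d, k in backups.items() if d not in deletable}
    cutoff = today - timedelta(days=RETENTION_DAYS)
    return all(restore_chain(kept, d) == restore_chain(backups, d)
               for d in backups if d >= cutoff)
```

A naive job that deletes everything older than 90 days would remove the Sunday full of 30 June in the sample below and leave the first two days of the window unrestorable.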

What should a WordPress site fulfill for data protection?

In principle, websites must comply with the principles of the General Data Protection Regulation. The following therefore apply:

  • The principle of data minimization
  • Compliance with legal bases for the processing of personal data
  • Likewise, purpose limitation: processing only for a specified, legitimate purpose

Traditionally, every website should have a comprehensive and correct privacy policy in order to fulfill the information obligations.

Image: Setting the privacy policy page in WordPress

In addition, the legal basis for the various processing operations must be created, especially with regard to the use of third-party cookies. This requirement can be implemented very easily with a Cookie Consent Manager. The following aspects should be considered with regard to WordPress:

Declarations of consent should also be drawn up for certain processing operations (registrations, contact forms, etc.) that meet the conditions set out in Article 7 GDPR.

Image: Practical: updating plugins and themes centrally in the hosting backend

Data protection for agencies: when do you need consent?

In principle, the General Data Protection Regulation is to be understood as a prohibition subject to permission: processing personal data is prohibited unless a legal basis permits it. Because personal data often has to be processed, the European legislator has defined so-called permissions (legal bases) in Article 6(1)(a) to (f) GDPR.

Image: The text of the GDPR on eur-lex.europa.eu

Consent is always required if none of the other legal bases under Article 6(1)(b) to (f) GDPR applies. Such consent must meet the conditions set out in Article 7, which stipulates, among other things:

  • "If the processing is based on consent, the controller must be able to prove that the data subject has consented to the processing of their personal data"
  • "The data subject has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The data subject shall be informed of this before consent is given. The withdrawal of consent must be as simple as the granting of consent."

Consent must therefore always be obtained in an informed, transparent, verifiable, voluntary and revocable manner.

In addition, Recital 32 to the GDPR gives examples that are intended to help businesses design consent mechanisms in practice. However, self-developed solutions, just like the associated WordPress plugins, should be regularly checked for legal admissibility, for example by a suitable law firm.

Questions about data protection for agencies

Do you have questions about data protection for agencies and freelancers? Feel free to use the comment function. Would you like to be informed about new articles on the topic of online law? Then follow us on Twitter, Facebook or via our newsletter.
