Data protection for agencies and WordPress developers

Digital market development is not a new topic for companies and the self-employed. Unfortunately, the same cannot necessarily be said about data protection for agencies. What do agencies and freelancers need to consider in terms of data protection law? And what about order processing with WordPress? An overview.

The General Data Protection Regulation (GDPR) has been in force for almost 2 years – it also concerns all those who work in the WordPress environment. However, the topic of data protection has been around since 1971, and there is an increasing tension between data protection and the responsible digitalisation of business processes. This makes it all the more important to know the central rules.

When does an agency have to appoint a data protection officer?

There have been heated discussions about this in the past. However, we can now summarise the following key points for German agencies:

1. The agency employs more than 20 employees who process personal data
2. The agency carries out processing operations that must be assessed by means of a data protection impact assessment
3. The agency is active in the field of market or opinion research
4. The agency processes particularly sensitive personal data

With the desire to reduce bureaucracy, the CDU/CSU parliamentary groups had introduced the demand in the legislative consultation to increase the limit for the obligation to appoint a company data protection officer (Section 38 BDSG) to 50 people. In the end, a limit of 20 employees was agreed in mid-2019.

In principle, the question arises here as to whether the increase in the limit was sensible, as data protection must be complied with by every company. Even by a 1-person company.

What needs to be considered with agency software in terms of data protection law?

Many agencies work with agency software, ticket systems or workflow management to automate processes and maintain an overview. These software solutions typically process the personal data of customers and other partners. Therefore, data protection regulations also apply here.

In principle, agencies must ensure that there is an appropriate level of protection for the software products introduced. In addition to an authorisation and deletion concept, further technical and organisational measures (TOM) in accordance with Article 32 GDPR must be complied with in order to use the respective software in compliance with data protection regulations.

Economic appropriateness must be taken into account. For example, the TOM of a small agency cannot fulfil the same standards in all areas as the measures of a large corporation for economic reasons.

In most cases, this software is a cloud service. These are for example:

• monday.com
• Google Suite or
• Atlassian Jira Service Desk

to name just a few. An order processing agreement should definitely be concluded with these providers, as the tools process personal data in accordance with instructions.

Agencies or developers must check these technical and organisational measures of the service as part of the conclusion of an order processing agreement (before the start of the collaboration).

The data processing agreement should also include the following topics, among others: Support services for asserting the rights of data subjects, quality standards, any subcontractors.

Is WordPress development order processing?

Many agencies despair when it comes to assessing whether they are processing data as a processor or as an (in-house) controller. The assessment is actually quite simple: the controller is the person who decides on the purposes and means of processing personal data (Article 4(7) GDPR). In contrast, an agency acts as a processor in accordance with Article 4(8) GDPR if it processes personal data on behalf of the client.

However, the problem is that agencies and freelancers often offer comprehensive services. In this case, it is not always possible to clearly determine whether there is a mixture of responsibilities. The prevailing opinion of data protection officers is currently that, in case of doubt, a data processing agreement should be concluded. Incidentally, this puts the agency in a better position in terms of liability than without an order processing contract.

What should you bear in mind with WordPress hosting?

Data protection for agencies also includes web hosting. In addition to the availability of an SSL certificate, it is very important that the hosting takes place in a data centre that is certified. For example, according to ISO/EN 27001, because the same requirement of Article 32 GDPR applies here: Agencies and developers must ensure availability, integrity and confidentiality through an appropriate level of security.

In addition to preventative measures, a suitable backup strategy should also be implemented. In practice, daily incremental backups and weekly full backups, which are stored for up to 90 days, have proven effective.

Nevertheless, backups should not be stored in one location. As a rule, data centres offer the option of using several fire compartments.

What should a WordPress site fulfil for data protection?

In principle, websites must fulfil the principles of the General Data Protection Regulation. This therefore applies:

• The principle of data minimisation
• Compliance with the legal basis for the processing of personal data
• Likewise, the observance of an appropriate purpose of processing

Traditionally, every website should have a comprehensive and correct privacy policy in order to fulfil the information obligations.

In addition, the legal basis for the various processing operations must be created, especially with regard to the use of third-party cookies. This requirement can be implemented very easily with a cookie consent manager. The following aspects should be considered with regard to WordPress:

• Automated WP Core updates
• Regular plugin & theme updates
• Effective hacker & malware protection

Declarations of consent should also be created for certain processing operations (registrations, contact forms, etc.) that fulfil the conditions of Article 7 GDPR.

Data protection for agencies: When do you need consent?

In principle, the General Data Protection Regulation is to be understood as a prohibition subject to authorisation. This means that no personal data may be processed in the first instance. However, as personal data often has to be processed, the European legislator has defined what are known as authorisation situations – in Article 6(1) (a) to (f) GDPR.

Consent is always required if one of the grounds for authorisation pursuant to Article 6(1)(b) to (f) GDPR is not relevant. Such consent must fulfil the conditions set out in Article 7. Among other things, it is stipulated therein:

• “If the processing is based on consent, the controller must be able to prove that the data subject has consented to the processing of their personal data”
• “The data subject has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The data subject shall be informed of this before consent is given. The withdrawal of consent must be as simple as the granting of consent.”

Consent must therefore always be obtained in an informed, transparent, verifiable, voluntary and revocable manner.

In addition, there is a so-called Recital 32 to the GDPR. The examples mentioned therein are intended to facilitate the design of consent for business practice. However, self-developed solutions – just like the associated WordPress plugins – should be regularly checked for legal admissibility, for example by a suitable law firm.