Contact forms - is consent required?


Hello to all consent sufferers,
Imagine you are out shopping in the city and suddenly find the perfect pair of shoes. You enter the shop, ready to spend money. But the shop assistant tells you that she can only ask for your shoe size once you have read and accepted the privacy policy (DSE, from the German "Datenschutzerklärung").

WHAT?! REALLY, NOW?! - Of course not!

By entering the shop, you have made a declaration of intent to possibly initiate a legal transaction. In legal terms this is known as implied conduct (German: "konkludentes Verhalten").

Wikipedia writes:
"Conclusive or implied action (Latin concludere "to conclude", "to draw a conclusion") (also conclusive behaviour, tacit declaration of intent or implied action) exists in legal transactions if someone expresses their will through non-verbal behaviour and the honest recipient may infer from this an intention to be legally bound, so that a contract can be concluded even without an express declaration of intent."

You enter the shop to buy shoes, so you are willing to initiate a transaction and conclude a corresponding contract. And to ensure that the shoes fit, you realise from the outset that your shoe size is a required piece of personal data. It's actually logical, isn't it?

So why do many websites have contact forms with mandatory checkboxes? You can only send the enquiry if you tick the checkbox and thereby confirm that you
- consent to the processing of your data for the purpose of responding to the enquiry, or
- have read the DSE and accept or agree to it.

What's the point? Perhaps website operators or agencies opt for consent out of ignorance or out of fear of cease-and-desist letters (German: "Abmahnungen"). They may simply assume that this is the easiest and safest way.
But be careful, that can be quite wrong, because consent is a tricky thing. On the one hand, it must be documented that consent was lawfully obtained. On the other hand, data subjects have the right to withdraw consent at any time.

The processes must therefore be tracked and documented and, in the event of a withdrawal, the data must be deleted without undue delay in accordance with the GDPR (from active systems, backups, etc.). So what sounds so seductively simple actually has a number of pitfalls and causes quite a lot of effort.

What does the GDPR say?


Article 6 of the GDPR provides a series of legal bases under which the processing of personal data is permitted. The legal bases relevant to our contact form are

Art. 6, para. 1, lit. a: Consent of the data subject
Art. 6, para. 1, lit. b: Fulfilment of a contract or implementation of pre-contractual measures
Art. 6, para. 1, lit. f: Legitimate interest of the controller

Art. 6, para. 1, lit. a: Consent of the data subject

There are processing operations for which consent must be obtained. This includes, for example, the use of certain marketing or tracking/analysis tools, etc. According to the Bavarian data protection supervisory authority, "consent is required for contact forms if special categories of personal data pursuant to Art. 9 para. 1 GDPR are processed. This may be the case, for example, if the form is used to request health data for appointments with a doctor, if the contact form is used to register with a religious organisation or political party or if the user can upload attachments that allow conclusions to be drawn about religion, ethnic origin, sexual orientation, etc. [1]."

[1] Extract from the 2017/2018 activity report of the Bavarian State Office for Data Protection Supervision (LDA Bayern), published March 2019.

This does not apply to a contact form that collects no such particularly sensitive data. For most use cases, a contact form can therefore rest on one of the other legal bases instead.

Art. 6, para. 1, lit. b: Fulfilment of a contract or implementation of pre-contractual measures

Where the enquiry is aimed at concluding a contract (a request for a quote, a question about an order), processing the data is necessary for pre-contractual steps taken at the request of the data subject. This is exactly the shoe shop situation from the beginning: no one needs to consent to being asked for the information required to prepare the transaction they themselves initiated.

Art. 6, para. 1, lit. f: legitimate interest of the controller

The other option is to base the use of a contact form on the legitimate interest of the website operator. The website operator clearly has a justified interest in answering an enquiry that was sent to them.
The GDPR does require a balancing of interests whenever processing is based on this legal ground. When a contact form is used, however, it is reasonable to assume that the interests of the parties involved coincide: one party makes an enquiry and expects a response, the other wishes to answer it.

Beware of mixing with contractual bases

So let's be clear: a mandatory checkbox is unnecessary for most contact forms. With the DSE, we are merely fulfilling our duty to inform under the GDPR (Art. 13). No interested party or customer is obliged to actually read the information, and certainly not to agree to it or accept it.

However, there is another reason, unrelated to data protection, not to use these checkboxes:
Making acknowledgement of and agreement to the DSE a mandatory field may give the impression that the DSE is an integral part of the contract, similar to the general terms and conditions (GTC). But it is NOT!

In December 2018, the Berlin Court of Appeal (Kammergericht) heard the case of an online shop that required the customer's consent to the provider's "data protection agreement" via a checkbox during the ordering process. The court ruled (case reference 23 U 196/13) that a large part of the data protection provisions violated the law on general terms and conditions because they were incompatible with the fundamental ideas of the GDPR.

The court held that the distinction between binding contractual terms and non-binding information must be judged from the perspective of the "average customer with no prior legal training". Given the wording of the provider's terms and of the separately accepted "data protection agreement", the average customer would regard both the terms and the consent requirement as "contractual terms" that they had to accept in order to place an order. The court therefore subjected the entire text to a GTC review.
It is therefore advisable to keep a clear separation between pure information and contractual components in order to avoid unpleasant encounters with lawyers and courts.

Conclusion

The important thing is:

  • Transport encryption according to the current state of the art (HTTPS with an up-to-date TLS configuration) is an absolute prerequisite for operating a contact form; the GDPR's security requirements (Art. 32) explicitly refer to the state of the art.
  • To minimise data, only the fields that are really needed should be defined as mandatory fields in the contact form. Which ones these are must be decided case by case. For an online retailer of refrigerators, for example, the age of the enquirer is not a relevant data point. For an e-cigarette shop, however, it may be. Following the motto "as much as necessary, as little as possible", only those entries that are actually required to answer the enquiry should be mandatory.
  • You should also place a link to the DSE next to the contact form so that interested parties can easily reach the information. Something like: "You can find more information on the processing of personal data in our privacy policy."
  • The DSE itself must contain a section on the contact form that states which data is processed, for what purpose and by whom, on what legal basis this is done, and how long the data is stored.
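As an added example (not code from the original post or from Trackboxx), the following Python handler applies the first three points to a raw form submission: it refuses anything that did not arrive over HTTPS, treats only the fields needed to answer the enquiry as mandatory, and discards every other submitted field before anything is stored, including a leftover "privacy_accepted" checkbox that an old template might still send. The field names, length limits and sample submission are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Assumed field policy for a contact form (constructed for this example,
# not taken from the original post). Only what is needed to answer the
# enquiry is mandatory; everything else is optional or not accepted at all.
REQUIRED_FIELDS = {"email", "message"}
OPTIONAL_FIELDS = {"name", "phone"}
ALLOWED_FIELDS = REQUIRED_FIELDS | OPTIONAL_FIELDS
MAX_LENGTH = {"email": 254, "message": 5000, "name": 200, "phone": 40}

# Deliberately absent from the field set: a consent checkbox. The privacy
# policy is linked for information only; there is nothing to tick.

# Rough plausibility check, not a full RFC 5322 validator.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class ValidationResult:
    ok: bool
    data: dict = field(default_factory=dict)     # minimised fields fit to store
    dropped: list = field(default_factory=list)  # submitted but never processed
    errors: list = field(default_factory=list)


def validate_contact_form(submission: dict, scheme: str) -> ValidationResult:
    """Validate a raw submission (field name -> value) received over `scheme`.

    Only ValidationResult.data may be passed on to storage or e-mail.
    """
    errors, data, dropped = [], {}, []

    # 1. Transport: a submission over plain HTTP is rejected outright.
    if scheme.lower() != "https":
        errors.append("contact form must be submitted over HTTPS")

    # 2. Data minimisation: keep declared fields only, discard the rest
    #    (including any consent flag a stale template might still send).
    for name, value in submission.items():
        if name not in ALLOWED_FIELDS:
            dropped.append(name)
            continue
        value = value.strip() if isinstance(value, str) else ""
        if not value:
            continue  # empty field: nothing to store; missing required ones reported below
        if len(value) > MAX_LENGTH[name]:
            errors.append(f"{name} exceeds {MAX_LENGTH[name]} characters")
            continue
        data[name] = value

    # 3. Mandatory fields: only those actually needed to answer the enquiry.
    for name in sorted(REQUIRED_FIELDS - data.keys()):
        errors.append(f"missing required field: {name}")

    # 4. Plausibility of the reply address.
    if "email" in data and not EMAIL_RE.match(data["email"]):
        errors.append("email address is not well-formed")

    return ValidationResult(ok=not errors, data=data, dropped=dropped, errors=errors)


if __name__ == "__main__":
    # Constructed sample: one superfluous field and a leftover consent checkbox.
    sample = {
        "email": "anna@example.org",
        "message": "Do you ship to Austria?",
        "name": "Anna",
        "privacy_accepted": "on",
        "age": "34",
    }
    print(validate_contact_form(sample, "https"))
```

The handler reports the discarded field names so that a stale template that still sends a consent checkbox shows up in logs and can be cleaned up, while the stored record never contains it.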

Further links and information

Further information and assistance can be found in Art. 6, para. 1, GDPR and in Recital 47 of the GDPR. In the meantime, there are also quite comprehensible and practical publications in the specialist literature. The Bavarian State Office for Data Protection Supervision refers to one such publication in a press release at https://www.lda.bayern.de/media/pm2018_15.pdf. On the page of the "Datenschutz-Guru" you can find a (still current) and quite entertaining podcast on the subject. Or you can simply ask your trusted data protection expert.

Legal information

I have compiled the information in this essay to the best of my knowledge and belief and have included my judgement. Whilst I have made every effort to ensure that all information is up to date, I do not guarantee the completeness or accuracy of the information.

The contents are for information purposes only and are not binding. They expressly do not constitute legal advice within the meaning of the German Legal Advice Act (RBerG) and are therefore no substitute for advice from a lawyer. I assume no liability for errors or omissions and shall not be liable for any damages in contract, tort or otherwise arising out of the use of or reliance on this information or any actions or decisions taken as a result of the use of this information.

Christian

Expert in web development & online marketing with over 15 years of experience.
Developer & CEO of Trackboxx – the Google Analytics alternative.
