Contact form & data protection
Contact form without data protection notice anti-competitive
Following a ruling by the Cologne Higher Regional Court in 2016, operators of websites with a contact form should re-examine the data protection declarations on their websites and amend them if necessary to avoid receiving a warning. In the case before the Higher Regional Court of Cologne, it was not clear to visitors to a website with a contact form how and for what purpose personal data is stored - either directly when filling out the contact form or elsewhere in the privacy policy. This resulted in a warning for the website operator.
Data protection notices, or a privacy policy, are available on most websites - when using contact forms, however, it must be clear and obvious from these data protection notices what the personal data provided will be used for - there is an obligation to provide information in accordance with data protection regulations. With effect from December 1, 2021, amended regulations on data protection law will apply with the entry into force of the Telecommunications Digital Services Data Protection Act (TDDDG). Similar to the GDPR, the TDDDG also aims to protect personal data in the best possible way. Sections 12 to 16 of the German Telemedia Act (TMG), which were previously applicable, are no longer applicable with the changes introduced by Article 3 of the TDDDG.
The TDDDG combines regulations on data protection and the protection of privacy in telecommunications and telemedia from the Digital Services Act (DDG) and the Telecommunications Act (TKG). The law was originally enacted as the TTDSG, but was renamed the TDDDG on May 14, 2024 in response to the European Union's Digital Services Act (DSA). For your contact form, this means that you may only process the personal data from your contact form with express consent. The user may determine the content, scope and type of processing.
How to make your contact form legally more secure
Website operators should therefore check their website's privacy policy for relevant information and add to it if necessary. In order to ensure that the relevant information on the use of personal data is actually perceived by the website visitor and actively accepted by the user, it has become established to request electronic consent before sending the contact form - for example, by means of a checkbox in which the use of personal data is explained and which must then be actively ticked by the visitor.
How exactly the information on the storage of personal data and the associated data protection notices on the website must look depends, of course, on the type of storage and use of this personal data. Website operators should therefore have this information created and regularly checked by legal experts, especially as errors in data protection notices, as can be seen in the current case, are now being interpreted as market conduct regulations - which is likely to further increase the risk of warnings from competitors for website operators. The information provided on data protection must therefore be complete, correct and easy to find in the right place.
Even though we have carefully researched the information for this article, it does not constitute legal advice and merely serves as an overview of the issues involved. For a comprehensive assessment of all possible legal details and problems, please contact your legal advisor. We recommend that you contact our lawyer Jörn Tröber, who specializes in IT law, competition law and data protection law, to draft, review and, if necessary, supplement your legal notices on your website.
Do you need professional help with your contact form?
As part of our online marketing support or the creation of your website, we will be happy to advise you in detail on the topic of "contact form and data protection" or customize your contact form on your website directly. Make an appointment today for a non-binding initial consultation!
Data protection declaration on websites
According to the Telecommunications Digital Services Data Protection Act (TDDDG), website operators, as so-called "service providers", are obliged to inform visitors to their website about the type, scope and purpose of the collection and use of personal data. This is usually done via a data protection declaration, which is provided on the website. It is advisable to regularly review (and, if necessary, amend) this privacy policy. If visitors to a website are not informed correctly, in good time or only incompletely about the topic of data storage by the operator, this can lead to warnings - which can be expensive for website operators.
