Designing the contact form DSGVO compliant | decareto

Created 21 March 2023

Designing your website to be data protection compliant has been mandatory for all website owners since the General Data Protection Regulation (DSGVO) came into force in 2018. This also applies to contact forms and all other forms on websites.

While a contact form is a quick and easy way for visitors to get in touch with the website owner, there are some things to consider.

In this article we explain how to design a DSGVO-compliant contact form, what exactly you need to pay attention to, what the content of a contact form looks like and why it is so important to adhere to the DSGVO for contact forms as well.

How do I make my contact form compliant with the DSGVO?

A contact form is designed in compliance with the DSGVO by observing data minimization: personal data may only be used for the stated purpose and must be deleted directly after that purpose has been fulfilled. In addition, the website should be encrypted with an SSL certificate.

Data minimization

According to Article 5, Section c) of the General Data Protection Regulation, website owners are obliged to ask only for personal data that is needed for the stated purpose. Once that purpose has been fulfilled, the users' personal data must be deleted from the server again. This section of the DSGVO refers to "data minimization".

You must list in detail in your website's privacy policy the purpose for which you collect, process or store the data entered in the contact form or in any other form.

SSL certificate

The General Data Protection Regulation also states in Article 5, Section f) that website owners must protect personal data from unauthorized and unlawful access. Likewise, Article 32, Section 1 of the DSGVO states that the owner must take "appropriate technical and organizational measures" on the website to ensure this protection. 

You can do this by encrypting your website with an SSL certificate. You can recognize an encrypted website either by the lock symbol in the URL bar or by the URL itself, which begins with "https" instead of "http". Note that the page containing the form and the address the form submits to must both be served over https; otherwise the entered data still leaves the browser unencrypted.

Is a contact form mandatory according to the DSGVO?

According to the DSGVO, a contact form is not mandatory, but contact forms do offer some advantages. For example, visitors can contact you quickly without having to open an email program, copy the corresponding email address and then compose the email.

The easier it is to contact the website owner, the more likely visitors are to do so. Users only need to enter their details and their request in the contact form and can send the message directly through the website.

You can also, for example, ensure that the message is sent directly to the right person by letting your visitors select the topic of their concern. In this way, you prevent the message from having to be forwarded several times before it reaches the right person in the company.

You can also give users the option to attach files directly to their message. This can be useful, for example, for an inquiry to an architect accompanied by sketches, or for a job application accompanied by documents.

What data may be requested in contact forms? 

Only personal data that is actually required for the purpose of answering the inquiry may be requested in contact forms. For data protection reasons, this only includes the name, e-mail address and the person's request; nothing else may be a mandatory field.

If you wish, you can also let the user select the subject of their request. This ensures that the message is forwarded directly to the person in your company who is responsible for that subject area.

Of course, you may ask the user for more than the above-mentioned data, but these fields must not be mandatory. Fields that are not mandatory, i.e. not marked with an asterisk, are optional and are filled in by the user exclusively on a voluntary basis.

What must be observed when using the contact form on a website?

When using the contact form on a website, data minimization (Art. 5 DSGVO) must be observed. This means that only the fields that are required for the specified purpose may be marked as mandatory. In addition, contact forms should be structured and clear.

After the purpose has been fulfilled, i.e. the visitor's request has been processed, the personal data must be deleted again and may not be used for corporate marketing or commercial purposes. Commercial purposes can be, for example, the inclusion in the newsletter distribution list without the user's consent.

In addition, before submitting the contact form, users must agree that their data may be collected and processed only for the stated purpose. Information about the exact data processing, the purpose, the length of storage, etc. must be found in the privacy policy.

What must be in a contact form?

A contact form must contain the fields that visitors fill in when they have a request: name, email address and message. Optionally, fields for the phone number or the subject can be added, but these must not be mandatory fields.

According to the DSGVO, you may not ask for more personal data in contact forms than you need for the purpose - for example, processing the request. Thus, for example, you do not need the visitor's phone number if you answer their request in the form of an email. 
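The rules from the last two sections (only name, e-mail and message mandatory, phone and subject optional, consent required before the data is processed, deletion once the request is dealt with, no reuse for marketing) as an added Python example; this is not code from the article or from decareto, and the field names, the "on" consent value and the in-memory store are assumptions.

```python
"""Added example: a minimal contact-form backend that enforces the
article's rules. Field names and the in-memory store are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

REQUIRED = ("name", "email", "message")   # the only mandatory fields
OPTIONAL = ("phone", "subject")           # voluntary, may stay empty
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class Inquiry:
    data: dict
    received: datetime
    purpose: str = "answer contact request"   # the stated purpose only
    resolved: bool = False


class ContactFormStore:
    def __init__(self):
        self.inquiries = []

    def submit(self, form: dict) -> Inquiry:
        """Validate a submission and store only the permitted fields."""
        clean = {k: str(v or "").strip() for k, v in form.items()}
        missing = [f for f in REQUIRED if not clean.get(f)]
        if missing:
            raise ValueError(f"mandatory field(s) missing: {missing}")
        if not EMAIL_RE.match(clean["email"]):
            raise ValueError("invalid e-mail address")
        if clean.get("consent") != "on":   # consent before any processing
            raise ValueError("consent for the stated purpose is required")
        # Data minimization: keep only declared fields, drop everything else
        # (including the consent flag itself and unexpected extra fields).
        kept = {f: clean[f] for f in REQUIRED + OPTIONAL if clean.get(f)}
        inquiry = Inquiry(data=kept, received=datetime.now(timezone.utc))
        self.inquiries.append(inquiry)
        return inquiry

    def resolve(self, inquiry: Inquiry) -> int:
        """Mark the request as answered; its data is deleted at once."""
        inquiry.resolved = True
        return self.purge()

    def purge(self) -> int:
        """Delete every record whose purpose has been fulfilled."""
        before = len(self.inquiries)
        self.inquiries = [i for i in self.inquiries if not i.resolved]
        return before - len(self.inquiries)

    def export_for_marketing(self):
        """Purpose limitation: no newsletter or other commercial reuse."""
        raise PermissionError("data may only be used to answer the request")
```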

Why is the DSGVO important for the contact form?

The DSGVO is important for the contact form and must be followed; otherwise warnings, penalties or fines may follow. If the contact form does not handle personal data lawfully (collection, processing, storage), this can have consequences.

Likewise, it is important to comply with the DSGVO when using the contact form, otherwise user data protection cannot be guaranteed. Visitors to your website have the right to lodge a complaint against you with a supervisory authority as soon as they notice that their data is not being lawfully protected by you and that the DSGVO has therefore been breached. 

What's the bottom line on the DSGVO-compliant contact form?

When it comes to designing a contact form for your website, it is always important to do so with the DSGVO in mind. This includes, for example, only collecting and processing the data that is also important for the stated purpose and only storing this data for as long as it is necessary for the respective request.

The data that is important in most cases is no more than the name and e-mail address. The storage of information is only necessary until the purpose has been fulfilled or the user's request has been clarified.

In addition, in order to comply with data protection as well as possible, the website should be encrypted with an SSL certificate to prevent unauthorized persons from accessing important information or user data. In this way you ensure an encrypted and secure exchange of data between you and your visitors.

If you have any further questions about how to make a contact form compliant with the DSGVO or would like to know whether your contact form already complies with the DSGVO, then either write us an email or test our DSGVO scanner for seven days free of charge.

Author: Eckhard Schneider
