The question of whether a website nowadays, at least if it processes customer data in any way, must be SSL-encrypted is not completely uncontroversial. As I have shown here,however, the absence of encryption carries a risk of warning, because courts have already regarded a lack of encryption, e.g. from subpages with contact form, as a GDPR violation.
In times of free SSL certificates and relatively simple technical integration, a waiver is therefore rather foolish.
In turn, however, it is also true that, on the basis of the clear rules in Article 5 lit f. GDPR and in Article 32 GDPR on the general handling of data, one should again not advertise the fact of the existence of encryption. A sentence such as “SSL-encrypted!” or similar could be admonished as advertising with self-evident sals afflipoppurposes in accordance with Section 3 paragraph 3 UWG in accordance with Section 3 Of the Appendix to Section 3 UWG. Initial warnings are already circulating against online retailers. Whether putting “of course” before advertising mitigates the problem or leads to a different interpretation of consumer deceit is debatable. I would simply refrain from mentioning the special, even more highlighted, mention of an SSL enalude as well as other nonsense in the style of “We only sell original goods!”, “14 days of right of withdrawal” or “eBay fees we pay!”.
Advertising has become quite a treadmill, even for online providers. A lawyer’s advice can save a lot of trouble here later.