Please note that all my articles are for informational purposes only and not legal advice. I assume no liability for the content of my articles. The articles may be out of date, the legal situation may have changed, or the specific situation in a case may need to be assessed differently. A binding consultation can only be given by me directly in the individual case. Take advantage of my free brief consultation!
Today I would like to point out a danger of a warning, which is – still – both legally and technically disputed, but which is already imminent. Imminently, because courts have already affirmed a violation of competition (or data protection) if you operate a website without SSL encryption and either process user data on it (for example, for a forum, comments and the like) or, above all, and probably few people are aware of this, you have a contact form on the site where someone can enter their data to contact the website owner.
Some already derived such an obligation for contact forms from Section 13 of the German Telemedia Act. Its 7th paragraph states:
(7) Service providers shall, insofar as this is technically possible and economically reasonable, ensure within the scope of their respective responsibility for telemedia offered on a businesslike basis by means of technical and organizational precautions that
1.
no unauthorized access is possible to the technical equipment used for their telemedia offerings, and
2.
this
a)
against violations of the protection of personal data and
b)
against disturbances, also as far as they are caused by external attacks,
are secured. Precautions according to sentence 1 must take into account the state of the art. A measure pursuant to sentence 1 is, in particular, the use of an encryption method recognized as secure.
Since the GDPR has been in force, an obligation is also derived from data protection aspects. There are even 5-figure claims for damages circulating. Here, with warnings, the now notorious lawyer colleague Sandhage from Berlin has distinguished himself. It even hit a fellow attorney and the opinion of the colleague was shared by the LG Würzburg in a decision from September 2018.
Since an SSL certificate, and be it only the use of Let’s Encrypt, is part of today’s state of the art, it is hard to argue that the use of one was not possible. Online stores, sites with user-generated content or user data should therefore take no chances, use SSL throughout and also gain increased user confidence and better SEO scores.
Marian Härtel is a lawyer and entrepreneur specializing in copyright law, competition law and IT/IP law, with a focus on games, esports, media and blockchain.