Visforms and GDPR

Visforms and the General Data Protection Regulation GDPR

On May 25, 2018, the General Data Protection Regulation (GDPR) came into force in Germany. This has led to considerable uncertainty, especially among website operators. The uncertainty concerns the influence that the GDPR has on the operation of a website as a whole and the use of forms in particular.

Note: It's a widely held view that due to GDPR, it's better/easier/safer to not use forms at all on a website. However, in our opinion, this statement is completely wrong and results from half-truths mixed with ignorance.

Every time you use the website, personal data is collected that is subject to the GDPR

The definition of the GDPR is so broad that practically any information that is transmitted to a website must be interpreted as personal data. In this sense, personal data is transmitted every time a website is used and also stored, for example, in server log files. The provisions of the regulation must be complied with in all these cases. This is necessary even if the website is only viewed.

Every website is affected

In particular, every website therefore requires a data protection declaration. The content of the data protection declaration must be tailored to the specific implementation of your website. The data protection declaration must contain the extensive mandatory information specified in the regulation.

Note: The use of forms on the website is only a difference of degree. In principle, the use of forms does not require other or additional measures to make a website GDPR-compliant.

It is not the purpose of the GDPR to prevent the collection of personal data. Because the collection of personal data is in many cases a desired and necessary thing.
Rather, it is about the following:

  • Personal data should not be collected, stored or linked indiscriminately or without the knowledge and consent of the individual.
  • Personal data should not be evaluated in a targeted manner in the sense of profiling.
  • The user must know what data is collected, stored and how it is used.
  • Personal data must be protected in an appropriate manner. The more sensitive the data is, the higher the requirements for protecting it from misuse.
  • Users have the right to delete and correct their data.

Unencrypted sending of form data via email

In particular, whether unencrypted sending of form data by email is still permitted is a headache for many website operators. The GDPR speaks of a protection appropriate to the sensitivity of the personal data through measures that correspond to the state of the art.

Email encryption is certainly not state-of-the-art at the current time. Because a standard user is not even able to read an encrypted email addressed to him. There may be special cases in which the form data collected is really so sensitive that it should not be sent in an unencrypted email. However, this really only applies to exceptional cases and Visforms even offers you alternatives.

Instead, we think it is a sensible solution to explicitly point out the following in the data protection declaration:
For reasons of practicability and speed, data and information are exchanged via unencrypted email.
Many law firms, which certainly handle relatively sensitive personal data, find this sufficient.

Download the data via PDF

Instead of transferring transmitted data in a non-encrypted email, you can alternatively use the PDF generator. It allows creating and downloading PDFs in the back of the website. The data is then automatically encrypted and protected on SSL-encrypted websites.

The privacy policy

Factually correct data protection declaration

The most important aspect of making your website GDPR-compliant is a factually correct and appropriate data protection declaration. This is possible by analyzing what data is collected on your website and how it is stored and processed, if any.

We assume that the data collected from you is meaningful and balanced and proportionate to the application on your website.

Check necessary information

With regard to a form on your website, the following questions arise:

  • What data is collected?
  • How is the transmitted data made available to the website operator?
  • How is the user informed?
  • Is data stored and if so for how long?

You must provide this information to the user in your privacy policy. Visforms offers you numerous variants to design this process. This also includes the protection of sensitive personal data.

Check data transfer

You also need to check whether you have configured Visforms in such a way that data may be passed on after the user has submitted the form. See the Data-passing-when-using-visforms section further down on this page.

After you have created a factually correct privacy policy, the next step is to ensure that the user accepts it before they can submit the form. See the link-to-privacy-statement-and-acknowledgment section below on this page.

The form

The form requires a link to the data protection declaration and a confirmation that the data protection declaration has been accepted. This can be easily implemented using a field of the “Checkbox” type, for example.

  • Create a field of type checkbox.
    A suitable field label would be “Privacy notice acknowledged”.
  • Make the field mandatory.
    Assign the word “yes” as “Value”.
    Make sure the “Checked” option is unchecked.
  • Enter a short explanatory text in the field configuration on the “Advanced” tab under “Custom text”.
    An example text would be something like “The storage and further processing of your personal data collected above takes place in accordance with our data protection declaration”.
  • Put a link to the word “Privacy Policy” that points to your privacy policy.
  • Set the “Custom Text Position” option to “Above Label”.

If the user has not activated the corresponding checkbox in the form, he cannot submit the form.

If you save the transmitted data in the database, the user selection of the checkbox (which always has to be “yes”) is also saved automatically. You also have the option of including the user input of this checkbox field in the mails sent by Visforms.

Verification of the existence of the entered email address

Visforms allows you to verify that the entered email address actually exists. A verification code is generated by Visforms in the backend and sent to the specified email address. Visforms then checks whether the user has correctly entered the freshly sent code in the form.

After the form has been submitted

The data transmitted with the form (e.g. inquiries, orders, bookings) must be made accessible to you in some form so that you can continue to process them.

With Visforms you have two options here:

  • You can send the data (in full or in part) by email
  • You can save the data in the database and make it accessible to authorized persons for further processing.

Email configuration

The GDPR speaks of a protection appropriate to the sensitivity of the personal data through measures that correspond to the state of the art. Email encryption is certainly not state-of-the-art at the current time, since a standard user would not be able to read an encrypted email addressed to him.

Only you can decide whether the data you collect with your form is so sensitive that it should not be sent by email, or whether part of the data should not be sent by email.

All options can be realized with Visforms

  • You can specify whether a confirmation email and/or a user email should be sent at all.
  • You can completely customize which content is sent with which email.
  • You can design all texts individually and specify for all data transmitted with the form whether these should be sent with the email.

So everything is possible:

  • from a completely anonymous mail to yourself, just letting you know that a user submitted the form,
  • via an email that contains data that is not very sensitive from a data protection point of view, but that is important for you (the request text),
  • up to an email containing all the data transmitted with the form.

Design of the result text

A so-called result text is displayed to the user on the website after the form has been sent successfully. Visforms has the option to customize the result text. You can also use the form’s user input in the result text. Instead of sending the user the transmitted data by email, you can use the result text to give him a final overview of the data he has transmitted. The user can therefore view the data he has just transmitted without leaving the framework of the website.

Store data in database

Transmitted data can also be stored in the database for further processing.

Visforms offers you many possibilities to do this in a way that is GDPR compliant:

  • Saving the IP address can be switched on and off.
  • Data can be changed (right to rectification).
  • Access to data can be restricted to authorized group of people via Joomla ACL.
  • Data can be displayed selectively in the frontend.
    This becomes interesting if you do not want or cannot give the authorized person access to the administration of the website.
  • Access to the data view in the frontend can be limited to authorized persons via the Joomla ACL.
  • You can decide individually for each field whether it is displayed or not.
  • Data can be deleted manually.
  • Data can be automatically deleted after a self-determined period of time.
  • In the case of automated deletion, a log file can also be written that contains the ID of the deleted data record.
  • Each record has its own ID, which can be referred to in emails, for example.
    This allows you to prove that the corresponding data record was deleted.
  • Individually configurable CSV export, also for individual data sets.
    This feature can be used, for example, when requesting information.

Data transfer when using Visforms

When can data transfer occur when using Visforms?

Visforms spam protection plugin

Visforms includes its own spam protection plugin. It checks whether the form was filled out by a known spambot. The spam protection plugin is activated by default. It checks the IP address from which the form is submitted and the email address of the form user (if any). The check is carried out using the spambot databases selected in the form configuration.

For this purpose, the IP and the email address are transmitted to the respective provider of the online spambot database.
By default, checking against the databases of the following providers is enabled:

  • stopforumspam.com
  • spamCop.net
  • sorbs.net

You can also activate the check against the database of the following providers:

  • projecthoneypot.org

The data is used by the provider in accordance with their respective data protection regulations, which to our knowledge are currently available at the following URLs:

Google Services

If you use Google services within Visforms, data may be passed on to Google. You must deal with this data transfer to Google in a section of your data protection declaration.

Such services are:

  • The Google Recaptcha plugin.
    It is used if you have activated Google Recaptcha in the form.
  • The Google Maps API.
    It is used when you have a Location/Map type field in the form.

###Google Analytics Some users manually build Google Analytics into the process of submitting a Visforms form. In this case, too, data is passed on to Google. You must deal with this data transfer to Google in a section of your data protection declaration.

Some features listed here are only included in the Visforms Subscription Features.