6

I am looking for an answer that is supported by the GDPR, so please try to quote GDPR parts as you answer.

The internet is on fire (developers especially) now that the GDPR is in force. There are some doubts from my perspective which I would like to clear up with the discussion that arises from these questions.

  1. Do we need a user's consent when being contacted by a contact form?

Many (almost all to be exact) lawyers advise companies to seek consent from the user on the contact form. This sounds ridiculous, as what happens when the user sends you a direct email (without using contact form) with a bunch of his personal data (which you, as a business, did not ask from the user)? How could you know what data the user might send? He might even send the data on purpose and sue your company for not having included in the privacy policy that your business is processing the data that the user has sent. How does this make sense? Isn't the action of voluntarily sending an email to anyone a direct consent (you are aware that you sent the email from your own email address and you yourself have decided to reveal some or all of your personal data to the person/business you are sending an email to)?

  2. Managing consent

If the answer to the first question is "YES", then how do we manage the consents? Consents must be fully manageable so the user can withdraw them at any time. So, do we store each and every email in a database? Storing it in an Excel table would not be a wise way according to the GDPR, as you literally cannot protect an Excel worksheet from being read (yes, for all those around who think that protecting the workbook with a password is enough, no it is not, there are hundreds of tools that will crack the password and open the workbook). And then again, the GDPR is not meant to drive the business to its own doom. It is not meant to harden the way that the business does its own core business, but it is meant to protect the data of the subjects.


I suppose the information above is enough for a start of good discussion as to whether the user's consent should be asked when filling out a contact form.

3
  • 1
    What happens if I send data that isn't mine? You don't have consent from the person whose data you're processing - clearly against GDPR. If your lawyer is telling you to do something for legal purposes, maybe you should listen to them? Or if you don't like their advice, get a better one.
    – user4657
    Commented Jun 14, 2018 at 10:50
  • 1
    I started this discussion as one lawyer reads the GDPR one way, another lawyer a second way, a third lawyer his own way and so on... Is it not against the law to pretend to be another person and use another person's personal data to hide your own identity? And yet another question: what if I send tons of other people's personal data (name, surname, medical data etc. that I gathered through the internet) to some company? Could I then sue the company for not being able to properly manage that data? Commented Jun 14, 2018 at 10:56
  • 1
    Excel password protection used to be very weak. They are now reasonably strong (provided the password isn't "secret" or something equally stupid). I think you will find Excel password protection will be plenty for small quantities of non-sensitive data. Commented Jun 15, 2018 at 12:13

4 Answers

6

My interpretation of the GDPR when it comes to a contact form is: as long as your privacy notice states what data you collect in the contact form and what legal basis that data is used for, you are fine.

Someone submitting a contact form is, in my opinion, their consent to reply back to them regarding the data they have submitted.

Another good clause to have in your privacy policy is to basically state if the user submits information about another natural person that they have consent from that natural person for that data and what it would be used for.

The internet is the internet. People have been trolling it for years. People have also submitted false information for years. The best a business can do is simply outline what their site does, what data is collected and what it will be used for. That, along with what legal basis it’s processed for and following it, makes you GDPR compliant in that regard. As to withdrawing consent and the rights given by the GDPR, that’s all specific to what infrastructure a business has in place.

As a developer I know the headaches of the GDPR. Most of it resides in the fact that data is not centralized and thus can’t easily be retrieved, modified, or removed. Once you’ve tackled that aspect, providing the user their rights under the GDPR isn’t too far off.

2
  • 2
    One addition; You say submitting a form is giving consent. Art. 7(3) GDPR gives a right to withdraw consent at any time. It shall be as easy to withdraw as to give consent. So it would be fine to use the same contact form to withdraw consent. The privacy policy should probably include a text stating such a withdrawal is processed within one working day.
    – wimh
    Commented Jun 15, 2018 at 20:42
  • 1
    Keep in mind also “The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.” With that bit it would seem to me that once consent is given, the initial processing in the case of an email is still valid until you have properly processed that first email. Further emails, however, would be invalid after the data subject withdrew consent.
    – Shinrai
    Commented Jun 18, 2018 at 0:54
4

Beware, a lot of GDPR quotes ahead.

Do we need a user's consent when being contacted by a contact form?

No, Article 4(11) states:

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

If the user knows that he is using a contact form then clicking "submit" is a clear affirmative action.

the user sends you a direct email (without using contact form) with a bunch of his personal data (which you, as a business, did not ask from the user)

The user is the original controller of its own data. When he sends you data for which you haven't beforehand determined purposes and means of processing, then you're not a controller of that data, see Article 4(7):

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

You are not a processor either, because you didn't ask for that data; there is no legal agreement between you and the controller, and you're not acting legally "in his name". Article 4(8):

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

You are a so-called 'third party', Article 4(10):

‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

Which also makes you a 'recipient', Article 4(9):

‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.

Now, as a third party you can process data without the data subject's consent for your legitimate interests. Article 6:

Processing shall be lawful only if and to the extent that at least one of the following applies: (...) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Which means that you can delete unwanted data (you have a legitimate interest in not wasting your server space on data you are not properly authorized to have) or even call the police (e.g. someone sent you child pornography). However, you should inform the data subject(s) of all things listed in Article 13 even if you're not a controller, and describe your "legitimate interest", as there is a special rule in Article 13(1)(d):

Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: (...) (d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

Your next question:

If the answer to the first question is "YES", then how do we manage the consents?

You have to manage them somehow even if the answer is "NO".

So, do we store each and every email in a database?

Your email server is already a kind of database. You should try to do everything in it. It's probably very secure (unless you use weak passwords) and has all the search and filter functionality you need.

UPDATE with some historical perspective:

To further justify my statement, I will recall the predecessor of GDPR, the Directive 95/46/EC which states in Recital 47:

(47) Whereas where a message containing personal data is transmitted by means of a telecommunications or electronic mail service, the sole purpose of which is the transmission of such messages, the controller in respect of the personal data contained in the message will normally be considered to be the person from whom the message originates, rather than the person offering the transmission services; whereas, nevertheless, those offering such services will normally be considered controllers in respect of the processing of the additional personal data necessary for the operation of the service;

So once again: if someone sent you some data via e-mail or web form, he/she was considered the controller.

1

I am looking for an answer that is supported by the GDPR, so please try to quote GDPR parts as you answer

I think the GDPR does not directly answer your question. Your question is very practical, but laws are theoretical. So it all depends on how you interpret and match it.

This Q&A format might be very good, because different people can post their view and others can upvote. The answer with the most upvotes is likely the best answer. I basically do not disagree with Shinrai's answer, but I do have an alternative point of view.

Do we need a user's consent when being contacted by a contact form?

I do not think so, because using a contact form can be considered entering a contract. In that case you do not need consent at all.

A contract consists of an offer and acceptance of that offer. With a contact form, you offer a service to answer a question for free (or at least try to answer it). I can accept the offer by entering my name, email address and the question itself, and pressing the "send" button. At this moment, Art. 6(1)(b) GDPR would apply:

  1. Processing shall be lawful only if and to the extent that at least one of the following applies:

    (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

After entering the contact form (or before), you have to inform about the processing of personal data. This can include things like:

  • We will reply to you by email within X business days.
  • After we replied, we will keep your data for two more weeks in case you have a follow-up question.
  • We store the IP-address from which this form was posted to avoid misuse of this form.

You will have to delete data because of Art. 5(1)(e) GDPR ("storage limitation"). If you put a unique reference in each email message, it will be easier to delete all messages belonging to the same request.

(yes, for all those around who think that protecting the workbook with a password is enough, no it is not, there are hundreds of tools that will crack the password and open the workbook)

Keep in mind that current "best practices" are fine. So you do not even need to password protect a workbook if you store it on a properly protected network file server. But make sure you use good passwords, and install security updates. However, you probably do have to use TLS for your contact form, as an unencrypted internet connection is readable by everyone when using an open access point.

2
  • The problem with presuming a contractual basis for email submission is you are then yourself agreeing to anything submitted in the form. You are also contractually obligated to reply to the submitted form information every time the form is submitted. While most of the time this would be the case, it may not always be the case. Further I’m unaware of any legal jurisdiction that allows for an open ended contract. A generic contact form cannot properly provide a specific non open ended contract.
    – Shinrai
    Commented Jun 18, 2018 at 1:01
  • 1
    This part sounds far more useful than claiming there is a contract: "or in order to take steps at the request of the data subject prior to entering into a contract"
    – Ben Voigt
    Commented Jan 20, 2019 at 20:48
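Shinrai's point that data which is not centralized is hard to retrieve, modify or remove, wimh's suggestion of a unique reference per request so that everything belonging to one request can be deleted under storage limitation, and the comment that withdrawal should work through the same form, can all be served by one small request store. The following is an added example and not code from the question or from any of the answers: the in-memory store standing in for the mailbox or database, the 14-day window after a reply, the salted hash of the client IP, and the sample senders and timestamps are all constructed assumptions.

```python
"""Contact-form request store: unique reference per request, storage-limitation
purge, withdrawal via the same channel, and per-sender export/erasure.
Added example; the in-memory dict stands in for a mail server or database."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed retention policy: keep an answered request two more weeks for follow-ups.
RETENTION_AFTER_REPLY = timedelta(days=14)


def hash_client_ip(salt: bytes, ip: str) -> str:
    """Keep a salted hash rather than the raw address; enough to spot abuse by one source."""
    return hashlib.sha256(salt + ip.encode("utf-8")).hexdigest()


@dataclass
class Submission:
    ref: str                       # unique reference quoted in every message about this request
    name: str
    email: str
    message: str
    ip_hash: str                   # salted hash of the submitting IP (see hash_client_ip)
    received_at: datetime
    replied_at: Optional[datetime] = None   # set once the business has answered


class ContactStore:
    """In-memory stand-in for the mailbox/database that holds contact-form requests."""

    def __init__(self, ip_salt: bytes) -> None:
        self._items: dict[str, Submission] = {}
        self._ip_salt = ip_salt

    def submit(self, name: str, email: str, message: str, client_ip: str, now: datetime) -> str:
        ref = secrets.token_hex(8)  # 16 hex chars; random so a reference cannot be guessed
        self._items[ref] = Submission(ref, name, email, message,
                                      hash_client_ip(self._ip_salt, client_ip), now)
        return ref

    def mark_replied(self, ref: str, now: datetime) -> None:
        self._items[ref].replied_at = now

    def withdraw(self, ref: str) -> bool:
        """Withdrawal sent through the same form: the request is removed outright."""
        return self._items.pop(ref, None) is not None

    def purge_expired(self, now: datetime) -> list[str]:
        """Storage limitation: drop answered requests once the retention window has passed.
        Unanswered requests are kept, since they are still needed to give the reply."""
        expired = [s.ref for s in self._items.values()
                   if s.replied_at is not None and now >= s.replied_at + RETENTION_AFTER_REPLY]
        for ref in expired:
            del self._items[ref]
        return expired

    def export_for_subject(self, email: str) -> list[dict]:
        """Access request: every record tied to one sender, matched case-insensitively."""
        return [{"ref": s.ref, "message": s.message, "received_at": s.received_at.isoformat(),
                 "replied_at": s.replied_at.isoformat() if s.replied_at else None}
                for s in self._items.values() if s.email.lower() == email.lower()]

    def erase_subject(self, email: str) -> int:
        """Erasure request: remove every record tied to one sender; returns how many went."""
        refs = [s.ref for s in self._items.values() if s.email.lower() == email.lower()]
        for ref in refs:
            del self._items[ref]
        return len(refs)

    def count(self) -> int:
        return len(self._items)


def demo() -> dict:
    """Walk the lifecycle with constructed senders and fixed timestamps."""
    t0 = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
    store = ContactStore(ip_salt=b"constructed-example-salt")
    ref_a = store.submit("Alice Example", "alice@example.org", "Pricing question", "203.0.113.5", t0)
    ref_b = store.submit("Bob Example", "bob@example.org", "Bug report", "203.0.113.7", t0)
    ref_c = store.submit("Carol Example", "carol@example.org", "Follow-up", "203.0.113.9", t0)
    store.mark_replied(ref_a, t0 + timedelta(days=1))
    purged_early = store.purge_expired(t0 + timedelta(days=10))  # 9 days after reply: nothing
    purged_late = store.purge_expired(t0 + timedelta(days=16))   # 15 days after reply: A only
    bob_export = store.export_for_subject("bob@example.org")
    withdrawn = store.withdraw(ref_b)                            # Bob withdraws via the form
    erased = store.erase_subject("Carol@Example.org")            # case-insensitive match
    return {"ref_len": len(ref_a), "purged_early": len(purged_early),
            "purged_late": purged_late == [ref_a], "bob_export": len(bob_export),
            "withdrawn": withdrawn, "erased": erased, "remaining": store.count()}


if __name__ == "__main__":
    print(demo())
```

The reference is the join key for everything about one request, so purging, withdrawing and answering an access request all reduce to lookups by `ref` or by sender address; a real deployment would run `purge_expired` from a scheduled job against the actual mailbox or table.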
1

There are 6 "lawful bases" (i.e. plural of "basis") under which you are permitted to process personal data. Consent is only one. The others are:

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

For a contact form the "contract" basis (b) is the most applicable: this is part of the processing you need to carry out in order to get to the point of having a contract. As such you don't need consent. Also consent is not applicable because you are requiring them to provide this information before you will get back to them. Under the GDPR "consent" has to be opt-in and not a precondition for service.

Your form should state that you are using this basis because they are asking you to contact them with a view to possibly entering into a contract.
