
Problem:

  • I am part of a non-profit club that has a form on the website for signing up for an email newsletter.
  • The website (and thus the form) is only available through HTTP. HTTPS is not available on the current infrastructure.
  • There is no other data the interested party shares with us through this form, only a field for their email.
  • The email distribution itself is later processed through a common service (such as Mailchimp, GetResponse or similar).

Question:

From a GDPR standpoint, will the club be seen as negligent for accepting emails (which may be personally identifiable, and thus confidential?) over a knowingly insecure connection? Does it constitute a GDPR violation?

max

1 Answer


The act of collecting data on an insecure connection may not actually violate GDPR, but to be safe you should ensure personal data is always protected. GDPR's main concern is the processing of personal data and the exchange of personal data from a collector to a processor.

So for example, you mention that the emails get sent to Mailchimp; you will need to ensure that this is done in a secure manner. This is where GDPR really plays: can you demonstrate that you are not storing the emails in an insecure manner, and can you demonstrate those emails are being submitted to Mailchimp in a secure manner?

Also remember that today solutions like Let's Encrypt allow you to easily get a web server certificate at no cost.

Fvt