Legislation surrounding SSL certificates

Yes, every website is required to secure personal data and confidential information against loss or any form of misuse. It literally says in the Personal Data Protection Act (Wbp), "The controller shall implement appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures, taking into account the state of the art and the costs of implementation, shall guarantee an appropriate level of security in view of the risks involved in the processing and the nature of data to be protected..."

Security liability covers all areas of data processing. You can read the full text of the Personal Data Protection Act at: personal data protection act.

The Wbp is enforced by the Dutch Data Protection Authority. If the CBP finds that the legal obligations are not met, it can impose a fine of up to €4,500. In addition, victims of Internet crime resulting from your poorly secured website can hold you liable and claim damages. These are not infrequently awarded when it can be shown that personal data via your website can be easily intercepted.

No. CBP recommends the installation of an SSL certificate when personal data is sent over the Internet. This states verbatim: In order to comply with the security standard of Article 13 Wbp, responsible parties should, given the current state of the art and the standard development in previous rulings by the CBP, comply with the following five obligations when publishing on the Internet:

• Prevent the unnecessary publication of personal data
• Screen specific pages containing personal data from search engines
• Use passwords or other appropriate method to delineate the target audience
• Secure data transport using the SSL protocol
• Secure machine(s) and underlying databases against unauthorized access by third parties

Yes. The Wbp requires every website to process personal data properly and carefully. So even if visitors fill out a contact form, this involves sending confidential data and you must take all necessary measures to secure this data against any form of misuse.

Yes. It is your website so, according to the Wbp, you are responsible at all times for the security of the data sent via your website. Processing data via a website on a server abroad requires extra care, because you may only process data on a foreign server if the level of protection is adequate. Even with proven protection abroad, you need to ask explicit permission, or approach the Ministry of Justice for a permit. By the way, an adequate level of protection is assumed in all EU countries.

Yes. The more sensitive the information and the more valuable this information is to criminal third parties, the stricter the security requirements. The Wbp establishes a clear correlation between security efforts and the sensitivity or value of the information. For websites that send a lot of sensitive or valuable information, we always recommend an Extended Validation SSL Certificate.