New EU General Data Protection Regulation: more comprehensive reporting requirements for e-mail marketing

From May 2018 onwards, the EU General Data Protection Regulation (GDPR) will largely replace the current German Federal Data Protection Act (BDSG). This will also result in changes to some requirements for e-mail marketing. In certain cases, data use for the sending of commercial e-mails will be easier in the future. Considerably more extensive fines have been introduced for cases of unlawful data use, however.

SC-Networks, specialist in data protection-compliant e-mail marketing, presents the most important changes here:

A guest contribution by lawyer Klaus Foitzick, Managing Director of activeMind AG

Current regulations for e-mail marketing

At present, only what is known as “list data” may be used for advertising purposes, unless an existing customer gives their express consent otherwise; this includes the customer’s name, title, address and year of birth. Under certain circumstances, the e-mail address for such a list may also be stored.
While the storage of an e-mail address for marketing purposes is legally permissible, this does not mean that it may also be used for advertising purposes. German data protection law and unfair competition law state, in particular, that e-mail advertising without prior express consent is permitted only if:

  1. own products are advertised which are “similar” to the product originally purchased by the customer; and
  2. the customer was informed of the intended advertising when their e-mail address was collected.

Because this regulation is extremely vague (what is considered “similar”?), many companies obtain consent from the person concerned despite legal allowance. This, in turn, is only effective if:

  1. the object has been described precisely and exhaustively;
  2. the person cannot “skip over” the declaration of consent because it is hidden between other explanatory texts;
  3. it is voluntary – that is to say, in particular, that it is not unlawfully enforced for the purpose of obtaining a service (case-by-case examination if necessary!);
  4. it is explicit – i.e. it relies on the active participation of the person concerned (no pre-checked checkboxes!); and
  5. it can be proven that it was completed by the person concerned (in accordance with the double-opt-in procedure).

The survey must also be recorded by the advertising company, so that proof of compliance with the above criteria can be obtained at any time.

Advertising as a legitimate interest in the EU General Data Protection Regulation (GDPR)

At first glance, the EU General Data Protection Regulation does not include complex and vague provisions – as in the case of the German data protection act, which contains provisions allowing personal data to be used without consent (Listenprivileg). Instead, the use of data for direct marketing purposes is permitted where this is regarded as being carried out for a legitimate interest of the company (see the last sentence of recital 47 GDPR).

This legitimate interest of the company must, however, be weighed against the interests of the person concerned. The former usually prevails when the person concerned “can reasonably foresee the possibility of processing [for advertising purposes]”. This will, in many cases, be the case if the person concerned was informed (in accordance with Article 13 (1c) GDPR) of the purposes of the data collection and of the relevant legal basis (Article 6 (1f) GDPR) at the point of data collection.

Unfair competition law remains unchanged and must also be observed, however. In other words: the General Data Protection Regulation does not change the fact that only the company’s own products and “similar” products may be advertised.

For the time being, therefore, legally-compliant consent remains crucial for e-mail marketing. From the German point of view, how this is obtained will not be fundamentally changed by the GDPR. In particular, the company is still obligated to be able to prove consent (Article 7 (1) GDPR).

Remains unchanged: the removal of consent shall prohibit use

The General Data Protection Regulation also will not alter the fact that the sending of promotional e-mails shall become inadmissible if the person concerned has objected to advertising. In fact, the removal of consent to direct advertising is explicitly regulated in Article 21 (2) and (3) GDPR. Accordingly, the recipient must:

  1. be able to remove consent to the receipt of e-mails at any time; and
  2. be informed of this fact when their e-mail address is collected.

Article 13 GDPR also formulates much more comprehensive reporting requirements than current data protection law, for example with regard to the legally-compliant implementation of a data protection declaration on a website.

Threat of higher fines

Last but not least, e-mail marketing companies should be aware that fines under the GDPR may be significantly higher. At present, lack of a legal basis for e-mail data processing is punishable with a fine of up to EUR 300,000. In contrast, the EU General Data Protection Regulation provides for fines of up to EUR 20,000,000 for the unlawful collection or processing of an e-mail address, or up to 4 % of the annual turnover of the previous financial year in the case of a company.