Germany: Data Protection in Direct Marketing: Seizing Opportunities, Avoiding Risks

Direct marketing is an integral part of customer communication for many companies. Whether by e-mail, via social media or as a classic post – addressing (potential) customers in a targeted manner can be very effective.

But be careful: If you disregard legal requirements, you risk warnings or the loss of important communication channels. This article shows what you should pay attention to so that your marketing remains legally compliant and data protection compliant.

What is actually considered advertising?

Advertising in the legal sense is any action, toleration or omission that is aimed at promoting the sale of goods or services. This includes not only classic advertising emails, but also event information in order confirmations or reminders of due services.

In short, almost every customer approach beyond the mere fulfilment of a contract is advertising – and is therefore subject to corresponding rules from competition and data protection law.

Which channels are allowed?

Whether e-mail, telephone or social media – not every communication channel may be used for advertising purposes without further ado.
The Act against Unfair Competition (UWG) provides clear guidelines here:

• E-mail, telephone, SMS, social media or fax: Advertising via these channels is only permitted if the recipient has expressly consented in advance.
• Postal advertising or personal contact on site: These are also allowed without consent, as long as there is no objection.
• Email follow-ups: Permitted without consent under very strict conditions – for example, if you inform existing customers about similar products.

In practice, this means that you are only allowed to advertise to a very limited extent without consent. Even when collecting data, companies should therefore think about how they can keep the consent rate as high as possible, for example through clear communication, understandable formulations and indications of advantages for customers.

Consent and documentation

Companies must be able to prove at all times that customers have actually consented to receive advertising.
For e-mail advertising, the double opt-in procedure has established itself as the standard. However, it is not the technical procedure that is decisive, but the complete documentation of consent:

• Who consented, when and via which channel?
• What was informed about (e.g. advertiser, purpose of the advertisement, possibility of withdrawal)?
• Where are these certificates stored in the system?

Written or documented verbal consent is required for telephone advertising – for example, in the form of a CRM entry with the date and time.
Clean proof keeping protects you in the event of a dispute and creates transparency for customers.

Data processing for advertising purposes

As soon as a permissible communication channel exists, personal data may be processed for advertising purposes – usually on the basis of legitimate interest (Art. 6 para. 1 lit. f) GDPR). Direct marketing is explicitly recognized by the GDPR as such a legitimate interest. It is important that you create transparency by providing complete mandatory information under data protection law and clearly inform recipients about their right to object.

What to look for in newsletter tools

Many providers of mailing systems advertise with the note “GDPR-compliant”. Do not rely solely on such statements, but in particular:

• Is there a data processing agreement according to Art. 28 GDPR?
• Is the server located in the EEA?
• Is no data transferred to unsafe third countries?
• Is it possible to simply delete data?
• Does the provider not use your or customer data for its own purposes?

This will ensure that you are legally on the safe side with your tool.

Tracking – only with consent

Whether it’s the opening rate in the newsletter or click behavior on the website – tracking can provide valuable insights. But beware: Since tracking tools store or read data on end devices, prior consent is required according to § 25 TDDDG. The subsequent processing of personal data in the context of tracking also usually requires consent in accordance with Art. 6 (1) (a) GDPR. Both consents can be obtained together – e.g. via a cookie banner.

Tip: Before using them, consider whether you are actually using the evaluations. If not, do without tools such as Google Analytics and Co. If they do, the same selection criteria apply as for newsletter tools.

CRM systems as a success factor

A well-structured CRM system is the basis for successful direct marketing – and helps to keep an eye on legal requirements.

Make sure that your system:

• Consents and objections documented,
• implements revocations and objections,
• can automatically send mandatory information under the GDPR,
• simplifies the handling of the rights of data subjects (information, objection, revocation, deletion),
• enables easy access to and deletion of data, and
• contains a deletion concept that also provides for automated processes.

In this way, you create transparency, avoid errors and are on the safe side in the event of inquiries from the supervisory authorities.

Result

Direct marketing and data protection are not mutually exclusive – on the contrary.
Those who rely on clean processes, clear consents and data protection-compliant systems from the outset can address their customers in a targeted manner – in a legally compliant, professional and trustworthy manner. We will be happy to support you in this.

By MELCHERS, Germany, a Transatlantic Law International Affiliated Firm.

For further information or for any assistance please contact germany@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 84 Brook Street, London W1K 5EH, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.