In November, the German Data Protection Conference (committee of the independent German federal and state data protection supervisory authorities) (“DSK”) published a guidance on the processing of personal data for direct marketing purposes under the GDPR. This guidance finally brings some light into the darkness of marketing under the GDPR.
The key takeaways are:
- General Principles Under GDPR for Direct Marketing
- DSK has a rather broad understanding of the term “marketing” that also includes customer satisfaction surveys as well as emails for Christmas or birthday parties.
- Direct marketing activities require a balancing of interests whereby comprehensive and transparent information on the processing of personal data as required under Arts. 13 and 14 will help justify the marketing. The balancing of interests should particularly take into account the reasonable expectations of the data subject.
- Direct marketing is generally permissible if the processing for marketing is fair, proportionate in relation to the marketing purpose, and transparent.
- Special categories of personal data pursuant to Art. 9 GDPR can only be used for marketing purposes based on explicit consent.
- The provisions on the change of purpose pursuant to Art. 6 para 4 GDPR apply if personal data initially not obtained for marketing purposes is to be used for marketing purposes. The data controller must conduct a compatibility test to assess whether the marketing purposes are compatible with the initial purpose.
- Examples of Marketing Activities
The following typical examples of marketing activities are generally deemed justifiable:
- Sending non-individualized marketing material relating to similar products/services previously purchased.
- Categorizing certain consumer groups by adding common criteria (added by Orrick: for example, age or interests).
The following typical examples of marketing activities are generally difficult to justify:
- More intrusive measures, such as automated selection procedures for the creation of detailed profiles, behavioral prognoses and analyses that lead to additional findings; in such case, the DSK considers this to be a profiling, which requires consent, not only a balancing of interest.
- The creation of a profile based on marketing material from third-party resources, e.g., social networks.
- In the case of a data disclosure to third parties for marketing purposes and the use of address data sourced from third parties, the DSK refers to recital 47 of the GDPR and thus recommends considering whether there is a relationship between the data subject and the data controller and further refers to the requirements pursuant to Art. 6 para 4 GDPR.
- Special Requirements for Individual Communication Channels
The DSK further argues that the use of personal data for marketing is not justifiable based on the balancing of interest test, should the individual marketing method not comply with applicable unfair and deceptive trade practice law. For example, the German Law against Unfair and Deceptive Trade Practices (“UWG”) stipulates specific requirements for marketing on the different channels, e.g., telephone, email, and mail. If a marketing activity does not fulfill these requirements, it would not be permissible under the GDPR either.
The German UWG generally deems the following ways of marketing to be justifiable:
- Email marketing towards existing customers if the email address was obtained within a business relationship and if the customer has been properly informed pursuant to Art. 13 GDPR.
- Telephone marketing towards other market participants if their implied consent can be presumed.
The German UWG generally deems the following ways of marketing to be prohibited:
- Telephone marketing towards consumers without their explicit consent.
- Email marketing to customers without consent or a previous business relationship (see exception above).
- Any marketing communication where the identity of the sender, on whose behalf the communication is transmitted, is concealed or kept secret.
- Required Notices
The DSK acknowledges the practical difficulties of providing all necessary information at the time when personal data is obtained, particularly in regard to analogous marketing (added by Orrick: for example, certain marketing raffles or sweepstakes). Hence, the DSK now supports layered privacy statements as initially proposed by the Article 29 Data Protection Working Party (“WP 260”).
According to this approach, initially providing a set of minimum information is sufficient if the remaining information required under Arts. 13 and 14 GDPR is provided afterwards. Minimum information to be provided under Art. 13 paras 1 and 2 GDPR includes the following:
- Identity of the controller; contact data of the controllers’ DPO; indication of the legitimate interest if the processing is based thereon; recipients or categories of recipients of personal data; transfer to third countries; right to object pursuant to Art. 21 GDPR; information on access to further mandatory information.
- The data controller must be a specific natural or legal person and provide his/her complete address. Short names (e.g., XY-Group) are not sufficient to fulfill the information requirements.
- Consent to the Processing of Personal Data for Direct Marketing Purposes
The DSK elaborates on consent as a justification for data processing for marketing purposes. Generally, consent must be freely given, specific, and informed. Regarding direct marketing, informed consent requires providing the following information:
- the nature of the intended marketing activity (letter, email, telephone, etc.);
- the advertised products or services;
- and the advertising company.
In these situations, consent can generally be obtained lawfully and is verifiable:
- Handing over a business card can be deemed as providing consent to receiving marketing if there is no indication that someone hands over the business card of another person.
- Double-Opt-In Procedure is required for electronic consent in order to verify the data subjects’ statement.
Obtaining consent in the following situations is generally deemed difficult to justify or to prove:
- Double-Opt-In Procedure is not sufficient for justifying telephone marketing with numbers obtained from a website. In this case, the controller needs the data subjects’ consent in writing.
- Expiry Date for Data Obtained for Marketing Purposes
GDPR does not contain a specific period for using personal data for marketing purposes. However, the DSK indirectly indicates an expiry date for given consents by relying on a judgment of the district court in Munich. The court argues the following:
- Consent provided for email marketing given 17 months ago and not used yet is no longer a legal justification for direct marketing since the data subject cannot reasonably expect to be contacted after such a long period of time without receiving marketing information from the data controller.
- The DSK considers a period of 17 months to be reasonable for using contact data for marketing purposes. If the data controller has not made use of the data within this period of time, he can no longer process the data on the basis of his legitimate interests since the interests of the data subject prevail against the interests of the data controller.
- This period can be even shorter under specific circumstances.
- Special Circumstances for Validly Processing Personal Data for Direct Marketing
Direct marketing in the following circumstances is generally deemed justifiable:
- Processing mail address data obtained in the context of promotional competitions or catalog requests for marketing purposes is justifiable if the data controller fulfills his information duty towards the data subject.
- Publication of contact data in a telephone directory if the customer requested the publication.
Direct marketing in following circumstances is generally difficult to justify:
- Data obtained from an imprint, since such data is made public due to a legal obligation.
- Tell-a-friend marketing, since the processing is not deemed to be fair and transparent.
- Recommendation marketing, i.e., providing the opportunity for users to enter the email address of a friend so that the friend then receives an unsolicited recommendation email.
- Right to Object Pursuant to Art. 21 para 2, 4 GDPR
The DSK elaborates on the data controllers’ obligations in regard to the right to object pursuant to Art. 21 GDPR. For reasons of accountability, the DSK recommends including a reference to the right to object in every marketing communication. According to Art 21 para 4 GDPR, this right must be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information and shall, e.g., not be “hidden” in extensive terms and conditions.
In order to efficiently grant the data subject’s rights, the DSK requires the data controller to investigate a data subject’s actual intention, i.e., if he wants his data to be deleted or if he does not want to be targeted with marketing communication in the future.
- If the data subject does not want to be targeted with marketing communication in the future, he/she must be included in a blacklist for marketing purposes. Maintaining such a blacklist is admissible under the GDPR. Data subjects shall be informed if they are included in this list.
- If a data subject explicitly requires only the deletion of his data, he/she will not be included in the blacklist and can therefore be targeted with marketing in the future. Hence, he/she shall be informed that he/she might receive marketing again later on.
If a data subject exercises his/her right to object, the data controller must do the following:
- Handle the request immediately.
- Already commenced marketing campaigns do not need to be immediately suspended as the data subject reasonably expects that such campaigns cannot be stopped without further ado.
- In order to prevent unnecessary complaints, one shall issue an individual response for every data subject, including a confirmation of the objection and a period of time in which the data subject still might receive marketing communication.
- Check if you your marketing campaigns also involve customers and business partners in Germany. In this case, your marketing campaign must comply with the afore mentioned requirements.
- If not already done, this guidance is a good starting point to adapt your marketing campaigns to the rules and requirements of the GDPR. When in doubt, do not hesitate to obtain legal advice.
- Have a particular look at measures, such as automated selection procedures for the creation of detailed profiles, behavioral prognoses and analyses that lead to additional findings. Such measures may also be considered profiling, which requires consent, not only a balancing of interest. Also the creation of a profile based on marketing material from third-party resources, e.g., social networks, may require consent.
- In the case of a data disclosure to third parties for marketing purposes and the use of address data sourced from third parties, carefully assess whether there is a relationship between the data subject and the data controller. Conduct a compatibility test to assess whether the marketing purposes are compatible with the initial purpose and assess whether the requirements pursuant to Art. 6 para 4 GDPR are met.
- Having GDPR-compliant marketing campaigns in place is crucial for businesses, as failure to comply with these requirements might result in fines up to €20 million, or 4% annual global turnover—whichever is higher.