GDPR in newsletter marketing – How to create legal certainty

Data processing for newsletter marketing only on the basis of existing law

The legal framework that governs the processing of personal data, for example in newsletter marketing, is created by data-protection law with the General Data Protection Regulation (GDPR) and competition law. These provisions regulate how enterprises deal with data – from collection, use and evaluation to erasure – and at times impose steep sanctions in the event of a breach of the rights of EU citizens to data protection.

“Not only under data-protection law but also under competition law, there is always a need for a legal basis for the entire data processing process,” explains lawyer and certified data-protection officer Dr. Stephan Gärtner, co-founder and partner of the Berlin-based STANHOPE law firm. Accordingly, for example, companies can store and use personal data for their newsletter marketing only if the intended addressees are qualified contacts (leads). “The qualification of leads means that a legal basis has been created on which the data can be used in this manner. This is done either through active consent to advertising or when companies rely on what is referred to as a ‘legitimate interest,’” Gärtner points out.

Newsletter marketing & GDPR: Distinguishing between B2B and B2C contacts

The legal basis for data processing will largely depend on the type of leads to be qualified. “While B2C contacts usually require consent for advertising due to the provisions of data-protection law, many more cases are conceivable in B2B traffic in which companies can point to a legitimate interest and do not need to obtain consent,” says Gärtner.

Important: Under both competition and data-protection law, data subjects must already be transparently informed at the time of collection – for example in the form of a customer data protection declaration – about the data collected and the use to which the data are put. This principle applies equally to consent and to the legitimate interest.

“In this context, however, lots of companies make the mistake of unnecessarily restricting their use of the data they collect,” Gärtner notes. “If, for instance, the privacy policy is limited to the sending of B2B newsletters, everything that goes beyond that, i.e. an evaluation of reading behavior, follow-up e-mails and even the use of external shipping tools such as Mailchimp or Hubspot, is precluded. Hence, at the time the data are collected, all options associated with the planned use, even beyond mere newsletter campaigns, should be made transparent,” the data-protection expert advises.

Borderline case: Profiling

Another factor crucial to selection of the legal basis for data processing is whether so-called “profiling” should be used in the context of analyzing personal data. Under Article 4 (4) GDPR, profiling includes any type of automated processing of personal data that involves the use of such personal data to analyze, assess or predict certain personal aspects. “While it is true that companies can also fall back on their legitimate interest where profiling is concerned, they can do so only subject to particularly strict conditions. The further one seeks to push evaluations of individualized usage evaluation, the more difficult it becomes to invoke the legitimate interest,” Gärtner emphasizes.

Contract processing of data for cooperation with external agencies

If newsletter marketing is to be performed via an external agency, it is usually necessary to conclude an order for the contract processing of data (ADV) for the agency to be able to carry out its activities. Within the framework of a formal contract, the parties specify the disclosure and intended processing of the data in compliance with the specifications of data-protection law and other legal provisions. “If the external agency is based outside the European Union, the ordering party must obtain a guarantee that the service provider will also comply with European data-protection law,” the 36-year-old adds.

What are the penalties for non-compliance with statutory provisions in newsletter marketing?

Companies that fail to comply with the specifications of the GDPR may face what are at times considerable sanctions. At most, infringements may result in fines of up to EUR 20 million or four percent of the total worldwide revenue for the previous financial year, whichever is more.

“In practice, proportionality considerations by supervisory authorities play a key role in setting sanctions. The hurdle you have to clear to be forced to pay a fine at all is relatively high, particularly if you are cooperative when you make a mistake. To date, record fines, such as the EUR 14.5 million imposed against Deutsche Wohnen, or the EUR 50 million against Google in France, have been rather isolated cases,” says Gärtner.

In addition to possible monetary fines, however, unpleasant warnings can also occur. Although the individual amounts are usually significantly lower, these can add up, depending on the frequency of the warnings. “In addition, there is also possible damage to a company’s image due to data-protection violations with a negative impact on customer confidence and further business development,” says Gärtner.

Taking advantage of the opportunities GDPR provides for newsletter marketing

“The GDPR offers companies a great opportunity to establish a close relationship of trust with their customers by producing transparency directly during data collection,” Gärtner is convinced. The quality of the data collected also increases as a result. Hence, high-quality, qualified distributors can effectively target customers interested in products or services and achieve higher conversion rates.

“And yet many of the beneficial instruments of the GDPR have not yet been used, or have been used only insufficiently,” Gärtner explains. “For instance, the GDPR offers lots and lots of opportunities to create comprehensive legal certainty with simple means in coordination with the supervisory authorities, such as in the context of cross-border data processing or when cooperating with non-EU companies.”