Targeted advertising is more interesting for both the company and the advertising recipient. However, advertising targeted at the addressee also raises data protection issues, and a tension arises between address-related marketing and data protection.
The General Data Protection Regulation (GDPR), which will enter into force on 25 May 2018, has changed many things in the area of direct advertising, but only to a limited extent. There is a feeling that the stricter sanctions of up to 20 million Euros or 4 % of the worldwide turnover of the previous year (Art. 84 GDPR) and data protection and its requirements will now be examined more closely.
A closer look reveals, however, that the admissibility requirements for personalized direct advertising have become clearer and also more relaxed in some areas compared to the „old“ data protection law (BDSG old version). The stricter German admissibility rules for personalised advertising have been brought into line with EU standards. The GDPR has thus not only partially revised the admissibility of personalised advertising, but, above all, has created additional requirements.
What is new?
Due to additional obligations imposed by the GDPR, we can speak of a paradigm shift in data protection law. Prior to the GDPR, priority was given to regulating whether the processing of data for personalised advertising was permissible or not. The GDPR, on the other hand, now primarily provides for additional and extensive transparency and documentation obligations.
Although the violation of accountability (Art. 5 (2) GDPR) may result in the sending of advertising being permissible in principle, a fine is nevertheless imposed for failure to comply with the transparency and/or documentation obligations.
The duties to inform the data subjects pursuant to Artt. 13 and 14 GDPR must also be fulfilled. Here it is easy to see how and whether the advertiser has dealt with data protection law. It is precisely this transparency that is communicated and perceived externally, also and above all by the recipient.
Failure by the Controller, i.e. by the advertiser, to fulfill these obligations does not necessarily make direct advertising illegal, but draconian fines are threatened. Article 83 (1): […] is effective, proportionate and dissuasive in each individual case.
When does competition law apply?
The “Gesetz gegen unlauteren Wettbewerb” (UWG; “Unfair Competition Act”) and data protection law apply in parallel and legally independently of each other. When assessing the admissibility of direct advertising, the first step is to decide whether consent is required under § 7 UWG. In the second step, the assessment is made in accordance with the admissibility requirements under data protection law (e.g. Art. 6 (1) (a), (f) GDPR). These include recital 47 in conjunction with Art. 6 (1) lit. f GDPR: […] The processing of personal data for the purpose of directadvertising can be regarded as processing in the interests of a legitimate interest.
In the UWG, the permissibility of advertising measures is subject to various conditions which depend on the communication medium of direct advertising. For example, letter mail advertising, both in the B2C and B2B sectors, is permissible without consent (Section 7 (2) No. 1 UWG). And this will continue until the recipient objects (opt-out procedure). For electronic mail (e-mail), on the other hand, both under Section 7 (2) no. 3 UWG and under data protection law, prior consent (Art. 6 (1) lit. a GDPR) by the recipient is mandatory. However, § 7 para. 3 UWG also provides for an exception to the consent requirement for e-mail advertising, but this requires strict implementation of the requirements set out in § 7 para. 3 UWG. This applies to both B2C and B2B recipients.
Address-related advertising is more appealing and promising. The GDPR has not completely abolished the consent requirement either. However, the UWG also provides for exemptions from the consent requirement if the conditions specified therein are met. A blanket classification is not possible. Good marketing also requires preparation and dealing with the requirements from a data protection point of view.
It is advisable to carry out an inspection in accordance with § 7 UWG (1st inspection stage) and in accordance with GDPR (2nd inspection stage) both during campaign planning and before dispatch. Proof of this check must be provided in accordance with Art. 5 Para. 2 of the GDPR (accountability), and the processing operations must be documented in the list of processing activities in accordance with Art. 30 of the GDPR. In order to avoid injunctions pursuant to Art. 8 UWG and/or complaints by data subjects (Art. 77 GDPR). and sanctions pursuant to Art. 83 GDPR, these should be carried out with great care.
In other words: While there have been simplifications in the assessment of admissibility, the GDPR – as with all data processing – has created new expenses due to formalities and documentation. This applies in particular to the transparency obligations. The effort involved in preparing, designing and implementing these formal obligations in particular is often underestimated in practice. If the requirements of the GDPR are taken into account from the outset and not condensed to the question „May I?“, they can be easily implemented.
Also in the area of marketing, a holistic approach must be taken with regard to the GDPR, and the usual limitation to the question „May I?“ in the old data protection law must be abandoned.
Autorin: Regina Mühlich, Geschäftsführerin der AdOrga Solutions GmbH, Datenschutzexpertin, Auditorin für Datenschutz & Qualitätsmanagement, Sachverständige für IT und Datenschutz, Compliance Officer.
Datenschutz ist kein Produkt. Datenschutz ist ein Prozess.
Wenn Sie Fragen haben, kontaktieren Sie uns: consulting@AdOrgaSolutions.de.
Seit 2007 Lösungen für professionellen und fachkundigen Datenschutz.
Datenschutz & Marketing – Wie Sie Recht und Praxis partnerschaftlich zusammenbringen
Dr. Eckhardt Jens, (2019), 1. Auflage, TKMmed!a
(10. November 2020)