AdOrga Solutions GmbH - Data Protection

Targeted advertising is more interesting for both the company and the advertising recipient. However, advertising targeted at the addressee also raises data protection issues, and a tension arises between address-related marketing and data protection.

The General Data Protection Regulation (GDPR), which entered into force on 25 May 2018, has changed many things in the area of direct advertising, but only to a limited extent. There is a feeling that the stricter sanctions of up to 20 million euros or 4 % of the worldwide turnover of the previous year (Art. 84 GDPR) mean that data protection and its requirements will now be examined more closely.

A closer look reveals, however, that the admissibility requirements for personalised direct advertising have become clearer and also more relaxed in some areas compared to the “old” data protection law (BDSG old version). The stricter German admissibility rules for personalised advertising have been brought into line with EU standards. The GDPR has thus not only partially revised the admissibility of personalised advertising, but, above all, has created additional requirements.

What is new?
Due to additional obligations imposed by the GDPR, we can speak of a paradigm shift in data protection law. Prior to the GDPR, priority was given to regulating whether the processing of data for personalised advertising was permissible or not. The GDPR, on the other hand, now primarily provides for additional and extensive transparency and documentation obligations.

Even where the sending of advertising is permissible in principle, a violation of accountability (Art. 5 (2) GDPR) nevertheless results in a fine being imposed for failure to comply with the transparency and/or documentation obligations.

The duties to inform the data subjects pursuant to Arts. 13 and 14 GDPR must also be fulfilled. Here it is easy to see how and whether the advertiser has dealt with data protection law. It is precisely this transparency that is communicated and perceived externally, also and above all by the recipient.

Failure by the Controller, i.e. by the advertiser, to fulfil these obligations does not necessarily make direct advertising illegal, but it is threatened with draconian fines. Article 83 (1): […] is effective, proportionate and dissuasive in each individual case.

When does competition law apply?
The “Gesetz gegen unlauteren Wettbewerb” (UWG; “Unfair Competition Act”) and data protection law apply in parallel and legally independently of each other. When assessing the admissibility of direct advertising, the first step is to decide whether consent is required under § 7 UWG. In the second step, the assessment is made in accordance with the admissibility requirements under data protection law (e.g. Art. 6 (1) (a), (f) GDPR). These include recital 47 in conjunction with Art. 6 (1) lit. f GDPR: […] The processing of personal data for the purpose of direct advertising can be regarded as processing in the interests of a legitimate interest.

In the UWG, the permissibility of advertising measures is subject to various conditions which depend on the communication medium of direct advertising. For example, letter mail advertising, both in the B2C and B2B sectors, is permissible without consent (Section 7 (2) No. 1 UWG), and this continues until the recipient objects (opt-out procedure). For electronic mail (e-mail), on the other hand, both under Section 7 (2) no. 3 UWG and under data protection law, prior consent (Art. 6 (1) lit. a GDPR) by the recipient is mandatory. However, § 7 para. 3 UWG also provides for an exception to the consent requirement for e-mail advertising, but this requires strict implementation of the requirements set out in § 7 para. 3 UWG. This applies to both B2C and B2B recipients.

Address-related advertising is more appealing and promising. The GDPR has not completely abolished the consent requirement either. However, the UWG also provides for exemptions from the consent requirement if the conditions specified therein are met. A blanket classification is not possible. Good marketing also requires preparation and dealing with the requirements from a data protection point of view.

It is advisable to carry out an inspection in accordance with § 7 UWG (1st inspection stage) and in accordance with the GDPR (2nd inspection stage) both during campaign planning and before dispatch. Proof of this check must be provided in accordance with Art. 5 Para. 2 of the GDPR (accountability), and the processing operations must be documented in the list of processing activities in accordance with Art. 30 of the GDPR. In order to avoid injunctions pursuant to Art. 8 UWG and/or complaints by data subjects (Art. 77 GDPR) and sanctions pursuant to Art. 83 GDPR, these should be carried out with great care.

In other words: While there have been simplifications in the assessment of admissibility, the GDPR – as with all data processing – has created new expenses due to formalities and documentation. This applies in particular to the transparency obligations. The effort involved in preparing, designing and implementing these formal obligations in particular is often underestimated in practice. If the requirements of the GDPR are taken into account from the outset and not condensed to the question “May I?”, they can be easily implemented.

Also in the area of marketing, a holistic approach must be taken with regard to the GDPR, and the usual limitation to the question “May I?” in the old data protection law must be abandoned.

Author: Regina Mühlich, Managing Director of AdOrga Solutions GmbH, data protection expert, auditor for data protection & quality management, expert witness for IT and data protection, Compliance Officer.



(10 November 2020)
