Orientation Guide From The German Data Protection Supervisory Authorities For Direct Marketing
Since the GDPR has been in force, almost every company has, among other things, dealt with issues of the permissibility of direct marketing and other marketing activities under data protection law. At their data protection conference on Nov. 07-08, 2018, the German data protection supervisory authorities issued a new "orientation guide" on this topic (as of November 2018). In this 14-page document, they visibly strive to provide a little more clarity regarding the processing of personal data for the purposes of direct marketing activities, such as advertising letters, e-mail advertising and advertising calls. In addition to issues about the permissibility of data processing for marketing purposes, the orientation guide also deals, among other things, with duties to provide information, consent requirements and guidelines for objections to marketing as well as data erasure.
FURTHER CONCEPT OF MARKETING
The supervisory authorities assume a broad concept of marketing, according to which every statement with the aim of promoting sales is to be included. Examples of marketing include satisfaction inquiries made of customers after a transaction, or birthday and Christmas mailings.
BALANCING OF INTERESTS AS A LEGAL BASIS - DIRECT MARKETING AS A LEGITIMATE INTEREST
In view of the abolition of special regulations in the marketing sector (Section 28 (3) to (4) of the old Federal Data Protection Act - BDSG-old), the orientation guide rightly moves the balancing of interests under point f) of Article 6 (1) GDPR as the legal basis for data processing for (direct) marketing purposes to the forefront. According to this, such data processing is permissible if it is necessary to safeguard the legitimate interests of the controller or a third party and does not override the interests of the data subject. In each case, a balancing of interests in a specific individual case is to be carried out, whereby – according to recital 47 of the GDPR – direct marketing is recognized as a (substantial) legitimate interest of the controller within the meaning of point f) of Art. 6 (1) GDPR. On the part of the interests of the data subjects, what should be decisive is, among other things, what they subjectively expect in a particular case, but also what can and should objectively be reasonably expected. If data processing for marketing purposes in certain areas of the social sphere is typically accepted, this indicates permissible data processing. When determining the expectations of the data subjects, the supervisory authorities believe the privacy notices under Art. 13 and Art. 14 GDPR also plays a significant role. If the controller has provided transparent and comprehensive information on intended data processing for direct marketing purposes, there are, in principle, some indications that the data subject expects that their data may be used for the corresponding (direct) marketing purposes without, however, the provision of such information alone giving rise to the extension of the permissibility of data processing for marketing.
MARKETING SELECTIONS AND PROFILING
In the opinion of the supervisory authorities, data processing for (direct) marketing purposes should no longer be justified on the basis of a balancing of interests if detailed profiles, behavioral forecasts, etc., with additional information about the data subjects are created by automated selection procedures. Such "more intrusive" marketing selections are classified by the supervisory authorities – without further justification – as profiling, which requires – also without further justification – prior consent. This should be the case even if a profile or marketing score is created using external data sources, such as information from social networks, for direct marketing purposes.
However, as is clear from the provisions of Art. 21 (2) GDPR on the right to object to direct marketing, which explicitly includes profiling insofar as it is associated with direct marketing, marketing selections and marketing scoring are not in principle profiling requiring consent (within the meaning of Art 4 No. 4 and Art. 22 GDPR). On the contrary, marketing selections – even if they are more comprehensive and/or more detailed or lead to profiling – are generally to be assessed based on the balancing of interests in point f) of Art. 6 (1) GDPR.
LAW AGAINST UNFAIR COMPETITION (UWG) AS A BENCHMARK FOR THE GDPR?
Not surprisingly, the supervisory authorities point out that Section 7 UWG, i.e., the prohibition under competition law of unacceptable nuisance, must also be observed in direct marketing activities such as e-marketing or marketing calls. However, what is surprising and not appropriate is that the supervisory authorities are simply indiscriminately adopting the assessments of Section 7 UWG and the antitrust case law that has been issued for this purpose, on a one-for-one basis, into data protection law. Thus, in the opinion of the supervisory authorities, a direct marketing activity prohibited under Section 7 UWG, such as marketing calls to consumers without prior express consent, should mean, in the balancing of interests under point f) of Art. 6 (1) GDPR, that any (including preparatory) data processing for this purpose cannot be justified under data protection law, because the interests of the data subjects are always overriding due to the unlawful purpose of data processing under competition law. Insofar as the provisions of the UWG are themselves based on overriding European law, this may be true. A general transfer of all principles of the UWG is prohibited, however, because the GDPR as a European regulation is to be interpreted uniformly throughout Europe and thus does not permit a one-to-one transfer of such benchmarks of the German UWG which are not based on European law. For the same reason, the case-law relating to the interpretation of other requirements of the GDPR made in the German UWG cannot simply be consulted. This applies, for example, to the requirements for the structure of declarations of consent under data protection law, according to Art. 4 No. 11 and Art. 7 GDPR, in which the orientation guide refers to the FCJ case law on declarations of consent under competition law, as well as to the question of the validity of declarations of consent under data protection law, and the question of how long customer data may still be used for (direct) marketing purposes after the last active transaction or direct marketing contact, for which the orientation guide refers to one (!) (outdated) competition law judgment of the Regional Court Munich I, although the FCJ has since determined for the consent under Section 7 UWG that consent once given will not expire with time.
DUTIES TO PROVIDE INFORMATION
With regard to the significant increase of duties to provide information in the GDPR pursuant to Art. 13 and Art. 14 GDPR, the supervisory authorities again draw attention to the fact that, right from the start, data subjects must be informed comprehensively and transparently by means of corresponding privacy notices about planned or potential data processing for (direct) marketing purposes during data collection, e.g., purchase or service contracts, prospectus requests, etc. This also includes a reference to the data subjects’ right to object to marketing at any time pursuant to Art. 21 (2) GDPR, which should be repeated again in each marketing broadcast. Regarding the details of the duties to provide information and issues concerning the structure of privacy notices, the supervisory authorities rightly refer to the corresponding guidelines of the Article 29 group in their Working Paper (WP) 260. Unfortunately, they deviate from these guidelines on some points to the detriment of controllers / advertisers. This applies in particular to the minimum scope of privacy notices with limited notification options, such as order postcards, orders taken over the phone, etc., which is expanded in an incomprehensible and impracticable manner.
Overall, the orientation guide provided by the German data protection supervisory authorities on direct marketing provides some important points. However, it is not tenable in all respects, especially because it is still too greatly influenced by the old BDSG and seen from a "German perspective". An interpretation of the GDPR according to uniform European standards is necessary. In addition, supplementary information on rather neglected issues, such as the change of purpose or the prohibition of coupling, and other examples, e.g. specific marketing activities, such as newsletter marketing activities in the B2B sector, etc., would have been helpful. In view of the fact that the expectation of the marketing recipients in this specific case is of crucial importance, companies will therefore not be able to avoid checking planned (direct) marketing measures in each case to ensure they are legally permissible under data protection law. The strict framework prescribed by the supervisory authorities can always be questioned. In part, the new European law offers more flexibility than the German authorities want to grant it.
Link to article