September 2017 Blog

Use of Personal Data for Marketing Purposes made more difficult

The General Data Protection Regulation (GDPR), which will apply as of 25 May 2018, changes the conditions for the processing of personal data for marketing purposes. The data protection supervisors of the federal government and the federal states have now offered initial practical guidance in this regard.

The Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) currently in force contains extensive provisions, in particular in Sections 28 and 29, on the conditions under which personal data may be collected, processed and passed on to third parties for marketing purposes. These provisions will lapse without replacement as soon as the General Data Protection Regulation and the so-called “BDSG-new”, which was adopted on 12 May 2017, take effect at the end of May next year. On the question of how the GDPR is to be interpreted and applied against the background of the standards still in place in Germany, the Data Protection Conference (DPC) of the independent data protection authorities of the federal government and the federal states has now published a “Kurzpapier no. 3” (effective 29 June 2017). Generally speaking, implementing the requirements of the GDPR, which are in part more stringent, is a challenge for companies in terms of content, organization and time expenditure. Such handouts and guidance from official sources are therefore very welcome to all parties involved.

Pursuant to the Kurzpapier, unless the data subject has given valid consent, the sole basis for assessing whether marketing is admissible will be the balancing of legitimate interests pursuant to Art. 6 (1) lit. f GDPR, according to which the processing of personal data is only lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data …”. According to the DPC, recital 47 of the GDPR is relevant for this balancing. The recital is based in particular on the “reasonable expectations of data subjects based on their relationship with the controller”, namely on whether the data subject, at the time the data is collected, can reasonably expect “that processing for that purpose may take place” [i.p. marketing, author’s remark]. The last sentence of the same recital then reads: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” The DSK then correctly points out that these “reasonable expectations” would in any event be largely determined by the information the data subject receives from the controller in the context of data collection, or by information provided later.

This establishes the connection with the extensive information obligations pursuant to Art. 13 and 14 GDPR. Accordingly, at the time when personal data are collected, the controller is obliged to inform the data subject of, among other things, the category of the data collected, the legal basis for the collection (i.e. also a potential weighing of interests, as is the case here), a planned transmission to third parties, the duration of storage and, in particular, the purposes of the processing as well as the rights of the data subject. If an intended use of the data for marketing activities was stated transparently and comprehensively as the purpose, the DSK states that the “expectation of the data subject would generally be that their data would be used accordingly”. Conversely, this means that, in the absence of other specific consent from the data subject, such data may not be used for marketing purposes if the information obligations in this regard are not met. This again illustrates the considerable significance of the information requirements, which the GDPR increases further, not to mention the considerable fines under Art. 83.

Furthermore, the weighing of interests would have to take into account the data subject’s right under Art. 21 (2) GDPR to object at any time and extensively, whether the data subject might already be a client of the controller (recital 47), and the general principles from Art. 5 (1) GDPR. The latter would in any event not support profiling (marketing scores). With regard to the creation of user profiles, the intensity of the intervention would suggest that the data subject’s interests in excluding data processing prevail.

Moreover, the DSK refers to the provisions of the Act Against Unfair Competition (UWG), which continue to apply and have to be observed. Section 7 (2) no. 2 and 3 UWG expressly prohibit promotional measures via telephone call, fax or electronic mail without the prior express consent of the addressee. Pursuant to section 3, there are exceptions only for existing customers, which, according to recital 47, also have to be considered in the above-mentioned weighing of interests. In this regard, there are no changes as a result of the GDPR. Note, however: in order to remain effective, consent given pursuant to current laws will in the future also have to meet the stricter requirements of the GDPR for validly given consent. Here, the Kurzpapier refers in particular to the prohibition of linking (Koppelungsverbot) from Art. 7 (4) GDPR.

Last but not least, data privacy activists venture that further guidelines of the European Data Protection Committee on the use of personal data for promotional purposes are to be expected. We will keep you informed. (See also: https://www.lda.bayern.de/media/dsk_kpnr_3_werbung.pdf)


Dr. Daniel Michel, LL.M., Attorney at Law
Munich
