The GDPR places higher requirements on the registration process when collecting personal data (e-mail addresses) for advertising. In principle, according to Art. 6, personal data may only be processed if (among other things):
- consent has been given
- there is a legitimate interest of the data subject
In direct contact
Hardly anyone is likely to have requested a written declaration of consent for the collection of addresses (that would be quite absurd, especially in a business context). In a business environment, one can therefore usually rely on the expectations of both parties, which are: “If I give a potential business partner my business card, then I expect him to collect my data for later relationships. If I give my business card, it is also clear that he may record this data.” This is true for classic business cards as well as mail signatures, .VCF files, etc. It is also in line with the explanations to Art. 6 of the GDPR. Consent can therefore also be given by “implied” action, as described above.
For the person responsible, this means that he or she may collect the data. Ideally, he does this in a CRM and immediately specifies the reason for recording, thus also fulfilling the requirement for traceability and transparency.
Just as this plays out in physical business transactions, it also applies to the electronic handling of data. The EU has set the hurdles rather high here when it comes to collecting data via electronic channels. German practice has also set high standards for the procedure here. Existing law already required an opt-in-like procedure (= the data subject actively discloses his or her data). This must be done by an active act (can also be implied) and must be verifiable. In principle, this can also be done by measures other than an opt-in. Notification and information must be clear and understandable. In other words, purposes that are too broad and only vaguely described are invalid. The intention as well as the sender must not be concealed. However, as mentioned, you have to distinguish here again whether you are dealing with a B2B or B2C relationship.
This is internally consistent because it requires the active action of the data subject in order for their data to be collected. Opt-out procedures are thus definitely off the table. This should also be implemented in Switzerland. Whether a normal opt-in or a so-called “double opt-in” is required here is irrelevant. Practice will evolve and also produce other methods that are equivalent.
Obligation to provide evidence
There is an obligation to provide evidence, which is intended to ensure the transparency of data processing. Accordingly, the responsible party must be able to prove how it collected the data. This will lead to the need to store even more data than today. Why? Because for each database entry it is now necessary to record how the consent to processing was given. At the same time, this duty effectively supports deeper profiling of the data subject, because it makes it necessary to record, for example, the concrete circumstances of the data collection. This is another example of the contradictions and conflicts of interest created by the GDPR.
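The two preceding sections describe what an opt-in (or double opt-in) registration and the evidence obligation amount to in practice: an active act by the data subject, a per-entry record of how, when and for which purpose consent was given, and the possibility of revocation at any time. The following is an added example, not code from the original article, showing one way to implement such a consent ledger with a double opt-in confirmation step. The class and method names, the 48-hour token validity and the sample addresses are assumptions made for illustration; the confirmation token is stored only as a hash so that a copy of the ledger cannot be used to confirm on someone else's behalf.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class ConsentRecord:
    """Evidence kept for one address: who, what purpose, which channel, when."""
    email: str
    purpose: str                     # concrete purpose text shown at sign-up
    source: str                      # channel the address was collected through
    requested_at: datetime           # the active act (form submission, card handed over)
    status: str = "pending"          # pending -> confirmed -> revoked
    confirmed_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None
    token_hash: Optional[str] = None  # sha256 of the confirmation token, never the token itself


class ConsentLedger:
    """Hypothetical double opt-in ledger; assumed 48-hour validity for confirmation links."""
    TOKEN_TTL = timedelta(hours=48)

    def __init__(self) -> None:
        self._by_email: Dict[str, ConsentRecord] = {}
        self._by_token_hash: Dict[str, str] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request(self, email: str, purpose: str, source: str, now: datetime) -> str:
        """Step 1: record the active act and issue a single-use confirmation token."""
        token = secrets.token_urlsafe(32)
        rec = ConsentRecord(email=email.lower(), purpose=purpose, source=source,
                            requested_at=now, token_hash=self._hash(token))
        self._by_email[rec.email] = rec
        self._by_token_hash[rec.token_hash] = rec.email
        return token  # sent to the address; only its hash stays in the ledger

    def confirm(self, token: str, now: datetime) -> bool:
        """Step 2: the token is accepted once, only while pending and before expiry."""
        h = self._hash(token)
        email = self._by_token_hash.pop(h, None)
        if email is None:
            return False
        rec = self._by_email[email]
        if rec.token_hash != h or rec.status != "pending" or now - rec.requested_at > self.TOKEN_TTL:
            rec.token_hash = None
            return False
        rec.status, rec.confirmed_at, rec.token_hash = "confirmed", now, None
        return True

    def revoke(self, email: str, now: datetime) -> bool:
        """Revocation at any time, without justification."""
        rec = self._by_email.get(email.lower())
        if rec is None or rec.status == "revoked":
            return False
        rec.status, rec.revoked_at = "revoked", now
        return True

    def may_contact(self, email: str) -> bool:
        rec = self._by_email.get(email.lower())
        return rec is not None and rec.status == "confirmed"

    def evidence(self, email: str) -> Optional[dict]:
        """What the controller can produce when asked how consent was obtained."""
        rec = self._by_email.get(email.lower())
        if rec is None:
            return None
        return {"email": rec.email, "purpose": rec.purpose, "source": rec.source,
                "requested_at": rec.requested_at.isoformat(), "status": rec.status,
                "confirmed_at": rec.confirmed_at.isoformat() if rec.confirmed_at else None,
                "revoked_at": rec.revoked_at.isoformat() if rec.revoked_at else None}


def run_demo() -> dict:
    """Walk through sign-up, confirmation, revocation and token expiry with constructed data."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    tok = ledger.request("Alice@Example.com", "Monthly product newsletter", "web form /newsletter", t0)
    out = {"before_confirm": ledger.may_contact("alice@example.com"),
           "wrong_token": ledger.confirm("not-the-token", t0),
           "first_confirm": ledger.confirm(tok, t0 + timedelta(hours=1)),
           "reused_token": ledger.confirm(tok, t0 + timedelta(hours=2)),
           "after_confirm": ledger.may_contact("alice@example.com"),
           "evidence": ledger.evidence("alice@example.com"),
           "revoked": ledger.revoke("alice@example.com", t0 + timedelta(days=30)),
           "after_revoke": ledger.may_contact("alice@example.com")}
    tok2 = ledger.request("bob@example.com", "Monthly product newsletter", "trade fair business card", t0)
    out["expired_confirm"] = ledger.confirm(tok2, t0 + timedelta(days=3))
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The `evidence()` output is the per-entry record the text says the controller must be able to produce: purpose, channel and timestamps, but not the token itself. Note that this ledger deliberately keeps the revoked entry rather than deleting it, which is the tension between the deletion obligation and the evidence obligation that the article goes on to discuss.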
NB: It will then be interesting to see how the data protectionists intend to manage the contradiction between the deletion protocol and the deletion of the relevant user data. This is simply impossible, because if a complete deletion takes place, no log with the name of the person concerned can remain either. A case for the specialists of KRM!
Dealing with existing data sets:
There is NO clear answer here. According to Recital 171, existing data may continue to be used if they were collected in accordance with the GDPR requirements. A period of 2 years was granted for this purpose, which is now expiring. Does this now mean that you have to write to all newsletter recipients to obtain all the information you need? In our opinion, such an approach is unnecessary and not expedient, at least in Switzerland, for various reasons (the absolute opt-in principle did not apply in Switzerland, for example). Furthermore, in a B2B context there is usually a legitimate interest, as we have already explained above. The data subject already had a right of revocation at any time, i.e. he or she can demand the deletion of his or her data immediately and without justification. Practice further shows that many newsletter recipients actually do have their address deleted. At the same time, the data subject can revoke consent directly on most B2B websites, e.g. via the “Unsubscribe” function, which allows immediate revocation.
What to do? Quite simply, you solve the problem by following the principles of information governance and identifying and actively managing address databases and address data sets. “Dead” addresses, i.e. those which can no longer be placed in a business context, should be destroyed. At the same time, there would be an opportunity to contact the persons concerned and renew the business relationship (with opt-in, of course!).
Important: Germany is not the EU!
Again, everything shown here is primarily a legal ideal. Practice still has to develop, and which methods will be permissible in the future will not be decided by today’s procedures alone.
Quote from the deliberations of the Data Protection Conference (D):
The extent to which it will be possible in Europe to maintain the standards developed in Germany under the GDPR remains to be seen. If possible, EU-wide rules of conduct should be sought for this area. If this does not succeed for the essential areas of advertising, guidelines from the European Data Protection Board can be expected on this topic as well.
Legal background information:
Recital 32 (Consent):
Consent should be given by an unambiguous affirmative act indicating voluntarily, for the specific case, in an informed manner and unambiguously that the data subject consents to the processing of personal data relating to him or her, such as a written statement, which may also be given electronically, or an oral statement. This could be done, for example, by ticking a box when visiting a website, by selecting technical settings for information society services or by any other statement or conduct by which the data subject unambiguously indicates his or her consent to the intended processing of his or her personal data in the relevant context. Silence, boxes already checked or inaction by the data subject should therefore not constitute consent. Consent should cover all processing operations carried out for the same purpose or purposes. If the processing serves multiple purposes, consent should be given for all these processing purposes. If the data subject is requested to give consent electronically, the request must be made in a clear and concise manner and without unnecessary interruption of the service for which the consent is given.
The starting point for the balancing decision to be taken is Recital 47 of the GDPR, which states, inter alia: “Processing of personal data for the purposes of direct marketing may be considered as processing serving a legitimate interest.”
Recital 171 (transitional legislation):
Directive 95/46/EC should be repealed by this Regulation. Processing operations that have already started at the date of application of this Regulation should be brought into compliance with it within two years of its entry into force. Where the processing operations are based on consent pursuant to Directive 95/46/EC, it shall not be necessary for the data subject to give consent again if the nature of the consent already given complies with the conditions laid down in this Regulation, so that the controller may continue the processing after the date of application of this Regulation. Commission decisions and authorizations of supervisory authorities based on Directive 95/46/EC shall remain in force until amended, replaced or repealed.