Gui­dance on data pro­ce­s­sing for adver­ti­sing pur­po­ses under the GDPR

EN 
EN  DE  FR 

from

on

Indu­stries

Aut­ho­ri­ty

Laws

, , ,

Topics

, , ,
Take-Aways (AI)
  • The DSK empha­si­zes: When rely­ing on legi­ti­ma­te inte­rests (Art. 6 para. 1 lit. f GDPR), a con­cre­te balan­cing of inte­rests must always be car­ri­ed out, taking into account trans­pa­rent information.
  • Direct mar­ke­ting is sub­ject to nar­row­ly defi­ned cases in which legi­ti­ma­te inte­rests often pre­vail; pro­fil­ing, exter­nal data use or lon­ger time inter­vals speak against this.

The DSK (the Con­fe­rence of the Inde­pen­dent Data Pro­tec­tion Aut­ho­ri­ties of the Fede­ra­ti­on and the Län­der) has issued a Gui­dance on data pro­ce­s­sing for adver­ti­sing pur­po­ses under the GDPR published. The DSK sta­tes in it, among other things, the following:

  • In the event of an appeal to legi­ti­ma­te inte­rests within the mea­ning of Art. 6 para. 1 lit. f GDPR a balan­cing of inte­rests must be car­ri­ed out in the spe­ci­fic indi­vi­du­al case. The legi­ti­ma­te expec­ta­ti­ons of the data sub­jects must be taken into account, which can be influen­ced by the data con­trol­ler within cer­tain limits:

    The expec­ta­ti­ons of the data sub­ject are taken into account in direct mar­ke­ting mea­su­res. also by the infor­ma­ti­on accor­ding to Art. 13 and 14 DS-GVO inten­ded for the pur­po­ses of data pro­ce­s­sing. Does the con­trol­ler pro­vi­de trans­pa­rent and com­pre­hen­si­ve infor­ma­ti­on about any inten­ded pro­ce­s­sing of data for direct mar­ke­ting pur­po­ses, the expec­ta­ti­on of the data sub­jects is gene­ral­ly also that their cus­to­mer data will be used accor­din­gly. Howe­ver, trans­pa­ren­cy can make it pos­si­ble to com­ply with the sta­tu­to­ry balan­cing act pur­su­ant to Art. 6 (1) sen­tence 1 lit. f DS-GVO not be exten­ded arbi­tra­ri­ly, as the expec­ta­ti­ons on the objec­ti­ve stan­dard of rea­son must be measured.

  • I.d.R. the respon­si­ble per­son can rely in the fol­lo­wing cases on a over­ri­ding legi­ti­ma­te inte­rest invo­ked, pro­vi­ded that trans­pa­ren­cy has been created: 
    • if he sends an adver­ti­sing cata­log or an adver­ti­sing let­ter by post after an order has been pla­ced, regard­less of whe­ther the adver­ti­sing let­ter is sent to all cus­to­mers (wit­hout sel­ec­tion) or to indi­vi­du­al groups, pro­vi­ded that no addi­tio­nal know­ledge is gai­ned from the sel­ec­tion criteria;
    • the pro­mo­tio­nal use of e‑mail addres­ses coll­ec­ted direct­ly from the data sub­jects in the cour­se of a busi­ness rela­ti­on­ship (exi­sting customers);
    • when using postal address data ori­gi­na­ting from con­tests and sweepsta­kes, as well as due to cata­log and bro­chu­re requests;
    • when adver­ti­sing con­trac­tu­al infor­ma­ti­on is enc­lo­sed by letter;
  • In con­trast, the fol­lo­wing fac­tors indi­ca­te that a Inte­rest of the per­son con­cer­ned on the exclu­si­on of data pro­ce­s­sing via-weighs:
    • Pro­fil­ing mea­su­res such as auto­ma­ted sel­ec­tion pro­ce­du­res to crea­te detail­ed pro­files, beha­vi­oral pre­dic­tions or ana­ly­ses that lead to addi­tio­nal insights; here, the right of objec­tion under Art. 21 would suf­fice GDPR not out;
    • Crea­ti­on of a pro­fi­le using exter­nal data sources (e.g. infor­ma­ti­on from social net­works) for adver­ti­sing scores;
    • Pro­hi­bi­ti­ons under unfair com­pe­ti­ti­on law: In this case, the con­trol­ler can­not invo­ke a legi­ti­ma­te inte­rest under data pro­tec­tion law;
    • a lon­ger time has pas­sed sin­ce the last appli­ca­ti­on, pro­ba­b­ly about 1.5 years;
  • For other cases, see the gui­dance document.

The DSK also expres­ses itself

  • for infor­ma­ti­on on adver­ti­sing pur­po­ses within the mea­ning of Art. 13 f. GDPR. It express­ly sup­ports the two-step approach of the Data Pro­tec­tion Com­mit­tee (of the for­mer Art. 29 Data Pro­tec­tion Working Par­ty), which allo­ws limi­t­ed infor­ma­ti­on on cer­tain points to suf­fice in a first step (“laye­red” approach);
  • to Con­sent in data pro­ce­s­sing for direct mar­ke­ting pur­po­ses. Among others 
    • The fol­lo­wing points must be men­tio­ned in each case when con­sen­ting to direct mar­ke­ting: the type of inten­ded adver­ti­sing (let­ter, e‑mail, etc.).SMS, tele­pho­ne, fax); the pro­ducts or ser­vices to be adver­ti­sed; the adver­ti­sing companies;
    • busi­ness cards can con­sti­tu­te effec­ti­ve con­sent if they are left by the data sub­jects at trade fairs or other events express­ly for the pur­po­se of sen­ding infor­ma­ti­on or making fur­ther busi­ness cont­act (pro­vi­ded that the data sub­ject can pro­ve that con­sent was given;
    • the dou­ble opt-in pro­ce­du­re is requi­red for elec­tro­nic consent;
    • when it comes to con­sent regar­ding tele­pho­ne num­bers, writ­ten con­sent is usual­ly requi­red (or “regu­lar­ly the best pos­si­bi­li­ty for later provability”);
    • the pro­hi­bi­ti­on of cou­pling must be observed;
    • accor­ding to Ger­man case law, con­sent can lap­se through the pas­sa­ge of time, i.e. lose its effectiveness;
    • expli­cit con­sent is requi­red for the pro­mo­tio­nal use of spe­cial cate­go­ries of data.

Fur­ther points con­cern, among others, fri­end­ship adver­ti­sing, recom­men­da­ti­on adver­ti­sing and the objec­tion accor­ding to Art. 21.

Comm­ents on the gui­dance can be found at Car­lo Piltz (de lege data).