Data processing that falls under the GDPR is unlawful unless it rests on a legal basis (Art. 5(1)(a) GDPR). The legal basis may result
- for ordinary personal data, from Art. 6 GDPR;
- for personal data requiring special protection, from Art. 9 GDPR (and, where necessary, additionally from Art. 6 GDPR, insofar as Art. 9(2)(…) does not itself constitute a basis for processing but only lifts the prohibition of Art. 9(1), e.g. in the case of Art. 9(2)(e) GDPR); and
- for transfers to third countries, from Art. 46 et seq. GDPR.
In marketing, the legal bases that mainly come into consideration are consent (Art. 6(1)(a) GDPR) and legitimate interest (Art. 6(1)(f) GDPR). The question therefore arises for which activities in the marketing area a company (or a group of companies) can invoke a legitimate interest, and from what point, or for what, consent must be obtained (with the corresponding consequences for the implementation, including the technical implementation, and for the requirements of voluntariness, among other things).
There are good arguments for not drawing the scope of legitimate interest in direct marketing too narrowly. It can also cover profiling measures, i.e. data processing for the personalization of advertising measures, in my view also when personal data collected offline and online are combined for profiling. The prerequisite in each case is that
- the data processing is limited to the extent appropriate to the purpose;
- the controller carries out a sufficiently concrete balancing of interests that addresses the circumstances of the project, without the balancing getting out of hand;
- the balancing of interests is documented; and
- the controller explains the data processing in sufficient detail and clearly in a privacy statement.
Controllers are entirely entitled to make full use of legitimate interest. Thus, in April 2014, the (then) Article 29 Working Party (now the European Data Protection Board) recorded in its opinion on legitimate interest (Opinion 06/2014, WP217) that
- Art. 7(f) (the predecessor of Art. 6(1)(f) GDPR) is not merely a “last resort” for special cases in which the other legal bases do not apply; and
- the balancing of interests does not have the function of protecting the data subject from any negative impact, but only from disproportionate burdens. In other words, not every negative impact tips the balance in favor of the data subjects.
Legitimate interest within the meaning of Art. 6(1)(f) GDPR
In determining the legitimate interest, all interests that are not legally proscribed, including commercial interests, that speak in favor of the processing in question must be taken into account on the one hand; these may be interests of the controller(s) and of third parties, but also of the data subjects themselves. These must be set against any conflicting interests of the data subjects.
These interests are then weighed against each other. According to the aforementioned WP217, this weighing considers not only the intensity of the interference and the likelihood that negative impacts will occur, but a number of other factors, such as the following:
Increasing the weight on the part of the controller
- The data subjects can reasonably expect the processing, e.g. existing customers within the scope of a corresponding business relationship, but also, for example, on the basis of a privacy statement;
- the interests that speak for the processing have a fundamental-rights dimension;
- the processing also lies in the public interest;
- the interests are close to other legal bases for processing; for example, the processing is not necessary for a contract, but is related to it (cf. below on purpose compatibility, which takes up this idea);
- the interests are socially recognized;
- the interests are specifically recognized by the GDPR, as are the interests
  - in direct marketing (see below);
  - in the transfer of data for internal group administrative purposes;
  - in ensuring network and information security.
According to recital 47, the reasonable expectations of the data subjects are of particular importance. The German Conference of Independent Federal and State Data Protection Authorities (DSK) emphasized this in its Brief Paper No. 3 (“Processing of personal data for advertising”) and at the same time made clear that the controller can influence the outcome of the balancing of interests through appropriate data protection notices:
If the data controller provides transparent and comprehensive information about the intended use of the data for advertising purposes, the expectation of the data subject is generally that his or her customer data will be used accordingly.
Increasing the weight on the part of the data subjects
- The data subjects are children or otherwise vulnerable, as, for example, in the case of elderly or sick people;
- the data subjects’ interests have a fundamental-rights dimension;
- processing of personal data requiring special protection (however, the invocation of a legitimate interest is severely limited here anyway);
- the processed data are sensitive or susceptible to misuse, e.g. account data, communication content data, location data, or highly personal data such as life-logging data;
- a particularly strong market position (in the view of the Article 29 Working Party; in my opinion, however, this is questionable).
Certain processing operations are restricted more strictly by the GDPR than others or are considered particularly risky, e.g. processing
- in which the data subject would be degraded to an object or discriminated against;
- in which the data subject would be spied on;
- that is particularly extensive;
- very extensive profiling;
- the combination of personal data from different sources with different purposes, insofar as this goes beyond the reasonable expectations of the data subjects;
- data processing in which the data subject is prevented from exercising a right or using a service.
Appropriate safeguards
It must also be taken into account whether, and which, “appropriate safeguards” are in place (Art. 6(4)(d) GDPR). By “safeguards”, the GDPR generally means technical and organizational measures for the protection of the data subjects, e.g.
- encryption or pseudonymization;
- restrictions on access to processed data;
- privacy-by-design and privacy-by-default measures;
- contractual safeguards;
- ensuring the rights of data subjects;
- ensuring a right to object and a simple opt-out solution;
- conducting a data protection impact assessment;
- transparency measures (see above on the reasonable expectations of data subjects);
- documentation of the processing and of the balancing of interests.
These considerations play an essential role in the balancing of interests, which gives the controller a certain room for maneuver.
On the legitimate interest in direct marketing
The GDPR recognizes in recital 47 that the interest in direct marketing is legitimate:
The processing of personal data for the purposes of direct marketing may be considered as processing serving a legitimate interest.
However, this does not answer the question of how far this interest extends or to what extent data processing for the purpose of direct marketing can be based on a legitimate interest.
First of all, it must be assumed that legitimate interest can cover not only the transmission of advertising (e.g. the sending of an e‑mail, which, however, as a rule requires consent under Art. 3(1)(o) UWG or the applicable local market conduct law), but also the preceding data processing, in particular profiling. This follows from the special right to object under Art. 21(2) GDPR:
If personal data are processed for the purposes of direct marketing, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing; this shall also apply to profiling insofar as it is related to such direct marketing.
Such a right to object only makes sense if the processing in question is not based on consent; in that case, the right of withdrawal under Art. 7(3) GDPR would apply instead.
The aforementioned WP217 is also informative. In it, the Article 29 Working Party first holds that
[…] controllers may have a legitimate interest in getting to know their customers’ preferences so as to enable them to better personalise their offers and ultimately, offer products and services that better meet the needs and desires of the customers. In light of this, Article 7(f) may be an appropriate legal ground to be used for some types of marketing activities, on-line and off-line, provided that appropriate safeguards are in place […].
It is also clear from this that legitimate interest may include profiling for advertising purposes.
As an interim result, it follows that legitimate interest within the meaning of Art. 6(1)(f) GDPR
- is considerable overall in direct marketing,
- also covers profiling, e.g. profiling of customers for the purpose of personalized marketing measures,
- subject to the controller putting appropriate safeguards in place.
This also makes sense in terms of the result: it is difficult to see which interests of the customer are unduly interfered with if marketing measures are tailored to his or her (presumed) interests, especially since the customer can at any time make use of the unconditional right to object under Art. 21(2) GDPR. The limit would probably be reached where the customer’s self-determination is undermined. In that case, however, the relevant market conduct law intervenes, e.g. the law on unfair competition (in Switzerland Art. 3(1)(h) UWG, which prohibits aggressive advertising; similarly § 4a of the German UWG). It makes sense to use this limit as a guideline in data protection law as well. What remains are the general risks that arise when extensive databases are created (e.g. the increased potential for damage in the event of unauthorized access). However, this is not a reason for prohibition, but rather raises the requirements for appropriate safeguards where necessary.
Online tracking
In the area of online tracking, the scope of legitimate interest is currently under discussion in Germany. The aforementioned conference of the independent federal and state data protection authorities (DSK) takes the position that the use of tracking mechanisms, e.g. cookies that are not technically necessary, requires consent:
In any case, prior consent is required for the use of tracking mechanisms that make the behavior of data subjects on the Internet traceable and for the creation of user profiles. This means that informed consent within the meaning of the GDPR is required, i.e. for example before cookies are placed or information stored on the user’s terminal device is collected.
This position has met with justified criticism (e.g. from the GDD). The (German) literature (e.g. here) is also more liberal; the tendency is to base online tracking and the formation of corresponding profiles on a legitimate interest, to the extent that the data collected in the process are processed only in pseudonymous form. In effect, this continues the provisions of sections 13 and 15 of the German Telemedia Act.
This stricter stance affects the area of online tracking but, in my opinion, should be limited to persons who are not existing customers. For existing customers, the general balancing of interests must apply, which is why data collected online may also be collected in personally identifiable form and, if necessary, merged with other personal data. However, it is also true for the online tracking of non-customers that the balancing of interests cannot be done schematically and must, among other things, also take appropriate safeguards into account. The following should be noted:
- The interest in advertising measures is legitimate in principle. Art. 6(1)(f) GDPR therefore comes into consideration as a legal basis.
- When applying this provision, all interests must be weighed against each other. The balancing of interests must not disregard the safeguards in place in the specific case (such as transparency measures or the performance of a data protection impact assessment).
- The GDPR gives increased weight to the interest in direct marketing measures in recital 47.
- In the absence of an opening clause, these requirements leave no room for stricter requirements by the member states.
- Recourse to German law may not impair the rights conferred by the GDPR; the uniformity of the law throughout the Union must not be undermined.
As a result, in my opinion, data controllers are not excluded in principle from invoking a legitimate interest in the area of online advertising even if they do not process the corresponding data in pseudonymous form, although great legal uncertainty remains.
Excursus: Purpose compatibility
Another legal basis can lie in Art. 5(1)(b) and Art. 6(4) GDPR: (further) processing for compatible purposes is covered by the lawfulness of the original purpose; in this case, “no other separate legal basis is required” (recital 50; however, this is disputed; cf. esp. Herbst in Kühling/Buchner).
This requires a compatibility assessment under Art. 6(4) GDPR, which takes into account, among other things, the factors mentioned in Art. 6(4)(a) to (d). As a result, the considerations in determining legitimate interest and those in the compatibility test are similar. The difference is that purpose compatibility may also legitimize the processing of special categories of personal data (as Art. 6(4)(c) GDPR makes clear). However, this presupposes that the processing of such personal data was lawful for the original purpose, which – at least for companies in Switzerland – often requires consent. The question here is therefore not so much whether the processing is “compatible” with the original purpose, but whether the consent was formulated broadly enough.
As a result, purpose compatibility hardly ever legitimizes processing that is not already legitimized by a legitimate interest.