Background

The content of the 20-page Guidance is broadly consistent with the previous version from November 2018. The most significant difference between the two documents is that the updated version does not contain any statements on the permissibility of data processing for third-party advertising purposes. The Guidance explicitly 'does not address the issue of address trading, as separate consultations will be held on this topic'. In this regard, it will be interesting for data brokers to watch out for bespoke regulatory guidance.

Perception of direct marketing in Germany

Direct marketing has become known in recent years in connection with fines in Germany. In July 2020, the Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') issued a fine of €1,240,000 against AOK Baden-Württemberg (a statutory health insurance company) due to an infringement of the obligations of secure data processing. From 2015 to 2019, AOK Baden-Württemberg hosted raffles on different occasions. Within this context, AOK collected the participants' personal data, including contact details and health insurance affiliation. AOK intended to use this data for advertisement purposes, provided that the participants had consented accordingly. Through technical and organisational measures, which included internal guidelines and data protection trainings, among others, AOK wanted to ensure that only data of raffle participants who had given their prior and valid consent would be used for advertisement purposes. The LfDI Baden-Württemberg found that the measures implemented did not comply with legal requirements. As a consequence of bad implementation, the personal data of more than 500 raffle participants were therefore used for advertisement purposes without their consent.

In addition to regulatory measures, the sensitivity of individuals affected by direct marketing is also high: they are usually quick to complain about (allegedly) unlawful advertising and do not hesitate to involve consumer protection organisations in addition to the authorities. In Germany, there are several players and a number of legal means that can be used in the context of unlawful marketing. The group of those who are entitled to issue warnings under competition law is regulated in Section 8(3) of the Act against Unfair Competition of 3 July 2004 as amended ('UGW'): competitors, legally capable associations for the promotion of commercial or independent professional interests, qualified institutions pursuant to Section 4 of the Injunctive Relief Act of 26 November 2001 as amended, and chambers of industry and commerce. Claims against the promoting company can be asserted not only by way of legal proceedings, but also in extra-judicial proceedings.

The Guidance: Key provisions

At the outset, the Guidance defines the term of direct marketing. It is further made clear that the Guidance solely deals with 'data processing for the purposes of "traditional" direct marketing' (like telephone calls, e-mails/SMS/MMS/in-app messages), and not with the topic of online advertising. It addresses, along with other issues, select questions regarding the permissibility of data processing for direct marketing purposes, the associated transparency obligations, requirements for the effectiveness of consent, and the implementation of advertising objections. Some of the relevant topics from the Guidance are discussed in more detail in the following.

Competition law and its interaction with the GDPR

The UWG sets out rules on email marketing. The UWG serves the implementation of the Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market ('the Unfair Commercial Practices Directive') and the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive'), and thus applies alongside the GDPR.

The UWG generally deems the following ways of marketing to be justifiable:

• electronic marketing towards existing customers, if e.g. the email address was obtained within a business relationship, the customer has been properly informed pursuant to Article 13 of the GDPR, and the requirements under Section 7(3) of the UWG are met; and
• telephone marketing towards other market participants (meaning business-to-business contacts, not consumers) if their implied consent can be presumed.

The UWG generally deems the following ways of marketing to be prohibited (unacceptable nuisance):

• telephone marketing towards consumers without their explicit consent;
• electronic marketing to customers without consent or a previous business relationship (see exception above); and
• any marketing communication where the identity of the sender, on whose behalf the communication is transmitted, concealed, or kept secret.

Marketing profiling (sending of advertising after order and selection)

According to the DSK, marketing profiling based on a selection criterion (e.g. postal codes or alphabet) and 'without additional insight' should generally be possible without consent. A strict requirement for consent is only seen in the case of 'more intrusive measures such as automated selection procedures for the creation of detailed profiles, behavioural predictions or analyses that lead to additional insights'. The creation of a profile using external data sources (e.g. information from social networks) for the purposes of direct advertising (advertising scores) would allegedly mean that data subject's interests override the advertiser's commercial interests, hence that the data subject's consent must be obtained.

Information obligations

The DSK addresses the difficulties that often arise in practice when companies have to provide all the necessary information at the time of collection of personal data, especially with regard to offline marketing (e.g. certain raffles or sweepstakes by mail). Therefore, the DSK supports layered privacy notices. According to this approach, initially providing a set of minimum information is sufficient if further information required under Articles 13 and 14 of the GDPR is provided afterwards.

Documentation of consent and the German double opt-in approach

Informed consent must include the following information:

• the type of marketing activity intended (such as letter, email, or telephone);
• the products or services being advertised; and
• the advertising company sending the marketing message, as well as the companies who will be sending marketing material.

Another special requirement applies in Germany: the double opt-in procedure. This is not stipulated in the law, but has developed over the years in case law. The electronic declaration of consent requires verification that it was the data subject and/or the owner of the email address who declared their intent. The procedure must be able to provide proof of consent precisely with regard to the means of communication used for advertising. The mere saving of an IP address and the assertion that consent was given from this IP address is not sufficient according to the case law of the Federal Court of Justice ('BGH'). However, the double opt-in procedure is not sufficient to justify telemarketing with numbers originating from a website. What is meant in this context is the extraction of data from an online imprint ('legal notice') for the purpose of marketing. Although this data is generally accessible, it is not published voluntarily, but instead due to the legal obligation to identify the provider. In the absence of voluntary publication, the weighing of interests pursuant to Article 6(1)(f) of the GDPR regularly leads to the fact that the promotional use of data collected in this way is not permitted. In this case, the controller needs the consent of the data subjects.

Time validity of the consent

The discussion on whether consent, once given, has an expiration date frequently arises. In the Guidance, the DSK notes that the GPDR does not contain any specific requirements regarding the duration of the effectiveness of consent. Accordingly, how long consent is valid depends on the context, the scope of the original consent, and the expectations of the data subject. Both the wording and the aforementioned circumstances could result in both an unlimited and limited period of validity of the consent. The BGH had already clarified before the applicability of the GDPR in its ruling of 1 February 2018 (III ZR 196/17) - under competition law, which was virtually identical to today - that consent granted does not expire in principle: "Neither Directive 2002/58/EC nor Section 7 of the Unfair Competition Act provides for a time limit on consent once it has been granted". Therefore, it is currently a solid legal position that consent does not expire by lapse of time.

Pursuant to Article 5(1)(b) of the GDPR, mainly for transparency reasons, the DSK, as well as the EDPB, recommends that consent should be renewed at regular intervals to ensure that the data subject remains well informed about how their data is being used and how they can exercise their rights. In light of the aforementioned case law, we doubt whether this would actually be required legally, or a helpful service to data subjects and e-mail recipients.

What companies should do

• Check whether your marketing campaigns include customers and business partners in Germany. In this case, the previously mentioned requirements apply, especially the double opt-in procedure for electronic marketing. This is different to many other jurisdictions, including the fact that direct marketing rules are actually enforced in practice.
• The Guidance remains a good starting point for aligning your marketing campaigns with the rules and requirements of the GDPR and the UWG. Legal advice specific to your campaign and database may enable a risk-based approach, particularly in cross-border marketing activities.
• Give particular attention to measures, such as automated selection procedures to create detailed profiles, behavioural predictions, and analyses that lead to additional insights. Such measures may be considered profiling, which requires consent, not just a balancing of interests. Profiling based on marketing material from third-party sources, such as social networks, likely also requires consent.
• Having GDPR-compliant marketing campaigns in place is crucial for businesses, as a failure to comply with these requirements might result in fines and other measures issued by GDPR regulators, as well as might impact your company's market acceptance and reputation.

Thorsten Ihler Partner
[email protected]
Melanie Ludolph Associate
[email protected]
Fieldfisher, Hamburg

1. Available at: https://www.datenschutzkonferenz-online.de/media/oh/OH-Werbung_Februar%202022_final.pdf (only available in German)