It can therefore be stated that the declaration of consent under the GDPR does not contain any fundamental innovations for email marketing. Declarations of consent that have already been given and are valid under current law should therefore continue to apply when the GDPR comes into force. This can also be seen from a recent decision by the Düsseldorf Circle, a joint body of all German data protection supervisory authorities. According to this, consents that have been given so far will continue to apply provided that they comply with the conditions of the EU General Data Protection Regulation.
According to the authorities, legally valid consents to date generally meet these conditions. However, for the existing consents to continue, the age limit of at least 16 years (protection of the child's welfare according to Article 8 GDPR) and the voluntary nature (prohibition of linking) would have to be taken into account. The prohibition of linking in particular could lead to problems with older consent declarations, as it is far less strict under existing law.
As already mentioned, the prohibition of linking is given much greater weight in the GDPR. According to this, consent is considered involuntary if it is given with regard to personal data that is not required for the actual performance of the contract. The linking of service and data protection consent should therefore be inadmissible if the user is not given a choice when registering for a service.
The new prohibition on linking is important for email marketing in that in practice, registration for the newsletter is often linked to other mandatory information (e.g. name, gender, age, etc.) in addition to the email address. According to the EU General Data Protection Regulation, there is a risk that linked consents are not permitted and that obtaining them may be subject to sanctions (fines) by supervisory authorities. To avoid risks, the mandatory fields when registering for the newsletter should therefore be kept to a minimum in the future.
Proof of consent
If data processing is based on consent, the company must be able to prove that the data subject has consented to the processing of his or her personal data (Article 7 (1) GDPR).
Even if the obligation to provide evidence is already mandatory under existing law, it is now explicitly mentioned for the first time in the GDPR. However, there is no indication of how sufficient proof is provided. For email marketing, this means that in the future, evidence instruments such as the double opt-in procedure and the logging of registration processes will still be required. Without verifiable proof, consent is virtually non-existent, as it cannot be sufficiently proven in court.
Validity of the consent
The validity period of consent declarations has always been controversial. To say it right away: this is not explicitly regulated in the GDPR or in the final draft of the ePrivacy Regulation. However, Article 9 of the ePrivacy Regulation provides specific guidelines on revocation and related information.
In the future, users must be informed of this revocation option at periodic intervals of six months. This is not a problem if you regularly use a newsletter, as every advertising email contains unsubscribe links. However, if email addresses remain unused for a longer period of time, users must be informed every six months that the declaration of consent given can be revoked.
If this deadline is missed, there is a risk that declarations made will automatically lose their validity. For the first time, this obligation to provide information could be used to derive a period of validity for declarations of consent under data protection law for email marketing.
Exceptions for newsletters to own customers remain in place
Under current law, sending advertising emails to your own customers without consent is already permitted if the requirements of Section 7 Paragraph 3 of the German Act Against Unfair Competition are observed. However, this exception is subject to very strict conditions, which in practice are often ignored or deliberately overstretched.
However, the European legislator has decided to retain this exception and has laid down a similar provision for existing customers in Article 16 paragraph 2 of the draft ePrivacy Regulation. According to this, consent to email marketing is still not required if the email address was collected in connection with the sale of a product or service in accordance with the GDPR and is used for direct advertising for the company's own similar products or services. The customer must be clearly informed that they can object to such use free of charge and in a simple manner. The right of objection must be observed when obtaining the information and each time a message is sent.
The current practice will therefore remain largely the same. The challenge will remain that companies must observe the right of objection "upon obtaining" the email address. Whether this notice can be "hidden" within a data protection declaration or must be provided separately is something that case law must determine through interpretation. It should also be noted here that the ePrivacy Regulation is still in the draft stage and possible changes to the text of the law cannot be ruled out.