In November, the German Data Protection Conference (committee of the independent German federal and state data protection supervisory authorities) ("DSK") published guidance on the processing of personal data for direct marketing purposes under the GDPR. This guidance finally brings some light into the darkness of marketing under the GDPR.
The key takeaways are:
1. General Principles Under GDPR for Direct Marketing
- DSK has a rather broad understanding of the term "marketing" that also includes customer satisfaction surveys as well as emails for Christmas or birthday parties.
- Direct marketing activities require a balancing of interests whereby comprehensive and transparent information on the processing of personal data as required under Arts. 13 and 14 will help justify the marketing. The balancing of interests should particularly take into account the reasonable expectations of the data subject.
- Direct marketing is generally permissible if the processing for marketing is fair, proportionate in relation to the marketing purpose, and transparent.
- Special categories of personal data pursuant to Art. 9 GDPR can only be used for marketing purposes based on explicit consent.
- The provisions on the change of purpose pursuant to Art. 6 para 4 GDPR apply if personal data initially not obtained for marketing purposes is to be used for marketing purposes. The data controller must conduct a compatibility test to assess whether the marketing purposes are compatible with the initial purpose.

2. Examples of Marketing Activities
The following typical examples of marketing activities are generally deemed justifiable:
- Sending non-individualized marketing material relating to similar products/services previously purchased.
- Categorizing certain consumer groups by adding common criteria (added by Orrick: for example, age or interests).

The following typical examples of marketing activities are generally difficult to justify:
- More intrusive measures, such as automated selection procedures for the creation of detailed profiles, behavioral prognoses and analyses that lead to additional findings; in such cases, the DSK considers this to be profiling, which requires consent, not only a balancing of interests.
- The creation of a profile based on marketing material from third-party resources, e.g., social networks.

In the case of a data disclosure to third parties for marketing purposes and the use of address data sourced from third parties, the DSK refers to recital 47 of the...