EU-General Data Protection Regulation (GDPR)
How to get your newsletters ready for GDPR – plus checklist
GDPR will apply from May 25, 2018 to all EU-based companies that work with personal data.
This typically includes the name, mailing address, date of birth, email address, IP address and cookies.
In this respect, the new EU General Data Protection Regulation coincides with the previously valid German Federal Data Protection Act (BDSG). In other areas, however, GDPR will replace and supplement the BDSG.
That’s why companies should review and adapt their data protection measures in time. This includes large corporations, online shops, medium-sized companies, start-ups and even clubs. Not so easy to keep track of all to-dos!
But don’t worry: We’ll give you all the relevant information on how GDPR affects email marketing and what needs to be done.
1. Companies inside and outside the EU
- Companies in the EU: The GDPR applies to everyone and thus also to companies that act from the EU as the person responsible or contract processor – irrespective of the location where the processing takes place. If the natural person whose personal data are processed does not work or reside within the EU or is a third-country national, this has no effect on the application of the GDPR. It applies equally.
- Companies outside the EU: The GDPR also applies to third parties and therefore also to companies that are not based in the EU but in a third country outside the EU and process data from persons located in the EU. If their data processing serves to offer goods or services – free of charge or against payment – to persons resident in the EU or to observe and evaluate their behavior, these companies are also subject to the regulations of the GDPR. The behavior is observed and evaluated, for example, by using profiling techniques to analyze or predict personal preferences, behaviors and attitudes, which are queried, for example, when sending newsletters in online marketing. But there is no reason to panic. All companies (also outside the EU) that use our CleverReach® software for their online marketing fulfill the requirements of the GDPR.
2. Email Marketing Software
You need a contract for order data processing with your respective service provider in accordance with the new legal situation. From May 25th on, you are also obliged to document to whom you pass on personal data.
The good news: As a CleverReach® customer, you will be able to digitally conclude a new, GDPR-compliant order processing contract with us by this deadline! Watch for an email with a link in your mailbox.
If you have any further questions, please contact our support.
3. Address database
To be allowed to continue using email addresses you’ve collected so far, you should check whether these “old” consents meet GDPR criteria.
If not, rectify and obtain consent again if necessary.
4. Newsletter subscriptions
From now on, the user’s consent must always be given actively and after being informed of their right of withdrawal – preselected checkboxes are not permitted. A legally compliant method is double opt-in, which many companies already use (automatically preset in our software for all applications). The following also applies:
- For a newsletter subscription, you are only allowed to ask for your recipient’s data that you actually need for sending your newsletter, i.e. their email address and contact name.
- Document the consent of your users – email, date, time – preferably electronically (Tip: this function is also available in CleverReach®!)
5. Newsletter unsubscribes
Ensure that the withdrawal of data use is possible at any time and without disadvantages for the recipient. Unsubscribing from the newsletter must be as easy as subscribing (e.g. unsubscribe option in the template).
Please also note: Your recipients have the so-called “Right to be forgotten” – they may request the deletion of their personal data, unless there is a legitimate reason to continue storing it.
If you are already using the CleverReach® software, you are well positioned against this background, because:
- Unsubscribe links are automatically integrated in our forms, and
- Just in time for the deadline, there will also be a deletion function that newsletter recipients can manage themselves.
6. FAQ: Questions on GDPR
- Further information and guidelines on GDPR – and especially on email marketing – can also be found in an interview with our Chief Legal Officer Konrad Frerichs.
- We haven’t answered all your questions? Have you encountered problems, conflicts or doubts about certain processes or interfaces while implementing the new data protection regulations for your newsletter marketing? We regularly update our GDPR FAQs for customers. If you have any further questions, please contact our support.
Question: What does a newsletter registration form have to contain in the future to be GDPR-compliant?
A registration form must meet the following requirements (as with current case law):
a) Exact description of what the person concerned agrees to (i.e. exact type and purpose of data collection)
b) Right of withdrawal and storage time of data
c) Consent must be voluntary and explicit and not linked to any other benefits
e) The consent with the respective text must be saved and displayed in the form as well as in the double opt-in mail – this also has to be recorded (when you’re using a CleverReach form, CleverReach records all subscription data)
f) Data economy: Only the email address may be entered as mandatory information (at least for the newsletter form).
Question: Does a link with the data protection declaration have to be displayed in the form and/or actively confirmed via a tick?
Yes (see point d) of the previous question).
Question: Since we use your tracking functions – do we have to mention this already in the registration form or is this sufficient in the data protection declarations?
From our point of view, it is sufficient to refer to this in the data protection declaration.
We recommend having this confirmed by your legal advisor.
This is hard to generalize, as each customer has different requirements. Accordingly, we cannot provide standard texts. From our point of view, however, the following information should be part of the declaration:
a) Exact, transparent and easy-to-understand explanation of what happens to the data (where they are stored, that CleverReach has been commissioned as a service provider and an agreement on order data processing exists)
b) The exact purpose and type of data collection
c) Right of withdrawal
d) Storage time and location
e) Any tracking measures, if opens/clicks are evaluated in a personalized way. The person concerned must know that their open and click behavior is tracked (if used)
f) Right to obtain information on data and deleting/blocking
Please note that we do not provide general legal advice and can only make recommendations for which we assume no liability.
We recommend consulting your legal advisor on this topic, since you are responsible for acting in accordance with GDPR.