Privacy made easy

Checklist: Send out GDPR-compliant newsletters

What you should know and implement regarding the EU General Data Protection Regulation (GDPR) and your email marketing.

Data Protection and Security in Email Marketing

How to get your newsletters ready for GDPR – Including free checklist!

GDPR will apply from May 25, 2018 to all EU-based companies that work with personal data.
This typically includes the name, mailing address, date of birth, email address, IP address and cookies.

In this respect, the new EU General Data Protection Regulation coincides with the previously valid German Federal Data Protection Act (BDSG). In other areas, however, GDPR will replace and supplement the BDSG.

That’s why companies should review and adapt their data protection measures in time. This includes large corporations, online shops, medium-sized companies, start-ups and even clubs. Not so easy to keep track of all to-dos!

But don’t worry: We’ll give you all the relevant information on how GDPR affects email marketing and what needs to be done.

Companies inside & outside the EU

  • Companies in the EU: The GDPR applies to everyone and thus also to companies that act from the EU as the person responsible or contract processor – irrespective of the location where the processing takes place. If the natural person whose personal data are processed does not work or reside within the EU or is a third-country national, this has no effect on the application of the GDPR. It applies equally.
  • Companies outside the EU: The GDPR also applies to third parties and therefore also to companies that are not based in the EU but in a third country outside the EU and process data from persons located in the EU. If their data processing serves to offer goods or services – free of charge or against payment – to persons resident in the EU or to observe and evaluate their behavior, these companies are also subject to the regulations of the GDPR. The behavior is observed and evaluated, for example, by using profiling techniques to analyze or predict personal preferences, behaviors and attitudes, which are queried, for example, when sending newsletters in online marketing. But there is no reason to panic. All companies (also outside the EU) that use our CleverReach® software for their online marketing fulfill the requirements of the GDPR.

Email Marketing Software

You need a contract for order data processing with your respective service provider in accordance with the new legal situation. From May 25th on, you are also obliged to document to whom you pass on personal data. The good news: As a CleverReach customer, you will have the opportunity to conclude a new, GDPR-compliant order processing contract with us digitally by this deadline! Watch out for an email with a link in your mailbox.

If you have any further questions, please contact our support.

Address database

To be allowed to continue using email addresses you’ve collected so far, you should check whether these “old” consents meet GDPR criteria.

If not, rectify and obtain consent again if necessary.

Newsletter subscriptions

From now on, the user’s consent must always be given actively and after being informed of their right of withdrawal – preselected checkboxes are not permitted. A legally compliant method is double opt-in, which many companies already use (automatically preset in our software for all applications). The following also applies:

  • For a newsletter subscription, you are only allowed to ask for your recipient’s data that you actually need for sending your newsletter, i.e. their email address and contact name.
  • Document the consent of your users – email, date, time – preferably electronically (Tip: this function is also available in CleverReach!)
  • Link your updated privacy policy to your newsletter registration form to inform users of what is happening to their data.

Newsletter unsubscribes

Ensure that the withdrawal of data use is possible at any time and without disadvantages for the recipient. Unsubscribing from the newsletter must be as easy as subscribing (e.g. unsubscribe option in the template). Please also note: Your recipients have the so-called “Right to be forgotten” – they may request to delete their personal data, unless there is a legitimate reason to continue storing them. If you are already using the CleverReach software, you are well positioned against this background, because:

  • Unsubscribe links are automatically integrated in our forms, and
  • just in time for the deadline, there will also be a deletion function that newsletter recipients can manage themselves.

FAQ: Questions on GDPR

  • Further information and guidelines on GDPR – and especially on email marketing – can also be found in an interview with our Chief Legal Officer Konrad Frerichs.
  • We haven’t answered all your questions? Have you encountered problems, conflicts, doubts about certain processes or interfaces during the implementation of the new data protection regulations regarding your newsletter marketing? We regularly update our customers’ GDPR FAQs.

Question: What does a newsletter registration form have to contain in the future to be GDPR-compliant?

A registration form must meet the following requirements (as with current case law):

a) exact description of what the person concerned agrees to (i.e. exact type and purpose of data collection)

b) right of withdrawal and storage time of data

c) Consent must be voluntary and explicit and not linked to any other benefits

d) The privacy policy must be confirmed to ensure the person concerned has noticed it.

e) The consent with the respective text must be saved and displayed in the form as well as in the Double-Opt-In mail – this also has to be recorded (when you’re using a CleverReach form, CleverReach records all subscription data)

f) Data economy: Only the email address may be entered as mandatory information (at least for the newsletter form).

Question: What exactly does the privacy policy have to say… Is there a model version?

This is hard to generalize, as each customer has different requirements. Accordingly, we cannot provide standard texts. From our point of view, however, the following information should be part of the declaration:

a) Exact, transparent and easy-to-understand explanation of what happens to the data (where they are stored, that CleverReach has been commissioned as a service provider and an agreement on order data processing exists)

b) The exact purpose and type of data collection

c) right of withdrawal

d) Storage time and location

e) Right to obtain information on data and deleting/blocking