Consent should always be specific, informed and unambiguous in every case. The opt-in copy must therefore be restricted to the sending of advertising and may not contain any other information or instructions. Something like "email address for newsletter and prize notifications" is not sufficient. 

Likewise, the person concerned (data subject) should be able to clearly understand the scope of the consent, i.e. which company is advertising about which products or services. 

Finally, before submitting their consent, the party concerned is to be informed of their right to revoke consent at any time. A notification that the user can unsubscribe at any time and which methods are available for this purpose can either be mentioned immediately or explained in the privacy policy – as a minimum the unsubscribe link and the email address should be provided. 

The privacy policy should include, among other things, the legal bases, a note on the newsletter (sender, type of emails, right to unsubscribe at any time, unsubscribe methods, and in the case of the opt-out for advertising to existing customers - in Germany in accordance with § 7 para. 3 UWG (Act Against Unfair Competition) - a passage explaining that no costs will be incurred for unsubscribing, other than the transmission costs in accordance with the basic tariff, as well as information on data processing (what data is being collected, how the data is processed, how it is used and for how long it is saved; any third parties must be specifically named).

We have provided some example texts for you to use in this article: Best Practices for Opt-in.

No, but feel free to look at our own document for inspiration: The Emarsys Data Processing Agreement.

The legal basis for the processing of personal information after newsletter registration is consent received in accordance with Art. 6 (1) (a) GDPR, or in the case of an email address obtained in connection with the sale of goods or services (in Germany), § 7 para. 3 UWG (Act Against Unfair Competition). 

The legal basis for the logging of user behavior and the registration process could be a legitimate interest in accordance with Art. 6 (1) (f) GDPR. In this case the legitimate interest is a newsletter offering that is both high in quality and technically secure.

§ 7 para. 3 UWG (Act against Unfair Competition) is based on the e-Privacy Directive. Consequently, there are comparable regulations within the EU. It will continue to be applicable. The principle of a uniform legal system applies. 

If the requirements under § 7 para. 3 UWG are met, then the data processing related thereto will also be permissible under the GDPR. This is a special regulation in accordance with Art. 95 GDPR. However, future interference and a resulting legal decision cannot be ruled out. Let’s wait and see where the e-Privacy Regulation will eventually lead. The draft contains a clause relevant to this issue.

If the website is specifically tailored to a country (e.g. by using the ".de" domain), then yes. A web page is otherwise, by definition, globally accessible and a translation into every language in the entire world would be completely exaggerated.

Any consent that has been legally obtained up until this point will continue to remain valid. Or, at least consent that was obtained in accordance with the German and Austrian laws as the regulations governing consent in these countries were already practically in line with the GDPR. 

Minors, in particular, can present a stumbling block in this regard; in the future, parental consent will be required for children under the age of 16. However, this age can also be reduced by Member States, such as in Austria (14 years) and the United Kingdom (13 years). This also applies to existing data. 

In addition, the prohibition of coupling is to be taken into account. While the new regulations are somewhat ambiguous, the requirements will become more stringent than they have been in the past. Popular versions such as "give me your permission and you’ll be entered into this competition" should perhaps be converted into "all of our newsletter subscribers will automatically be entered into a competition…". 

The result will be similar from the advertiser’s point of view, but the phrasing presents less of a risk from a legal point of view.

From a technical viewpoint, information such as location, IP address and timestamp required as part of the demonstration of consent can be easily documented by the inclusion of a double opt-in. 

However, the archiving of privacy policies and consent agreements should be carried out separately. For example, when making changes, you should keep past versions of your relevant web pages (e.g. as screenshots saved as PDFs or images) to track the changes. 

In addition, you could send a copy of each confirmation mail that is sent as part of the double opt-in to an internal email archive using the BCC function.

Yes. It is incumbent upon the controller to fulfil his disclosure obligation, regardless of whether the records were gathered before or after the GDPR came into force. However, in accordance with Art. 15 (1) (g) GDPR, information about the source of the data is only required to be provided in cases where the personal data is not collected from the person concerned (the data subject).

No. In terms of GDPR, nothing has changed in this regard.

A double opt-in is not explicitly required by GDPR. However, it must be possible to provide evidence that the person to whom the email address belongs, i.e. the person who has authority to use the email address, was the person who actually registered and not someone else. 

The double opt-in provides the only feasible and "watertight" means of collecting this evidence. 

In this regard offline is no different to online. The alternative would be to archive every flyer or every signature. In addition, when digitizing handwritten email addresses errors often creep in – without a double confirmation of consent, spam is inevitable. We therefore strongly recommend that where email addresses have been received via an offline source, that these are promptly followed up with a confirmation email.

No, see previous answer. The privacy policy should state that you are logging whether an email has been opened, how you track this, and which links were clicked on. The data is collected for analysis purposes and to adapt email content to individual reader preferences.

The registration data to be stored are the IP address, the timestamp, a URL/screenshot of the registration form and – in the case of a double opt-in – the exact confirmation email received. How records are kept can be individually chosen, but, in the event of a complaint, the complete records must be readily available so as to be presented in a timely manner.

It should be sufficient to point this out during the registration process by adding a note that subscribers need to be over the age of 16. By registering, the subscriber then confirms that he or she is at least 16 years old. 

But this may not be the case if an offer is aimed at children. In this case it may be necessary to obtain verification as well as the consent of a parent or guardian. How exactly this is to be achieved without overstepping the mark and while still fulfilling its intended purpose, remains to be seen (e.g. requesting a copy of an ID document by email?).

Yes. As of the 25th of May, 2018, the basic conditions of the GDPR will need to be met. If the consent of a minor has been provided without the consent of their legal guardian, the GDPR conditions have not been fulfilled. In other words, this means that the consent will no longer be valid as from the effective date (25th of May) and will subsequently need to be corrected.

A separate, express consent is not required for Web Extend and Predict. For your re-permissioning campaign, you can link to a form in which the newsletter opt-in and the consent in terms of data protection are requested separately, i.e. by means of two separate check marks.

See Art. 37 (1) GDPR: "The controller and the processor shall designate a data protection officer in any case where:

1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10."

Paragraphs 2 and 3 are most likely to apply. If there is any doubt, a data protection officer must be appointed.

See Art. 39 (1) GDPR: "The data protection officer shall have at least the following tasks:

1. to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
2. to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
3. to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
4. to cooperate with the supervisory authority;
5. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter."

In accordance with Art. 56 (1) GDPR, the supervisory authority of the main branch or of the individual branches of the controller or processor is the responsible authority. 

However, in accordance with Art. 56 (2) GDPR, authorities of other EU Member States may also act if they receive a complaint or become aware of a violation and the subject matter relates only to a branch located in their Member State or it only significantly affects data subjects in their Member State.

There is no formal procedure for contacting a supervisory authority and this can be done via the contact options specified by the supervisory authority (see for example their websites).

Yes, because data processing by Emarsys takes place in the EU and so the GDPR is applicable. In addition, hardly any Swiss website operators offer services exclusively to customers based in Switzerland and not to customers based in the surrounding countries, which, in accordance with Art. 3 (2) (a) GDPR, means that the General Data Protection Regulation would apply anyway.

Essentially, a single set of rules will apply to all EU Member States. However, some Member States will require supplemental national laws. Even Germany has a new Federal Data Protection Act that broadens the policy to some extent. This is less about marketing and more about video surveillance, scoring and credit checks or the processing of personal data. 

All in all, there are many so-called flexibility clauses in the GDPR that provide a certain level of maneuverability for the national legislature.

All Emarsys servers that deal with the processing of customer data are located in the EU. For more information on how Emarsys handles data, see: Data Security in Emarsys.

While the GDPR itself does not require this, it must still be mentioned in the privacy policy and the customer must have agreed to the terms outlined in the privacy policy (e.g. when registering for the newsletter or when visiting the website for the first time in the cookie pop-up window). This could, however, change with the future EU e-Privacy Regulation. If, when and in what form this policy will be implemented is currently still unknown.

There is no fixed limit but you have an obligation to provide information on how long data will be kept for. Typically, this notification will be included in the privacy policy. 

At the same time, you must set up processes to ensure that data that is no longer required or for which there is no longer any legitimate use is deleted properly and in a timely manner. 

Data onboarding makes it possible to use the platform in all its facets. But let's answer this question from a different point of view: what are the restrictions with regard to data transfer? 

Special categories of personal data in accordance with Art. 9 GDPR require extraordinary measures. Special categories include, for example, data on political or religious views or data concerning health, sexual  preferences or ethnicity. All other data can be processed without any problems, provided that the general conditions, such as the consent of the person concerned (data subject), have been met. 

The form of transmission is irrelevant from a legal standpoint but generally takes place electronically.

No, because this would mean that the confirmation email itself becomes an advertisement and advertising can only be sent after the confirmation of registration.

Strictly speaking, yes. After all, it entices the user to grant advertisement consent. 

But everyone does it and this rule should probably not be applied in an unrealistically strict manner here. 

That this benefit is not available to those who refuse to opt-in does not constitute a disadvantage so significant that it would affect the voluntary nature of their consent. It is, however, important not to overstep the mark. The newsletter registration must remain front and centre.

This question cannot be answered in general terms. It will always come down to the unique circumstances of each individual case. 

Coupling the opt-in with a competition entry may be allowed if there are alternative ways to enter, i.e. if the participant has the opportunity to enter the competition by post, for example, or some way other than just by email. If this option is not available, then coupling is not permitted. 

The alternative must also be clearly stated on the form. If there is no alternative provided, it cannot be coupled, and a separate checkbox must be provided for the newsletter subscription. 

In general, the following applies: the more offered "in return" for registering, the more likely it becomes that it will not be permissible.

It is not categorically true that IP addresses cannot be stored. Though this is indeed considered as personal information in terms of the GDPR, The controller's interest in the processing of the IP address (for example for evidence of consent) will outweigh this in accordance with Art. 6 (1) (f) GDPR.

This is also a complex issue. If the controller has a legitimate interest (for the marketer, for example, an improved matching with the interests of the customer) and the interests of the data subject (the customer) do not outweigh this, this may continue to be permissible in accordance with Art. 6 (1) (f) GDPR.

No. After receiving a request, the controller must delete the data within 30 days and send confirmation of this to the person concerned (data subject).

Yes, see above.

Yes. If the customer has been adequately informed about this (e.g. in the privacy policy) and has consented to this, then this is permissible.

There is no legally prescribed form. Art. 15 (3) sentence 3 of the GDPR only requires the following: 

"Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form." 

The easiest way to do this would be by email, perhaps with an attached Excel spreadsheet.