Updates from the CSA: Email footers and data retention

This means it will not be enough to just link to that information on a web page.

The legal notice must contain the following details:

• Name of supplier, and in the case of companies, corporate name and legal form.
• Authorized representatives (in the case of legal entities).
• Postal address at which the sender can be summoned (i.e. not a P.O. box).
• Email address.
• Telephone and fax number, if applicable.
• If available, commercial, cooperative, association, or partnership register number.
• If available, VAT identification number and/or business identification number.
• In the case of journalistic and editorial content, the name of the publisher.

Further obligations to provide information in accordance with national laws are not affected.

You can find an example of a compliant legal notice for a limited liability company as well as additional background information here:

•  “eco Directive for Permissiblee-Mail Marketing” on pages 29 et sqq.
• “CSA Admission Criteria” under number 2.4

Since GDPR introduced the 'right to be forgotten', customers can contact you and request that all the data you hold on them be deleted.

However, Art. 17 para. 3 e does explicitly allow for some data to be retained, for example in order to protect you from litigation. The CSA, for example, expects businesses to keep at least the following data for the duration of the statute of limitations (e.g. in Germany 3 years after the latest sending):

• The declaration of consent.
• The contact email address.
• The “place” (e.g. registration form) and time of the data collection and the DOI.

You can read the CSA's own advice here:

• Obligation to Delete vs. Burden of Proof