We have already answered some general questions on the GDPR in this blog post:
Below we have collected some additional questions specific to users of the Emarsys Platform.
If you have any additional questions concerning data protection, please raise a support request so that we can add them to our documentation.
Emarsys is not a law firm specializing in data protection legislation, and we do not offer legal advice. We want to help you understand how this legislation can affect you as an Emarsys customer, and this article assumes that you are using the Emarsys Marketing Platform properly, according to our documentation.
You should always refer to a qualified legal source when it comes to checking whether or not you are compliant in any given situation.
General
- Do you provide a recommendation or a template for the necessary contents (consent, can be cancelled at any time, use of data, etc.) for newsletter subscriptions?
- Do you offer a template for a Data Processing Agreement document?
- What is the legal basis I should refer to with regard to the processing of personal data for the newsletter?
- Does the GDPR affect the scope of §7 para. 3 of the Act Against Unfair Competition (UWG) (advertising to existing customers without consent)?
- Does the privacy policy need to be translated into all target audience languages?
Consent
- Do old consents have to be renewed, i.e. do they have to be obtained again?
- How do I document the circumstances under which consent was given in order to be able to provide evidence of opt-in at any given time?
- Must information such as "data source" etc. also be collected retroactively?
- In terms of the double opt-in procedure, is it permissible to resend a confirmation email if confirmation was not provided?
- Is the offline double opt-in mandatory? For instance, for a flyer in a shop - in this type of situation consent is automatically implied when submitting the email address. Do these customers need to receive a confirmation email?
- Does open and click tracking require separate consent?
- How exactly should the opt-in process ensuring consent be documented?
- Does a newsletter subscription have to ask for the subscriber’s date of birth in order to ensure that the subscriber is over the age of 16?
- Must consent from existing subscribers who are under the age of 16 be updated?
- If I am running a re-permissioning campaign to recapture consent, can I do so with a collective consent request, e.g. consent for Web Extend, Predict and email with just one click?
Data protection office and supervising authority
- Who is required to have a data protection officer?
- What are the duties of a data protection officer?
- Who is the lead supervisory authority?
- How can a supervisory authority be contacted?
Geographical location
- As a Swiss company, do we need to comply with the new requirements?
- Is the GDPR applied uniformly in all EU countries or are there national differences?
- Where are the Emarsys servers located?
Response and behavior tracking
- Will consent be required for Web Extend tracking?
- Does open and click tracking require separate consent?
- For how long will response data be retained?
- Which data is allowed to be transferred to the Emarsys Platform and in what form?
Coupling
- Can vouchers be advertised in the confirmation email (e.g. "Confirm now and receive a voucher for XYZ")?
- Does the € 5 incentive offered for signing up for a newsletter constitute "coupling"?
- What exactly will the prohibition of coupling disallow? What will continue to be allowed?
Data management
- If the storage of IP addresses is not permitted, then how can they be documented for the purposes of evidence of consent?
- Can information that is not necessarily required for email marketing, such as gender or title, still be used?
- Does the customer in fact have to be offered the option of being able to delete all personal data stored on different systems with just "one click"?
- Am I allowed to continue collecting pseudonymized data (tracking) in order to continue to understand how my website is used?
- Can I use customers' back-end data for analysis, e.g. to determine the quality of a customer segment, if I then only contact those customers who opted in for personalization?
- A customer is requesting information about their stored data – what is the easiest way to transmit this information to the customer and what form should the information take?
Do you provide a recommendation or a template for the necessary contents (consent, can be cancelled at any time, use of data, etc.) for newsletter subscriptions?
Consent must be specific, informed and unambiguous. The opt-in copy must therefore be restricted to the sending of advertising and may not be bundled with other purposes or instructions. Something like "email address for newsletter and prize notifications" is not sufficient.
Likewise, the person concerned (data subject) should be able to clearly understand the scope of the consent, i.e. which company is advertising about which products or services.
Finally, before submitting their consent, the party concerned is to be informed of their right to revoke consent at any time. A notification that the user can unsubscribe at any time and which methods are available for this purpose can either be mentioned immediately or explained in the privacy policy – as a minimum the unsubscribe link and the email address should be provided.
The privacy policy should include, among other things:
- the legal bases for the processing;
- a note on the newsletter: sender, type of emails, the right to unsubscribe at any time and the unsubscribe methods;
- in the case of opt-out advertising to existing customers (in Germany in accordance with § 7 para. 3 UWG, the Act Against Unfair Competition), a passage explaining that unsubscribing incurs no costs other than the transmission costs according to the basic tariff;
- information on data processing: what data is collected, how it is processed, how it is used and for how long it is stored; any third parties must be specifically named.
We have provided some example texts for you to use in this article: Best Practices for Opt-in.
Do you offer a template for a Data Processing Agreement document?
No. If you would like to take a look at our data processing agreement, please contact your Client Success Manager.
What is the legal basis I should refer to with regard to the processing of personal data for the newsletter?
The legal basis for the processing of personal information after newsletter registration is consent received in accordance with Art. 6 (1) (a) GDPR, or in the case of an email address obtained in connection with the sale of goods or services (in Germany), § 7 para. 3 UWG (Act Against Unfair Competition).
The legal basis for the logging of user behavior and the registration process could be a legitimate interest in accordance with Art. 6 (1) (f) GDPR. In this case the legitimate interest is a newsletter offering that is both high in quality and technically secure.
Does GDPR affect the scope of §7 para. 3 of the Act Against Unfair Competition (UWG) (advertising to existing customers without consent)?
§ 7 para. 3 UWG (Act Against Unfair Competition) implements the e-Privacy Directive, so comparable rules exist in the other EU Member States, and it continues to apply alongside the GDPR.
If the requirements under § 7 para. 3 UWG are met, then the data processing related thereto will also be permissible under the GDPR. This is a special regulation in accordance with Art. 95 GDPR. However, future interference and a resulting legal decision cannot be ruled out. Let’s wait and see where the e-Privacy Regulation will eventually lead. The draft contains a clause relevant to this issue.
Does the privacy policy need to be translated into all target audience languages?
If the website is specifically tailored to a country or region (e.g. by using a ".de" domain), then yes. Otherwise a web page is, by definition, globally accessible, and translating the policy into every language in the world would be excessive.
Do old consents have to be renewed, i.e. do they have to be obtained again?
Consent that was legally obtained before the GDPR took effect remains valid, at least where it was obtained in accordance with German or Austrian law, since the rules governing consent in those countries were already practically in line with the GDPR.
Minors, in particular, can present a stumbling block in this regard; in the future, parental consent will be required for children under the age of 16. However, this age can also be reduced by Member States, such as in Austria (14 years) and the United Kingdom (13 years). This also applies to existing data.
In addition, the prohibition of coupling must be taken into account. While the new rules are somewhat ambiguous, the requirements will become more stringent than they have been in the past. Popular formulations such as "give me your permission and you'll be entered into this competition" should perhaps be converted into "all of our newsletter subscribers will automatically be entered into a competition...".
The result will be similar from the advertiser’s point of view, but the phrasing presents less of a risk from a legal point of view.
How do I document the circumstances under which consent was given in order to be able to provide evidence of opt-in at any given time?
From a technical viewpoint, the information required to demonstrate consent, such as location, IP address and timestamp, can easily be documented by using a double opt-in.
However, the archiving of privacy policies and consent agreements should be carried out separately. For example, when making changes, you should keep past versions of your relevant web pages (e.g. as screenshots saved as PDFs or images) to track the changes.
In addition, you could send a copy of each confirmation mail that is sent as part of the double opt-in to an internal email archive using the BCC function.
Must information such as "data source" etc. also be collected retroactively?
Yes. The controller must fulfill its disclosure obligation regardless of whether the records were gathered before or after the GDPR came into force. However, in accordance with Art. 15 (1) (g) GDPR, information about the source of the data only has to be provided where the personal data was not collected from the person concerned (the data subject).
In terms of the double opt-in procedure, is it permissible to resend a confirmation email if confirmation was not provided?
No. In terms of GDPR, nothing has changed in this regard.
Is the offline double opt-in mandatory? For instance, for a flyer in a shop - in this type of situation consent is automatically implied when submitting the email address. Do these customers need to receive a confirmation email?
A double opt-in is not explicitly required by GDPR. However, it must be possible to provide evidence that the person to whom the email address belongs, i.e. the person who has authority to use the email address, was the person who actually registered and not someone else.
The double opt-in provides the only feasible and "watertight" means of collecting this evidence.
In this regard offline is no different to online. The alternative would be to archive every flyer or every signature. In addition, when digitizing handwritten email addresses errors often creep in – without a double confirmation of consent, spam is inevitable. We therefore strongly recommend that where email addresses have been received via an offline source, that these are promptly followed up with a confirmation email.
Does open and click tracking require separate consent?
No (see also the answer on Web Extend tracking in the "Response and behavior tracking" section). The privacy policy should state that you are logging whether an email has been opened, how you track this, and which links were clicked on. The data is collected for analysis purposes and to adapt email content to individual reader preferences.
How exactly should the opt-in process ensuring consent be documented?
The registration data to be stored are the IP address, the timestamp, a URL/screenshot of the registration form and, in the case of a double opt-in, the exact confirmation email sent. How the records are kept is up to you, but in the event of a complaint the complete records must be readily available so that they can be presented promptly.
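The two answers above describe what a consent record needs to contain (IP address, timestamp, the exact form shown, the exact confirmation mail) and that it must survive unchanged until a complaint arrives. The following is an added example, not Emarsys code and not part of the original article, of how such a double opt-in evidence record can be built: the confirmation token is stored only as a hash, the confirmation click is checked for the right token, a replay and an expired link, and the completed record is sealed with an HMAC so that later tampering is detectable. The signing key, the 72-hour confirmation window and all input data are constructed assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

# Constructed key for this example only; in production load it from a secret
# store and rotate it like any other signing key.
SIGNING_KEY = b"example-only-signing-key"

# Assumption: a confirmation link is honoured for 72 hours after sign-up.
CONFIRM_WINDOW = timedelta(hours=72)

# Constructed reference time for the examples and tests.
T0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)


def minutes_after(n):
    """Helper for the examples: a point in time n minutes after T0."""
    return T0 + timedelta(minutes=n)


def _sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _mac(record):
    """HMAC over the canonical JSON of every field except the MAC itself."""
    body = {k: v for k, v in record.items() if k != "mac"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(SIGNING_KEY, canonical, "sha256").hexdigest()


def record_signup(email, ip, form_url, form_html, now):
    """Log the unconfirmed opt-in and return (record, confirmation_token).

    Only a hash of the token is kept: the plaintext goes into the confirmation
    mail, so a leaked evidence log cannot be used to forge confirmations.
    """
    token = secrets.token_urlsafe(32)
    record = {
        "email": email,
        "signup_ip": ip,
        "signup_ts": now.isoformat(),
        "form_url": form_url,
        "form_sha256": _sha256(form_html),  # fingerprint of the exact form/privacy text shown
        "token_sha256": _sha256(token),
        "mail_sha256": None,                # fingerprint of the confirmation mail actually sent
        "confirm_ip": None,
        "confirm_ts": None,
    }
    return record, token


def log_confirmation_mail(record, mail_body):
    """Keep a fingerprint of the exact confirmation mail (archive the body itself via BCC)."""
    record["mail_sha256"] = _sha256(mail_body)


def confirm(record, token, ip, now):
    """Validate a confirmation click; on success complete and seal the record."""
    if record["confirm_ts"] is not None:
        return False  # replayed link: this record is already confirmed
    if not hmac.compare_digest(_sha256(token), record["token_sha256"]):
        return False  # wrong or tampered token
    signup_ts = datetime.fromisoformat(record["signup_ts"])
    if now - signup_ts > CONFIRM_WINDOW:
        return False  # expired link; the subscriber must sign up again
    record["confirm_ip"] = ip
    record["confirm_ts"] = now.isoformat()
    record["mac"] = _mac(record)
    return True


def verify_evidence(record):
    """True only if the record is confirmed and unmodified since it was sealed."""
    if record.get("confirm_ts") is None or "mac" not in record:
        return False
    return hmac.compare_digest(_mac(record), record["mac"])


def demo():
    """Constructed walk-through of one subscriber's double opt-in."""
    form = "<form>Subscribe to the Example Ltd newsletter. Unsubscribe at any time.</form>"
    rec, token = record_signup("alice@example.com", "203.0.113.7",
                               "https://example.com/newsletter", form, T0)
    log_confirmation_mail(rec, "Please confirm: https://example.com/confirm?t=" + token)
    confirm(rec, token, "203.0.113.7", minutes_after(5))
    return rec
```

The sealed record is what you hand over in a complaint; the confirmation mail body is archived separately (e.g. via the BCC copy mentioned above) and can be matched to the record through `mail_sha256`. Because the MAC covers every field, a later edit to the email address or timestamps makes `verify_evidence` return False.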
Does a newsletter subscription have to ask for the subscriber’s date of birth in order to ensure that the subscriber is over the age of 16?
It should be sufficient to point this out during the registration process by adding a note that subscribers need to be over the age of 16. By registering, the subscriber then confirms that he or she is at least 16 years old.
But this may not be the case if an offer is aimed at children. In this case it may be necessary to obtain verification as well as the consent of a parent or guardian. How exactly this is to be achieved without overstepping the mark and while still fulfilling its intended purpose, remains to be seen (e.g. requesting a copy of an ID document by email?).
Must consent from existing subscribers who are under the age of 16 be updated?
Yes. As of the 25th of May, 2018, the basic conditions of the GDPR will need to be met. If the consent of a minor has been provided without the consent of their legal guardian, the GDPR conditions have not been fulfilled. In other words, this means that the consent will no longer be valid as from the effective date (25th of May) and will subsequently need to be corrected.
If I am running a re-permissioning campaign to recapture consent, can I do so with a collective consent request, e.g. consent for Web Extend, Predict and email with just one click?
A separate, express consent is not required for Web Extend and Predict. For your re-permissioning campaign, you can link to a form in which the newsletter opt-in and the consent in terms of data protection are requested separately, i.e. by means of two separate check marks.
Who is required to have a data protection officer?
See Art. 37 (1) GDPR: "The controller and the processor shall designate a data protection officer in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10."
Points (b) and (c) are the ones most likely to apply to a marketer. If there is any doubt, a data protection officer should be appointed.
What are the duties of a data protection officer?
See Art. 39 (1) GDPR: "The data protection officer shall have at least the following tasks:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- to cooperate with the supervisory authority;
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter."
Who is the lead supervisory authority?
In accordance with Art. 56 (1) GDPR, the supervisory authority of the main establishment or of the single establishment of the controller or processor is the lead supervisory authority.
However, in accordance with Art. 56 (2) GDPR, the authority of another EU Member State may also handle a complaint lodged with it, or a possible infringement it becomes aware of, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.
How can a supervisory authority be contacted?
There is no formal procedure for contacting a supervisory authority and this can be done via the contact options specified by the supervisory authority (see for example their websites).
As a Swiss company, do we need to comply with the new requirements?
Yes, because data processing by Emarsys takes place in the EU and so the GDPR is applicable. In addition, hardly any Swiss website operators offer services exclusively to customers based in Switzerland and not to customers based in the surrounding countries, which, in accordance with Art. 3 (2) (a) GDPR, means that the General Data Protection Regulation would apply anyway.
Is the GDPR applied uniformly in all EU countries or are there national differences?
Essentially, a single set of rules applies to all EU Member States. However, some Member States have enacted supplementary national laws. Germany, for example, has a new Federal Data Protection Act that extends the rules in some areas. This is less about marketing and more about video surveillance, scoring and credit checks, and certain other areas of personal data processing.
All in all, there are many so-called flexibility clauses in the GDPR that provide a certain level of maneuverability for the national legislature.
Where are the Emarsys servers located?
All Emarsys servers that deal with the processing of customer data are located in the EU. For more information on how Emarsys handles data, see: Data Security in Emarsys.
Will consent be required for Web Extend tracking?
While the GDPR itself does not require this, it must still be mentioned in the privacy policy and the customer must have agreed to the terms outlined in the privacy policy (e.g. when registering for the newsletter or when visiting the website for the first time in the cookie pop-up window). This could, however, change with the future EU e-Privacy Regulation. If, when and in what form this policy will be implemented is currently still unknown.
For how long will response data be retained?
There is no fixed limit but you have an obligation to provide information on how long data will be kept for. Typically, this notification will be included in the privacy policy.
At the same time, you must set up processes to ensure that data that is no longer required or for which there is no longer any legitimate use is deleted properly and in a timely manner.
Which data is allowed to be transferred to the Emarsys Platform and in what form?
Data onboarding makes it possible to use the Platform in all its facets. Let's answer this question from a different point of view: what are the restrictions with regard to data transfer?
Special categories of personal data in accordance with Art. 9 GDPR require extraordinary measures. The form of transmission is irrelevant from a legal standpoint but generally takes place electronically.
In the Emarsys Platform, Emarsys does not support the use of any sensitive personal data and does not include any technical measures that support the processing of special categories of personal data. Sensitive personal data here means information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life, criminal convictions or offences, bank account and credit card data, genetic data and biometric data for the purpose of uniquely identifying a natural person. Note that this list is deliberately broader than Art. 9 GDPR, which does not cover financial data (criminal convictions fall under Art. 10).
Can vouchers be advertised in the confirmation email (e.g. "Confirm now and receive a voucher for XYZ")?
No, because this would mean that the confirmation email itself becomes an advertisement and advertising can only be sent after the confirmation of registration.
Does the € 5 incentive offered for signing up for a newsletter constitute "coupling"?
Strictly speaking, yes. After all, it entices the user to grant advertisement consent.
But everyone does it and this rule should probably not be applied in an unrealistically strict manner here.
That this benefit is not available to those who refuse to opt-in does not constitute a disadvantage so significant that it would affect the voluntary nature of their consent. It is, however, important not to overstep the mark. The newsletter registration must remain front and center.
What exactly will the prohibition of coupling disallow? What will continue to be allowed?
This question cannot be answered in general terms. It will always come down to the unique circumstances of each individual case.
Coupling the opt-in with a competition entry may be allowed if there are alternative ways to enter, i.e. if the participant has the opportunity to enter the competition by post, for example, or some way other than just by email. If this option is not available, then coupling is not permitted.
The alternative must also be clearly stated on the form. If there is no alternative provided, it cannot be coupled, and a separate checkbox must be provided for the newsletter subscription.
In general, the following applies: the more offered "in return" for registering, the more likely it becomes that it will not be permissible.
If the storage of IP addresses is not permitted, then how can they be documented for the purposes of evidence of consent?
It is not categorically true that IP addresses cannot be stored. Although an IP address is indeed personal data under the GDPR, the controller's interest in processing it (for example as evidence of consent) will generally outweigh the data subject's interests in accordance with Art. 6 (1) (f) GDPR, provided it is kept only for that purpose and only for as long as the evidence is needed.
Can information that is not necessarily required for email marketing, such as gender or title, still be used?
This is also a complex issue. If the controller has a legitimate interest (for the marketer, for example, an improved matching with the interests of the customer) and the interests of the data subject (the customer) do not outweigh this, this may continue to be permissible in accordance with Art. 6 (1) (f) GDPR.
Does the customer in fact have to be offered the option of being able to delete all personal data stored on different systems with just "one click"?
No. After receiving a request, the controller must delete the data without undue delay and in any event within one month of receipt (Art. 12 (3) GDPR), and confirm this to the person concerned (the data subject).
Am I allowed to continue collecting pseudonymized data (tracking) in order to continue to understand how my website is used?
Yes, see the answers above on Web Extend tracking and on the storage of IP addresses.
Can I use customers' back-end data for analysis, e.g. to determine the quality of a customer segment, if I then only contact those customers who opted-in for personalization?
Yes. If the customer has been adequately informed about this (e.g. in the privacy policy) and has consented to this, then this is permissible.
A customer is requesting information about their stored data – what is the easiest way to transmit this information to the customer and what form should the information take?
There is no legally prescribed form. Art. 15 (3) sentence 3 of the GDPR only requires the following:
"Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form."
The easiest way to do this would be by email, for example with an attached spreadsheet or CSV file. Before sending anything, make sure the request actually comes from the data subject; Art. 12 (6) GDPR allows you to ask for additional information to confirm their identity where you have reasonable doubts.