On May 25, 2018 the new GDPR (General Data Protection Regulation) that is valid EU-wide came into effect. For many companies from the promotional products industry this means that they will have to examine their data protection measures and bring them up to a higher level. A complex undertaking that raises many issues: What is personal data? When is one allowed to call existing customers? How do service providers have to handle order-related data? Which penalties could result from violations? eppi magazine clarified these and similar issues with the lawyers Dr. Kristina Schreiber and Dr. Stefan Maaßen, LL.M.
Why is the GDPR introducing changes to the data protection law?
A new data protection law was long overdue: on the one hand because the currently applicable law is outdated in many respects due to the technological changes that have occurred in the meantime. If you read the old text, you will notice in many places that the legislation still has data processing in “hanging files” in mind rather than the use of digital media. This is different nowadays. On the other hand, the new law finally introduces uniform conditions throughout Europe and thus aligns the competitive conditions in the European countries. The new GDPR applies directly and uniformly throughout the EU. The conditions are, however, still not exactly the same: the national lawmakers can (and in some cases must) stipulate specifications, supplements and deviations.
Double opt-ins, deletion obligations, documentation and retention obligations, audit-compliant e-mail archiving… What is currently being widely discussed has already been mandatory in many EU states for years. Will the coming into force of the GDPR really bring about significant changes for companies?
Many of the content-related obligations that the GDPR imposes on companies are not significant changes. However, comprehensively observing data protection law has not always been the companies’ highest priority hitherto. Furthermore, the formal obligations have been significantly extended: the keyword “accountability” signifies the comprehensive obligation of each company to be able to prove that the double opt-in, deletion obligations and much more are observed. Here each of them is responsible for managing its internal organisation sufficiently – this increases the documentation requirements. In addition, considerably more obligations are subject to fines than was previously the case: for example, a fine can be imposed if merely a “processing record” is missing, and – as has been sufficiently discussed over the past months – the fines can be much higher than in the past.
Will the former data privileges for companies that operate exclusively in the B2B area remain intact?
The GDPR doesn’t differentiate between companies that operate in the B2B area and those operating in the B2C sector. The focus is on personal data, which is regularly processed in the B2B area too, i.e. the contact persons are saved by the contract partner. However, there are criteria in the GDPR which indicate that a lower level of data protection is acceptable than in the B2C sector. This is demonstrated for instance by the fact that the necessary protection level is also to be measured according to the risk of data loss for the affected parties, and that this risk is regularly higher for the loss of private data than for professional contact data becoming known. Furthermore, a weighing up of interests often determines the permissibility of the specific data processing (“company vs. affected parties”). Here too, the interests of the affected persons regularly weigh less heavily against the processing of professional information than against that of private information.
You say that the focus of the GDPR is personal data: What is personal data exactly?
Personal data is all information that relates to a specific or specifiable person. So we always need a (possible) personal reference, which however can be understood in a broad sense. It suffices if the company itself, or with the help of third parties which the company can potentially oblige to assist it, can identify an individual person. In concrete terms: name, age, bank account or a name-based e-mail address are per se personal data, even if they are professional contact data. And even as a mere “series of numbers” the IP address is personal data if there is a possibility of assigning it to a specific person – the Internet provider, for example, can regularly assign the number to a specific person (and has to do so in situations relating to criminal prosecution or copyright law). Hence, in practice, in case of doubt one should always assume that it is a question of personal data, unless there are reliable reasons that negate a personal reference.
Do companies of all sizes have to fulfil all GDPR demands or are there restrictions?
In principle, companies of all sizes have to fulfil all of the demands of the GDPR. There are only individual alleviations – e.g. if a company has fewer than 250 employees, the obligation to maintain an employee directory can be dispensed with, but only if personal data is not regularly processed – this exception does not apply as soon as employee data and salary payments are handled electronically. In practice there are indications that the GDPR provisions will not be applied as strictly to small and medium-sized companies; the EU Commission has already published guidelines that are more pragmatically formulated than the demands on the bigger companies.
The legislation demands transparency: Companies are thus called upon to publish a comprehensible and complete data privacy statement. What does this have to contain and where does it have to be published?
The requirement for transparency is really an important cornerstone of the new data protection law. Everyone should know reliably and clearly – keyword: consumer protection – what happens with his own data. This initially also applies to the Internet: every homepage operator must explain simply, comprehensibly and comprehensively how he handles information about the homepage visitors. The previous data protection declarations thus regularly have to be expanded, and falling back on “standard components” should be viewed with caution. Significant changes here are the obligation to state the legal basis and the contact data as well as comprehensive instruction about the rights of the persons affected. As to date, it must be possible to call up this data privacy statement from every point of the internet offer within a maximum of “two clicks”. Incidentally, extensive information obligations apply elsewhere too: every collection of data has to be accompanied by extensive information on the manner of the subsequent data processing. “Instruction leaflets” are to be compiled for a wide range of situations and conveyed to the affected people via the usual communication channels. In concrete terms this means: video monitoring has to be explained through a notice on-site; in the scope of a prize draw a “supplement” may be necessary, or at least a summary of the “first level information” with a reference to an easily accessible Internet page where further information is stated. It is always important that the information is easily accessible for the affected people. This can lead to a wide variety of demands in individual cases.
Does the data privacy statement have to be provided with every order or every order transaction or does a general reference to the place where the data privacy statement can be found suffice?
In principle, the information has to be provided on every initial contact. A mere reference to a place where the details can be found suffices only in exceptional cases. This of course does not mean that an “instruction leaflet” is necessary for each e-mail contact in long-lasting business relationships. The obligation to inform only applies when data is collected and when existing personal data is to be processed for a new purpose.
The data storage underlies the principle of purpose. What does that mean in concrete terms?
In concrete terms this means that collected personal data can in principle only be processed (i.e. also saved) for the purpose for which it was collected. The question “why and for what do I need the data?” must be determined and adhered to from the very start of the data processing. For example, you are not allowed to use the contact data from a prize draw without further ado to inform the prize draw participant about the company’s latest offers or to send them a newsletter. However, the GDPR no longer views this principle of purpose limitation as strictly as the previous data protection law did. Processing for a “compatible” purpose may be permitted in future, e.g. if the person has provided valid consent to receive advertising about very similar products of the same supplier.
The legislation demands that the data collected is in principle deleted after the purpose has been fulfilled. How long can the data belonging to an order, e.g. the dispatch of 1,000 personalised ballpoint pens to individual recipients, be stored?
Even if the original purpose “consignment of personalised ballpoint pens” is fulfilled with the dispatch, storage rights and obligations from other laws make further storage of the data sets, in whole or at least in part, necessary. For example, there is a legitimate – data protection law approved – interest in storing these until the expiry of the given time limits for possible guarantee claims, and the tax and commercially related storage provisions of up to ten years also have to be complied with. But here it is important to take into account that these storage rights and obligations often don’t apply to all of the data, so that parts of the data sets, e.g. the mobile phone number of the recipient – if technically possible – can be deleted before the other data.
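The field-level deletion described above (remove the recipient’s mobile number as soon as dispatch is complete, keep the fields needed for warranty and tax purposes until their own periods expire) can be implemented as a per-field retention policy keyed by purpose. The following is an added illustration, not code from the interview or from eppi magazine; the retention periods, field names, purposes and the sample record are assumptions for the example, and the real periods must be taken from the applicable tax, commercial and warranty law.

```python
from dataclasses import dataclass
from datetime import date

# ASSUMED retention periods in days per purpose; for illustration only.
# The real periods come from the applicable tax, commercial and warranty law
# (the interview mentions commercial/tax retention of up to ten years).
RETENTION_DAYS = {
    "dispatch": 0,        # needed only until the consignment has gone out
    "warranty": 2 * 365,  # assumed guarantee period for the printed item
    "tax": 10 * 365,      # statutory commercial/tax retention, up to ten years
}

# Hypothetical mapping of each stored field to the purpose that justifies keeping it.
FIELD_PURPOSE = {
    "recipient_name": "tax",      # appears on the invoice / delivery note
    "recipient_address": "tax",
    "mobile_phone": "dispatch",   # only used to reach the recipient for delivery
    "imprint_text": "warranty",   # needed to handle complaints about the print
}


@dataclass
class OrderRecord:
    order_id: str
    dispatched_on: date   # the day the purpose "dispatch" was fulfilled
    data: dict            # field name -> stored value


def expired_fields(record, today_iso):
    """Names of fields whose purpose-based retention period has run out as of today_iso (YYYY-MM-DD)."""
    elapsed = (date.fromisoformat(today_iso) - record.dispatched_on).days
    return sorted(
        name for name, purpose in FIELD_PURPOSE.items()
        if name in record.data and elapsed > RETENTION_DAYS[purpose]
    )


def purge(record, today_iso):
    """Delete expired fields in place and return their names for the deletion log."""
    deleted = expired_fields(record, today_iso)
    for name in deleted:
        del record.data[name]
    return deleted


def sample_record():
    """Constructed sample: one recipient of a personalised ballpoint pen order (not real data)."""
    return OrderRecord(
        order_id="ORD-0001",
        dispatched_on=date(2018, 5, 25),
        data={
            "recipient_name": "Example Recipient",
            "recipient_address": "Example Street 1, Example Town",
            "mobile_phone": "+49 000 0000000",
            "imprint_text": "Thank you for 10 years of partnership",
        },
    )


if __name__ == "__main__":
    rec = sample_record()
    # Run the purge on successive dates and show which fields go and which stay.
    for today in ("2018-05-25", "2018-06-01", "2021-01-01", "2030-01-01"):
        print(today, "deleted:", purge(rec, today), "remaining:", sorted(rec.data))
```

Running the purge job on a schedule keeps the record of what was deleted and when (the returned list is meant for that log), which is what the accountability obligation asks for. Where a system cannot delete individual fields, the same policy can be applied by overwriting the expired fields with a placeholder instead.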
If the data is to be deleted in principle after serving its purpose: Am I not allowed to use it internally for other purposes such as sales activities?
The further use of personal data for other purposes constitutes a change of purpose. This is only possible if permission for it is found in data protection law itself, which can lie beyond legal obligations such as the tax-related data retention obligation, e.g. in a separate consent or in the company’s legitimate interest. This has to be carefully checked in each individual case; the following guideline applies: similar purposes (keyword: “compatibility”) are more readily combinable with each other than use for a totally different purpose, and sending advertising to the professional address is less burdensome and thus more likely to be permitted than a telephone call to a private telephone number. The important thing here: the GDPR explicitly states that direct marketing constitutes a legitimate interest. This opens up many possibilities, if the weighing up of interests is carried out and documented carefully.
Will it then be simpler or more difficult to carry out direct marketing measures that are compatible with the data protection laws in future?
At the present moment in time the only thing that is certain is that the data protection admissibility will become more uncertain: whereas there were hitherto paragraphs on permissible advertising measures, in future there will only be the reference to a necessary weighing up of interests. During the initial stage of application this will in particular bring uncertainties with it as to how the authorities and courts will evaluate the weighing up of interests. The rule of thumb is that orientating oneself on the former requirements is a good starting point.
Can newsletters also be sent out to the existing customer base without double opt-ins?
Regarding newsletters, the double opt-in is less a precondition for obtaining consent than a central element of the companies’ obligation of accountability, for example for proving the consent and the fulfilment of the information obligations. Without such measures, dispatching a newsletter can possibly be acceptable if a legitimate interest applies because it is being sent to existing customers who have a close association with similar products already purchased. Here one also has to keep in mind that a further EU regulation (the so-called ePrivacy Regulation) is currently in the legislative pipeline. Should it come into force, its provisions will have to be taken into account.
Are certain advertising measures easier to conduct than others?
As before, the following clearly applies – always provided that there is no explicit consent allowing advertising measures: mailings sent by post can be allowed, telephone calls in the B2B sector possibly too, regular mailings per e-mail are not allowed.
Let’s look at a few concrete examples: An exhibitor receives an enquiry for a sample at a trade show: He sends the sample to the person, but doesn’t get the order. Is he allowed to inform the trade show visitor about other offers from his own company without having the latter’s explicit consent?
If the person has not given his consent to receiving information about other offers, this may still be permitted under data protection law because the company has a “legitimate interest”. Each individual case always has to be evaluated (and documented), but generally the following applies: this is more likely to be the case for offers that fall under a similar category to the requested sample than for totally different products. The form of address is also significant: this may be admissible by post, but addressing the company by telephone would be critical under competition law alone (in addition to the data protection aspects), and it is certainly not permissible by e-mail. Should the company be addressed, the obligation to supply information as well as a reference to the right to opt out have to be observed.
A distributor invites customers to attend a trade fair: Is he allowed to invite those visitors, who have registered to attend, to a follow-up show next year without their explicit consent?
Here we are talking about a closely linked purpose, so that permission via a legitimate interest is more likely than in other constellations: when weighing up the interests, the fact that the visitors registered to attend in the previous year and thus confirmed their interest in such events speaks in favour of an overriding interest of the distributor. However, one has to heed – also in terms of competition law – the form of address. The same applies here too: sending the invitation by post is less questionable than using electronic means.
A buyer orders T-shirts on the Internet for a trade fair campaign and leaves his contact data: Can one subsequently contact this customer by telephone or e-mail about other product areas of the company (e.g. workwear)?
In terms of data protection law this could possibly be justified from a “legitimate interest” angle, especially if the customer is acting in the scope of his professional duties. However, contacting the customer by telephone would only be permissible, at least in terms of competition law, if there is a close connection between the T-shirts for the trade fair campaign and, for instance, the workwear; this would not really be the case for musical instruments. The further apart the offers are from the ordered item, the more careful one has to be and the more likely it is that arguments for the inadmissibility of the advertising will be found under data protection law. An e-mail address only comes into question – in terms of competition law alone – if a business transaction has been concluded.
A company sends out a calendar with a personalised name to 1,000 customers. Is it even allowed to do so?
Many customers are delighted to receive a personalised give-away, but others aren’t. It can be permissible from a data protection point of view if there is a “legitimate interest” for the respective company. This can be approved in individual cases – as a direct marketing measure – if the calendar can be sent to the customer like a letter, in other words dispatched without any special effort such as having to be sent as a package. Furthermore, it has to be taken into consideration which pictures the calendar contains and what form the contact with the customer takes: all of the interests involved have to be carefully weighed up, documented and accompanied by a reference to the opt-out option.
A distributor processes the order for this company and sends out a calendar to the recipient: What has to be heeded in terms of the GDPR?
This clearly falls under the “processing of an order”, since the distributor has been instructed to act on behalf of the company. Here it is important that the order processing contract has been drawn up in accordance with the new GDPR and that its provisions are observed.
The distributor passes on the data to a supplier of calendars, a printing company or a dispatch company. What has to be taken into account?
Passing on data is always possible and allowed if the respective company has been instructed to act on behalf of the distributor, with whom an order processing contract has been drawn up according to Art. 28 of the GDPR, the requirements of which are observed, and as long as the company that has commissioned the distributor has approved this “sub-contracting”. Such an approval is provided for by the GDPR – albeit in a stricter form compared to the existing law – and is thus laid down in the order processing contract. To facilitate matters it can be agreed that informing the contracting company suffices as long as the latter does not object. If a GDPR-conform chain of order processing contracts exists, the contracting company is liable externally vis-à-vis the affected persons and may be held harmless internally across the chain. Hence, the distributor may possibly have to take responsibility for the errors of his sub-contractor. The distributor is also responsible towards the fine-imposing supervisory authority for carefully selecting and monitoring his sub-contractor and, where applicable, for intervening in the event of data security shortcomings or the like.
What happens if companies that are located beyond the jurisdiction of the GDPR – e.g. production companies in the Far East – are used for processing the data?
If companies from so-called “non-member states”, i.e. countries outside of the EU, are commissioned as contractors, it has to be safeguarded in the scope of the order processing contract that a sufficient level of data protection is also secured in the target country through adequate guarantees. There are various tools for this purpose, e.g. adequacy decisions of the EU Commission may exist, or one can fall back on the EU standard contractual clauses for contract data processing, which have to be agreed upon.
The GDPR also includes a documentation requirement: What does this entail?
The documentation requirements that are standardised in the GDPR are extensive. The aim is to be able to prove that the data protection provisions are comprehensively observed, and this has to be proven continuously. Every company that processes personal data is subject to this so-called “accountability”. The starting point is the so-called processing record, which continually records all current processing steps that involve personal data. Thus the record has to be revised whenever a relevant change is made. However, this is not the whole extent of the documentation requirements – the consents, the legitimate interests, the order processing contracts, suitable guarantees for the non-member state transfer, the ability to satisfy and the fulfilment of the rights of the affected persons and similar issues also have to be documented.
Does the regulation differentiate between the sensitivity of the data collected? For example, is data which enables a clothing size to be allocated to individual names considered to be more sensitive than data containing individual names and positions within a company?
Yes, there are considerable differences with regard to sensitivity: the higher the risk to the affected person if the data is revealed, the higher the protection requirement. Since the clothing size reveals more information about a person than his professional position, the clothing size has to be protected more. Generally the following applies: data protection law covers all personal data. How high the protection requirement is in each individual case depends on how important the information is for the respective person.
Sales employees often learn personal facts from their customers (e.g. birthday, number of children, etc.). Should one refrain from storing this personal information in the software?
Overall one should refrain from storing it. It can only be saved if there is a legitimate company interest in a specific piece of data and this is not outweighed by a conflicting customer interest. What will always play a key role here in future: the legitimate interest and the weighing up of interests have to be documented. The GDPR prevents a comprehensive collection of data as far as possible.
To what extent are companies obliged to protect themselves against illegal access by hackers or other data abuse?
Companies have to guarantee “appropriate” data security. What is considered appropriate depends on the data concerned – i.e. the risk for the affected person if the data is revealed without authorisation – the state of the art and the implementation costs. In short: bank data has to be protected better than an address database with professional e-mail addresses.
What does one have to do if a slip-up occurs?
In such a case one has to report the incident to the responsible supervisory authority as soon as possible, at the latest 72 hours after it becomes apparent, unless a risk for the affected persons can be ruled out. The notification always has to occur within 72 hours, even if not all of the circumstances are known at this point in time. In certain cases the affected persons also have to be notified about the incident.
Which penalties can companies expect in the event of breaches of individual points of the GDPR? And who actually controls all of this?
Different consequences can result from violations of the GDPR. In addition to compensation claims by the affected persons, the perpetrators can be fined. Depending on which obligations of the GDPR are violated, fines ranging from 10 million euros or 2% of the annual worldwide turnover up to 20 million euros or 4% of the annual worldwide turnover – whichever is higher – can be imposed. The observance of data protection law is controlled by the designated supervisory authority in each respective federal state. Affected persons can complain to these bodies and thus initiate proceedings. Competitors can also make claims regarding market-relevant violations and prevent them from reoccurring by obtaining a preliminary injunction; however, this is already possible today. There are thus ultimately three gateways for monitoring – the affected parties, the competitors (among others also associations) and the supervisory authorities.
The GDPR comes into effect on May 25, 2018: What happens if companies haven’t fulfilled all of the points of the GDPR by then?
From May 25 onwards the supervisory authorities can enforce observance of all of the provisions of the GDPR. However, in reality not every company can be monitored (immediately) in terms of its observance of data protection law; it is also unclear which companies the supervisory authorities will focus on and how they will proceed in selecting the companies to be audited. If a company strives to implement the provisions of the GDPR but hasn’t succeeded in covering all points yet, this will no doubt have less far-reaching consequences than if a company hasn’t even started to implement the provisions by May 25. Beyond possible action by the supervisory authority, one should take into consideration that the affected persons have extended rights from this point in time onwards, which they can assert at any time, and that competitors and associations can file complaints about market-relevant violations of the GDPR.
Finally, an assessment: Is the GDPR an absolute red-tape monster or does it in your opinion bring relief and improvements in the area of data protection?
The GDPR definitely entails significantly increased documentation and accountability obligations, which will initially involve a lot more effort. However, this also brings opportunities for companies to examine their own processes, align their data security measures and exploit synergies, e.g. by adopting new digitalisation strategies. Beyond this, compared to the existing law, the GDPR has one decisive advantage: in many points it is more practice-oriented, for example in the explicit ability to take implementation costs into consideration when assessing the appropriate level of data security, and in the acknowledgement of direct marketing measures and of communications within the company group as legitimate interests of a company.
// Dr. Mischa Delbrouck spoke with Dr. Kristina Schreiber and Dr. Stefan Maaßen.