GDPR – what do you really need to know?
In principle, all companies that have their registered office within the European Union (EU) or serve or supply customers from the EU are affected by the GDPR. The EU General Data Protection Regulation replaces Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data from 1995. The six legal bases for the processing of personal data are an essential part of the GDPR:
- Consent: Every company needs the consent of the customer or subscriber to store their data. Sending emails without explicit consent is therefore in breach of the EU Data Protection Directive.
- Contract fulfilment: It is necessary to conclude a contract with the customer in which he/she agrees to the data processing. For existing clients, an updated consent must be obtained from the client.
- Fulfilment of a legal obligation: There are also data that must be processed without specific consent because they are required by law. This includes, for example, employment records, occupational health and safety records or accident reports.
- Vital interests: Only concerns companies such as emergency services that receive a patient list and consequently do not need written consent.
- Public interest: This legal basis includes official interests, such as tax offices, or also parties. Here, too, there is no obligation to give consent due to the public interest situation.
- Legitimate interest: This legal basis is probably the least clear. For example, there are certain scenarios, albeit vague, in which data may be processed without consent. These may include, for example, customer or service relationships, or fraud prevention procedures. In case of doubt, a lawyer should be consulted first when applying this legal basis.
Thanks to these legal foundations, the EU data protectors want to curb the unnecessary collection of customer data and create legal certainty for all those who are allowed to process data even without consent. Conversely, this means that only if the data is really important, for example, in order to be able to fully use the experience of an online offer or to be able to carry out billing, is it data worth collecting. But even this data may only be obtained by the company in a legally sound manner. That is, they need the consent of the customer or interested party. This can be done, for example, through a registration form with a double opt-in and a reference to the company’s data protection regulations.
Whether the company’s data protection regulations also need to be adapted depends on the offer and the data obtained. In any case, if not already done, every company should undergo a GDPR check. Lawyers can help here, but also many online agencies, which have often acquired know-how on the subject, but of course cannot guarantee legal correctness.
GDPR and the subscription economy
Digital subscription offers are particularly affected by the GDPR. The reasons for this are obvious: for a flawless user experience, the subscription company needs data such as email address, name, postal address and even payment data for the purchase transaction. The company needs consent for all of this data – not only from the customer, but also from the interested party who, for example, has merely signed up for the newsletter distribution list via the website.
Specifically, you need consent to use personal data for the following scenarios:
- Existing customers (buyers): Consent is assumed to be given, but existing contracts should be checked.
- Former customers: Companies are no longer entitled to store the data of former customers – unless they have consent.
- Active email subscribers without verifiable consent: Companies must demonstrate that the newsletter distribution list offers added value for the recipients. Otherwise, they must delete them.
- Inaktive E-Mail-Subscriber: Diese Daten müssen gelöscht werden.
- New customers / email subscribers: In order to prove to data protection authorities that consent has been given, the wording of the declaration of consent should also be saved for each customer. Only an Excel list with customer data with the exemplary heading “Consented customers” is not sufficient here.
In addition, companies must also conclude updated contracts with employees and agencies and other suppliers. The new data protection law distinguishes between the data controller (usually the company that needs the data) and the contract processor (usually an employee or agency acting on behalf of the company).
GDPR – the most important tasks at a glance
At first glance, the new data protection law provides more obligations than rights. After all, compliance with the GDPR entails a lot of homework on the part of the company:
- Which customer data are obtained?
- Which customer data is really needed (keyword proportionality)
- Do you keep an order processing directory to be able to prove who has access to which customer data in your company and beyond?
- How is the data secured (for example, is business data used on private smartphones)?
- Does the data protection consent need to be updated? (e.g. registration and contact forms)
- Are all online and offline data sources GDPR compliant?
- Is there a data protection notice on the website?
- The user must have the possibility to object to receiving advertising
- The user must be granted a right to be forgotten. So how quickly can the company implement a deletion request?
- Are the data protection guidelines up to date?
These are only the most important examples of measures that are necessary to operate a GDPR-compliant offering.
Using the GDPR as a competitive advantage
A European subscription company, and not only those, are often in direct competition with American or Asian companies. Similar to the “Made in Germany” seal, European data protection can certainly be used as a competitive advantage. After all, the General Data Protection Regulation was developed primarily with customer friendliness in mind. Companies that advertise with the GDPR are therefore considered particularly secure and trustworthy by users.
However, every company must stay tuned and understand the GDPR as a dynamic process. For 2019, further measures will be taken to optimise the data protection law. First and foremost is the so-called ePrivacy Regulation, or ePV for short. Its contents have not yet been finalised, but it is considered the next stage of the GDPR. All online providers, such as websites, online tracking tools or offers that use electronic direct marketing, including newsletter and subscription providers, will be affected.