The EU General Data Protection Regulation (EU GDPR) has been in force for some time and there is a certain amount of uncertainty everywhere. First and foremost, marketers are asking themselves one crucial question: What does the GDPR mean for my email marketing?
The EU GDPR applies specifically to the automated processing of personal data. Personal data is any information relating to an identified or identifiable natural person. A person is identifiable if he or she can be identified by association with an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics. In email marketing, this is already given by the email address.
The General Data Protection Regulation regulates whether data processing is permitted or not. This is not fundamentally new. What is new, however, is that the GDPR also provides for extensive documentation, organizational and transparency obligations. On the one hand, this should lead to the responsible parties dealing with the consequences of data processing under data protection law, and on the other hand, the extensive documentation and transparency obligation should facilitate control by the legislator.
To whom are you allowed to send advertising emails?
1. Anyone who has consented to the processing of their data. Consent must be given by a clear confirmatory act. Since certain requirements of the GDPR must also be met here and you must prove at any time that you have received this consent, by using the so-called double opt-in procedure (DOI) when registering for the newsletter. This means that you can integrate a "Keep me informed" button into your website without any further restrictions, but you should use the DOI when registering for the newsletter and document the consent in a traceable manner at all times. Pre-checked boxes or other procedures that do not require active, informed action by the data subject are not permitted.
2. Any person whose email address you have obtained in connection with the sale of a product or service - but beware: you may only use the address for direct marketing of your own similar goods and services if the customer has not objected to the use. In addition, when you collect the address and every time you use it, i.e. in every newsletter, you must inform the person concerned that they can object to the use at any time. You should also be careful with so-called tying. Tying means that you make the provision of a contractual service dependent on whether the customer has consented to the processing of his data, i.e. the sending of advertising emails. Although this is not prohibited in principle under the new General Data Protection Regulation, such tying is taken into account when assessing the voluntariness of consent.
It should now be clear to you which people you can send promotional emails to without complications. But how do you get new addresses without violating the provisions of the General Data Protection Regulation?
By email:
Under the GDPR, of course, you can't send unsolicited emails to potential new customers. You can't. However, you are allowed to send emails to individual addresses if there is a so-called "legitimate interest". In this email, however, you should include a link to your privacy policy and state the reason for contacting.
By phone:
You can still call potential customers, of course. Cold calling by phone is not covered by the GDPR. However, before you store a prospect in your database, you should obtain his consent. So ask him on the phone if he would like to receive your newsletter and send him an email with a link to the newsletter subscription (double opt-in) directly after the phone call. The email should also state why you called, what you agreed in the conversation and why you are sending this email afterwards.
Networking:
Collecting business cards at events and conferences is a tradition in sales. Simply sharing the contact information you collect with mailing lists and using it for marketing purposes is not allowed under the GDPR. What you are still allowed to do, however, is to send personal emails to individual addresses or make phone calls, as there is a legitimate interest in maintaining contact after the business card has been exchanged.
Via social media:
The General Data Protection Regulation does not prevent you from finding potential customers on social networks and contacting them there. After such an initial contact, you can obtain consent for further contact maintenance and the sending of a newsletter or marketing emails. But beware. If in doubt, you must of course be able to prove that you have obtained this consent. As in all other cases, good documentation is particularly important here.