Data protection in online marketing and social media under the GDPR (DSGVO)
On 25 May 2018 the transitional period for implementing the EU General Data Protection Regulation (GDPR) expired; from that date, affected companies must have implemented it.
At the same time, the Regulation brings significant simplifications for companies operating internationally in the online sector, since one set of rules now applies directly across the EU.
Fundamentals
The GDPR applies only when personal data are processed. "Processing" is broad: storing, analysing or even granting a third party access to the data all count as processing.
The GDPR applies to all companies operating in the EU market, regardless of where they are established; it therefore also applies, for example, to US companies such as Facebook or WhatsApp, since they process the personal data of people in the EU.
In addition to the high fines, it is also new that not only the affected person but other parties as well, for example competitors or consumer protection associations, may issue a warning (Abmahnung) to a company. With the GDPR, companies also carry the burden of proof: they must be able to demonstrate what they do with personal data (accountability).
Since practical experience with the GDPR is still lacking, there is considerable uncertainty among companies, and this will persist until the courts have dealt with the decisive questions and recommendations for action crystallise accordingly.
In the following, selected areas of online marketing and social media are briefly discussed in order to sensitise companies to the various issues. The individual explanations do not claim to be complete, and each case should be examined individually.
Legal permission or consent
Under the GDPR (as under the previously applicable data protection laws), the processing of personal data is prohibited in principle. In practice it is impossible not to process personal data, which is why there are exceptions to this principle: processing is permitted where a law provides for it or where the data subject has consented.
Article 6(1) GDPR defines when processing of personal data is lawful. This is the case in particular if the data subject has given consent (lit. a), the processing is necessary for the performance of a contract (lit. b) or the processing is necessary for compliance with a legal obligation (lit. c).
Online marketing
1. Direct marketing as a legitimate interest
Marketing measures can be regarded as a legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR; Recital 47 expressly names direct marketing as a possible legitimate interest. However, in the individual case the data subject's interests and fundamental rights must not override the company's economic interest. How exactly these conflicting interests are weighed cannot be stated in general terms, but several aspects suggest that the legitimate interest in online marketing prevails over the individual's interests worthy of protection.
One can come to this conclusion
when online marketing measures are to be expected by the user;
if the company informs the user in detail and transparently (in particular also about the protection of their personal data);
if only data of low sensitivity is processed (e.g. only e-mail addresses);
if the user can object to the data processing and
if the impairment for the user is only minor.
However, whether the interests are actually weighed in this way in the end, and online marketing is thus interpreted as a legitimate interest of a company, cannot yet be conclusively assessed, as the GDPR itself does not settle this.
2. Social media
Monitoring
Companies increasingly use social media monitoring to pick out the latest trends and opinion tendencies and thus align their marketing measures and strategies with their target group.
Individual statements by users in social networks are analysed in anonymised form (social listening), interpreted and used accordingly. Such a procedure is only lawful if the social media profile of the respective user is publicly accessible, i.e. can be viewed by anyone, or the individual posts can no longer be attributed to a natural person.
However, the data subjects must be informed after their data has been stored for the first time; the obligation to inform under Art. 14 GDPR (within a reasonable period, and at the latest within one month of obtaining the data) also applies to social media monitoring.
According to Article 22(1) GDPR, the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. In practice, this means that social media monitoring that feeds into such decisions about individuals requires their explicit consent.
Marketing
If social media profiles are used in a company's marketing, the imprint (Impressum) obligation applies, regardless of the social media platform used.
When integrating social media plug-ins on websites, caution is required from a data protection perspective: the plug-in is loaded from the platform provider's servers, so the provider receives data about every visitor of the company website (at least the IP address and the page visited) as soon as the page loads, whether or not the visitor uses the plug-in. In principle, care should be taken to ensure that such plug-ins only become active once the user has activated them himself (the so-called two-click solution).
Embedding social widgets and social media content on a company's website is permitted as long as the embedded posts are publicly accessible.
Social media platforms as data processors
Social media platforms generally assume the role of data controller. Depending on the constellation, however, they can also act as data processors in cooperation with companies. For example, if the social media platform processes user information on behalf of an advertiser, the advertiser is generally responsible for compliance with the data protection provisions, which obliges the advertiser to establish an appropriate legal basis for the processing of the data by the social media platform (e.g. the user's consent). In addition, if the provider of the social media platform acts as a commissioned data processor, companies should agree a corresponding addendum (a data processing agreement pursuant to Art. 28 GDPR) in their contracts with the provider.
3. Tracking codes
It can be assumed (though it is not certain) that the use of analytics tools and pixel technologies (so-called tracking codes) constitutes a legitimate interest and that users must expect this type of data processing.
In principle, such tracking codes can only be used in a data-protection-compliant manner with an opt-out function. However, most providers of the respective tracking codes do not currently offer solutions for this, so companies have to find their own.
The problem is that tracking codes collect data as soon as a website is called up, not only after the user has had the chance to decide. The opt-out, however, would have to take effect before any data is collected and transmitted. This can be circumvented in various ways (e.g. an upstream landing page with all the information and an opt-out function), but in most cases the user journey would be anything but pleasant.
What is clear is that merely mentioning the tracking codes used in the privacy policy is not sufficient, although such information must not be missing if these technologies are used. The privacy policy must explain the tools in use and contain a link through which the user can switch off the tracking.
When using Google Analytics, an additional line should be added to the tracking snippet so that the IP anonymisation setting is enabled: the users' IP addresses are then shortened before they are stored and are thus no longer personally identifiable.
It should also be noted that uploading e-mail addresses and automatically adding users to groups for targeted advertising (e.g. Custom Audiences on Facebook) without the users' prior consent (opt-in) is not in line with data protection requirements.
4. Consent (opt-in)
The new requirements for the data subject's consent are a key component of the GDPR. Where a company's legitimate interests do not clearly outweigh those of the data subject, or where there are doubts about the permissibility of the processing, the active and unambiguous consent of the data subject is mandatory. Electronic consent (a tick box) is permitted, but the box must not be pre-ticked, and silence or inactivity does not constitute consent.
Companies must explain to the data subject in detail which data are collected and what specific purpose the processing serves. If several different purposes are pursued, this must be explained and consent must be obtained separately for each purpose. Consent must be given voluntarily, and the data subject must have been fully informed, including about the rights to which he or she is entitled and about the right to withdraw consent at any time (informed consent).
In addition, the so-called prohibition of tying (Art. 7(4) GDPR) must be observed: the conclusion of a contract may not be made dependent on the user consenting to data processing that is not necessary for that contract.
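The following is an added example, not code from the article or from any tracking provider. It shows, in one place, the technique sections 2, 3 and 4 describe: a consent gate that keeps third-party scripts (an analytics tag, a share-button plug-in) off the page until the user actively opts in, with each purpose consented to separately and an opt-out that blocks further loads. It also includes a server-side IP truncation that mirrors what Google Analytics' anonymizeIp setting does (last octet of IPv4, last 80 bits of IPv6 zeroed). The tag names, the plug-in URL and the function names are assumptions made for the example; the analytics.js call ga('set', 'anonymizeIp', true) is the documented way to enable IP anonymisation in that library.

```javascript
// Added example (not from the article): per-purpose consent gate for
// third-party tags plus server-side IP truncation matching GA's anonymizeIp.
// Tag names and the plug-in URL are placeholders.

// Google's documented anonymizeIp behaviour: zero the last octet of an IPv4
// address and the last 80 bits of an IPv6 address. Applying the same rule to
// your own server logs keeps them consistent with what the privacy policy says.
function anonymizeIp(ip) {
  if (ip.includes(':')) {
    const [head, tail = ''] = ip.split('::');
    const h = head ? head.split(':') : [];
    const t = tail ? tail.split(':') : [];
    const groups = ip.includes('::')
      ? [...h, ...Array(8 - h.length - t.length).fill('0'), ...t]
      : h;
    if (groups.length !== 8) throw new Error(`malformed IPv6 address: ${ip}`);
    return [...groups.slice(0, 3), '0', '0', '0', '0', '0'].join(':');
  }
  const parts = ip.split('.');
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p))) {
    throw new Error(`malformed IPv4 address: ${ip}`);
  }
  parts[3] = '0';
  return parts.join('.');
}

// The gate. Nothing is requested on page view; a script is loaded only when
// grant(purpose) is called from a user action (an unticked box, or the
// "activate" overlay of a two-click plug-in). loadScript is injected so the
// same logic runs in a browser and in tests.
function createConsentGate(loadScript) {
  const tags = new Map();      // purpose -> [{ name, src, init }]
  const granted = new Set();   // purposes the user has opted in to
  const loadedTags = [];

  return {
    register(purpose, tag) {
      if (!tags.has(purpose)) tags.set(purpose, []);
      tags.get(purpose).push(tag);
    },
    grant(purpose) {
      if (!tags.has(purpose)) throw new Error(`unknown purpose: ${purpose}`);
      if (granted.has(purpose)) return [];   // idempotent: never load twice
      granted.add(purpose);
      const names = [];
      for (const tag of tags.get(purpose)) {
        loadScript(tag.src);
        if (tag.init) tag.init();            // e.g. set anonymizeIp before the first hit
        loadedTags.push(tag.name);
        names.push(tag.name);
      }
      return names;
    },
    // Opt-out: a script already on the page cannot be unloaded, so withdrawal
    // blocks further loads and must be persisted (cookie/localStorage) so the
    // next page view starts in the opted-out state.
    withdraw(purpose) { granted.delete(purpose); },
    isGranted(purpose) { return granted.has(purpose); },
    loaded() { return loadedTags.slice(); },
  };
}

// Constructed registration used by the demo below and by the tests.
function setupExampleGate(loadScript) {
  const gate = createConsentGate(loadScript);
  gate.register('analytics', {
    name: 'google-analytics',
    src: 'https://www.google-analytics.com/analytics.js',
    // analytics.js: the anonymizeIp field must be set before the first hit.
    init: () => { if (typeof ga === 'function') ga('set', 'anonymizeIp', true); },
  });
  gate.register('social', {
    name: 'share-buttons',
    src: 'https://social.example/plugin.js',   // placeholder plug-in URL
  });
  return gate;
}

// Browser loader; in Node (and in the tests) a recording stub is used instead.
function domLoader(src) {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

if (typeof require !== 'undefined' && require.main === module) {
  const requested = [];
  const gate = setupExampleGate((src) => requested.push(src));
  console.log('on page view:', gate.loaded(), requested);
  gate.grant('analytics');                                   // user ticked the box
  console.log('after opt-in:', gate.loaded(), requested);
  console.log(anonymizeIp('203.0.113.42'), anonymizeIp('2001:db8:85a3::8a2e:370:7334'));
}
```

In a real page, domLoader is passed to setupExampleGate, the gate is created before any tag markup, and grant() is wired to the click handlers of the consent box and of the plug-in overlay; the "switch off tracking" link mentioned above calls withdraw() and persists the result.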
Conclusion
The GDPR enables companies to use personal data for marketing purposes, provided the data can be obtained from publicly accessible lists or directories and the applicable data protection rules are complied with. Lawfulness, however, is only given if the company's business interests outweigh those of the user and do not restrict the user's rights.
Consent, regardless of the form of data processing, should be the last resort: the statutory legal bases are clearly defined, whereas consent must itself be designed in a data-protection-compliant manner and can be withdrawn at any time, which may present companies with greater challenges in individual cases.
For e-mail marketing and for special categories of data, however, consent must always be obtained, as this is required by law.
The GDPR is very comprehensive and should be observed and implemented in its entirety. This article highlights only a small excerpt of its provisions and partly reflects the personal opinion of the author. Every company is advised to have its own data protection strategies and implementation efforts examined individually by legal counsel in order to comply with the applicable laws.
This article was written by RA Sergio Leemann.