"Due to the data protection regulations, it is no longer possible for us to use data for sales purposes." - "We in the Compliance department don't need to take data protection into account; we have the right to inspect all data." Statements about the impact of data protection could hardly be more contradictory than these, and yet both views are very widespread. So how does sales still work despite data protection, and which compliance control measures do not work because of it? This article looks at both sides of the matter.
Data protection and sales
Despite the strict requirements of the General Data Protection Regulation (GDPR), there is still a lot that can be done in sales, even when one intends to proceed in accordance with the law. The undisputed basis under data protection law for using personal data for advertising purposes is that the data subject has consented to the processing of the data (Art. 6 (1) lit a GDPR). This basis is often established at the start of a business relationship. When an order is placed online in a mail order purchase, for example, but also when opening an account with a bank, the customer is asked to consent to the use of personal data for advertising purposes. It is important that the consent is clearly distinguishable from other matters and is not made a condition of opening the account or starting the business relationship. The consent must meet the requirements of Art. 7 GDPR, i.e. it must be possible to withdraw it at any time, and it must be documented.
If a customer has not consented to the use of personal data for advertising purposes, this does not mean that advertising use is excluded altogether. A so-called "legitimate interest" of the company (Art. 6 (1) lit f GDPR) can also serve as the legal basis under data protection law. In this case, the company's interest in advertising its goods or services must be weighed against the need to protect the legitimate interests of the persons at whom the advertising is directed. Recital 47 to the GDPR names various aspects to be taken into account when weighing up the interests of both sides. Among other things, it states that "Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client of the controller" (Recital 47, sentence 2). This alone could lead to the conclusion that advertising directed at existing customers is permissible. Sentence 7 even states that "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." This means that the use of personal data for advertising purposes can also be justified on the basis of the legitimate interest of the company advertising its goods or services.
Furthermore, the general principles relating to the processing of personal data under Art. 5 (1) GDPR must also be taken into account when weighing up the interests of both sides; this means in particular that personal data:
- must be processed fairly
- must be relevant to the purposes for which they are processed
- must be processed in a manner that is transparent to the data subject and easy to understand (in particular, the source of the data must be named) (cf. Brief paper No. 3 published by the Bavarian Data Protection Authority, "Processing of Personal Data for Advertising Purposes", https://www.lda.bayern.de/media/dsk_kpnr_3_werbung.pdf, in German only)
A withdrawal of consent, and any objection to advertising that was based on legitimate interest, must always be respected. Ignoring them would not only greatly annoy customers but would also constitute a violation of the GDPR.
In addition, when using personal data for advertising purposes, the provisions of the German Act against Unfair Competition (UWG) must also be observed; Section 7 UWG sets out the conditions under which advertising directed at consumers and companies is admissible.
Reference is also made to the detailed explanations in the "Guidance provided by the regulatory authorities on the processing of personal data for the purposes of direct advertising in accordance with the General Data Protection Regulation (GDPR)" issued by the Data Protection Conference (https://www.datenschutzkonferenz-online.de/media/oh/20181107_oh_werbung.pdf).
Compliance and data protection
The legal requirements for compliance controls can basically be derived from a wide variety of laws. However, the legal regulations frequently do not stipulate precisely which controls are to be carried out. For this reason, a legal obligation (Art. 6 (1) lit c GDPR) cannot serve as the legal basis under data protection law for a large number of compliance control activities. Here again, the processing or use of personal data can be based on a legitimate interest. Recital 47 also gives an example of this with respect to fraud prevention; sentence 6 states: "The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned."
The necessity of carrying out and documenting the weighing up of interests makes it clear that data protection must also be observed in the Compliance department. Recital 47 clearly states that only personal data that is "strictly necessary" may be processed for compliance purposes. This therefore does not constitute a right to inspect all the data available in the company.
To be able to base the processing of personal data on a legitimate interest, three requirements must be met.
1. The controller responsible for processing the personal data or a third party has a legitimate interest in processing the data.
2. The processing is necessary to safeguard the legitimate interest.
3. The interests or fundamental rights and freedoms of the data subject, which make the protection of the personal data necessary, are not overriding.
Only when all three requirements are met can a processing of personal data be based on a legitimate interest.
The company's legitimate interest in this case is to ensure adequate compliance. What then needs to be considered is whether the intended processing of the data is suitable for achieving that purpose. The data protection principles of data minimisation and the least intrusive means (the control that interferes least with the data subject) must be observed. Finally, when considering the interests of the data subject, it must be determined whether, and if so what, negative impact the processing could have on this person, and whether, in view of these effects, the company's interest in the intended processing is still appropriate and overriding. For weighting purposes, the type of data, the amount of data and the number of data subjects, the source of the data, the time required to process the data and also the integrity of the processing can be taken into account.
If the weighing up of interests classifies the processing as permissible under data protection law, the general procedures for safeguarding the data (e.g. the "need-to-know" principle and the obligation to delete data once the retention obligation has expired) must also be applied to any further use of the data.
"Whistle-blowing" as a part of compliance is also examined extensively in guidance issued by the Data Protection Conference (https://www.datenschutzkonferenz-online.de/media/oh/20181114_oh_whistleblowing_hotlines.pdf).