Data cleansing – an absolute obligation for every sender

It is not only necessary to keep order in the home or office, but also in the database. Because over time a lot of things accumulate here. Data that is no longer necessary for the operative business costs you unnecessary performance and therefore money.

In addition, there is the legal aspect, because for data protection reasons you are obliged to data minimization. Only the data that is required for the exercise of the business relationship, that the person concerned has voluntarily made available to you, or for which there is a justified interest, may be stored. Information that is no longer required must therefore be removed. If the person concerned objects to the use of data, this must even be done immediately.

In the following, we explain to you what is important for a tidy database and how you are also legally on the safe side when it comes to data cleansing.

As a result of the proactive information obligation under the GDPR, the requirements for transparent handling of personal data have increased significantly. Accordingly, a company must be in a position to provide the data subject with information about each processing purpose and its legal basis. So please point out that the data is also used to document the legal basis.

The storage period for personal data must be specified and this must also be communicated proactively to the person concerned. How long the data in question may be stored depends, in principle, on the respective purpose and the legal basis. A distinction must be made between the use of the data, in our case the sending of newsletters, and proof of consent, as the periods of time differ. The storage period of the proof depends on how long any legal claims can be asserted.

Whether in e-mail marketing or other disciplines, the principle of data minimization applies. Therefore, only the data that is actually necessary to contact the customer or interested party, to provide the desired service or to answer enquiries should be collected. They should therefore not simply request all the information that might be needed in the future, especially not obligatory. Conversely, you must also delete data that you no longer need.

Important: The cleansing also applies to duplicates! So if you have recipients in the database more than once, it is not enough to clean up just one record. It is therefore best to regularly remove duplicates yourself, then you do not run the risk of overlooking data here.

Irrespective of this, users can also make a request for the deletion of their own personal data in accordance with GDPR Article 17, which you must always comply with. This applies if a user objects to the sending of advertising or the processing of his data and thus the purpose for which the data was collected is null and void.

Attention, this does not mean that you must or may simply delete everything without exception. In this case you should have the obligation to provide evidence in mind.

If it should be necessary to prove legally at a later date that you had a permission and you can no longer do so because of the deletion, it becomes problematic. It may also be necessary to retain other data, e.g. if you run an online shop. This includes, for example, booking documents that must be kept for ten years according to the German Commercial Code. However, tax-related documents such as invoices, delivery notes and contracts, which must also be stored for ten years, are also included and may only be deleted after this period.

Therefore, the GDPR also regulates the storage of evidence for the assertion, exercise or defence of legal claims. However, this only applies to the data that is required as evidence. In the case of e-mail marketing, this would be the email address and the permission. All other personal data of the respective customer must be deleted. This includes, for example, profile field contents or tracking data. In addition, the data for permission verification must be stored technically and organisationally in such a way that operational use is excluded and that they are only available for verification purposes. According to the CSA’s recommendation, the data for the proof requirement should be kept for three years before the data set is finally deleted afterwards. Furthermore, as long as a possible legal claim can still be asserted, the data should be retained.

When cleaning the database, you should never touch the blacklist, even if personal data (e-mail addresses) is collected there. Because there are still dunning lawyers who would like to use it to finance their livelihood. They take advantage of the fact that you have to have a permission to send advertising mails. Their scam consists of contradicting the receipt of the newsletter on the one hand and on the other hand trying to get the sender to send more mailings. This is because these lawyers intend to take advantage of a possible lack of documentation and if the permission to send the newsletter is not presented, a claim for damages will be filed. Therefore, it is all the more important to document all permissions for the newsletter dispatch. In addition, a blacklist can be used to prevent them from cheating their way back into the distribution list. Here you also have a legitimate interest in archiving this data for self-protection. Ideally, you should include a reason with every entry so that you can explain why this address is on the blacklist.

Tip: In the EMM you will find several possibilities for automated data cleansing. We would be happy to advise you on this and help you keep your database clean.

In addition to the legal reasons, performance improvement and error prevention also speak in favour of regular data cleansing. This is also no longer just about recipient-related data. For this, take a look at your profile fields and target groups in particular. Do you still need all of them? Especially with target groups, which are sometimes only created for a single mailing, a lot of data accumulates quickly. You should therefore remove target groups that are no longer required from your client. Especially if you work with several people together in the client, confusion and discrepancies in the target group selection can quickly occur. You should therefore avoid the risk of addressing the wrong recipients.

Other areas that should be cleaned up from time to time are Mailing lists, web forms, triggers (actions), import and export profiles, media pool contents and outdated reference tables. The last two areas in particular can take up a lot of space in the database.

It’s also worth taking a look at the mailing overview from time to time. Over time, some mails accumulate here that were simply created for testing purposes and then vegetate away. For the sake of clarity it makes sense to delete such test variants from time to time.

If you manage several clients, make sure that they are also consistent. Especially when colleagues leave or change, it can happen very quickly that accesses are forgotten. Therefore, check regularly whether all clients still have a real user and if there is a change of user, the access data should be reassigned. In this way you avoid unnecessary security risks.

If you need assistance with the cleanup, we will be happy to help!