EU GDPR compliant newsletter registration

In consideration of subscription pages for newsletters, it becomes clear that in their current form most such pages do not comply with the requirements of the EU’s General Data Protection Regulation (GDPR). The EU GDPR will take effect on May 25, 2018. The requirements must already have been implemented at that time. What has to be implemented by the deadline in order to avoid problems?

This blog article summarizes the six most important issues for you. The article will also provide the appropriate reasons and references to the corresponding clauses in the GDPR, for people who want the precise explanations.

Basically, you will need a mandatory checkbox that links to your data protection declaration. The checkbox must be integrated into your subscription page. The checkbox may not be checked by default. People interested in the newsletter must check the box for themselves as part of completing their subscription registration.

Reason: Article 13 of the EU GDPR requires that the people affected by the acquisition of their personal data must be completely informed. This impacts the data on the newsletter subscription form, for example.

Article 4, clause 11 defines consent as one “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her“

To register for a subscription in compliance with the EU GDPR, the following information must be provided.

• The newsletter provider’s contact information
• The data protection officer’s contact information
• The purpose of processing the data and the legal foundation
• The duration over which the personal data will be stored and the criteria for storage
• The rights to be informed, to correct, to delete and to object to the acquisition of the data
• The right to withdraw approval
• The right to complain to the overseeing authority

Tip: I would recommend storing the declaration of data protection in a special form, because the scope of the obligation of information is very large.

Some circumstances will require an additional checkbox on the subscription page so that people interested in the newsletter can indicate their willingness to be tracked. The checkbox will be required if you standardly measure the opening of mails and clicks on links by person and if you distribute custom cookies through your email messages. This checkbox will also be required when measuring personal access to the provider’s own web site.

This will not be required if the measurements are recorded anonymously because personal data will not be acquired and the EU GDPR does not apply in that case.

Reason: In general, personal tracking is possible when the sender has a “justified interest” in doing so (see Article 6, Clause 1 f as well). The basis for this is Recital 47 of the EU GDPR, which allows processing personal data. This applies for advertisement because it ultimately literally states: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.“

Naturally, the email sender has a justified interest in their ability to offer custom content to customers and interested people and to design communication that will be relevant and interesting to such people. Tracking personal data is necessary for that reason to improve relationships with specific recipients.

Of course, Article 21 of the EU GDPR must also be considered in this context, which can be paraphrased as:

(1) The data subject shall have the right to object, , […] at any time to processing of personal data concerning him or her which is based on points (e) or (f) of Article 6 including profiling based on those provisions. […]

(2) Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

(4) At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

This means that interested people must have already been notified about their right to object upon subscription. The checkbox indicated above will provide this assurance.

You should be aware that sending your newsletter cannot be linked with the recipients consent to be tracked. Article 7, Clause 4 of the EU GDPR defines the prohibition against connecting for the approval as:

“When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.“

This means that fulfillment of the service (in our case, sending newsletters) does not absolutely require recording the number of messages opened and links clicked on a personal basis. For that reason, transmission may not be linked with approval for tracking.

It could theoretically be argued that personalized, individual content only becomes possible through personal tracking. However, this line of reasoning should be careful, because each sender can also send newsletters to recipients that have never (or not yet) opened messages or clicked on links.

Your subscription forms should only request the personal data that you truly need because Article 25, Clause 2, Sub-clause 1 of the GDPR requires

“…responsible parties [U1] to take appropriate technical and organizational measures to guarantee that, using a process of pre-determination, only the personal data required for a particular purpose is being processed.”

Naturally, you can determine what is required. Does your newsletter use a personalized salutation for the recipient? Then, you need the recipient’s name. Does your content vary based on gender? Then, knowing the recipient’s gender is important. Would you like to send the recipient something for their birthday? Then, of course, you need to know their date of birth.

It is also important that the provision of such information be optional and voluntary, not mandatory, with the exception of the email address.

Give the recipient the ability to toggle tracking on or off. Integrating a link to the profile page or preference center into each newsletter, where a checkbox can toggle tracking makes this option possible.

Reason: As already noted for Tip 1, Article 13 requires the right to withdraw approval. It must also be noted that when approval is withdrawn, the existing tracking data may no longer be used for advertising in accordance with Article 21, Clause 3.

“Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.“

Recommendation: If you want to be really sure, it would be best to automate the deletion of the tracking data from advertising newsletters retroactively when approval is withdrawn. By making this sacrifice, you will no longer have any data that could potentially be used later for direct advertising.

To ensure that personal data that will be transferred through the Internet will be transferred securely and encrypted, subscription and un-subscription forms, as well as preference centers, should only provide web pages using the HTTPS protocol, because Article 32, Clause 1 of the der EU GDPR states that: fordert  “ […] appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data […]“

Unencrypted transmission of personal data through the Internet will no longer be allowed, because of the lack of an appropriate level of protection.

In order to have proof in the event of legal complications, I recommend making a screenshot with time stamp of each change to your subscription page, declaration of data protection, double-opt-in messages and the subscription logic behind the forms and making electronic copies. Archive the screenshots and copies. Every time that the subscription is changed, archive the modified versions again.

Reason: Article 7, Clause 1 of the EU GDPR states that: “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.“

The better you are prepared for proofing your case, the higher are your chances in case of disputes.