In about a year, on May 25, 2018, the time will come: the new regulation will replace the previous EU Data Protection Directive (Directive 95/46/EC). That is still a while away, but since the law will have far-reaching consequences for business models in the digital industry, shop operators and online marketers should familiarize themselves with the changes today. The penalties for non-compliance with the new regulation can have major financial consequences for companies.

We have summarized some important innovations and effects for online retailers and those responsible for online marketing here. For specific legal questions, please contact your legal advisor!

What effects do the innovations have on tracking, mailings & Co.?

The processing of consumer data plays an important role for companies in sales, marketing and product development. When the General Data Protection Regulation (GDPR) comes into force in May 2018, companies will face a number of changes: the new regulation is intended to do justice to the age of digitization and big data. The fundamental right of each individual to informational self-determination is paramount. At the same time, the GDPR is meant to give the German and European economy enough leeway to enable innovative digital business models and to use data volumes in compliance with data protection law.

Companies, especially in online retail and online marketing, are facing fundamental changes, above all in how they address customers. Online retailers and address brokers in particular, who store and process personal data for customer loyalty programs or advertising measures, must deal with the new rights of data subjects. The GDPR contains no separate articles for digital topics such as websites, social media and cookies. Until an ePrivacy Regulation has been passed, the following legal bases, among others, therefore apply:

  • The data subject has consented to the data processing

  • The data processing is necessary for the performance of a contract

  • The controller has a legitimate interest, as long as the rights of the data subject do not override it

Definition of terms (Art. 4 No. 1 GDPR)

Of course, the new data protection regulation has an impact on online marketing measures and tracking processes. With the General Data Protection Regulation the concept of personal data has been expanded: in future, online identifiers such as cookie IDs or IP addresses will no longer be classified as anonymous. A single piece of data can also be personal if it can be assigned to a person by consulting a separate database. According to Art. 4 No. 1 GDPR, personal data is defined as any information "relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." Collecting personal data that may appear "anonymous" at first glance therefore violates the GDPR in the age of data retention.

Accountability (Art. 5 Para. 2 GDPR)

The so-called accountability principle is new: "The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')." (Art. 5 (2) GDPR). What does this mean for companies? When challenged, they must be able to prove compliance with the data protection principles. Violations can result in high fines, which is why keeping records of the use and processing of personal data is strongly recommended.

Conditions for consent (Article 7 GDPR)

The new EU GDPR also has an impact on the implementation of mailing campaigns: Art. 7 stipulates that consent to the use of personal data must be freely given. The user must have given this consent clearly and actively, for example by ticking the newsletter subscription box in a form. Forms in which the subscription consent box is already pre-checked are not legally valid. In addition, consent must not be made a condition of concluding a contract or receiving a service. By the way: consent already obtained in the past remains valid after the GDPR comes into force, provided it meets the new requirements.

Right to erasure (Art. 17 GDPR) and to be forgotten (Art. 17 Para. 2 GDPR)

This new right to erasure is of particular importance for address trading, Internet search engines and social media services. The right to be forgotten includes, among other things, the deletion of all links to the personal data in question, including the deletion of all replications. For providers, this means that they not only have to delete the user data, but also have to inform other website operators to whom they have passed on the personal data.

Right to restriction of processing, Art. 18 GDPR

The right to restriction of processing is also new. It applies, among other cases, when a data subject has lodged an objection but it is not yet clear whether the controller's legitimate grounds for the data processing override those of the data subject.

Right to data portability (Art. 20 GDPR)

In the future, everyone has the right to receive a copy of their personal data in a machine-readable format. In addition, users can request that their data be transmitted from the old to the new provider. From the customer's point of view, data can therefore be transferred and taken along without any problems. The right to data portability is intended to reduce provider lock-in: for example, a cloud user will be able to move their data to another cloud provider easily. Companies should therefore use the two-year transition period (a year of which has already passed) to implement technical data portability options.

Overriding legitimate interests (Recital 47, GDPR)

What are the consequences of the changes for classic address trading? Although consent cannot be transferred to another company, the new General Data Protection Regulation still allows addresses to be traded, because the buyers of addresses are usually not known in advance (and thus not at the time consent is declared). Address trading and the transmission of personal data without consent are permitted if the controller has a legitimate interest. "Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller, e.g. if the data subject is a customer of the controller or in its service." (Recital 47, GDPR).

One stop shop

The new one-stop shop mechanism simplifies data protection for companies with branches in several EU member states and offers an enormous advantage: the supervisory authority at the company's main establishment is responsible for cross-border data processing. In the event of complaints, a data subject can contact the data protection supervisory authority at their own place of residence. Finally, a uniform data protection law has been created throughout the EU.

Privacy by design – data protection through technology design and data protection-friendly default settings (Art. 25 GDPR)

With the entry into force of the General Data Protection Regulation, there are new requirements for product development and implementation: the controller must take technical and organizational measures (e.g. pseudonymization of the data). In addition, the default settings must ensure that only the personal data required for the specific purpose is processed. This change will have a major impact on the development of IT products in particular.
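As an added illustration (not from the original article), the following Python snippet shows what the two Art. 25 measures named above can look like in a shop's analytics pipeline, and at the same time addresses the Art. 4 point that cookie IDs and IP addresses are personal data and the Art. 5 (2) demand for records: online identifiers are replaced by keyed pseudonyms, fields not needed for the purpose are dropped by default, and each processing step is written to an accountability record. The key, field names and sample event are constructed for the example.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone

# Constructed example key. In production, load it from a secret store and
# restrict access: whoever holds the key can re-link pseudonyms to persons.
PSEUDONYMIZATION_KEY = b"example-key-replace-me"

# Data-protection-friendly default (Art. 25 (2)): only these fields are kept
# unless a documented purpose explicitly opts in to more.
DEFAULT_FIELDS = ("page", "timestamp")

def pseudonymize(identifier: str, key: bytes = PSEUDONYMIZATION_KEY) -> str:
    """Keyed one-way pseudonym (HMAC-SHA256) for an online identifier such as
    an IP address or cookie ID. Equal inputs give equal pseudonyms, so visits
    can still be counted, but the original value cannot be derived without
    the key (unlike a plain hash, which can be brute-forced for IPv4)."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()

def minimize_event(raw_event: dict, extra_fields: tuple = ()) -> dict:
    """Apply the defaults: drop everything not needed for the purpose and
    replace direct online identifiers with pseudonyms."""
    keep = set(DEFAULT_FIELDS) | set(extra_fields)
    event = {k: v for k, v in raw_event.items() if k in keep}
    for field in ("ip", "cookie_id"):
        if field in raw_event:
            event[field + "_pseudonym"] = pseudonymize(raw_event[field])
    return event

def processing_record(purpose: str, legal_basis: str, fields: list) -> dict:
    """Accountability entry (Art. 5 (2)): which fields were processed, for
    which purpose and on which legal basis, so compliance can be shown later."""
    return {
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "purpose": purpose,
        "legal_basis": legal_basis,
        "fields": sorted(fields),
    }

# Constructed sample hit from a shop's web server (not real data).
RAW_EVENT = {"ip": "203.0.113.42", "cookie_id": "abc123", "page": "/cart",
             "timestamp": "2018-05-25T10:00:00Z", "user_agent": "Mozilla/5.0"}

if __name__ == "__main__":
    stored = minimize_event(RAW_EVENT)
    record = processing_record("reach measurement",
                               "legitimate interest (Recital 47)", list(stored))
    print(json.dumps(stored, indent=2))
    print(json.dumps(record, indent=2))
```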

Notification of personal data breaches to the supervisory authority (Art. 33 GDPR)

Personal data breaches must be reported to the supervisory authority within 72 hours. An exception applies when the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification includes a concrete description of the breach, an assessment of its likely consequences, the contact details of the data protection officer and the measures already taken. In addition, the controller must document all data breaches precisely. In plain language, this means that companies will have considerably more work in the future and that incidents such as data theft and hacker attacks must be specifically recorded.

The new rules contain a number of stumbling blocks for companies, so a competent legal advisor should be consulted in any case. Topics such as the privacy policy, compliance obligations, consent and the obligation to report breaches belong in the hands of an expert in order to avoid costly cease-and-desist letters and fines. In the worst case, violations can result in sanctions of up to four percent of annual turnover.
