This year was once again a very turbulent one, and alongside the biggest change, the GDPR, there were also other important industry-relevant changes to the law.
In 2018 there was actually only one heavyweight issue on the agenda, but it certainly packed a punch. We’re talking of course about the GDPR, compared to which everything else was peanuts. The General Data Protection Regulation, which has been in force since May, had a major impact on all companies that handle/process personal data, i.e. on the online print industry as well. This gave rise to a huge amount of frustration, but there were also positive legal judgements. I met with Dr. Martin Schirmbacher, legal advisor to the Initiative Online Print and partner at HÄRTING Rechtsanwälte to talk with him about a number of relevant legal judgements delivered in 2018. The upshot is an informative interview including a review of this year plus a brief outlook on 2019, which I want to share, of course, with interested readers.
Bernd Zipper: What then are the most important changes contained in the GDPR that people need to bear in mind?
Martin Schirmbacher: I once had an Urgent/Important/Complex to-do list, which I have just updated again. Everything that you can automatically see from outside is urgent. Above all, that includes data protection statements on websites and in catalogs, and incidentally where web-to-print solutions and other platforms are involved too. Anybody who has not yet addressed this issue has a big, fat to-do on their list before Christmas.
Handling cookies is a tough one. At the moment the issues of under what circumstances the new data protection law permits visitor tracking and of whether cookie opt-ins are required remain completely unresolved. In my view, pseudonymized tracking of user behavior continues to be legitimate, even without the user’s consent. However, you only need to obtain consent if you want to use completely different data for profiling purposes. As far as cookies are concerned, specific purpose is relevant. If the purpose associated with the cookie is legitimate and does not require consent, then there is no need for a separate cookie opt-in. If consent is required, an opt-in for that specific cookie must be created. You could also obtain it in the cookie banner. But then it has to be genuine consent and not just a choice between “Yes” and “Find out more”.
Bernd Zipper: Has anything changed in terms of employee data protection?
Martin Schirmbacher: Yes, what’s being debated in particular is video surveillance, for example. Parking lots, corridors and stairwells may continue to be monitored by video camera for security reasons. However, the interest of employees must be weighed up in each case. Surveillance of toilets and changing cubicles is at any rate an absolute no-no. Changes in this respect frequently entail changes to existing company agreements. For most of the people involved, renegotiating company agreements in the light of the new data protection law is no picnic – but there’s frequently no avoiding it.
Bernd Zipper: The extra paperwork in particular causes hassle. What exactly needs to be borne in mind here?
Martin Schirmbacher: Every company that processes data more than just occasionally has to maintain a register of all data processing activities. That is likely to apply to all online print providers, meaning that a data processing register needs to be produced. In particular that requires all departments to be surveyed in detail. So those conducting an as-is survey of this kind need to talk to Marketing, eCommerce and Sales as well as with Accounts, HR and IT. This register must be made available to the supervisory authorities for inspection upon request. You should check whether a contract data processing agreement needs to be concluded or renewed for all service providers that process personal data.
What is clearly not being given enough attention by companies at the moment are data protection impact assessments. A DPIA of this kind is a process on the basis of which data processing is described, its necessity is examined and the risks for people whose data is processed are assessed. Such an assessment always needs to be conducted when a data processing procedure harbors particular risks. This is the case, for example, where big data analysis of customer data, extensive profiling or even simple checkout payment method management are involved.
Bernd Zipper: That’s a whole lot of stuff with the potential to ruin your day. Were there other important changes or judgements in addition to the GDPR?
Martin Schirmbacher: Yes. And for once even a few positive ones. Right at the start of the year there was a judgement issued by the German Federal Supreme Court (BGH) that is likely to have really delighted most online marketers and online print providers. The Court ruled that any advertising consent provided by a consumer during the customer approach process is valid for a range of advertising channels. So, you don’t need to treat e-mail, phone and WhatsApp separately. Whether that makes sense or worsens conversion rates is another matter, but the BGH says that you are allowed to obtain the opt-ins together. Incidentally in the same judgment the BGH also stated in passing that consents that have been given once do not automatically expire. So, if you still have addresses that include old opt-ins, you can still definitely make use of them.
I can’t judge how many industry players that applies to, but the case law on influencer marketing is becoming increasingly stringent. New judgements are clearly trending towards labeling requirements – even to some extent if no money whatsoever has been paid to the influencer.
Bernd Zipper: And wasn’t there something about corporate pages on Facebook?
Martin Schirmbacher: Indeed. That again is to do with data protection. The ECJ has ruled that the operator of a Facebook page is responsible for the user data collected on that page along with Facebook. This surprised many people, because the page operator only receives this data in aggregated form at best. But there’s a definite trend here. Joint responsibility does not require both parties to decide jointly on how data is used. At any rate the actual consequence of this is that all page operators must conclude a new Joint Control Agreement with Facebook. That’s a simple process because it’s automatic. But the data protection statement also needs to be amended. The best thing to do is to create a separate data protection statement for the Facebook page.
Bernd Zipper: Do you feel like risking a forecast?
Martin Schirmbacher: Well now, you don’t have to be a prophet to forecast that data protection will continue to be an issue that keeps everybody on their toes. Apart from the fact that we have the threat of an ePrivacy Regulation from Brussels hanging over us, there are still so many issues related to application of the GDPR that need to be clarified, meaning we are certainly not going to get bored. My tip would be – build up as much internal data protection know-how as you can, you’re going to need it.