On November 23, 2012, a German data protection working group on advertising and address trading published guidelines (in German) on the collection, processing and use of personal data for advertising purposes (the “Guidelines”). The working group was established by the committee of German data protection authorities (“DPAs”) and is chaired by the Bavarian DPA.
The Guidelines focus on certain sub-sections of Section 28 of the German Federal Data Protection Act and provide details on how those provisions apply in practice. Among other issues, Section 28 addresses how data subjects consent to advertising, as well as how personal data may be processed in the absence of consent. Some of the topics addressed in the Guidelines include:
- restrictions for address lists and whether data sets can be combined;
- data usage periods;
- specific rules for business-to-business advertising;
- the duty to identify the data controller that first collected the personal data;
- the prohibition on advertising by using address data gathered via third parties;
- consent mechanisms (oral, written, electronic), double opt-in process and joint consents; and
- the timeframe for implementing a data subject’s objections, and the controller’s duty to provide sufficient notice about the right to object.
The Guidelines also provide important information on how the German DPAs view certain advertising practices, and should be of particular interest not only to users of advertising by mail but also those who commission and deploy online advertising in Germany.