Germany Update: After Google Fonts, Now Mailchimp & Co. – Another Attempt to Use Data Protection as a Cash Cow
12/07/2023

Do you remember the wave of requests for information, warnings and claims for damages due to the dynamic integration of Google Fonts on websites? Now that the public prosecutor’s office is investigating on suspicion of warning fraud and extortion attempts, it has become quiet on this front. Instead, users of newsletter tools whose providers are based in the USA and offer tracking options are now being targeted.
What is it all about?
The procedure is simple: the web is automatically searched for websites where you can sign up for newsletters. If a newsletter tool such as Mailchimp is used, whose provider is located in the USA and/or tracking takes place, a person registers to receive the newsletter. A short time later, a request for information under data protection law is made and, depending on the reaction to it, possibly a warning and/or claims for damages plus lawyer’s fees.
What do I do in such a case?
At the very least, the request for information under Art. 15 GDPR should be answered carefully and completely. The right of access of data subjects is subject to very few restrictions in the GDPR, and at the time of the request for information it will be difficult to assess whether, for example, an abuse of rights can be assumed in exceptional cases. You should not rely on this, but provide correct information.
In addition, you should seek advice on whether the newsletter tool you are using and the data processing consents you have obtained are legally compliant, i.e. whether they comply with the requirements of the GDPR and TTDSG. In any case, you should check whether a data transfer to the USA takes place and whether the newsletter dispatch is associated with tracking, for example, whether you are informed that the newsletter has been delivered and/or opened.
Depending on the result of the examination, you should plan the further procedure with your lawyer.
On the USA transfer:
Since the Schrems II ruling of the European Court of Justice, a legally secure data transfer to the USA in the context of sending newsletters has been practically impossible. Since July 10, 2023, there has again been an adequacy decision by the EU Commission, the EU-US Data Privacy Framework (EU-US DPF), which makes such data transfer possible again. The prerequisite is that the US company to which the data is transmitted has undergone a corresponding certification procedure and is listed in the U.S. Department of Commerce database. The major providers will already be in the starting blocks for this certification process. In a few weeks or months, it will therefore be possible to use certain newsletter tools again in a legally secure manner, even if the providers are located in the USA.
However, the right to information and any claim for damages due to unlawful processing depend on the processing at the time of the request for information. Therefore, if you use a newsletter tool with US data transfer, you are in danger of becoming a victim of the scam described above until your provider is certified in accordance with the EU-US DPF.
On tracking:
According to § 25 TTDSG, the consent of the data subject is required for the use of tracking measures in newsletters. This means that when consenting to receive the newsletter, it must also be made clear that this consent also includes the tracking measures. The mandatory information under data protection law must also contain all information on tracking, including the recipients of data (typically the provider of the newsletter tool).
If you use newsletter tracking, be sure to check whether the declaration of consent and privacy policy you use meets these requirements.
In addition, the USA problem comes into play here again, as tracking data is regularly processed by the newsletter tool provider.
How can I prevent this?
The best preventive measure is to use a newsletter tool that complies with data protection regulations.
There are German providers who work without third-country data transfer and also offer good support for legally compliant tracking. As a rule, these providers also meet the requirements of corporate marketing and the costs are not higher than those of the big US top dogs.
Even if the EU-US DPF opens up a possibility of US data transfer again, this does not automatically mean that all these providers become GDPR compliant. There are other critical issues, such as the use of data from your newsletter recipients for the provider’s own purposes. Therefore, have your currently used or projected tool critically checked to see whether it meets the data protection requirements.
Also, check if you need tracking. Do you actually use the data from the tracking? If not, don’t turn tracking on in the first place, or turn it off.
Our data protection team will be happy to support you in deciding on a newsletter tool as well as in processing requests for information.
By MELCHERS, Germany, a Transatlantic Law International Affiliated Firm.
For further information or for any assistance please contact germany@transatlanticlaw.com
Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.