Data protection in online marketing

GDPR and ePrivacy Regulation.
Dos and Don'ts.

Since 25 May 2018, the provisions of the General Data Protection Regulation (GDPR) have been binding throughout the EU. The ePrivacy Regulation was originally intended to apply from the same date, but the legislative process has been delayed to this day. Nevertheless, online marketing must adjust to the fact that the ePrivacy Regulation (ePVO) will supplement the GDPR soon. It will mainly regulate the use of tracking software and cookies.

When may personal data be processed?
In principle, it must be ensured that personal data is processed only for the purpose specified when it was collected. As a rule, a person whose data is collected must agree to this. You must, therefore, inform the data subject of the purpose and scope of the collection and point out that they can object to the processing of their data at any time.

However, personal data can also be processed without the consent of the data subject if a company can justify this by a legitimate interest. This only applies if the interests or fundamental rights of the data subject do not prevail. If the interests of the data subject are merely affected, this does not usually stand in the way of data processing. If personal data is anonymized or pseudonymized, data collection via various tools is more likely to be permissible. In contrast to pseudonymization, anonymized data can no longer be assigned to a specific person by using a key.

Double opt-in, GDPR, obligation to provide proof, and high penalties: many buzzwords around the GDPR are already familiar. In this article, DeSight Studio explains what data security in online marketing means.

Double opt-in as default
To obtain legal protection, the data subject should consent to the collection and processing of his/her data. For a newsletter registration, for example, this is only the case with double opt-in, where the registration is confirmed again by e-mail. Single opt-in, on the other hand, is much more susceptible to errors and misuse, because third parties can also enter a recipient who has no interest at all in the content.

The data owner’s consent can only be given lawfully if he is informed by a GDPR You must also tell him in this way to whom the data will be made available. The GDPR also strengthens the right of the data subject to object to data processing. Data subjects should be allowed to exercise their right of objection as efficiently as possible. One-click solutions should, therefore, be preferred.
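The double opt-in registration and one-click objection described above, sketched as an added example (not code from this article or from DeSight Studio). The HMAC-signed token, the 48-hour expiry, the in-memory `subscribers` store and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, constructed for this example
TOKEN_TTL = 48 * 3600             # assumption: confirmation link expires after 48 hours
subscribers = {}                  # email -> consent record (kept as proof of consent)


def _sign(email, purpose, issued_at):
    msg = f"{purpose}|{email}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def request_subscription(email, now=None):
    """Step 1: store the address as pending; the returned token goes into the confirmation e-mail."""
    now = int(time.time() if now is None else now)
    if subscribers.get(email, {}).get("status") != "confirmed":
        subscribers[email] = {"status": "pending", "requested_at": now, "confirmed_at": None}
    return f"{now}.{_sign(email, 'confirm', now)}"


def confirm_subscription(email, token, now=None):
    """Step 2: activate only if the token from the mailbox is authentic and not expired."""
    now = int(time.time() if now is None else now)
    issued, _, mac = token.partition(".")
    if email not in subscribers or not (issued.isascii() and issued.isdigit()):
        return False
    expected = _sign(email, "confirm", int(issued))
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    if now - int(issued) > TOKEN_TTL:
        return False
    subscribers[email].update(status="confirmed", confirmed_at=now)
    return True


def unsubscribe_token(email):
    """Token for the one-click objection link placed in every mail."""
    return _sign(email, "unsubscribe", 0)


def unsubscribe(email, token):
    """One click: a valid link token is enough, no login or second step."""
    if email in subscribers and hmac.compare_digest(token.encode(), unsubscribe_token(email).encode()):
        subscribers[email]["status"] = "unsubscribed"
        return True
    return False
```

An address entered by a third party stays `pending` and receives no newsletter, because only someone with access to the mailbox can present the token.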

Integration of cookie notices
In the future, the ePrivacy Regulation (ePVO) should provide a uniform basis for consenting to the use of cookies. Discussions in the past have already focused on whether an opt-in procedure is necessary or whether an opt-out process is sufficient. The latter is often the method of choice, as the user does not have to consent to the use of cookies immediately when visiting a website. Instead, with the opt-out procedure, the user can object afterwards.

In principle, however, the user must be made aware of the use of cookies by means of a clear notice. It is questionable, though, whether the operator of the website will have to obtain the user’s unambiguous permission in the future, or whether this can be done implicitly.

Professional Association of Legal Journalists (registered association)

This guest article was written by the Berufsverband der Rechtsjournalisten e.V. and published by DeSight Studio GmbH. The BvDR e.V. is an association of legal journalists and attorneys from Germany who publish legal articles on a wide variety of topics on the portals,,, and