
Is your software legally compliant? 5 questions you should ask yourself about it!

To determine whether you can keep using your current solution without data protection concerns, you need to clarify a few central questions. They also help when looking for an alternative to US tools, or more generally when choosing a data protection-compliant solution for newsletters, email marketing or marketing automation.

  1. Who stores and processes the data, and where?

Outside the European Union (EU) or the European Economic Area (EEA), personal data may only be stored and processed if the country in which this takes place can demonstrate an adequate level of data protection. As a result of the ECJ ruling, there is currently no adequacy decision covering the processing of EU citizens' personal data in the USA or by US companies. Both the server location and the company headquarters therefore matter. This affects many common providers of email marketing and marketing automation software. Solutions from providers that store and process data in Germany or within the EU/EEA are therefore a safe alternative to Hubspot, Mailchimp and Co.

  2. Is the consent process compliant with the GDPR?

That the data subject's consent is required for the collection, storage and processing of personal data is nothing new. In the event of a violation, companies face not only fines but also irreparable damage to their image. Make sure the software you use implements a legally compliant double opt-in procedure.

  3. Are tracking and the setting of cookies handled in a legally correct manner?

According to the BGH ruling from 2019, setting tracking cookies requires the user's consent. In general, tracking and the creation of user profiles are subject to the GDPR, because personal data is collected and enriched into profiles. This also applies to tracking in mailings and newsletters. Regardless of which tracking technologies, tracking pixels or cookies are used, you are only on legally safe ground if you have legally valid consent for every form of data collection and processing. The prerequisite is that the person concerned has been informed before they actively agree to the collection and processing of their data, for example by ticking a checkbox that was not pre-ticked. For a software solution, check how the technical implementation works and whether there are configuration options to implement tracking opt-in and tracking opt-out correctly.

  4. Are privacy by design and privacy by default applied?

When it comes to technically realizing data protection-compliant marketing automation and email campaigns, reference is often made to privacy by design and privacy by default, as required by the GDPR. Under privacy by design (data protection through technology design), a company should define and implement suitable technical and organizational measures for its processing in order to protect the rights of data subjects: software should be developed, operated and used in compliance with data protection regulations from the ground up. Privacy by default likewise refers to technical and organizational measures that guarantee data protection-friendly, and consequently the most restrictive possible, default settings: for example, that only the personal data necessary for the processing purpose is collected. This can be implemented with a small number of mandatory fields in data forms and with checkboxes that are not pre-ticked. So look carefully at whether your software provider implements these two principles.
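The consent and privacy-by-default points above, as an added example that is not part of the original article: a minimal server-side double opt-in flow that refuses a consent checkbox that was not actively ticked, stores only the fields the signup purpose needs, and issues an HMAC-signed, time-limited confirmation token. All names, the 48-hour validity window and the allowed field list are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical signing key; a real deployment loads it from a secret store.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600               # assumed confirmation-link validity
ALLOWED_FIELDS = {"email", "first_name"}    # privacy by default: nothing else is kept


def validate_signup(form: dict) -> dict:
    """Step 1: accept the form only with explicit, active consent.

    The checkbox is never pre-ticked, so anything other than the value a
    ticked box submits ("on") counts as 'no consent'. Fields outside the
    purpose are dropped rather than stored (data minimisation).
    """
    if form.get("consent") != "on":
        raise ValueError("consent checkbox was not actively ticked")
    if not form.get("email"):
        raise ValueError("email is the only mandatory field and it is missing")
    return {k: v for k, v in form.items() if k in ALLOWED_FIELDS}


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def make_confirm_token(email: str, issued_at: Optional[int] = None) -> str:
    """Build the token embedded in the confirmation e-mail link."""
    ts = int(time.time()) if issued_at is None else issued_at
    payload = f"{email}|{ts}".encode()
    return base64.urlsafe_b64encode(payload + b"|" + _sign(payload).encode()).decode()


def verify_confirm_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Step 2: return the e-mail if the link is authentic and unexpired, else None."""
    try:
        email, ts, sig = base64.urlsafe_b64decode(token).decode().rsplit("|", 2)
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(sig, _sign(f"{email}|{ts}".encode())):
        return None                          # forged or tampered link
    current = int(time.time()) if now is None else now
    if current - int(ts) > TOKEN_TTL_SECONDS:
        return None                          # stale link, consent not proven
    return email
```

Only an address returned by `verify_confirm_token` should be moved from "pending" to "subscribed", and the confirmation timestamp and the consent text shown at signup should be stored alongside it as proof of consent.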

  5. Is the provider certified in terms of data protection and security?

Last but not least, it is an important quality criterion if a software provider holds corresponding certificates or seals from independent testing bodies, for example TÜV. The internationally leading information security standard, ISO 27001, is particularly relevant for data protection and security, as it proves compliance with the highest IT security standards. It safeguards the integrity of company data and ensures that confidential data is protected.