High-value address solutions that are compliant with data protection regulations.

Transcription

1 High-value address solutions that are compliant with data protection regulations. 1. Germany s Federal Data Protection Act (BDSG) in overview The German Federal Data Protection Act applies to the collection, processing and use of personal data. The opt-out solution which had been used to date was revoked when the amended Federal Data Protection Act went into force in September Instead of the previous opt-out solution, the data subject's consent is now required before personal data can be used for advertising purposes. There are 7 exceptions to the consent requirement: 1. Advertising aimed at existing customers One s own products or services may be advertised to private customers or business customers 1 provided that the data was collected from the data subject. When the data is collected directly from the data subject, the individual must be informed at the time the data is collected of the plans to use that data for advertising purposes and of the option of refusing consent to the use of one's data for advertising purposes. 2. Advertising aimed at interested parties One s own products or services may be advertised to interested parties 2 provided that the data was collected from the data subject. When the data is collected directly from the data subject, the individual must be informed at the time the data is collected of the plans to use that data for advertising purposes and of the option of refusing consent to the use of one's data for advertising purposes. 3. Data from directories that are available to the public It is lawful to advertise one's own or third-party products and services using data from publicly accessible directories B2B advertising Advertising that is related to the individual s occupation/employment and is sent to the individual s work address is lawful. This applies to natural persons (a company s employees) and to self-employed persons and freelancers. 1 A customer relationship exists if there is an underlying legal transaction such as a sales contract or the purchase of goods. 2 A relationship with an interested party exists if there is an underlying quasi-legal obligation, such as a request for bis or information. 3 Publicly-accessible directories are, for example, address lists, telephone directories and business directories (copyrights must be observed). Deutsche Post Direkt GmbH Telephone: Page 1/ Troisdorf, Germany

2 5. Advertising to solicit donations Organizations that enjoy preferential tax treatment, such as non-profit associations and political parties, may solicit donations. The main focus of this advertising must be on soliciting donations. It can however also be combined with other advertising. By contrast, campaign advertising by political parties is not privileged. 6. Transparent transfer It is lawful to transfer address data when the advertising material indicates the body 4 that originally collected it. 7. Transparent use It is lawful to transfer address data when the advertising material indicates the controller 5 that is responsible for its use. The following applies to all seven exceptions to the consent provision: Additional data that does not have to be collected from the data subject, such as selection criteria, may be added to and stored with the recipient data. 2. The BDSG s impact on Deutsche Post Direkt products and services The use of address solutions enables and/or optimizes direct advertising. Deutsche Post Direkt offers the entire range of professional address management services from address cleansing to enrichment and analysis all the way to address rental services. Deutsche Post Direkt markets personal data in accordance with the provisions of Section 29 of Germany's Federal Data Protection Act. In addition to address data such as name and address, personal data also includes additional information about the data subject's credit standing 6, consumer patterns and buying intentions. In addition to personal data, Deutsche Post Direkt offers target group attributes for enrichment, analysis and selection purposes; these attributes are based on statistical data. 2.1 The BDSG s impact on address cleansing Maintaining and updating address databases for existing customers and interested parties is lawful. When the requirements for an exception are met for advertising aimed at existing customers or for advertising aimed at interested parties, companies may use data on existing customers and interested parties to advertise their own products and services when this data was collected directly from the data subjects or from publicly accessible sources. Furthermore, Section 35 (1), first sentence of the Federal Data Protection Act even establishes an obligation to rectify incorrect address data. 4 The body that originally collected the data is the body that collected the data for the first time from the data subject or collected the data from a directory that is available to the public. 5 That person or body which collects, processes or uses the personal data for itself or has this done on its behalf by others. Deutsche Post Direkt GmbH Telephone: Page 2/ Troisdorf, Germany

3 Other companies' private customer data is cleansed on the basis of Deutsche Post Direkt's postal reference file. Containing more than 190 million current and past private addresses, this database is unique in Germany in terms of its size, completeness and up-to-dateness. Deutsche Post's address verification service is one of the services used to keep the address information current on an ongoing basis. For this, Deutsche Post mail carriers check and confirm whether addresses are written correctly and are deliverable. In addition, changes in postal codes and thousands of relocation notifications a day are incorporated into the postal reference file, insofar as the data subject has consented to the disclosure of the new address. Information on addressees who have died is provided to Deutsche Post Direkt by survivors of the deceased. This information is made available on a voluntary basis under a cooperation agreement with the Association of German Undertakers (Bundesverband Deutscher Bestatter). In Germany, there is no central file containing the address information of people who have died. Moreover, Germany's data protection law prohibits the retrieval of this information from civil registers. Despite extensive efforts to keep address data up-todate, mail items may still be returned because they are undeliverable. For this reason, Deutsche Post Direkt utilizes cooperation partner information regarding deceased persons in order to cleanse companies private customer data: SCHUFA Holding AG receives the addresses of deceased persons from its approx. 8,500 contract partners, which include all the major banks, as well as private and regional banks with retail banking. Furthermore, Deutsche Post Direkt processes addresses of deceased persons, as provided on a voluntary basis by their survivors, within the framework of a cooperation agreement with the Association of German Undertakers (Bundesverband Deutscher Bestatter). Despite extensive efforts to keep address data up-to-date, mail items may still be returned because they are undeliverable. 2.2 The BDSG s impact on address enrichment Deutsche Post Direkt offers statistical information and additional personal information for address enrichment purposes. Enrichment is a prerequisite for the analysis and segmentation of customer addresses and/or the exact target-group-based selection of rental data Statistical data In addition to geocoordinates and risk indices, statistical data includes first and foremost micro-geographical information from the microdialog database. This database contains socio-demographic, consumer and structural data plus information regarding area and region, certain industries and lifestyle. The data is aggregated at the microcell level with an average of 6.6 households. Probability statements are used to determine which target group attributes are represented in the microcell. It is not known whether these approximate statistical values such as values related to a specific purchasing behavior actually apply to persons in the microcell. The microdialog database contains no data which would allow the identification of the data subject and it is not subject to the BDSG. Microgeographic information is kept strictly separate from rental data. Accordingly, statistical probability statements are not stored Deutsche Post Direkt GmbH Telephone: Page 3/ Troisdorf, Germany

4 together with personal address data. For each individual customer order, a one-time selection is made solely at the microcell level and the result is then populated with the available address data. This process ultimately produces a file that contains only addresses and no additional information. The selection at the microcell level is then deleted. In the process, personal data and statistical data not only from Deutsche Post Direkt but also from other advertisers must always be stored separately from one another. In other words, a data record containing personal data may not at the same time contain statistical features as well. Enriching address lists of existing customers, interested parties and rental data with statistical information is lawful Personal additional information Deutsche Post Direkt continues to offer additional personal information such as telephone numbers or information regarding an individual's credit standing. 6 Enriching address lists of existing customers or interested parties with personal information is lawful when the company has a legitimate interest Impact of the BDSG on address analysis Amendment I (scoring) led to a number of new provisions for the transfer of data to rating agencies and the use of scoring procedures in connection with a contractual relationship. This does not apply to scoring for the selection of addresses for advertising purposes when the advertising contains no directly binding offer of a contract. Advertising usually represents an invitation to submit an offer; for example, when a catalog with an order form is mailed. For this reason, the analysis of address databases for existing customers or interested parties is lawful as long as any mailing that is generated from it does not contain a directly binding offer of a contract. Under these conditions, conducting an analysis for the purpose of selecting rental data is also lawful. Deutsche Post Direkt GmbH Telephone: Page 4/ Troisdorf, Germany

5 2.4 Impact of the BDSG on address renting Deutsche Post Direkt offers advertisers a broad range of target group addresses which may be used in conformance with current data protection law for customer acquisition purposes. 6 Source: arvato infoscore 7 Advertising is also a legitimate interest. 8 Lettershop, data center Renting of consumer addresses from the rental database Deutsche Post Direkt markets the consumer addresses from its rental database under the provision that the requirements are met for an exception based on transparent use. Therefore, using address data for advertising third-party products and services is lawful when the advertising indicates the controller that is responsible for the use of the addresses. Data transfer: Deutsche Post Direkt does not transfer the address data directly to the advertiser but rather makes it available to the contracted letter shop which is in charge of printing and mailing. Data protection considerations: The recipient of the mailing must be informed of the option of refusing consent to the use of personal data for advertising purposes. It must also be clear from the advertising that Deutsche Post Direkt is the controller responsible for the use of the data Brokering of address lists Deutsche Post Direkt brokers the rights of use for third-party address data (so-called list-broking addresses) provided that the requirements for an exception are met based on transparent use. Therefore, using address data for advertising third-party products and services when the advertising indicates the controller that is responsible for the use of the addresses. Deutsche Post Direkt GmbH Telephone: Page 5/ Troisdorf, Germany

6 Data transfer: Deutsche Post Direkt does not transfer the address data directly to the advertiser but rather makes it available to the contracted letter shop which is in charge of printing and mailing. Data protection considerations: The recipient of the mailing must be informed of the option of refusing consent to the use of personal data for advertising purposes. It must also be clear from the advertising that the list owner is the controller responsible for the use of the data Renting of business addresses When the requirements for an exception are met for B2B advertising, advertising that is related to the individual's occupation/employment and is sent to the individual's work address is lawful. This applies to natural persons (a company's employees) and to self-employed persons and freelancers. Data transfer: Deutsche Post Direkt may transfer the address data directly to advertisers. Data protection considerations: The recipients of the mailing must be informed of their right to refuse their consent to the use of their data for advertising purposes Maintenance of the rental data The rental data is maintained using Deutsche Post Direkt's postal reference file. Containing more than 190 million current and past private addresses, this database is unique in Germany in terms of its size, completeness and up-to-dateness. Deutsche Post's address verification service, among others, is used to keep the address information current on an ongoing basis. For this, Deutsche Post mail carriers check and confirm whether addresses are written correctly and are deliverable. In addition, changes in postal codes and thousands of relocation notifications a day are incorporated into the postal reference file, insofar as the data subject has consented to the disclosure of the new address. Information on addressees who have died is provided to Deutsche Post Direkt by survivors of the deceased. This information is made available on a voluntary basis under a cooperation agreement with the Association of German Undertakers (Bundesverband Deutscher Bestatter). In Germany, there is no central file containing the address information of people who have died. Moreover, German data protection law prohibits the retrieval of this information from civil registers. Despite extensive efforts to keep address data up-to-date, mail items may be returned because they are undeliverable or because the rental data contains the addresses of persons who are no longer living. For this reason, Deutsche Post Direkt utilizes cooperation partner information regarding deceased persons in order to maintain rental data: SCHUFA Holding AG receives the addresses of deceased persons from its approx. 8,500 contract partners, which include all the major banks, as well as private and regional banks with retail banking. Furthermore, Deutsche Post Direkt processes addresses of deceased persons, as provided on a voluntary basis by their survivors, within the framework of a cooperation agreement with the Deutsche Post Direkt GmbH Telephone: Page 6/ Troisdorf, Germany

7 Association of German Undertakers (Bundesverband Deutscher Bestatter). Despite extensive efforts to keep address data up-to-date, mail items may still be returned because they are undeliverable. 2.5 Information which data protection law requires advertising to include The information required by data protection law must be noticeably placed on the advertisement, such as in a footer to the mailing, on order forms or on the inside of the cover page of the catalog Reference to the controller When consumer addresses are rented from the rental database, this reference should read as follows: Controller within the meaning of the Federal Data Protection Act (BDSG): Deutsche Post Direkt GmbH, Postfach , Wuppertal. In the case of list-broking addresses, the relevant list broker is named as the controller. The data subject's legal right to refuse to consent at any time for the use or transfer of personal data by a controller is ensured by Deutsche Post Direkt's use of an internal blocking list. In addition, whenever there is an order, Deutsche Post Direkt undertakes to compare the data with the 'Robinson list' of the German direct-response marketing association Deutscher Dialogmarketing Verband. Blocking notices are put in place and inquiries about the origin of data answered without delay. This is done in the interest of the data subjects as well as for the purpose of avoiding complaints vis-à-vis companies that advertise Reference to the option of refusing to consent to the use of one s data for advertising purposes The sender s identity and the recipient s right not to consent to the use of his/her data must be indicated namely, on every piece of advertising regardless of whether it is sent to existing customers, new customers, business persons or private individuals. Example text: Wenn Sie künftig unsere Informationen und Angebote nicht mehr erhalten möchten, können Sie der Verwendung Ihrer Daten für Werbezwecke widersprechen. Teilen Sie uns dies bitte möglichst schriftlich unter Beifügung des Werbemittels und Angabe Ihres Namens und Ihrer Anschrift an unsere Adresse mit. [Translation for this proposed wording for your information: If you do not wish to receive our information and offers in the future, you can object to the use of your data for advertising purposes. If you wish to object, please notify us in writing (if possible) to our address and enclose the advertising material and your name and address details.] Deutsche Post Direkt GmbH Telephone: Page 7/ Troisdorf, Germany

8 3. Deutsche Post Direkt and data protection authorities Deutsche Post Direkt is one of the leading German address service providers and, as such, maintains close contact with representatives of the data protection authorities. As a company that processes personal data, it is required to notify the North Rhine-Westphalia Commissioner for Data Protection and Freedom of Information when it processes personal data. Moreover, Deutsche Post falls under the direct jurisdiction of the Federal Commissioner for Data Protection and Freedom of Information with whom it has a regular dialog. Deutsche Post Direkt's own data protection officer is frequently included in this dialog for monitoring and consultation purposes. 4. Data protection and data security measures taken by Deutsche Post Direkt Deutsche Post Direkt employees have undertaken in writing to comply with the obligation to maintain confidentiality pursuant to Section 5 of the Federal Data Protection Act and have informed themselves about any other existing obligations that customers may have regarding confidentiality such as banking secrecy or the protection of social data. Organizational and security measures ensure that only authorized employees have access to the data. In the area of address rental, Deutsche Post Direkt works only with letter shops that are members of the German Dialog Marketing Association (DDV), comply with data protection regulations and requirements, and submit confirmation that the address data was deleted following completion of the customer's order. Control addresses in the rental batch ensure that data is not forwarded to other parties. In the case of online address validation/collation, Deutsche Post Direkt complies with the latest security standards. Whenever data is transferred to or from its servers, Deutsche Post Direkt uses not only customized encryption processes but also encryption techniques similar to those used, for example, in online banking. The techniques Deutsche Post Direkt uses for encryption and authentication range from the use of 'https' for data transfers to virtual private networks. The most secure way to transfer address databases for the purpose of cleansing or updating customer data or to transfer rental data is the FTP transmission offered via the online services of Deutsche Post Direkt. In order to use the FTP transmission, companies are given user access and create their own password. As an additional security measure, companies can opt to transfer their data using password protection or PGP encryption. Deutsche Post Direkt has been certified according to the industry standard ISO on the basis of IT Baseline Protection standards set forth in IT-Grundschutz. Germany's Federal Office for Information Security (BSI) certified the business processes used in the ADDRESSFACTORY product family for cleansing and enriching customer addresses and Deutsche Post Direkt's online services (/online-services) with their integrated data exchange platform. This certification documents that Deutsche Post Direkt has implemented special technical and organizational security measures required by Section 9 of the Federal Data Deutsche Post Direkt GmbH Telephone Page 8/9 Last revised: Troisdorf, Germany 05/08/2014

9 Protection Act for processing personal data on behalf of others. The BSI certification releases customers from the obligation to monitor Deutsche Post Direkt as contractor, as otherwise required by data protection law. 5. Deutsche Post Direkt is a member of the German Dialog Marketing Association Deutsche Post Direkt is a member of the German Dialog Marketing Association (DDV) and, as such, guarantees through regular certification the highest level of professionalism and quality. In order to receive the DDV seal of approval for quality and service, important requirements must be met. These include training and instructing employees in data protection, ensuring transparent order processing and documentation, and compliance with technical and organizational data protection measures. DDV members are audited annually. Consequently, advertisers can be sure that members uphold service quality and data protection requirements. As a result, the DDV seal of approval for quality and service is also an important criterion when selecting or commissioning service providers. Disclaimer: This additional information does not replace a legal examination of the respective case. Although content is carefully reviewed, Deutsche Post Direkt assumes no liability for its accuracy, completeness or up-to-dateness. Deutsche Post Direkt GmbH Telephone Page 9/9 Last revised: Troisdorf, Germany 05/08/2014