On October 1, 2021, the new Section 7a of the German Unfair Competition Act (UWG) came into force, which obliges companies to document and retain consumers’ consent to telephone advertising, subject to severe threats of fines. How these obligations are to be interpreted in the opinion of the German Federal Network Agency (Bundesnetzagentur) and what this means for your deletion concept, you can find out here.
What is at issue?
Anyone who processes personal data on a business basis is obliged under the General Data Protection Regulation (GDPR) to store this data only to the extent and for as long as required by the purpose of the processing and to delete it otherwise. The corresponding retention and deletion periods must be documented in a deletion concept. The duration of the periods usually results from the law, for example from retention obligations under commercial and tax law or from the regular limitation period of §§ 195, 199 BGB (German Civil Code), for the duration of which the controller may have a legitimate interest in storing certain customer data.
What does § 7a UWG have to do with it?
Telephone advertising to consumers is only permissible under both data protection law and competition law (Section 7 UWG) with the prior consent of the person concerned. With the Fair Consumer Contracts Act, the German legislator created Section 7a UWG, which came into force on 1 October 2021. According to this, companies are obliged to document the obtaining, but also every use of a consumer’s consent to telephone advertising and to keep this documentation for five years from the last use. Violations of these documentation and retention obligations can be sanctioned by the Federal Network Agency – depending on the individual case – with a fine of up to EUR 50,000.00, Section 20 (1) no. 2 in conjunction with. Para. 2 UWG. A company that engages in telemarketing (or even just gives the impression of doing so) would therefore be well advised to revise its deletion concept. Typically, such deletion concepts have so far provided that only the data indispensable for the documentation of a telephone consent is stored and that this data is deleted after the expiry of the statutory limitation period (i.e. regularly three years at the end of the year after the last call to the data subject).
What’s the problem?
Now, one might think that it would be enough to simply extend the retention period to five years. But far from it: If one takes the legal opinion as a basis, which the Bundesnetzagentur (“BNA”) as the competent authority represents in its current consultation paper, companies will actually have to prepare themselves for some challenges.
Accordingly, the documentation must contain “complete, meaningful, transparent and comprehensible to outside third parties, truthful, tamper-proof and up-to-date information” regarding (i) the initial granting of consent, (ii) any further use of consent and (iii) even the revocation of consent (for which, however, there is no comprehensible reason if the revocation is observed by the controller). The documentation is only complete if it documents (i) all parties involved in the process in some way (in particular also all service providers and named employees); (ii) the content and scope of the consent, the revocation and the use (i.e. what was advertised in detail); (iii) the manner in which the consent was granted/exercised/revoked and (iv) the respective time of the process. All of this also applies to consents obtained before 1 October 2021 (so-called “Alt-Einwilligungen”), provided they are still being used.
The BNA justifies these extensive requirements by simply pointing out that the controller is already obliged to document the proof of consent according to Art. 7(1) GDPR anyway. This is not entirely wrong, but even such documentation must be measured against the principles of data economy and storage limitation.
In practice, the BNA’s catalogue of requirements would often mean that considerably more data would have to be stored for the “§7a documentation data set” than for the actual customer data set itself. This is because a company acting in compliance with data protection will typically process, for example, information on the customer and information on the external parties involved (i.e. sales partners) in separate systems in order to ensure that such data can only be accessed by individual employees with a need-to-know.
However, it is also not a solution to simply enrich the company’s end customer management system (CRM) with (somehow) telemarketing-relevant data. Firstly, because the CRM will contain data (e.g. on orders) that are none of the BNA’s business. Secondly, because in the BNA’s view the increased requirements of Art. 72 of the CDR 2017/565/EU for investment firms (sic!) should apply accordingly to the storage of the data record (Consultation Paper para.74). Hence, a (separate) audit-proof system is required to which the BNA can be granted access at any time without intermediate steps such as redactions or pseudonymisations.
On the other hand, this system must in turn be permeable in the sense that it responds to constantly updated information about when the customer was last called. This is because the time limit of Section 7a (2) UWG does not expire uniformly (e.g. at the end of each year), but rather depending on when the last call was made. The BNA does not explain how all these requirements are to be fulfilled at the same time without extensive double data storage.
And what do the data protection authorities have to say about it?
Whether this extensive interpretation of Section 7a UWG – and thus, in a mirror image, the considerable restriction of the right of the data subject to have his data deleted (Article 17 (3) (b) GDPR) – is really in the interest of the consumers concerned, as the BNA believes (Consultation Paper, para. 80), may be doubted. The five-year retention period is explained less by the actual requirements of clarifying the facts in the case of (indeed, regularly timely) consumer complaints about a call than by BNA’s chronic staff shortage, which makes it impossible for it to investigate such individual complaints in a timely manner.
However, it is also noteworthy that the BNA, despite its extensive interpretation, does not say a word about the particularly practice-relevant borderline cases in which a call may constitute advertising from the perspective of the person concerned, but the company intends to fulfil its pre-contractual or contractual information obligations with the call, for example. For such cases, one will in future have to assume a legitimate interest of the company to retain the information that may be necessary for legal defense against the BNA also for five years after the last call.
It will be interesting to see whether and how the data protection authorities will position themselves on the BNA consultation paper.
In any case, companies are advised not to underestimate the technical effort required to comply with the documentation and retention obligations of Section 7a UWG. Existing contracts with marketing and call-center service providers as well as address traders should also be reviewed to ensure that they are obliged to provide the client with all information required for documentation and retention.