• Mehr als 3 Millionen Wörter Inhalt
  • |
  • info@itmedialaw.com
  • |
  • Tel: 03322 5078053
Rechtsanwalt Marian Härtel - ITMediaLaw

No products in the cart.

  • en English
  • de Deutsch
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Kurzberatung
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Rechtsanwalt Marian Härtel - ITMediaLaw

Can Mailchimp be used in a way that is permissible under data protection law?

7. November 2022
in Data protection Law
Reading Time: 4 mins read
0 0
A A
0
dsgvo 3589608 1280
Key Facts
  • The BayLDA considers Mailchimp to be inadmissible if no additional data protection compliance measures are taken.
  • Transmission of e-mail addresses could be problematic under data protection law without further measures.
  • Mailchimp 's privacy policy does not mention complete encryption of user data.
  • The only encryption instructions are contained in "Data Export Conditions".
  • Mailchimp 's privacy policy does not offer sufficient protection from US authorities.
  • The BayLDA did not consider a fine to be necessary in this case.
  • The transmitted e-mail addresses are considered to be relatively insensitive data, which leads to lenient measures.

In line with my article today regarding Cloudflare(see here), due to a recent decision by the Bavarian State Office for Data Protection Supervision, I would also like to briefly highlight Mailchimp, which is almost omnipresent in the WordPress universe and is still used by many providers to send email newsletters.

In the opinion of the BayLDA, Mailchimp is at least unlawful if, as a user, one does not check whether, in addition to the EU standard data protection clauses (which were used), “additional measures” within the meaning of the ECJ decision “Schrems II” (ECJ, judgment of 16.7.2020, C-311/18) are necessary to make the transfer compliant with data protection, in particular because, in the opinion of the BayLDA, there are indications that Mailchimp may in principle be subject to data access by U.S. intelligence services on the basis of U.S. law FISA702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be permissible by taking such additional measures (if suitable).

After looking at Mailchimp’s privacy statement, there is nothing about encryption anywhere there. Even in the document that Mailchimp calls “GDPR compliance”, which is only available in German, there is nothing about encryption.

The only reference to encryption is a document called “Data Export Conditions”.

Mailchimp has, where and to the extent technically feasible, implemented encryption technologies across its infrastructure to help protect user data from unauthorized access when it’s processed internally by Mailchimp. For example, all Mailchimp production pages use transport layer security (TLS), a secure encryption protocol, and Mailchimp’s internal wireless network utilizes 128bit WPA2 encryption. Further, Mailchimp email (256bit), all VPN connections (256bit), and the internal chat application (256bit) are also encrypted. Login pages use TLS and have brute-force attack protection. This also applies to mobile Mailchimp applications and the Mailchimp API.

 

Translated then:

Mailchimp has implemented, where and to the extent technically feasible, encryption technologies throughout its infrastructure to protect User Data from unauthorized access when processed internally by Mailchimp. For example, all Mailchimp production pages use Transport Layer Security (TLS), a secure encryption protocol, and Mailchimp’s internal wireless network uses 128bit WPA2 encryption. In addition, Mailchimp emails (256bit), all VPN connections (256bit) and the internal chat application (256bit) are also encrypted. Login pages use TLS and have protection against brute force attacks. This also applies to Mailchimp mobile apps and the Mailchimp API.

 

When you get right down to it, this is probably not a sufficient assurance that user data is fully encrypted, even from access by Mailchimp itself. Rather, Mailchimp limits that data would be protected from “unauthorized access.” However, access by US authorities, for example, would precisely NOT be unauthorized.

The magazine affected by the aforementioned proceedings at the BayLDA only escaped a fine due to an appropriateness consideration.

The BayLDA on this:

Supervisory measures going beyond this determination of the inadmissibility of the above-mentioned data transfers pursuant to Art. 58 Par. 2 DSGVO, we do not consider it necessary in the specific case at hand by way of a discretionary decision. We have made it clear to the company that the above-mentioned transmission of your e-mail address was not permitted under data protection law. We do not consider it necessary to impose a fine, as you have requested. In this respect, we hereby inform you that, in our opinion, a data subject has no legal entitlement to the imposition of a fine in the event of a data protection violation, and in our opinion, no entitlement to a discretionary decision on punishment with a fine.
For unlike some other of the provisions of Art. 58 para. 2 GDPR (such as the power to instruct the controller to comply with requests from the data subject to exercise his or her rights (Article 58(2)(c) GDPR), the power to impose a fine under Article 83 GDPR (Article 58(2)(i) GDPR) does not serve to safeguard the rights and freedoms of a data subject, but the public interest in the enforcement of the law. Consequently, a data subject has no subjective right against the data protection supervisory authorities to decide on the imposition of a fine pursuant to Art. 58 para. 2 letter i DSGVO to. However, even if one were to recognize such a subjective right of a person concerned, there would be no claim on your part to imposition of a fine against XXXX given. Taking into account the relevant factors listed in Article 83 of the GDPR that play a role in this decision, it is within the scope of discretion to refrain from imposing a fine in this case. This is particularly the case because only a few cases of unauthorized data were transmitted in the present case, and secondly because the data involved – in the form of e-mail addresses – is still relatively manageable in terms of its sensitivity; the latter alone would not be sufficient to justify a waiver of the fine. As a result, however, the waiver of the fine is free of discretionary error in the present case, particularly against the background that the above-mentioned Recommendations of the European Data Protection Board are declared to be still in a public consultation and therefore not yet available in the final version, so that the present infringement is still to be classified as minor with regard to its nature and gravity (Article 83 (2) (a) GDPR), and in particular only a slight degree of negligence at most is to be affirmed (Article 83 (2) (b) GDPR).

 

Marian Härtel
Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Tags: ChatComplianceData protection LawE‑mailEmailMailPrivacySicherheit

Weitere spannende Blogposts

More consumer protection when buying apps and software

More consumer protection when buying apps and software
7. November 2022

On November 3, 2020, the Federal Ministry of Justice and Consumer Protection presented drafts for the implementation of the Digital...

Read moreDetails

License agreements for software start-ups

License agreements for software start-ups: How to optimally protect your intellectual property
13. October 2024

For software start-ups, intellectual property is often the most valuable asset. The correct drafting of license agreements is therefore crucial...

Read moreDetails

Geoblocking Ordinance: Attention Warning Trap

Geoblocking Ordinance: Attention Warning Trap
3. December 2018

Complex Themam but relevant for game developers and many more The topic of geoblocking can be very complex in detail...

Read moreDetails

MiCar is partly there

a0f26104d9663e140f79896d2d5ee77a
4. July 2024

When the Markets in Crypto-Assets Regulation (MiCAR) comes into force on June 30, 2024, a new era for stablecoins in...

Read moreDetails

Let’s celebrate together 1000 articles full of expertise: IT Law, Blockchain, Privacy and more!

About lawyer Marian Härtel
7. April 2023

A significant milestone: 1000 articles I am pleased to announce that this blog now has a whopping 1000 articles on...

Read moreDetails

Optimized search and navigation: more content, better accessibility

Optimized search and navigation: more content, better accessibility
27. September 2024

This site has evolved over the years into a comprehensive resource for IT law, media law and related topics. It...

Read moreDetails

ChatGPT and lawyers: recordings of the Weblaw launch event

ChatGPT and lawyers: recordings of the Weblaw launch event
27. January 2023

The use of artificial intelligence in law is not new, and there are several useful application areas. In practice, relatively...

Read moreDetails

Data protection authority may ban operation of Facebook page

Facebook pages, data protection and August 1, 2019
12. September 2019

The Federal Administrative Court has ruled that the operator of a company page on Facebook may be obliged to shut...

Read moreDetails

Irish data protection authority fines Meta billions: A turning point for data protection in Europe?

District Court Frankfurt a.M. on the right to be forgotten
22. May 2023

Meta Ireland violates the GDPR: What the ruling of the Data Protection Commission means The recently concluded investigation by the...

Read moreDetails

Escape into default

26. June 2023

Introduction Flight by default is a term from German civil procedure law and refers to a tactical approach that can...

Read moreDetails
61a01a367632ed8b3400a0df83432980

Guarantee

10. November 2024
Sale-and-lease-back

Sale-and-lease-back

16. October 2024

Local court

25. June 2023
Why legal compliance will help your business succeed: A Competitive Advantage You Shouldn’t Ignore

Compliance

25. June 2023

Podcast Folgen

052c2ca5ca0421f0316b42073ce61791

Innovative business models – risk and opportunity at the same time

10. September 2024

In this exciting episode of our podcast, we take a deep dive into the world of innovative business models. Our...

c9c5d7fd380061a8018074c2ca5a81bf

Startups and innovation in Germany – challenges and opportunities

26. September 2024

This insightful podcast episode takes an in-depth look at the startup and innovation landscape in Germany and Europe. The discussion...

247f58c28882e230e982fa3a32d34dea

Digital sovereignty: Europe’s path to a self-determined digital future

8. December 2024

In this exciting episode of the itmedialaw.com podcast, we take a deep dive into the highly topical subject of digital...

7c0b449a651fe0b81e5eec2e23515012 2

Copyright in the digital age

15. January 2025

This insightful 20-minute podcast episode by and with me explores the complex topic of copyright in the digital age. The...

  • Privacy policy
  • Imprint
  • Contact
  • About lawyer Marian Härtel
Marian Härtel, Rathenaustr. 58a, 14612 Falkensee, info@itmedialaw.com

Marian Härtel - Rechtsanwalt für IT-Recht, Medienrecht und Startups, mit einem Fokus auf innovative Geschäftsmodelle, Games, KI und Finanzierungsberatung.

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
  • en English
  • de Deutsch
Kostenlose Kurzberatung