• Mehr als 3 Millionen Wörter Inhalt
  • |
  • info@itmedialaw.com
  • |
  • Tel: 03322 5078053
ITMediaLaw - Rechtsanwalt Marian Härtel
Warenkorb
Plugin Install : Cart Icon need WooCommerce plugin to be installed.
  • en English
  • de Deutsch
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Kurzberatung
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
ITMediaLaw - Rechtsanwalt Marian Härtel

ITMediaLaw - Rechtsanwalt Marian Härtel > Data protection Law > Can Mailchimp be used in a way that is permissible under data protection law?

Can Mailchimp be used in a way that is permissible under data protection law?

7. November 2022
in Data protection Law
Reading Time: 4 mins read
0 0
A A
0
dsgvo 3589608 1280
Key Facts
  • The BayLDA considers Mailchimp to be inadmissible if no additional data protection compliance measures are taken.
  • Transmission of e-mail addresses could be problematic under data protection law without further measures.
  • Mailchimp 's privacy policy does not mention complete encryption of user data.
  • The only encryption instructions are contained in "Data Export Conditions".
  • Mailchimp 's privacy policy does not offer sufficient protection from US authorities.
  • The BayLDA did not consider a fine to be necessary in this case.
  • The transmitted e-mail addresses are considered to be relatively insensitive data, which leads to lenient measures.

In line with my article today regarding Cloudflare(see here), due to a recent decision by the Bavarian State Office for Data Protection Supervision, I would also like to briefly highlight Mailchimp, which is almost omnipresent in the WordPress universe and is still used by many providers to send email newsletters.

In the opinion of the BayLDA, Mailchimp is at least unlawful if, as a user, one does not check whether, in addition to the EU standard data protection clauses (which were used), “additional measures” within the meaning of the ECJ decision “Schrems II” (ECJ, judgment of 16.7.2020, C-311/18) are necessary to make the transfer compliant with data protection, in particular because, in the opinion of the BayLDA, there are indications that Mailchimp may in principle be subject to data access by U.S. intelligence services on the basis of U.S. law FISA702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be permissible by taking such additional measures (if suitable).

After looking at Mailchimp’s privacy statement, there is nothing about encryption anywhere there. Even in the document that Mailchimp calls “GDPR compliance”, which is only available in German, there is nothing about encryption.

The only reference to encryption is a document called “Data Export Conditions”.

Mailchimp has, where and to the extent technically feasible, implemented encryption technologies across its infrastructure to help protect user data from unauthorized access when it’s processed internally by Mailchimp. For example, all Mailchimp production pages use transport layer security (TLS), a secure encryption protocol, and Mailchimp’s internal wireless network utilizes 128bit WPA2 encryption. Further, Mailchimp email (256bit), all VPN connections (256bit), and the internal chat application (256bit) are also encrypted. Login pages use TLS and have brute-force attack protection. This also applies to mobile Mailchimp applications and the Mailchimp API.

 

Translated then:

Mailchimp has implemented, where and to the extent technically feasible, encryption technologies throughout its infrastructure to protect User Data from unauthorized access when processed internally by Mailchimp. For example, all Mailchimp production pages use Transport Layer Security (TLS), a secure encryption protocol, and Mailchimp’s internal wireless network uses 128bit WPA2 encryption. In addition, Mailchimp emails (256bit), all VPN connections (256bit) and the internal chat application (256bit) are also encrypted. Login pages use TLS and have protection against brute force attacks. This also applies to Mailchimp mobile apps and the Mailchimp API.

 

When you get right down to it, this is probably not a sufficient assurance that user data is fully encrypted, even from access by Mailchimp itself. Rather, Mailchimp limits that data would be protected from “unauthorized access.” However, access by US authorities, for example, would precisely NOT be unauthorized.

The magazine affected by the aforementioned proceedings at the BayLDA only escaped a fine due to an appropriateness consideration.

The BayLDA on this:

Supervisory measures going beyond this determination of the inadmissibility of the above-mentioned data transfers pursuant to Art. 58 Par. 2 DSGVO, we do not consider it necessary in the specific case at hand by way of a discretionary decision. We have made it clear to the company that the above-mentioned transmission of your e-mail address was not permitted under data protection law. We do not consider it necessary to impose a fine, as you have requested. In this respect, we hereby inform you that, in our opinion, a data subject has no legal entitlement to the imposition of a fine in the event of a data protection violation, and in our opinion, no entitlement to a discretionary decision on punishment with a fine.
For unlike some other of the provisions of Art. 58 para. 2 GDPR (such as the power to instruct the controller to comply with requests from the data subject to exercise his or her rights (Article 58(2)(c) GDPR), the power to impose a fine under Article 83 GDPR (Article 58(2)(i) GDPR) does not serve to safeguard the rights and freedoms of a data subject, but the public interest in the enforcement of the law. Consequently, a data subject has no subjective right against the data protection supervisory authorities to decide on the imposition of a fine pursuant to Art. 58 para. 2 letter i DSGVO to. However, even if one were to recognize such a subjective right of a person concerned, there would be no claim on your part to imposition of a fine against XXXX given. Taking into account the relevant factors listed in Article 83 of the GDPR that play a role in this decision, it is within the scope of discretion to refrain from imposing a fine in this case. This is particularly the case because only a few cases of unauthorized data were transmitted in the present case, and secondly because the data involved – in the form of e-mail addresses – is still relatively manageable in terms of its sensitivity; the latter alone would not be sufficient to justify a waiver of the fine. As a result, however, the waiver of the fine is free of discretionary error in the present case, particularly against the background that the above-mentioned Recommendations of the European Data Protection Board are declared to be still in a public consultation and therefore not yet available in the final version, so that the present infringement is still to be classified as minor with regard to its nature and gravity (Article 83 (2) (a) GDPR), and in particular only a slight degree of negligence at most is to be affirmed (Article 83 (2) (b) GDPR).

 

Tags: ChatComplianceData protection LawE‑mailEmailMailPrivacySicherheit

Weitere spannende Blogposts

Cloud contracts for start-ups

Cloud contracts for start-ups: legally compliant drafting of SLAs and data protection agreements
16. October 2024

For start-ups, cloud services offer enormous advantages in terms of scalability, cost efficiency and flexibility. However, the use of cloud...

Read moreDetails

Cryptowinter 2023: A turning point for blockchain technology in 2024?

Cryptowinter 2023: A turning point for blockchain technology in 2024?
22. December 2023

The shift in focus: from coins to real technology Due to my recently published article on Suno.ai and my involvement...

Read moreDetails

ECJ: Amazon doesn’t have to offer users a phone number

Working abroad in the EU? Do not forget A1 certificate!
28. February 2019

The Federal Association of Consumer Centres and Consumer Associations, Consumer Association of the German Federal Association of Consumers, sued Amazon...

Read moreDetails

Information requirements for SaaS providers: Blockchain and AI in a legal context

informationspflichten fuer saas anbieter blockchain und ki im rechtlichen kontext
13. August 2023

Competition law Competition law, a fundamental pillar of economic law, was created to ensure balanced and fair competition between market...

Read moreDetails

Contracts for startups

Contracts for startups
1. October 2024

As an experienced lawyer for start-ups, I have seen time and again how crucial professional contracts are for the long-term...

Read moreDetails

Bootcamps and talent promotion in esport? Player sale possible?

Bootcamps and talent promotion in esport? Player sale possible?
18. June 2019

A few months ago I published an article on the subject of transfer fees in esport. In the meantime, when...

Read moreDetails

DSGVO, data protection and data scraping: Case analysis LG Offenburg and Facebook

DSGVO, data protection and data scraping: Case analysis LG Offenburg and Facebook
23. May 2023

Introduction In the era of digital advancement, data scraping is a widespread practice that raises privacy concerns. But what exactly...

Read moreDetails

Trade Secrets Protection Act in April

Trade Secrets Protection Act in April
7. November 2022

With a 10-month delay, Directive (EU) 2016/943 on the protection of confidential know-how and confidential business information against unlawful acquisition,...

Read moreDetails

Withholding tax and advertising: some more info!

Tax treatment of Upwork in Germany?
7. November 2022

The issue of withholding tax when booking advertising on the Internet, especially on Google, has been boiling up quite a...

Read moreDetails
IT project contract

IT project contract

16. October 2024

An IT project contract is a legal agreement between an IT service provider and a client regarding the implementation of...

Read moreDetails
Step action

Counterclaim

24. June 2023
lizenzvertrag

Contract for work

26. June 2023
Corporate income tax

Corporate income tax

16. October 2024
Security token

Security token

2. July 2023

Podcast Folgen

Legal challenges in the gaming universe: A guide for developers, esports professionals and gamers

What will 2025 bring for start-ups in legal terms? Opportunities? Risks?

24. January 2025

In this exciting episode of the itmedialaw podcast, we take a deep dive into the legal developments that will shape...

238a909c26a0302cbd4792cbd18e4922

Global challenges for start-ups – A legal guide

10. October 2024

This informative podcast offers a comprehensive insight into the legal challenges faced by start-ups when expanding internationally. The experienced lawyer...

Looking to the future: How technology is changing the law

Looking to the future: How technology is changing the law

18. February 2025

In the final episode of the first season of the ITmedialaw.com podcast, we take a look at the future of...

c9c5d7fd380061a8018074c2ca5a81bf

Startups and innovation in Germany – challenges and opportunities

26. September 2024

This insightful podcast episode takes an in-depth look at the startup and innovation landscape in Germany and Europe. The discussion...

  • Privacy policy
  • Imprint
  • Contact
  • About lawyer Marian Härtel
Marian Härtel, Rathenaustr. 58a, 14612 Falkensee, info@itmedialaw.com

Marian Härtel - Rechtsanwalt für IT-Recht, Medienrecht und Startups, mit einem Fokus auf innovative Geschäftsmodelle, Games, KI und Finanzierungsberatung.

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
  • en English
  • de Deutsch
Kostenlose Kurzberatung