Rechtsanwalt Marian Härtel - ITMediaLaw
Can Mailchimp be used in a way that is permissible under data protection law?

7. November 2022
in Data protection Law
Reading Time: 4 mins read
Key Facts
  • The BayLDA considers the use of Mailchimp inadmissible unless additional data protection measures are taken.
  • Transferring e-mail addresses to Mailchimp could be problematic under data protection law without further measures.
  • Mailchimp's privacy policy says nothing about complete encryption of user data.
  • The only statements on encryption are contained in the "Data Export Conditions".
  • Mailchimp's assurances do not offer sufficient protection against access by US authorities.
  • The BayLDA did not consider a fine to be necessary in this case.
  • The transmitted e-mail addresses are regarded as relatively insensitive data, which led to lenient measures.

In line with my article today on Cloudflare (see here), and prompted by a recent decision of the Bavarian State Office for Data Protection Supervision (BayLDA), I would also like to briefly look at Mailchimp, which is almost omnipresent in the WordPress universe and is still used by many providers to send e-mail newsletters.

In the BayLDA's view, the use of Mailchimp is unlawful at least where the user does not check whether, in addition to the EU standard data protection clauses (which were in place), "additional measures" within the meaning of the ECJ's "Schrems II" decision (ECJ, judgment of 16 July 2020, C-311/18) are necessary to make the transfer compliant with data protection law. The BayLDA sees indications that Mailchimp, as a possible so-called Electronic Communications Service Provider, may in principle be subject to data access by US intelligence services under the US law FISA 702 (50 U.S.C. § 1881). The transfer could therefore only be permissible if such additional measures are taken (and if suitable ones exist at all).

Looking at Mailchimp's privacy statement, there is nothing about encryption anywhere in it. Even the document that Mailchimp calls "GDPR compliance", which is only available in German, says nothing about encryption.

The only reference to encryption is in a document called "Data Export Conditions":

Mailchimp has, where and to the extent technically feasible, implemented encryption technologies across its infrastructure to help protect user data from unauthorized access when it’s processed internally by Mailchimp. For example, all Mailchimp production pages use transport layer security (TLS), a secure encryption protocol, and Mailchimp’s internal wireless network utilizes 128bit WPA2 encryption. Further, Mailchimp email (256bit), all VPN connections (256bit), and the internal chat application (256bit) are also encrypted. Login pages use TLS and have brute-force attack protection. This also applies to mobile Mailchimp applications and the Mailchimp API.


On close reading, this is probably not a sufficient assurance that user data is fully encrypted, even against access by Mailchimp itself. Mailchimp only commits to protecting data from "unauthorized access", and access by US authorities under a lawful order would precisely NOT be unauthorized. Moreover, the measures listed (TLS for pages, login, apps and API; WPA2 on the internal wireless network; encrypted VPN, e-mail and chat) all concern data in transit or Mailchimp's internal network. None of them says that stored user data is encrypted with keys that Mailchimp itself cannot use, which is what an "additional measure" in the sense of Schrems II would have to guarantee if it is to block compelled disclosure.

The magazine affected by the BayLDA proceedings mentioned above escaped a fine only because of a proportionality assessment.

The BayLDA on this:

We do not consider supervisory measures going beyond this determination of the inadmissibility of the above-mentioned data transfers pursuant to Art. 58 para. 2 GDPR to be necessary in the specific case at hand, by way of a discretionary decision. We have made it clear to the company that the above-mentioned transmission of your e-mail address was not permissible under data protection law. We do not consider it necessary to impose a fine, as you have requested. In this respect, we hereby inform you that, in our opinion, a data subject has no legal entitlement to the imposition of a fine in the event of a data protection violation, and, in our opinion, no entitlement to a discretionary decision on punishment with a fine.
For unlike some of the other provisions of Art. 58 para. 2 GDPR (such as the power to order the controller to comply with the data subject's requests to exercise his or her rights, Art. 58 para. 2 lit. c GDPR), the power to impose a fine under Art. 83 GDPR (Art. 58 para. 2 lit. i GDPR) does not serve to safeguard the rights and freedoms of a data subject, but the public interest in the enforcement of the law. Consequently, a data subject has no subjective right against the data protection supervisory authorities to a decision on the imposition of a fine pursuant to Art. 58 para. 2 lit. i GDPR. However, even if one were to recognise such a subjective right of a data subject, you would have no claim to the imposition of a fine against XXXX. Taking into account the relevant factors listed in Art. 83 GDPR that play a role in this decision, it is within the scope of discretion to refrain from imposing a fine in this case. This is the case firstly because only a few instances of unauthorised data transmission occurred in the present case, and secondly because the data involved, in the form of e-mail addresses, is still relatively manageable in terms of its sensitivity; the latter alone would not be sufficient to justify waiving the fine. As a result, however, the waiver of the fine is free of discretionary error in the present case, particularly against the background that the above-mentioned Recommendations of the European Data Protection Board were still in public consultation and therefore not yet available in their final version, so that the present infringement is still to be classified as minor with regard to its nature and gravity (Art. 83 para. 2 lit. a GDPR), and in particular at most a slight degree of negligence is to be affirmed (Art. 83 para. 2 lit. b GDPR).

Author: Marian Härtel

Marian Härtel is a lawyer and certified specialist in IT law with more than 25 years of experience as an entrepreneur and advisor in the fields of games, esports, blockchain, SaaS and artificial intelligence. Besides IT law, his advisory focus is on copyright, media law and competition law. He primarily supports start-ups, agencies and influencers, advising them on strategic questions, complex contractual matters and investment projects. His advice is characterised by an interdisciplinary approach that combines legal expertise with many years of entrepreneurial experience. The aim of his work is always to offer clients practical solutions and legally sound support in implementing innovative business models.

Tags: Chat, Compliance, Data protection Law, E-mail, Email, Mail, Privacy, Security
