• Mehr als 3 Millionen Wörter Inhalt
  • |
  • info@itmedialaw.com
  • |
  • Tel: 03322 5078053
Rechtsanwalt Marian Härtel - ITMediaLaw

No products in the cart.

  • en English
  • de Deutsch
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Kurzberatung
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Rechtsanwalt Marian Härtel - ITMediaLaw

Can Mailchimp be used in a way that is permissible under data protection law?

7. November 2022
in Data protection Law
Reading Time: 4 mins read
0 0
A A
0
dsgvo 3589608 1280
Key Facts
  • The BayLDA considers Mailchimp to be inadmissible if no additional data protection compliance measures are taken.
  • Transmission of e-mail addresses could be problematic under data protection law without further measures.
  • Mailchimp 's privacy policy does not mention complete encryption of user data.
  • The only encryption instructions are contained in "Data Export Conditions".
  • Mailchimp 's privacy policy does not offer sufficient protection from US authorities.
  • The BayLDA did not consider a fine to be necessary in this case.
  • The transmitted e-mail addresses are considered to be relatively insensitive data, which leads to lenient measures.

In line with my article today regarding Cloudflare(see here), due to a recent decision by the Bavarian State Office for Data Protection Supervision, I would also like to briefly highlight Mailchimp, which is almost omnipresent in the WordPress universe and is still used by many providers to send email newsletters.

In the opinion of the BayLDA, Mailchimp is at least unlawful if, as a user, one does not check whether, in addition to the EU standard data protection clauses (which were used), “additional measures” within the meaning of the ECJ decision “Schrems II” (ECJ, judgment of 16.7.2020, C-311/18) are necessary to make the transfer compliant with data protection, in particular because, in the opinion of the BayLDA, there are indications that Mailchimp may in principle be subject to data access by U.S. intelligence services on the basis of U.S. law FISA702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be permissible by taking such additional measures (if suitable).

After looking at Mailchimp’s privacy statement, there is nothing about encryption anywhere there. Even in the document that Mailchimp calls “GDPR compliance”, which is only available in German, there is nothing about encryption.

The only reference to encryption is a document called “Data Export Conditions”.

Mailchimp has, where and to the extent technically feasible, implemented encryption technologies across its infrastructure to help protect user data from unauthorized access when it’s processed internally by Mailchimp. For example, all Mailchimp production pages use transport layer security (TLS), a secure encryption protocol, and Mailchimp’s internal wireless network utilizes 128bit WPA2 encryption. Further, Mailchimp email (256bit), all VPN connections (256bit), and the internal chat application (256bit) are also encrypted. Login pages use TLS and have brute-force attack protection. This also applies to mobile Mailchimp applications and the Mailchimp API.

 

Translated then:

Mailchimp has implemented, where and to the extent technically feasible, encryption technologies throughout its infrastructure to protect User Data from unauthorized access when processed internally by Mailchimp. For example, all Mailchimp production pages use Transport Layer Security (TLS), a secure encryption protocol, and Mailchimp’s internal wireless network uses 128bit WPA2 encryption. In addition, Mailchimp emails (256bit), all VPN connections (256bit) and the internal chat application (256bit) are also encrypted. Login pages use TLS and have protection against brute force attacks. This also applies to Mailchimp mobile apps and the Mailchimp API.

 

When you get right down to it, this is probably not a sufficient assurance that user data is fully encrypted, even from access by Mailchimp itself. Rather, Mailchimp limits that data would be protected from “unauthorized access.” However, access by US authorities, for example, would precisely NOT be unauthorized.

The magazine affected by the aforementioned proceedings at the BayLDA only escaped a fine due to an appropriateness consideration.

The BayLDA on this:

Supervisory measures going beyond this determination of the inadmissibility of the above-mentioned data transfers pursuant to Art. 58 Par. 2 DSGVO, we do not consider it necessary in the specific case at hand by way of a discretionary decision. We have made it clear to the company that the above-mentioned transmission of your e-mail address was not permitted under data protection law. We do not consider it necessary to impose a fine, as you have requested. In this respect, we hereby inform you that, in our opinion, a data subject has no legal entitlement to the imposition of a fine in the event of a data protection violation, and in our opinion, no entitlement to a discretionary decision on punishment with a fine.
For unlike some other of the provisions of Art. 58 para. 2 GDPR (such as the power to instruct the controller to comply with requests from the data subject to exercise his or her rights (Article 58(2)(c) GDPR), the power to impose a fine under Article 83 GDPR (Article 58(2)(i) GDPR) does not serve to safeguard the rights and freedoms of a data subject, but the public interest in the enforcement of the law. Consequently, a data subject has no subjective right against the data protection supervisory authorities to decide on the imposition of a fine pursuant to Art. 58 para. 2 letter i DSGVO to. However, even if one were to recognize such a subjective right of a person concerned, there would be no claim on your part to imposition of a fine against XXXX given. Taking into account the relevant factors listed in Article 83 of the GDPR that play a role in this decision, it is within the scope of discretion to refrain from imposing a fine in this case. This is particularly the case because only a few cases of unauthorized data were transmitted in the present case, and secondly because the data involved – in the form of e-mail addresses – is still relatively manageable in terms of its sensitivity; the latter alone would not be sufficient to justify a waiver of the fine. As a result, however, the waiver of the fine is free of discretionary error in the present case, particularly against the background that the above-mentioned Recommendations of the European Data Protection Board are declared to be still in a public consultation and therefore not yet available in the final version, so that the present infringement is still to be classified as minor with regard to its nature and gravity (Article 83 (2) (a) GDPR), and in particular only a slight degree of negligence at most is to be affirmed (Article 83 (2) (b) GDPR).

 

Marian Härtel
Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Tags: ChatComplianceData protection LawE‑mailEmailMailPrivacySicherheit

Weitere spannende Blogposts

Artificial intelligence in esports: legal challenges and solutions for fan engagement, game improvement and sponsorship.

Artificial intelligence in esports: legal challenges and solutions for fan engagement, game improvement and sponsorship.
9. June 2023

Introduction The rapid development of artificial intelligence (AI) is having a profound impact on various industries, and esports is no...

Read moreDetails

Court proceedings via Skype

Court proceedings via Skype
7. November 2022

As a lawyer with a strong affinity for IT law, I now try to run my practice with as little...

Read moreDetails

Advertising labeling for influencers soon only with real consideration?

Advertising labeling for influencers soon only with real consideration?
7. November 2022

One of the biggest topics here on the blog is certainly the question of when influencers, streamers, etc. have to...

Read moreDetails

10 aspects computer game developers should look for in a publishing contract

judge plays videogames in his spare time
27. July 2023

A publishing contract can be the turning point in any game developer's career, contributing to the growth and success of...

Read moreDetails

LG Köln confirms previous influencer case law

Legal form as an influencer? A few hints!
17. October 2019

In a recent ruling, the Regional Court of Cologne has endorsed the hitherto very critical influencer case law and once...

Read moreDetails

Debcon – the fax garbage probably starts again

File sharing and instruction by parents
7. November 2022

Debcon is a red rag for numerous IT lawyers who also handle file-sharing cease-and-desist letters. The reason for this is...

Read moreDetails

Legal aspects of the use of AI in marketing

Legal aspects of the use of AI in marketing
11. August 2023

In recent years, artificial intelligence (AI) has emerged as a transformative technology across numerous industries, with the marketing sector standing...

Read moreDetails

Facebook: New rulings on deletion claims

Facebook: New rulings on deletion claims
7. November 2022

Recently, there have been some decisions on deletion claims against Facebook, which I would like to present here. Amount in...

Read moreDetails

When is an email “received” in a business environment?

When is an email “received” in a business environment?
7. November 2022

The legal term "access" is relevant to numerous legal issues. When exactly this is the case, however, can be disputed...

Read moreDetails
Contractual regulations for no-code/low-code software development
Other

Contractual regulations for no-code/low-code software development

21. May 2025

No-code and low-code platforms enable rapid software development without extensive manual programming. Applications are increasingly being developed on the basis...

Read moreDetails
Erotic content on OnlyFans: Copyright and personality rights protection for creators

Erotic content on OnlyFans: Copyright and personality rights protection for creators

20. May 2025
Goodbye hustle culture? Startup life between 24/7 grind and work-life balance

Goodbye hustle culture? Startup life between 24/7 grind and work-life balance

19. May 2025
Startup buzzwords 2025: Bullshit bingo in marketing German Introduction: Bullshit bingo in marketing German

Startup buzzwords 2025: Bullshit bingo in marketing German Introduction: Bullshit bingo in marketing German

18. May 2025
From the metaverse boom to AI euphoria – a tech lawyer in the hype cycle

From the metaverse boom to AI euphoria – a tech lawyer in the hype cycle

17. May 2025

Podcastfolge

d00527fd01b1f807a4f80c0f202069e7

Legal basics for startup founders – how to start on the safe side!

9. November 2024

In this episode of the Itmedialaw podcast, lawyer and entrepreneur Marian Härtel takes you on a journey through the legal...

Read moreDetails
da884f9e2769f2f96d6b74255be62c27

The role of the IT lawyer

5. September 2024
86fe194b0c4a43e7aef2a4773b88c2c4

On the dark side? A lawyer in the field of tension of innovative start-ups

26. September 2024
4f3597d5481e0f38e37bf80eaad208c7

The IT Media Law Podcast. Episode No. 1: What is this actually about?

26. August 2024
8ffe8f2a4228de20d20238899b3d922e

Web3, blockchain and law – a critical review

26. September 2024

Video

My transparent billing

My transparent billing

10. February 2025

In this video, I talk a bit about transparent billing and how I communicate what it costs to work with...

Read moreDetails
Fascination between law and technology

Fascination between law and technology

10. February 2025
My two biggest challenges are?

My two biggest challenges are?

10. February 2025
What really makes me happy

What really makes me happy

10. February 2025
What I love about my job!

What I love about my job!

10. February 2025
  • Privacy policy
  • Imprint
  • Contact
  • About lawyer Marian Härtel
Marian Härtel, Rathenaustr. 58a, 14612 Falkensee, info@itmedialaw.com

Marian Härtel - Rechtsanwalt für IT-Recht, Medienrecht und Startups, mit einem Fokus auf innovative Geschäftsmodelle, Games, KI und Finanzierungsberatung.

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
  • en English
  • de Deutsch
Kostenlose Kurzberatung