Again and again you see pages or companies that make certain goodies, such as a download of something, dependent on the user signing up for a newsletter, for example. But is that permissible?
The user is thus forced to pay with the consent to the use of his personal data for advertising purposes.
However, this is quite problematic, because the GDPR has codified a so-called ban on coupling. This was already in place in the days of the Federal Data Protection Act. However, it has been tightened up by the GDPR. And the corresponding norm is quite unfortunate formulated.
Currently, Article 7 paragraph 4 GDPR applies:
In assessing whether consent has been given voluntarily, account must be taken as far as possible of whether, inter alia, the performance of a contract, including the provision of a service, is the consent to a contract. processing of personal data that are not necessary for the performance of the contract.
This means that a link, if any, is only possible if data collection, data storage and data processing are absolutely necessary for the fulfilment of the basic contract. What may still be the case with the address for a DHL delivery is certainly not given in advertising emails.
The recital in the preamble to the standard sheds some light on the matter:
Consent is not deemed to have been given voluntarily if consent cannot be given separately for different processing operations of personal data, although this is appropriate in individual cases, or if the performance of a contract, including the provision of a service, is dependent on consent, although this consent is not necessary for performance.
Registration for an advertising newsletter, for example as part of an ordering process, would therefore not be “voluntary”. In this case, therefore, care must be taken to ensure that the ordering process is formulated in a clean manner, so that the user/purchaser always only voluntarily provides his/her data and does not feel compelled to do so in order to be able to complete the order or to provide an advantage on the page. to receive. So while there is a large grey area here, complete connections are certainly not allowed. A “Give us your emails and you get access to our infovideo/download/PDF” is not allowed. This can only be considered admissible if an entire contract is available, for example because the download is possible via subscription and the data is required for billing purposes or if the registration is made for a community within the scope of which “registered” Users have advantages, such as downloading certain documents. Unfortunately, we can quickly get into a liability trap here, which would also be possible in case of doubt.
Data protection authorities also probably agree that the GDPR did not want to make “payment with data” impossible in principle. On the contrary. However, the concrete implementation must meet the new requirements for voluntary, informed and will-activation, which is why details can be important.
