6. Special aspects in other countries
6.1 Scope of application of the GDPR
According to Art. 3 of the General Data Protection Regulation (GDPR), the GDPR applies to all companies that have their registered office in what is known as the European Economic Area (EEA). In addition to the EU Member States, the EEA also includes Norway, Iceland and Liechtenstein. Furthermore, the GDPR applies to companies that specifically target the European market with their offers, even if they are not based in Europe. Accordingly, the processing of personal data in connection with the sending of a newsletter – which essentially involves the use of the data subjects’ email addresses – must (also) be measured against the conditions of the GDPR.
The legal basis for sending marketing emails are points (a) and (f) of Art. 6 of the GDPR.
Consent pursuant to Art. 6(a) in conjunction with Art. 7 of the GDPR represents the standard means of justification for the delivery of newsletters. It is also usually used for this purpose by most companies. The requirements for consent have already been described in detail in Chapter 2.
In the context of complaint management under the CSA, the eco Complaints Office is frequently faced with cases where senders claim that the sending of commercial emails was based on the existence of legitimate interests under Art. 6(f) of the GDPR.
Is the existence of a legitimate interest sufficient for the sending of commercial mailings?
No, it is not sufficient! The so-called ePrivacy Directive (Data Protection Directive for Electronic Communications 2002/58/EC of the European Parliament and of the Council of 12 July 2002) and its national transpositions take precedence. The ePrivacy Directive stipulates that, according to Art. 13, either consent must be granted or the advertising email must be sent under the strict conditions of an existing customer relationship. Legitimate interest alone is not sufficient, not even in the context of a customer relationship.
This directive is concretised by the national laws: for example, in Germany, this relates to the regulations of Section 7 of the German Act against Unfair Competition (UWG). In addition, national case law has developed criteria for the aforementioned requirements that a sender should take into account, with the sender having to provide corresponding evidence.
Without the existence of consent within the meaning of the GDPR, the following conditions would, therefore, have to be met:
- An existing customer relationship
- Advertising for a company’s own similar products or services
- The customer must be clearly and unambiguously given the opportunity to reject such use free of charge and without difficulty, and
- The client has not rejected this use from the outset
The exact details are described in Chapter 2.5 for the German legal situation. The ePrivacy Directive has to be transposed in all European countries so that the same regulations exist across the EEA.
As a sender of commercial emails, it is not sufficient to invoke the existence of legitimate interest to use personal data in email marketing. Due to the ePrivacy Directive, these rules always apply to the marketplace, independently of the country of origin.
The sender who can rely on consent or – on an exceptional basis – on an existing customer relationship is therefore legally secure.
This is also in line with the requirements of the CSA, which in its criteria explicitly stipulates the existence of one of these two options for certified senders.
6.2.1 Email marketing in Austria and the GDPR
In Austria, the regulations on email marketing in the Austrian Telecommunications Act (TKG 2021) or the Austrian Data Protection Directive for Electronic Communications (DSG) generally take precedence over the provisions of the Austrian Data Protection Act (DSG) and the General Data Protection Regulation (GDPR) as a “lex specialis”. This means, for example, that the permissibility of contacting someone for advertising purposes must be assessed according to the provisions of the TKG 2021 and not exclusively according to Art. 6 of the GDPR.
However, the Austrian Data Protection Authority (DPA) has ruled that, in certain cases, a breach of the provisions on email marketing in the TKG 2021 may also constitute a breach of the “right to confidentiality” under Art. 1(1) DSG and a breach of provisions of the GDPR (DPA of 07.03.2019, DSB-D130.033/0003-DSB/2019). Accordingly, the advertised person’s right to confidentiality pursuant to Art. 1(1) of the DPA may be violated if the consent does not comply with the requirements of Art. 4(11) of the GDPR (see below). In this case, the data subjects also have the right to lodge a data protection complaint pursuant to Art. 77 (1) GDPR.
The permissibility of a contact for email advertising is governed by the TKG 2021. However, the provisions of the GDPR are applicable in email marketing where the specific provisions of the TKG 2021 do not take precedence, such as when assessing the legality of consent for data processing.
6.2.2 The legal framework in Austria
The legal framework for email marketing in Austria remains fragmented even after the entry into force of the GDPR, the amendment to the Austrian Data Protection Act (DSG), and the recently enacted amendment to the Austrian Telecommunications Act (TKG 2021).
The regulations for email marketing are still part of Austrian telecommunications law and have been regulated in the new TKG 2021 (formerly TKG 2003) since November 2021. Within the framework of the associated “special data protection law”, the central provision for email marketing in Austria can be found in the 14th section of the TKG 2021 in Art. 174 TKG 2021 under the heading of “Unsolicited communications”.
More precisely, the central provisions for email marketing are found in Art. 174 Para. 3 to Para. 6 TKG 2021. These provisions pertain to emails sent to consumers (B2C) and to businesses (B2B).
The (new) TKG regulations on email marketing have been in force and in effect – without transitional provisions – since 01.11.2021 and remain unchanged in terms of content.
In the explanatory remarks to the draft legislation of the TKG 2021 (also referred to as legislative materials – reflecting the legislator’s ideas) there are no statements whatsoever on the new Art. 174 TKG 2021, so that it can be assumed that the legislator wanted to maintain the previous regulations on Art. 107 TKG 2003. It can be concluded that the existing case law on Art. 107 TKG 2003 can also be applied to the current legal situation.
In Austria, the new Austrian Telecommunications Act 2021 (TKG 2021) has been in force since 01.11.2021. The provisions on email marketing remain unchanged.
6.2.3 Scope of application
Whether the Austrian provisions on email marketing are applicable or not is to be determined according to what can be termed as a “recipient country principle”. The recipient country principle means that the applicable law is that to which the recipient of the email is always subject. This “crime scene fiction” is regulated in Austria in Art. 174(6) TKG 2021. An offence committed abroad is therefore punishable at the place where the message reaches the subscriber’s connection. According to the case law of the highest courts, it is not the server location that matters, but the respective end device where the prohibited effect occurs (Austrian Administrative Court (VwGH), 19.12.2013, 2012/03/0052).
The provisions of the Austrian Telecommunications Act 2021 (TKG 2021) on unsolicited messages apply when the message reaches an end device in Austria (“recipient country principle”), regardless of the country and server location from which the message was sent.
6.2.4 Permissibility of email marketing – consent
The provision of Art. 174 (3) TKG 2021 basically provides for an “opt-in” procedure for the permissibility of email marketing. This means that email marketing is generally only permitted if the addressee has given their prior consent.
Specifically, according to Art. 174(3) TKG 2021, the consent of the addressee of the email for the sending of an “electronic mail” is then required “if the sending is for the purposes of direct marketing”.
What is meant by “electronic mail” is defined in Art. 2(h) of the EU Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (“Directive on privacy and electronic communications”) and, to the same effect, by Art. 160 (3)(13) TKG 2021. The provisions of the Austrian Telecommunications Act 2021 (TKG 2021) are based on the designated EU Directive and transpose its regulations into national law.
Accordingly, “electronic mail” means “any text, voice, audio or image message sent over a public communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient”.
In accordance with the EU Directive (see 40th recital), the Austrian regulation in Art. 174 (3) TKG 2021 also explicitly includes the sending of text messages/SMS.
However, according to the broad definition of the EU Directive and the TKG 2021, “electronic mail” also includes MMS as well as messages within the scope of messenger services, social networks or online platforms.
The term “direct marketing” is neither defined in the ePrivacy Directive nor in Austrian law. Therefore, reference must be made here to the legal materials on the one hand and to the interpretations and principles of interpretation developed by the highest courts on the other. A first orientation is provided by the EU Directive concerning misleading and comparative advertising, which, among other factors, defines the term “advertising” (Directive 2006/114/EC of 12 December 2006). According to this Directive, advertising generally means the promotion of goods and products (see Art. 2 of the Directive).
A broad interpretation of the term “direct advertising” was already stipulated by the legislative material in the TKG 2003, which defines this term as referring to any content which promotes a specific product, but also a specific idea, including specific political issues or the delivery of associated arguments. Furthermore, the legislator’s ideas state that the term “direct advertising” is to be seen in the light of practical experience and needs and is, therefore, to be broadly interpreted.
This broad understanding of the term by the legislator has been further developed by the Austrian Supreme Court (OGH) and the Austrian Administrative Court (VwGH), which have repeatedly taken the view – based on the legislative material – that the term “direct advertising” also includes any measure that serves the purpose of drawing attention to a specific need and the possibility of its fulfilment, while even the suggestion to make use of certain services can also be subject to this term. The format of a newsletter or information mail does not affect the qualification as advertising (Supreme Court of 30 September 2009, 7 Ob168/09w; Administrative Court of 19 December 2013; 2011/03/0198). Consequently, according to the case law of the two highest courts, direct advertising is present – regardless of the name and design of the email message – if the purpose of the sender is to promote sales.
The understanding of the term “direct advertising” must therefore be interpreted dynamically and always considered in each individual case “in the light of the experience and needs of the practice”. It must also not be evaluated in a purely formal manner according to the external presentation, but rather according to the purpose and content, which must serve to promote sales individually or jointly. Accordingly, an email with which consent to email marketing is to be obtained is itself to be understood as “direct advertising” and therefore requires consent in advance, unless this email message is used exclusively to authenticate recipients (Administrative Court of 26 June 2013, 2012/03/0089; see further detail below).
Consent as the central connecting criterion of Article 174 TKG 2021
The consent required in Art. 174 (3) TKG 2021 implements the so-called “opt-in” principle. The consent must be obtained before the email is sent.
There are no further formal provisions for consent in the TKG 2021. The GDPR must apply for the purposes of a systematic interpretation. This also means that consent pursuant to Art. 174 TKG 2021 must be given in accordance with Art. 4(11) GDPR on the following basis:
- freely given,
- for the particular case,
- in an informed manner, and
and may be revoked at any time.
Of particular relevance in this context are the following exemplary constellations:
- The registration to receive electronic information must be freely given from the outset and must not be a mandatory condition –g., in connection with a product purchase. Otherwise, the requirement of voluntary action would not be met, and the consent would be invalid.In this constellation, if the consent to process non-contractual personal data is “coupled” with the conclusion of a contract, the prohibition of coupling under data protection law in Art. 7(4) of the GDPR must be observed.
- The notice must relate to the receipt of electronic information from a specific sender and/or several specific If it is not clear to the recipient from the outset from which company or companies he/she is to receive advertising from, he/she cannot realise the implications of his/her decision. He/She would thus be unaware of the full and true facts and his/her consent would therefore be invalid.
The burden of proof for the existence of consent of the recipient lies with the sender of the email.
For this reason, the “double opt-in procedure” has established itself as the standard procedure for email marketing in Austria. This is generally understood to mean obtaining the consent of a recipient in a two-stage system. This involves a registration for the receipt of electronic information – for example, on the provider’s website – followed by an individual message sent to the specified email address confirming that registration has taken place for this email address. The sending of advertising messages can only take place after a response to this individual email, which confirms the registration or a comparable reaction (e.g., by clicking on a link in the email).
The confirmation or reaction by the recipient is ultimately decisive and constitutes the documented proof of consent for the subsequent sending of email advertising.
In this context, it is important that the transferred email message serves exclusively to authenticate the given email address and is not already directed towards the sale of services of the provider.
The term “direct advertising” has a very broad meaning in Austria (in line with the EU Directive 2006/114/EC) and is always the case if an email serves to promote sales. The sending of advertising emails is generally only permitted with the consent of the recipient. To obtain consent, the requirements of the GDPR must be observed so that the consent is given for the specific case on a voluntary basis, as well as in an informed and unambiguous manner, and can be revoked at any time. The consent of the recipient must be documented by the advertiser. Therefore, the “double-opt-in” method has become established in Austria, in which recipients confirm their consent to the application once again in an authentication email.
6.2.5 Exceptions to consent – Existing customer relationships
The exception to the requirement to obtain consent for email marketing is regulated in Art. 174(4) TKG 2021 and relates to direct advertising in connection with existing customer relationships. According to this provision, prior consent to email marketing is not necessary, but the customer has the right to reject email advertising (“opt-out”).
Electronic advertising without consent is permitted under cumulative compliance with the following conditions:
- Collection of the recipient’s email address in connection with the sale of a good or service, and
- At the time of collecting the sender’s email address and at the time of each of the subsequent mailings, granting the recipient a clear and unambiguous right to reject advertising free of charge and without difficulty; and
- Email advertising to be used exclusively for one’s own similar products or services, and
- Checking the so-called “Robinson list” or the “ECG list” maintained by the Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR-GmbH), to determine whether the recipient may not be registered.
All of the above conditions must be complied with simultaneously in order to permissibly conduct email marketing without consent.
In this context, the condition of advertising “one’s own similar products or services” needs to be dealt with in greater depth. What exactly is to be understood by this is dealt with differently in Austrian texts. In any case, the concrete content of the advertising emails is decisive, and each individual case must be examined in detail.
If the email address of the recipient was obtained, for example, in connection with a seminar, the subsequent emails should at any rate contain information on further upcoming seminars or new information on the content of seminars that have been held. An advertisement for a product of the advertiser who, in addition to seminars, also sells products that have no connection with the seminars and the seminar content would, in our view, no longer be classified as “one’s own similar product” or “one’s own similar service” and should therefore not be advertised by email without the customer’s consent.
In our opinion, a good and reliable approach to interpreting the element of “one’s own similar products or services” is to consider the perspective of the recipients concerning which products and services they could already expect to be advertised when they first ordered a product or used a service, and which information they could therefore potentially have an interest in. This classification then depends to a certain extent on the product or service range on the one hand and on the concrete “first order” on the other.
In this context, it is also important to note that only one’s own similar products and services may be advertised, not those of others. This means that there must be a binding identity between the service provider and the advertiser.
Of particular relevance is also the possibility provided by law for recipients to unsubscribe from email marketing measures without any difficulty and free of charge. In this context, it is recommended that recipients of email advertising be given the opportunity to unsubscribe from further email correspondence in every message – e.g., by clicking on links. However, due to the lack of formal provisions, recipients cannot be bound to a certain procedure. It will therefore suffice if the recipients declare their “unsubscribe” in an email response to the transferred email, irrespective of the unsubscribe link in the email.
An “unsubscribe” should be possible without adapting the means of communication (if this is technically possible). If a customer receives an advertising SMS on his/her mobile phone, for example, it is “not problem-free” if he/she does not get to declare a withdrawal of consent in the same format – namely by SMS – but has to initially switch to another means of communication (OGH 28.09.2021, 4 Ob 95/21f). The right to object to the receipt of advertising messages must also be communicated clearly and unambiguously and it must already exist when the data is collected. It is not sufficient if the right to unsubscribe from further mailings is only provided for in the respective advertising mailings (VwGH 25.03.2009, 2008/03/0008).
The so-called “Robinson list” or “ECG list” is regulated in Section 7(2) ECG (E-Commerce Act). Persons can be entered in this list free of charge and their advertising by means of electronic mail thus becomes inadmissible in principle. Therefore, from the point of view of the advertiser, it is essential to consult the list maintained by RTR-GmbH before sending emails with advertising material, unless an “opt-in” case exists. More detailed information on viewing the list is available here (as of 28.10.2022).
In the case of existing customer relationships, no separate consent is required from the recipients for email advertising, if
- the sender has received the contact information for the message in connection with the sale or service to their customers, and
- this message is made for the purpose of direct marketing of one’s own similar products or services, and
- the recipients have been clearly and unambiguously given the opportunity to reject, free of charge and without difficulty, any such use of the electronic contact information at the time of its collection and additionally at the time of each of the subsequent mailings, and
- the recipients have not rejected the sending from the outset, in particular not by entering their name in the list referred to in Section 7(2) of the E-Commerce Act.
6.2.6 Further legal requirements for permissible email marketing
22.214.171.124 Content requirements for the design of advertising emails
The sending of electronic mail for the purpose of direct advertising is inadmissible in all instances (Art. 174(5) TKG 2021) if the identity of the sender from whom the message is transferred is either concealed or disguised, or if there is no authentic address to which the recipient can send a request to terminate such messages. Art. 174(5) TKG 2021 also refers to Section 6 (1) ECG. This provision contains two essential obligations for senders of email advertisements, namely:
- the identification of commercial communication for this purpose, and
- the identification of the natural or legal person who commissioned the commercial communication.
These obligations may not be violated, and the recipients may not be requested in the advertising mailings to visit websites that violate this provision.
Section 7 (1) ECG contains a specification of Section 6 ECG to the effect that the advertising email must be “clearly and unambiguously” recognisable for this purpose when it is shown in the email programme. What follows is that every advertising email must already be identified for this purpose in the “header” and the advertising character of the communication must not be disguised or concealed.
Furthermore, in the case of email marketing, what must be taken into account pursuant to Art. 1a(3) of the Austrian Federal Act Against Unfair Competition (UWG) is that the “promotion of customers by persistent and unwanted solicitations over telephone, fax, e–mail or other remote media except in circumstances and to the extent justified by law to enforce a contractual obligation” (see Annex No. 26 to the UWG) is considered an aggressive and therefore unfair business practice in all instances and is therefore illegal, regardless of prior consent (“opt-in”, see above). In this respect, the scope of application of the UWG goes beyond that of the TKG 2021 and must always be taken into account when designing email marketing.
126.96.36.199 Legal notice obligations and further information obligations
The “clear recognisability of the identity of the sender for the recipient”, which is defined within the content requirements for the design of advertising emails according to Art. 174(5) TKG 2021, is underlined by the legal notice obligation for senders of email advertising in Section 5(1) ECG. In addition to specifications on the name or company of the sender and the address and an electronic contact address, particular specifications included in the legal notice obligation includes the sender’s company in terms of the company register law, supervisory authority law, professional law and trade law.
In Austria, there are also multiple additional information obligations to be taken into account, in particular those of the Austrian Media Act (MedienG), the Austrian Commercial Code (UGB) and the Austrian Trade Act (GewO), with the content of these largely overlapping with each other.
Art. 24 of the Austrian Media Act regulates an independent legal notice obligation, which is applicable to email advertising, provided that emails are “disseminated in comparable makeup at least four times each year” (so-called “recurrent electronic medium”). The content of this legal notice obligation is the name or the company name as well as the address of the media owner and the publisher. The obligation to publish rests with the media owner. If the media owner also falls under the provisions and the legal notice obligation of the ECG (see above), the specifications on the legal notice pursuant to the Media Act can be provided together with the specifications on Section 5 ECG.
For media owners of any periodical medium – this also includes a “recurrent electronic medium” (see above) – further disclosure obligations apply in addition to the legal notice obligation, which are regulated in Art. 25 of the Austrian Media Act. In particular, these disclosure obligations include information on the object of the enterprise, the media owner’s executive bodies, shareholdings under company law, as well as the declaration on the basic direction of a periodical medium (a so-called “basic line”). Here again, if the media owner is also subject to the provisions and the legal notice obligation of the ECG (see above), the specifications on the fulfilment of the disclosure obligations under the Austrian Media Act can be provided together with the specifications on Art. 5 ECG.
Pursuant to Art. 25 (5) of the Austrian Media Act, a significant exception to the disclosure obligation applies to emails, including newsletters, the content of which does not contain any information exceeding the presentation of the personal lifestyle or the presentation of the media owner, and which is not suitable for influencing public opinion. In this case, only the name or the company, the business purpose of the company (if applicable), and the place of residence or the registered office of the media owner are to be indicated.
Another relevant provision under the Austrian Media Act is Art. 26: This provision standardises the obligation to explicitly mark paid insertions in emails for this purpose (namely as “advertisement”, “paid insertion” or “advertising”) in order to avoid any doubt that the publication has been made in return for payment.
In addition to the aforementioned specific media law provisions, there are also company law and trade law provisions that must be examined in individual cases with regard to email marketing and which, if necessary, must be applied and complied with:
- Art. 14 of the Austrian Commercial Code (UGB) regulates the content requirements for “business letters and order forms” of companies registered in the commercial register, depending on their legal form (corporations, registered sole traders, etc.).“Business letters” refers to all business communications with specific recipients, irrespective of whether the communication is sent in paper form or “by other means”, which refers primarily to emails. Thus, the regulation of Art. 14 UGB is also applicable to emails sent by companies registered in the commercial register. The information according to the UGB largely overlaps with that of the Austrian Media Act and the ECG, but must be stated directly in the email. In essence, this information concerns information on the company register and information on the company structure.
- Pursuant to Section 63 of the Austrian Trade Act (GewO), traders who are not registered companies must indicate their name and the location of their trade licence on business letters and order forms that are addressed to specific recipients on paper or in any other way. The obligations arising from Articles 5 and 6 ECG shall not be affected by these provisions.
Senders of an advertising email must clearly identify themselves and clearly indicate the advertising purpose of their email. The email content must also include a legal notice and fulfil other legal information requirements. Regardless of whether recipients have given their consent to email advertising, they should not be persistently and unwillingly solicited as customers.
6.2.7 Sanction standards
Breaches of the email advertising provisions may result in administrative fines of up to 50,000 Euro under the TKG 2021 or fines of up to 20 million Euro under the GDPR or, in the case of a company, fines of up to 4% of the company’s total annual worldwide turnover in the previous business year.
In addition, competitors, affected recipients and, in certain cases, interest groups or consumer protection associations can take action on breaches of the email advertising provisions and assert claims for injunctive relief and compensation damages.
In Switzerland, the Swiss Federal Act on Data Protection (FADP), the Swiss Unfair Competition Act (UCA) and the Swiss Telecommunications Act (TCA) serve as the legal basis for advertising emails.
What follows deals exclusively with the revised version of the DPA that will come into force in 2023. For the legal situation in force until the end of 2022, please refer to the 6th edition of the eco Guidelines for Permissible Email Marketing from 2016.
6.3.1 Email marketing as data processing
With the revision of the FADP, Switzerland has to a large extent – but not completely – aligned its Act on Data Protection with the GDPR. In particular, the specificities of the “Swiss approach” will be discussed below.
Since the sending of emails constitutes the processing of personal data, the general principles of data protection must be observed, and the rights of the data subjects must also be protected in accordance with the Swiss Federal Act on Data Protection. The need to comply with these rules arises for the following reason: the data required for sending the emails must be collected in a particular manner. This is also a significant data protection action and must comply with the rules mentioned.
188.8.131.52 Email marketing as a permissible expression of economic freedom
First of all, the general principles of data protection law must be observed for the processing actions. These are regulated in Art. 6 FADP and correspond to those of the GDPR. These include legality, good faith, proportionality (restrained data processing), transparency, accuracy, “privacy by design” and “privacy by default”. In contrast to the GDPR (where data processing without justification is generally prohibited), in Switzerland, data processing is permitted as long as it does not unlawfully infringe on the personality of the data subject (Art. 30 DPA). This is a fundamental difference in Swiss law.
For example, the collection of data is not considered unlawful if the data controller can claim an overriding interest (Art. 31(1) FADP).
The commercial interest of a company to come into contact with other market participants in the free economy to (potentially) conclude a contract is recognised as a legitimate interest. In Switzerland, it is derived from economic freedom (Art. 27(1) Swiss Federal Constitution). The processing of personal data for the purpose of direct advertising therefore serves what is referred to as a legitimate interest.
The legitimate interest of the advertising company in collecting or processing data for the purpose of transmitting messages must also override that of the data subject (protection of address data such as surname, first name, email address; protection from harassment). The following applies in this regard: The collection of address data by a company must be suitable to fulfil the purpose of the advertising, which is to be affirmed in the case of email marketing (suitability). A less far-reaching but essentially equivalent alternative to this procedure is not readily apparent (necessity or subsidiarity).
Ultimately, in view of the nature of the address data, there can be no sense of a significant threat to the data subjects’ fundamental freedoms: Firstly, it involves specifications that, in essence, merely enable the person’s accessibility, but do not reveal anything further about the recipient. There is therefore no significant potential impairment of the data subject.
The following applies however to business dealings (think of the scenario where the recipient is an employee of the company addressed by the commercial communication): here the recipient is willingly placed in a setting in which such communication (to be received by the employer) was to be expected. The recipient’s interest in protection is therefore reduced from the outset.
The situation is somewhat different in the “B2C” context – i.e., when an advertising company contacts a consumer. In Switzerland, the principle applies that data processing is generally not unlawful if the data subject has made his/her personal data generally accessible and has not expressly prohibited its processing (Art. 30(3) FADP). If an email address originates from publicly accessible sources, email marketing is possible from the perspective of data protection law, as long as there is compliance with Art. 30(3) FADP.
However, in the instance where the data subject has not disclosed his/her email address or has disclosed it exclusively to a specific addressee for a specific purpose, the data subject must be at least aware of the basic purpose of the data processing. This is likely to be the case, for example, if a data subject discloses his/her email address in the context of a prize draw and is informed by the data collector that it could be passed on to third parties for the purpose of contacting him/her for advertising purposes. If a company purchases such email addresses, it should have the data collector show how the email addresses have been obtained and whether or how the data subject has been informed in a comprehensible manner about the collector’s transfer to third parties. Email addresses that originate from unknown sources or (suspected) hacked or leaked databases should, however, not be used under any circumstances.
If a risk assessment is carried out, it should be noted that a first-time, unlawful email contact in the B2C sector is not covered by the criminal law catalogue as defined in Art. 60 et seq. FADP and, as a rule, does not lead to claims for damages. Moreover, in contrast to the legal situation in Germany, for example, Swiss law does not provide for warning letters with associated costs. If data subjects – whether legally contacted or not – wish to avail of their data subject rights (such as objecting or requesting the deletion of their personal data), they must naturally be granted these rights in equal measure. In case of doubt, please consult a specialist.
In summary, the collection and use of data for the purpose of email marketing is either legitimate or has a comparatively low risk from a data protection perspective. Nonetheless, the Unfair Competition Act (UCA) must be observed, as even contacts that comply with data protection can be considered to be “unfair”.
184.108.40.206 Create transparency, protect data subjects’ rights
- The identity and contact details of the controller
- The purposes of the processing (including an explanation of email marketing)
- The categories of personal data that will be processed
- Individual recipients or categories of recipients (if personal data is transferred to third parties)
- States or regions to which personal data are transferred (in the case of transfers abroad); in this case, also state the guarantees or exceptions on which the controller relies (e.g., standard contractual clauses).
The other data subject rights (Art. 26 et seq. FADP) are based on the GDPR, but are somewhat less extensive in terms of content. These include:
- the right to access
- the right to request disclosure or transfer
- the right to rectification
- the right to erasure
- the right to opt out
220.127.116.11 Further obligations under data protection law
Under Swiss law, anyone who processes personal data must inform data subjects and the Swiss Federal Public Information and Data Protection Commissioner (FDPIC) in the event of a data security breach if the breach poses a high risk for the personality or the fundamental rights of data subjects (Art. 24 FADP). This regulation is less strict than the GDPR. In particular, the 72-hour deadline and the obligation to record the breach are missing. As a rule, the “high risk” requirement is not to be assumed if limited address data files from the inventory of the advertising company are lost (if a large number of address data files are affected, contacting the FDPIC could nevertheless be appropriate from a risk management perspective).
As a new feature, Swiss law recognises the “principle of effects”. The FADP now also applies to foreign companies if the data processing has an effect in Switzerland (Art. 3(1) FADP). This means that the FADP becomes relevant when email marketing is directed towards data subjects in Switzerland.
Companies registered abroad must also appoint a local representative in Switzerland if the following conditions are cumulatively met: (i) processing of data subjects’ data in Switzerland; (ii) the processing is related to offers to these data subjects or to the monitoring of the data subjects’ behaviour; it is (iii) extensive and regular; and it is (iv) of high risk for the data subjects (Art. 14 para. 1 FADP). These conditions are not usually met in the case of email marketing. If in doubt, consult an expert.
18.104.22.168 High fines for private individuals
The DPA provides for fines of up to CHF 250,000 for various breaches of data protection law. These include:
- Breach of information, disclosure and cooperation obligations (Art. 60 FADP)
- Breach of due diligence obligations (Art. 61 FADP)
- Breach of the professional secrecy obligation (Art. 62 FADP)
- Failure to comply with orders (e.g., that of the FDPIC) (Art. 63 FADP)
Personal criminal liability applies, which is a significant difference compared to the GDPR. This means that fines under the FADP are generally imposed on the private person (and not, for example, on the company for which they work). Procedurally, these fines are enforced in criminal proceedings and not in administrative proceedings.
A distinctive Swiss feature is the strict “professional secrecy” under data protection law as defined in Art. 62 FADP. Confidential personal data that a private person obtains in the course of their profession may generally not be disclosed to third parties. It is debatable as to whether this “professional secrecy” is linked solely to the requirement of secrecy or if it is only a criminal offence if there is also a data protection breach. This additional unwritten requirement (which mitigates the law and must therefore be observed) is implied by the content.
Even after the revision, data protection law in Switzerland remains pragmatic. As a rule, email marketing will not fail due to data protection law requirements as long as the marketing company provides transparent information and respects the rights of the data subject (for example, the right to object).
6.3.2 Email marketing can be “unfair”
The purpose of the Unfair Competition Act (abbreviated as UWG in the German-language text and UCA in the English-language text) is to ensure fair and non-distorted competition in the interest of all parties involved. Unfair and unlawful is any conduct or business behaviour which is deceptive or otherwise contrary to the principle of good faith and which influences the relationship between competitors or between providers and customers. Sending unsolicited emails is also considered to be unfair competition. What functions smoothly from the perspective of data protection law can consequently nevertheless prove to be unlawful. In reality, when email campaigns fail it is not because of the FADP, but because of the UCA. When it comes to the TCA, the legislator additionally regulates which measures telecommunications providers must implement in order to protect market participants from unfair competition at the infrastructural level.
22.214.171.124 Email marketing as “mass advertising” to non-customers
Pursuant to Art. 3(1)(o) UCA, anyone who undertakes mass transmission of advertising by means of electronic communication acts unfairly if there is no direct connection to specifically requested content. This is also the case for anyone who arranges for such transmissions and, in doing so, fails to obtain the customers’ consent in advance, or fails to indicate the correct sender or to indicate a problem-free and free-of-charge rejection option.
First of all, it must be emphasised that individually (“manually”) sent mailings which are addressed to a single and specific person for the purpose of initiating contact, and which may even have individualised content, are not considered to be unfair. Only the mass sending of such emails constitutes an offence. The reason for this is socio-political: the effort of the advertising company should not be a single click if, on the recipient’s side, countless recipients must read the unwanted message and delete it manually. The time spent on sending the message would be grossly disproportionate to the (accumulated) time wasted by all recipients. But if a company takes the time to contact an individual, this should be regarded as acceptable. One-to-many is forbidden; one-to-one is allowed. A numerical definition of what “many” actually means (sometimes the limit of 50 emails is suggested) does not exist under Swiss law. Unfairness is assessed on a case-by-case basis.
126.96.36.199 Requirements for email marketing to non-customers
The legislator lists three conditions that must be fulfilled in order for email marketing in the form of “mass mailings” to be lawful:
- Obtain opt-in (with one exception, see Note 1)
- Indicate the correct sender “and” (see Note 2)
- Indicate a problem-free and free rejection option (see Note 3)
- Those who already have “warm” contacts (existing customers) may continue to write to them with messages about similar goods or services until they opt out (more on this below in point 2.c)
- Regarding opt-in: The legislator has not further specified the possible types of consent. Address data collected “offline” is usually collected manually by the customer. Address specifications taken from business cards received – for example, at a conference – will have to be gradually legitimised in the light of the UCA rule (first create the opportunity to opt out in the individual mailing and then treat the lack of opt-out as consent) in order to achieve complete legal certainty. Practice shows that, at least in Switzerland, little sensitivity is shown in this regard. In other jurisdictions, however, this may be different.
- If the registration takes place “online”, a “single opt-in” would be sufficient from the UCA’s point of view. For evidence purposes, however, a “double opt-in” is recommended. In this case, the customer first enters his or her email address in a field, sends the form and then, by clicking on a link in the received email, confirms that he or she has actually consented to email marketing. This broadly guarantees that the actual customer and not a third party has entered the email in the form. This protects the senders of email messages against this objection, which is often raised in practice. (“Consent without an attributable legal subject is invalid”).
The “and” is not expressed in the legal text due to an editorial oversight by the legislator. Nevertheless, all three requirements must be fulfilled cumulatively.
In every validly sent marketing email, the correct sender must be named and a simple unsubscribe option must be provided. In practice, this is the personalised unsubscribe link that the customer can click on.
188.8.131.52 Conditions for email marketing to existing customers
Art. 3(1)(o) UCA provides for exceptions to the requirement of consent for existing customers. An existing customer is a person who has already purchased goods or services from a company. In this case, the company may send the existing customer advertising emails for similar goods or services (but not for third-party services), even without the customer’s consent. The condition here is also that the sender is recognisable and that a simple unsubscribe option is provided.
184.108.40.206 Email addresses from third parties
Any address trader who wants to offer email addresses to third parties for the purpose of email marketing must also adhere to the principles just mentioned (consent, sender, unsubscribe option). This means that the address trader not only needs the consent of the customer for individual purposes, but also for the transfer to third parties. If the address trader is active in a certain industry (for example, in the “cosmetics industry”), such consent is conceivable and could read as follows:
“I would like to receive information and offers on interesting cosmetic products from third parties via email in the future”. In this context, the customer may and must expect to receive advertising for facial creams in the future, but not for cryptocurrency trading platforms.
While a completely abstract consent for the disclosure of a person’s own email address for any feasible purpose to an unlimited number of third parties is not inconceivable from an UCA perspective, it should only be restrictively applied. The reason for this is that email marketing has not only a legal but also a factual, social component. Anyone who is annoyed by email advertising will not become a new existing customer. If a company is thinking of buying address data, it should ensure that this is data from people who are interested in its own industry in the broadest sense.
220.127.116.11 Email addresses from public sources
Anyone who publishes their email address on a publicly accessible website does not thereby (by implication) consent to receiving advertising emails. Here, too, the above-mentioned principles must be observed (consent, sender, unsubscribe option). The consent of the recipient will regularly fail to be received. From the perspective of the UCA, the use of publicly available email addresses for sending mass advertising via email should be avoided.
18.104.22.168 Sanctions for UCA breaches
Anyone who intentionally commits acts of unfair competition under Art. 3 UCA is liable to a custodial sentence of up to three years or a monetary penalty (Art. 23 UCA). However, there has not yet been a legally binding federal court ruling in Switzerland on this offence (Art. 3(o) UCA). In its decision UE170371 of 6 March 2018, the Higher Court of the Canton of Zurich ruled against a breach of the Unfair Competition Act in a case in which a law firm from Peru delivered three unsolicited emails to a Swiss lawyer:
“However, with the factual references to the court holidays in Peru (Cert. 6/1/3), to the entry of two attorneys-at-law in the law office (Cert. 6/1/4) and to the procedure for entering a trademark or a patent in an electronic register in Peru, Respondent 1 did not act in a deceptive manner or in any other way in breach of good faith within the meaning of the general clause of Art. 2 UCA, nor did it act in a particularly intrusive manner.”
The cited decision shows that a court in Switzerland was lenient – at least in this specific case – even though the sender did not have the consent of the recipient, as the content of the email was not said to be clearly intrusive spam.
22.214.171.124 Domain name blocking
The revision of the TCA in 2021 enabled the public prosecutor’s office or the court to revoke consent or block domain names in cases of breaches of the UCA (Art. 26a UCA). This means that a company can forfeit its sender email domain in cases of unauthorised mass advertising if this is necessary to prevent new infringements. However, this only applies to “. ch” domains.
Email marketing is possible from an UCA perspective. In the case of non-customers, the principles of the recipient’s consent, the recognisability of the sender, and the provision of an unsubscribe option must be observed. Existing customers do not have to separately consent to receiving advertising emails.
6.4 United Kingdom
In the United Kingdom of Great Britain and Northern Ireland (UK), data protection and the regulations regarding legally compliant email marketing could further change in the wake of Brexit. However, the regulations of the Data Protection Act (DPA) from 2018 still apply. This Act formalises the entry into force of the GDPR in UK national law and specifies a number of particular points, which means that GDPR regulations still continue to apply.
In addition, Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 is very specific about the conditions for compliant email marketing. According to the UK’s data protection authority – the Information Commissioner’s Office (ICO) – “electronic mail” covers all electronic communications, including voice messages and SMS messages, newer technologies such as other messenger services, and messages via social media. Consequently, the information provided below is relevant not only to emails but to all electronic marketing communications.
As a general rule, data processing is prohibited in the UK and may therefore only take place with a valid legal justification. In the context of email marketing, personal data is processed, such as the email address, the surnames and first names of the recipients, and, if applicable, titles and the position in an organisation. Also in this context, Regulation 22 clearly states that email marketing is generally prohibited and only permitted with the consent of the data subjects.
What does consent look like in email marketing?
Valid consent under the GDPR and DPA 2018 follows clear and specific information and is voluntary and active. For email marketing, this means:
Information: The data subject is informed clearly and simply about the specific data processing, including what data is processed, how this is processed and for what purposes, and who is responsible for the data processing. The data subject is also informed about any recipients of the data. The information as well as the consent can be given orally, in writing or electronically. As it is difficult to verify oral consent, the electronic or written form is recommended. In the case of email marketing, for example, this can be a check box on a website or a paper document with a signature when visiting a trade fair.
Freely given nature of consent: Consent is only valid if it is given without compulsion. Accordingly, data subjects must not be exposed to any disadvantages if they do not wish to receive marketing emails. Consent is considered invalid if data subjects have to agree to marketing emails in order to be able to shop online.
Active: Consent is only valid if it is actively given by the data subject. Consent must not be the default setting but must be actively granted by the data subject. Accordingly, it is crucial to explain the difference between opt-out and opt-in for consent on websites, especially in the case of cookie banners or specifically in the case of consent for newsletters and email marketing. Opt-out means that the checkbox options on a website have already been checked and that the visitors must click on them out to opt out. In the context of opt-in, the checkbox options are not yet preselected, in contrast to opt-out. In order to give their consent, visitors must actively click on the checkbox. In the context of the GDPR and the UK data protection legislation, only the opt-in format is considered to entail legally compliant consent.
Due to these strict rules, the UK’s ICO (Information Commissioner’s Office) also advises against relying on indirect consent. If the consent is given to a third party and not directly to the responsible person, proving the legal compliance of the consent is more complicated and poses a risk for the advertiser.
With this being the case, obtaining direct, voluntary and active consent with clear and specific information on data processing is considered the highest guarantee of data protection compliance in email marketing.
Is it also possible without consent?
Alternatively, as previously described, in the UK the exceptional basis of the customer relationship also applies, which is also referred to in the UK as “soft opt-in”. The conditions for this are similar to those previously outlined. Firstly, the email address must have been collected when a product or service was purchased. In this case, the collecting agency must give the user a simple right to object to the marketing emails and must also offer this in every email. The sender may then only advertise products that are similar to the goods or services purchased.
The exceptional basis only applies to commercial marketing, so charities, political parties or non-profit organisations cannot rely on the exceptions.
Are there exceptions for B2B communication?
The above rules do not apply to business-to-business (B2B) communication, which means messages to businesses such as legal entities, such as private limited-liability companies. However, sole traders or some partnerships, for example, are not considered businesses in this sense and instead are afforded the same protection as individual customers. In addition, the B2B exceptional basis does not apply to personal mailboxes such as firstname.lastname@example.org.
For further information specific to the UK legal situation, we recommend reading the ICO’s “Guidance on direct marketing”.
In essence, the legal regulations in the UK are the same as those in the GDPR. Nevertheless, special features must be observed, and future legal developments must be closely monitored and taken into account.
 ICO is an independent UK authority for safeguarding information rights in the public interest, for promoting openness of public bodies, and for data protection for individuals.