Marketing automation and data protection - what to consider

Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp
Share on email

Efficiency - that is, in a word, the benefit derived from Marketing Automation results. Today, the coordination of a large number of simultaneously executed tasks and processes along a predefined activity path is part of the basic competence for effective marketing.

New call-to-action

Although the majority of European sales experts believe that marketing automation is the most important element for sustainable growth. However, with the European Data Protection Basic Regulation GDPR a regulatory component which directly counteracts the fundamental intentions of marketing automation in many areas. We show how marketing automation and the GDPR can be reconciled.

Marketing automation and data protection - is that even possible?

At first glance, the Marketing Automation Intentions and Privacy incompatible. While marketing automation is all about the unhindered use of stored data, the GDPR seems to want to prevent just that. But the regulation is not quite that radical and impractical after all.

Marketing Automation is largely based on the intensive observation and evaluation of the customer journey, i.e. the Procedure of the interested party from the first contact to conversion - and beyond. In other words, marketing automation uses the traces that the prospect leaves behind online.

Tracks - that is data stored in digital space. The more complete the data trail is, the more effective the measures can be used to Lead generation fail.

The problem is that the more complete the database, the greater the potential for conflict with regard to data protection.

In these three areas in particular, marketing automation must be reviewed for data protection requirements:

  • Storage of personal data
  • Email marketing
  • Web tracking

On these fields the Most intensive use of stored data. At the same time they put Basic functionalities effective marketing automation. Harmonizing this with the requirements of data protection is therefore of existential importance.

Personal data - the crown jewels in data protection

Data that is researched and stored during the evaluation of the customer journey is legally considered to be personal data classified. The legislator assigns them a high protection requirements and therefore subjects them to strict legal regulations. This can lead to massive restrictions in the flow of communication between providers and interested parties.

Data storage on European servers

Location issues are of fundamental importance in the evaluation of factors relating to data protection law. The legal position in a specific case depends, for example, on whether the Email server or the CRM server in the EU area is stationed or outside. This is where one of the most important legal guidelines comes into play:

Data collected in the EU may only be stored on servers that are also physically located within the EU.

This poses a difficult problem for users of marketing automation systems. Most of the leading operator of marketing automation platforms make their services available as SaaS applications - and these usually run on non-European servers, mainly in the USA. But that's not all: most providers store their data worldwide distributed on many servers - according to European data protection a improper procedure.

This makes the storage of personal data a problem that should not be underestimated. As a rule, the only way to deal with this contradiction is to Provider locates the Data storage on servers stationed in Europe make.

Obligations for the storage of personal data

You have these legal obligations as an advertiser when storing personal data:

  • Drafting of a Service contract between you and the operator of the marketing automation service, which is the Access conditions, the Handling personal data and the Security measures regulates.
  • Clarification about which Company takes over the data processing on behalf.
  • Clarification on which Location the data processing takes place.

An important principle in the handling of personal data is the Opposition option. The addressee must be given the opportunity to to object to the storage and processing of his data at any time, respectively their Request deletion.

E-mail dispatch - only if desired

When it comes to sending out mailings, this principle applies: Nothing works anymore without Double Opt-in - at least with New contacts. The unsolicited sending of advertising messages to addressees who have not yet been contacted is only permitted with their express consent permissible. What many do not know: This provision applies not only to Private individualsbut also for B2B contacts.

You must obtain approval by Opt-in procedure obtain, i.e. via an inquiry, whether the interested party agrees to the sending of offers. In doing so, the request must explicit include the information that the Sending the offers by e-mail takes place. The opt-in request can be made via all common communication channels - from SMS to postal letter. By the way, the request can also be made by e-mail: According to data protection, an opt-in e-mail is not considered unsolicited mailing.

The exception to the rule are Contacts with customers or leads. If the addressee has already once used your Offer taken up or entered in one of your mailing lists, you may give him send further offers without prior consent - but only to the e-mail address provided by the customer.

Integration of an opt-out option

There are also some rules to follow when sending to customers or leads. Thus, within the scope of receiving the e-mail address, the Opt-out option be passed on to the customer, i.e. the information that the addressee has Permission to send can revoke at any timeand how this is to be done. Of course, the sending is only allowed if the recipient has not exercised his right to object.

The authorization to send unsolicited advertising messages by e-mail to Customers or leads is not an unrestricted carte blanche. You may only make offers to the recipient that are with his previous consumption behavior in relation stand. In other words, you may offer unsolicited shoes and fashion accessories to a customer who has bought a handbag, but not household appliances.

In marketing automation, there are particular ways to get consent for email offers. The most common way is the Generation of a performance reference by the addressee. This is usually done by offering to send the recipient content of interest to him or her by e-mail if he or she provides his or her e-mail address. In the interest of the legally compliant implementation should be integrated an unfilled checkbox. By actively clicking on it, the addressee confirms his or her consent. It also makes sense to include a link here to your Privacy policy.

Basically, the following applies to any advertising mail - by whatever means you have received consent: There should always be a link included that Revocation of the declaration of consent allows.

Webtracking - on the trail of the lead

In order to support the interested party on its Customer Journey Marketing Automation uses the latest technology to Cookiesand this in an intensive way. Only in this way can a Personal reference to the behavior of the interested party produce. This creates comprehensive logs of click paths and the associated times, but also a range of other sensitive information.

In the initial phase, this accumulated treasure trove of data does not yet have a concrete personal reference. As soon as the prospect becomes active by leaving his contact data, the behavioral profile is given a concrete name. From this moment on, the entire set of marketing automation tools goes into action, from the Web content personalization to the focus of pop-ups and mailings. In other words, the customer journey now has a face.

It is obvious that, from a data protection perspective, a number of legal regulations come into play at this stage. You are obliged to comply with these regulations:

Information about it,

  • that Cookies be set,
  • That cookies for personalization of e-mail deliveries be used,
  • and that the Click behavior saved and can be coordinated via the cookie.

You need to give the visitor of your site the possibility to use this Accept or object to measures. If he accepts it, you have effective consent and can set the cookies. If the consent is not present, you may not track and store the usage behavior.


Marketing automation can also be used effectively from a data protection perspective. However, the Regularium, which is due in particular to the GDPR must be observed in detail in order to reliably avoid subsequent legal problems.

New call-to-action

In particular, when storing personal data, sending promotional e-mails and using cookies to personalize offers and content, you should pay careful attention to all regulations.


This information does not constitute legal advice, but is to be understood as non-binding assistance only.


Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp
Share on email
Share on print

Leave a comment

Thought Leadership content

Content recommended for you.

Stay informed: We want you to be on top of the current developments in marketing and technology. In our magazine, we share both fundamental and hot topics - in blog or video format.