Be In Compliance

Many companies that collect and process online customer data for marketing and CRM purposes find it difficult to find their way through the jungle of data protection regulations. The following tips are intended not only to help companies handle online customer data in compliance with data protection rules, but also to ensure that data protection inquiries from users are handled adequately.

Comply with statutory notification requirements

Companies must inform their customers about the collection of personal data, that is, data relating to identified or identifiable persons, as well as about the type of data collected and the type and scope of its use. Customers must also be informed about any transfer to third parties, about data processing overseas, and about the storage and further processing of IP addresses. In general, providers should point out the storage of IP addresses even if names or other personal identifiers are not collected.

Therefore, it is recommended to provide information on data collection and processing under the heading "data protection". Make sure that it is easy to find on your website, transparent for the user, and formulated in a way any customer can understand. Under no circumstances should you hide the information in the terms and conditions or under misleading headings. Make your customers aware of the fact that you are using a web analysis system and explain to them the exact purpose of the collection, the scope, and the use of the data. When selecting a web analysis system, make sure that it has configuration options to prevent, for instance, queries for visitors' geographic or provider information.

Grant right of withdrawal and objection

In principle, customers have the right to revoke their consent to the use of their data for advertising and market research purposes for all personal data recorded. There is also a right to object to the creation of pseudonymised user profiles for market research and analysis purposes. If the customer wishes to exercise these rights and no longer wants their data to be included in personal or pseudonymised usage profiles, the website operator must arrange for this and implement it technically. This applies in particular to the deletion of existing personal data insofar as it is not required for the contractual relationship with the user. From a data protection point of view, it is therefore not sufficient to suggest certain modifications to the customer's browser, such as blocking cookies.

Hence, it is advisable to store personal and non-personal data in separate databases so that deletion or anonymisation of personal data can be carried out quickly and easily. To prevent usage data from being saved, you should first switch off the log file of your web server: IP addresses are usually stored there, and they in turn can be used to generate personal usage profiles. Alternatively, reconfigure the log file so that the user's IP address is not recorded at all. Many web analysis providers have far-reaching methods to ensure that a single visitor is actively excluded from data collection. When choosing a web analysis provider, you should definitely value such a function.
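The two log file options the paragraph describes, shown for nginx as an added example that is not part of the original article; the server name, log path and the format name "noip" are assumptions, and the configuration assumes nginx's standard directives only:

```nginx
# Assumed nginx configuration (example added to the article, not the author's own).
# log_format is only valid inside the http {} context.
http {
    # Option 1: keep an access log, but without the client address.
    # The built-in "combined" format starts with $remote_addr; this custom
    # format omits it and also leaves out $http_x_forwarded_for, which carries
    # the client IP whenever a reverse proxy or load balancer sits in front.
    log_format noip '[$time_local] "$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent"';

    server {
        listen 80;
        server_name example.com;               # placeholder

        # Write access log lines in the address-free format (path is an assumption).
        access_log /var/log/nginx/access-noip.log noip;

        # Option 2: record no access log at all for this server block.
        # access_log off;
    }
}
```

After reloading, make a test request and confirm the new line contains no client address. Note that the nginx error log still includes a "client: <address>" field in many entries, so the error log level and retention need the same review as the access log.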

You should also specify a particular contact person for questions about data protection, ideally an in-house data protection officer, who should be informed about all data collections and the further use of the data. Users must be able to see directly on the website who the right contact person is for their questions: therefore, either include a direct email link in the data protection declaration or introduce your company's data protection officer by name.

You should give clear and correct answers to inquiries and address your customers' concerns, as promptly as possible and with the necessary openness. Refer customers to your privacy policy only if it actually answers all of their questions. Silence, unfriendly or factually incorrect answers, or a reference to a data protection declaration with no relevant content appear dubious and unprofessional and massively damage the bond of trust.

In other words, seeing data protection as a chore is fundamentally wrong, since proper, transparent and prudent handling of personal data is in the company's own interest: on the one hand, poor data protection causes problems with supervisory authorities and competitors, and on the other hand, negligent or criminally inclined employees or third parties can cause enormous damage to the company, quite apart from the fact that a provider who handles personal data in a non-transparent or even unlawful way cannot be trusted. Transparency and good data protection, on the other hand, are sales arguments and important building blocks for online success.

By Daniela La Marca