1. October 2021

All You Need to Know about GDPR, DSGVO and UWG – German-speaking Markets and Data Privacy

Yes, it is confusing and yes, we know it’s scary for some businesses out there. Especially those who want to expand to the D-A-CH (Germany, Austria and Switzerland) markets need to know about the European Data Protection Laws.

In this article, we want to provide you with a comprehensive overview of what’s going on in European law.

But: 

Please keep in mind that this article does not substitute any sort of legal advice.

Contact your attorney to obtain advice concerning any particular issue or problem. The views expressed are based solely upon Echobot’s interpretation of these regulations, do not purport to constitute official guidance, and may not be relied upon. We as Echobot have no authority or ability to determine or advise anyone regarding how any law or regulation should or will be interpreted by any court or regulatory authority.

First of all, we must distinguish between different types of laws that can influence your work in the EU, especially in German-speaking markets. Each law has its own area, and therefore different aspects or teams in your business can be affected by them.

Let’s dive in.

What is GDPR?

The General Data Protection Regulation (GDPR) was passed in order to give people in the EU more rights about their personal data – especially online. In case you read DSGVO anywhere: That’s the Datenschutz-Grundverordnung (DSGVO), which is the German name for GDPR.

GDPR has to do with data processing, not with reaching out to people. So, it basically applies to the whole organization and, for example, to how you store customer data. GDPR is here to protect the rights of natural persons and their personal data. For more info on this, see GDPR, Art. 1 or read more about it in our chapter “How Does GDPR Affect Your Business?”

What is UWG?

So far, so GDPR. But what about this mysterious UWG we already mentioned? The UWG (German: Gesetz gegen den unlauteren Wettbewerb) is a law that applies specifically to German-speaking markets. In English it translates as “Act against Unfair Competition” and regulates the way of selling, aka how you use the data you collect. Section 7, where the act speaks about “unacceptable nuisance”, is especially relevant for us.

Basically, UWG tells sellers in German-speaking countries how they are allowed to contact businesses and people with their offer. Spoiler: It depends on the medium you use for your outreach!

When Does GDPR and When Does UWG apply?

GDPR (or DSGVO in German) is different to the UWG, but you should know both when doing business with the D-A-CH region. The latter has to do with outreach, while GDPR is only valid when we’re talking about processing data!

This becomes highly important for cookie banners or other types of banners, which need to specify what you do with the collected data. More about that later on.

UWG, instead, regulates the way you can contact people, which is a big deal for sales. We’ll go into detail about that soon.

Let’s briefly summarize:

  • GDPR: You’re collecting business emails, addresses and telephone numbers and process them.
  • UWG: You’re taking this data to do cold calls or email campaigns, aka you’re contacting these people in companies.

So, the difference between UWG and GDPR is that the latter concerns the processing of data while UWG handles reaching out to someone. Both are – obviously – closely interwoven.

How Does GDPR Affect Your Business?

As soon as you are dealing with people from the EU – even in other territories such as the US – you have to take the GDPR into consideration. This means GDPR applies to any company that offers goods or services to customers within the EU. This includes basically all major companies across the globe. So, if that is the case for you as well, you must have a solid plan for GDPR compliance or risk the penalties.

In many cases, you have to make sure that you inform the user/customer/website visitor about the processing of their data. There are certain regulations for the contents you need to add in a cookie banner or in an email signature, for example:

[Figure: Privacy Policy Settings for Cookies]

[Figure: Information About Data Processing in an Email]

GDPR distinguishes between natural persons, the processing of their personal data and data that has been published in a business context. Just to give you a quick idea of what the main differences can be:

Personal Data

  • Private information that has not been published anywhere online (e.g. someone’s address)
  • Sensitive data that is not of a “general nature” (e.g. fingerprints)
  • There is no relationship/contact whatsoever between both parties
  • Data processing happened without an understandable reason
  • The responsible party collects data in reserve without reasons

Business Data

  • Business data that is publicly available (e.g. business email)
  • Non-sensitive data that is general and connected to a job (e.g. business phone number)
  • Both parties know each other and/or have been in contact before (e.g. trade fair)
  • There has been a recommendation from another person/business
  • There has been a tender or a concrete reason for processing data
  • The responsible party can trace every reason for processing data

Let’s see what kind of data is considered to be “okay” to process and what kind of data is “personal” and shouldn’t be processed under GDPR.

[Figure: Different Data, different Processing]

Data in the green part can be processed more “easily” than the data in the orange/red section. Data that’s considered problematic and critical especially needs an extremely valid reason for processing, which is why we’d recommend not processing that kind of data.

In Article 6, though, the GDPR brings the lawfulness of data processing into play. Let’s have a look at what this means:

a.) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes;”

b.) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, …”

f.) “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Again, we can filter out three important aspects:

  • Consent 
  • Contract 
  • Legitimate Interest by controller or third party

As we’ve already seen, consent is important when you use cookies, for example, or when you do a survey on the street and want to process the participants’ data. That you need to process customer data when you have a contract with them? Makes sense.

The last aspect is especially interesting to you if you’re wondering how GDPR affects your sales. Legitimate interest is something you should keep in mind!

[Figure: Scale of Interest]

What is Meant by Legitimate Interest?

In case of a complaint, you’ll have to argue in favor of your company’s legitimate interest in processing the data of another company or its employees.

“The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.”

Source: GDPR, Recital 47

Still, you need to be transparent about how you process data, why you do it and whether you have a plan for when it will be automatically deleted.

“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

Source: GDPR, Recital 47

What About General Business Email and Phone Numbers?

General business phone numbers or email addresses are usually not that critical – which is an important exception. On the other hand, data that refers to a certain person must be treated very carefully.

Example for General Data:

  • info@business.net 
  • 0030 300 800 700

Example for Personal Data: 

  • johndoe@business.net 
  • 0030 300 800 701

In case you’re not sure about whether a number is connected to a certain person or department, better assume it is personal data and be extra careful.

What About Processing of CEO Data?

This is interesting: GDPR allows the processing of data of CEOs, managing directors, authorized signatories and board members! Since this kind of data has to be published in official government institutions, such as Companies House, you might process that data.

What About Self-Published Data?

When it comes to data published by a person, for example on Twitter about an office dog or on LinkedIn about a birthday, it’s critical. You can conclude: Information about

  • Pets
  • Hobbies
  • Vacation
  • Names of wives/husbands/children
  • Birthday

must not be saved in your CRM or generally processed!

What do You Need to Inform Customers About?

It is advisable to summarize by whom, why, when etc. data is processed. Usually, this is covered centrally in your privacy policy. You can then integrate or link this document – e.g. in email signatures, contracts etc. – for every data protection-relevant process.

What Rights do Customers or Interested Parties have?

All people concerned by your data processing (aka data subjects) have the following rights:

  • Right to information 
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing

Read about all data subjects’ rights in detail here: GDPR, Chapter 3

How Does GDPR Affect Your Sales?

Now, you might want to know what is important to you when you work in sales. Especially when it comes to cold calling, GDPR is always a hot topic. Here you need to know that – at least in Germany – the UWG mostly applies.

Concerning your sales activities, you don’t need to worry so much about GDPR but more about UWG. So, let’s see what you need to take into account.

How Does UWG Affect Your Business?

In the US, for example, it’s pretty normal to just grab your phone and cold call someone. Some say this is illegal in German-speaking markets. As far as the regulation goes: It is not illegal.

BUT (and this one’s a big BUT), there are special rules.


Let’s have a look at the text of UWG itself. In terms of sales it says:

An unacceptable nuisance shall always be assumed in the case of

2. advertising by means of a telephone call, made to a consumer without his prior express consent, or made to another market participant without at least the latter's presumed consent.

3. advertising using an automated calling machine, a fax machine or electronic mail without the addressee’s prior express consent


Source: UWG, Section 7

We can filter out two important aspects:

  • Expressed consent
  • Presumed consent

We already talked about “giving” consent prior to data processing when talking about the GDPR. Concerning the UWG, it’s about contacting another party instead of processing their data. Both, processing and contacting, are so closely connected to each other that you can’t really separate them though.

What Does Expressed Consent Mean?

Of course, (potential) customers can also express their consent to calls, newsletters etc. explicitly. Surely, you have seen a form like this when you started a free trial or subscribed to a company’s newsletter:

That’s a common way to ask for consent prior to contact AND you agree on the processing of your data according to GDPR.

Good to know: 

For letters you need neither expressed nor presumed consent. The good-old letter is still rather “relaxed” when it comes to UWG and GDPR.

What Does Presumed Consent Mean?

With presumed consent, UWG wants to make sure that salespeople only contact companies that really profit from the given offer. Without UWG, you could call a veterinarian and sell her an excavator – UWG makes sure people won’t get spammed by unnecessary offers.

Presumed Consent therefore means that you “assume consent” from the person you’re reaching out to. You assume that your offer or product is relevant to them and facilitates their business life. It’s best if you track down why you called or wrote a company in order to assure presumed consent was given.

Especially for cold calls, presumed consent comes into play. For emails and good-old letters there are different rules. Let’s see how UWG affects your sales in detail.

How Does UWG Affect Your Sales?

You’re probably the most interested in the way data privacy regulations affect your sales. The most tricky question is: How do you reach out compliantly to a potential new customer or prospect?

That’s why we want to have a look at the first contact between you and a potential new customer here. If you already know someone because he/she is your customer or you have already exchanged addresses, let’s say at a fair, things are different.

But when you really want to convince someone to buy your product, there are some things to consider. As already mentioned: It highly depends on the medium for your first contact. It depends on whether you’re reaching out via email, phone or letter.

Outreach via Phone

If you call someone to place your offer, you have to take “presumed consent” into consideration. For example, is the person receiving your call in an industry you often sell to? Does the person have a certain role in a company so that your product applies well (let’s say you produce HR software)? These could be reasons for presumed consent.

In order to be on the “safer side” concerning presumed consent, track your reason for contacting. Certain reasons can reduce the risk of warnings.

Here are some examples:


Reasons for Outreach

  • Industry: If you sell products that are relevant for a certain industry, e.g. when you sell agricultural vehicles to farmers.
  • Timing: If your service/solution is relevant for companies at a certain time, e.g. when you’re a tax consultant preparing the annual financial statements.
  • People: If you sell products that are only used by certain people in a company, e.g. when you sell an HR software to HR managers.
  • Event: If you sell products that are relevant to a company because of an event, e.g. when you sell office furniture to companies that recently opened a new building.

Outreach via Email

Email is the most difficult issue concerning UWG and privacy guidelines. Since you could send 1M emails in a few seconds, but only make one call in that time or spend a lot of money on letters, a different set of rules applies to mailings.


The strict regulations of the UWG might be a blessing for those receiving thousands of emails, but when you work in sales, tough regulations make your everyday business even more challenging.

UWG can even regard an email signature as advertising! Therefore, we’d recommend: Only email someone you have been in contact with before! For example, you talked to that person on the phone before or met her at a trade fair – sending further information via email is then a common practice. But for the first ever contact? That’s a no-no.

As a rule of thumb: With emailing you ALWAYS risk warnings since the rules here are so strict. With personalization you can, of course, reduce the risk, but the person receiving the mail has quite solid ground to send a warning when he or she receives a cold email from you.

Fact Check: Double Opt-In

In general, you definitely need double opt-in when sending mass mails, e.g. when you use marketing automation or send invitations, newsletters etc.

Outreach via Social Selling

This might be seen as an exception, but here you must be careful as well. It might be better to use Xing or LinkedIn aka Business Platforms to sell instead of Facebook or Instagram, but even business platforms have their rules concerning spam:

Do not engage in spam or scams:

We don’t allow untargeted, irrelevant, obviously unwanted, unauthorized, inappropriately commercial or promotional, or gratuitously repetitive messages or other similar content. Do not use LinkedIn to sensationalize or capitalize on tragic events for commercial purposes. Do not use our invitation feature to send promotional messages to people you don’t know or to otherwise spam people. Please make the effort to create original, professional, relevant, and interesting content in order to gain popularity, instead of trying ways to artificially increase the number of views, re-shares, likes, or comments. Respond authentically to others’ content and don’t agree with others ahead of time to like or re-share each other’s content. 


Source: LinkedIn Community Policies

However, if a person maintains a publicly visible profile in a business social media network, such as Xing or LinkedIn, anyone can initiate a business relationship by means of a contact request. Since such networks exist explicitly for this purpose, this is clearly foreseeable for the person concerned.

Many platforms don’t even allow messaging without a connection first, which is their version of a double opt-in. Social selling is not 100% legal, but the risk of receiving warnings might be lower.

Outreach via Letter

The good, old letter. Almost forgotten! Good news is: This is the most UWG-compliant way of selling! You can always send companies letters with your offer; it’s just illegal to drop your “advertising” if they have stickers on their letter box saying they don’t want to receive any. 

In conclusion:

  • Prior to calling: Make sure that there is legitimate interest from your side as a company to reach out to another party. 
  • Prior to a newsletter/mail: Let readers subscribe and confirm their subscription aka. ask for permission first. 
  • Prior to social selling: Make sure your message is individual and does not sound spammy or repetitive.
  • Prior to a letter: Make sure there is not a “no advertising” sticker on the letter box.


General advice: 

Never try to hide your address or name in mailings or letters. Be as transparent as possible and personalize your sales strategy! It will cause fewer warnings.

Is there a Difference for Austria & Switzerland?

To be quite frank here: No, not really. Both have similar versions to the UWG and Austria, of course, has to stick to the GDPR. Since Switzerland is located in the middle of the EU, they try to hold the level of data security as high as possible – otherwise it might have a negative impact on their economy.

Austria has the so-called § 107 of the new Telecom-Law 2003 (TKG 2003), which regulates outreach. So, you need to use an opt-in if your email has over 50 recipients or if the purpose is direct marketing. In fact, cold calling is considered illegal in Austria, but is still tolerated sometimes. Here it is even more important to individualize your offer!

For Switzerland it is quite similar, although Switzerland is not part of the EU. The Swiss have the New Federal Telecommunication Law of April 1st 2007 – UCA act regulating their sales and marketing activities. Not surprisingly this law also includes opt-in.

Conclusion: GDPR vs. UWG – The Who is Who of Data Privacy

You made it! You read the basics of German data protection regulations. We hope you’ve learned something and that it was comprehensible. Since we don’t know your particular business or use cases, we’d still advise you to talk to your lawyer and discuss your data strategies.


As a start, we created a little summary for you to remember when dealing with GDPR and UWG: 

  • Make sure your approach is always highly individualized and does not sound spammy! 
  • Make sure you use double opt-in for every email campaign with many email addresses! 
  • Make sure the other party has a clear demand and benefit from your solution! 
  • Make sure you have a good reason for contacting them! 
  • Make sure not to buy random addresses or B2B lead lists – rather get a sales intelligence tool where you can filter for your target audience and see the results in advance.

Medium for 1st Contact

  • Email. Data: Business Email. GDPR/DSGVO: Consent or legitimate interest. UWG: Express Consent.
  • Call. Data: Business Phone Number. GDPR/DSGVO: Consent or legitimate interest. UWG: Express Consent, Presumed Consent.
  • Letter. Data: Business Address. GDPR/DSGVO: Consent or legitimate interest. UWG: / (just make sure there is no sticker with “no ads” at the letter box).
  • Social Selling. Data: Social Media Profile. GDPR/DSGVO: Consent or legitimate interest. UWG: Express Consent, Presumed Consent.

Download: How Well do You Know the Data Protection Regulations in DACH?

We created a little test for you to download to test your knowledge about GDPR and UWG. Are you ready?
