In a press release dated 28.06.2013 the Bavarian Data Protection Authorities (BayLDA) announced that they imposed a fine against the management of a commercial enterprise because one of their employees sent a newsletter with an open mailing list.

According to the press release, a female employee of a commercial enterprise had written a short e-mail to clients. The e-mail consisted of 10 pages (DIN A 4), of which 9.5 pages contained the e-mail addresses of the individual recipient.

Because of the fact that the e-mail addresses contained the first name and surname and their internet abbreviations respectively, the Bavarian Data Protection Authorities considered these data to be personal data pursuant to the data protection law which data may only be disclosed with the prior consent of the person concerned.

If all e-mail addresses in such a newsletter are entered in the „To column“ or in the „CC column“, all recipients of this e-mail can follow up who else is on copy. The Bavarian Data Protection Authorities know that in the hectic preoccupation with daily business it is very easy to enter the e-mail addresses of the recipients in the wrong field, however, in view of such a large number of open e-mail addresses the Bavarian Data Protection Authorities could see no possibility to consider this violation as a so-called „inadmissibility without consequences, but had to impose a fine.

In the case at issue the Bavarian Data Protection Authorities take it that the error concerning the personal data is not to be attributable to the employee of the enterprise alone, but is to be seen in the fact that the management did not attach the suitable degree of importance to such a deed. For this reason, the penalty notice was not directed to the employee in question, but to the management of the enterprise.

Remark of the author:

The problems regarding data protection within the field of newsletters are not handled with the necessary care.

It should in any case be borne in mind that the registration for a newsletter is connected with considerable legal requirements. The dispatch of newsletters is to be made under the provisions of data protection requirements. In the case at issue a „slipping of the address“ into the wrong field may lead to a violation of data protection requirements and result in a „significant“ fine. Thus, particular attentiveness and care should be taken into account in that all recipients of e-mail newsletters should be entered in the „BCC field“. Only in this way, i. e. if the e-mail addresses are entered in the „BCC field“, it can be ensured that the recipients cannot recognize who else has received this e-mail.

„BCC“ means „Blind Carbon Copy“ („Blind Copy“).

Author: Felix Seehausen, Attorney at Law, LL.M.