Data protection in marketing: What data protection coordinators need to bear in mind

Hardly any area of marketing today can do without personalization and the technical tools that come with it. However, every new tool brings a growing responsibility to use it in a legally compliant manner. Data protection coordinators in the marketing and communications department face the challenge of reconciling creativity and compliance.

In this article, Dominic Huscava, Head of Marketing at caralegal, shows in a practical way what is important and how typical marketing processes can be implemented in compliance with data protection regulations.
December 1, 2025
Written by Dominic Huscava,
Head of Marketing & Business Development

Data protection in marketing: Where creativity and legal interests intersect

Marketing teams have come to work with a rich tool stack, from newsletter software and web tracking tools to AI generators for text and images. (Personal) data potentially flows across many interfaces, which is precisely where friction points with data protection arise. This is not because marketing professionals are doing anything “wrong,” but because speed, creativity, and legal requirements do not always run in sync.

Typically, important questions only arise late in the process: “Do we really have the necessary consent?” or: “Why can't we use the new tool yet?”

Data protection coordinators therefore face the challenge of striking a balance between marketing practicalities and compliance.

To make data protection challenges easier for creative professionals, we explain when to involve the data protection team and what information it needs in order to reach the desired result as smoothly as possible.

When should data protection teams be involved?

In short: Data protection teams must always be involved when personal data is processed and whenever there are changes or new developments that affect data protection processes in marketing. The right timing for involving data protection teams is often crucial. After all, the earlier the collaboration begins, the smoother the implementation will be.

Typical occasions for alignment with data protection are:

  • Before implementing new tools
    e.g., CRM systems, automation solutions, or analysis software
  • Prior to the use of new channels
    e.g., social ads, lead generation via partner platforms
  • In case of process changes
    e.g., new forms for white paper downloads or news registrations
  • Before using cookies and tracking technologies
    e.g., Google Analytics, Meta Pixel, Hubspot Tracking
  • When transferring data to third parties
    e.g., in case of sales partnerships, agency access, or external hosting
  • Prior to international data transfers
    e.g., when using US-based services or cloud providers outside the EU

As a rule: as soon as an email address, an IP address, or a tracking pixel comes into play, the data protection team should be involved.

What information does data protection need from marketing?

Proper preparation is essential for approval processes to run efficiently. The clearer the information, the faster the data protection team can make an informed assessment and provide recommendations if required.

The following standard information is usually required:

1. Goal and purpose of the marketing measure

Question: Why is the measure being conducted?

The data protection team must understand the “purpose of data processing” in order to be able to assess or review the legal basis for data protection.

2. Description of data processing

Question: What data is processed and how?

This involves providing a clear overview of the data flows. The following points are important here:

  • What type of personal data is collected?
    (e.g., email address, IP address, interest profile)
  • Where does the data come from?
    (own collection, third-party systems, lead acquisition, etc.)
  • Who has access to the data?
    (internal: marketing, sales – external: agencies, service providers)
  • Where is it processed or stored?
    (e.g., cloud systems, server locations)
  • How long is the data stored?
  • Is it transferred to a third country?
    (e.g., USA, UK, Switzerland)

3. Service providers and tools used

Question: Which systems and providers are used?

The following information about the tools used is relevant for a data protection-compliant assessment:

  • Name of the service provider
  • Name of the tool
  • Location of the provider (EU or third country)
  • Whether a data processing agreement (DPA) under Art. 28 GDPR is in place with the provider

If this information is complete, the data protection team can provide quick and targeted support. At the same time, this reduces the risk of subsequent adjustments or delays.

Next, we will use specific examples, from email marketing to tracking on landing pages, to illustrate where data protection issues frequently arise in real life, when alignment is advisable, and how approvals can be granted efficiently and in a legally compliant manner.

5 typical marketing scenarios and how to make sure they're compliant with data protection rules

Scenario 1: Email marketing & newsletter distribution

Situation:
Your company is planning to launch a marketing newsletter. 

Privacy pitfalls:
Consent for the newsletter must be obtained in a legally compliant manner, documented, and verifiable at all times. This also includes the double opt-in procedure and the corresponding information in the privacy policy. Newsletter tools must also be checked.

What information does the data protection team need from marketing?
In addition to the standard information, the data protection team requires the following additional information:

  • Analysis of user behavior:
    Information on tracking data collected by the newsletter tool (e.g., open and click rates, bounce rate)
  • Double opt-in process:
    Information on how newsletter subscribers give their double opt-in
  • Revocation, including blacklisting:
    Information about the revocation option in each email and whether contacts are placed on a blacklist in the CRM tool after their revocation
  • Use of cookies or external scripts in the registration form:
    Information about integrated scripts or cookies (e.g., reCAPTCHA, tracking pixels of the newsletter service provider) and about integration into the consent management tool (opt-in before activation)

What does the data protection team check?
The data protection team...

  • ...checks the information provided and, if necessary, asks questions in order to assess the legal implications of the processing activity
  • ...checks the DPA and, if necessary, approves the service provider or tool
  • ...drafts consent texts to be used for the newsletter registration forms and the double opt-in email
  • ... updates the text of the privacy policy to include information on newsletter distribution, service providers, tracking, revocation/unsubscription

Once approval has been granted, the data protection team enters the information provided into the record of processing activities (RoPA) as a processing activity.

The marketing team updates the privacy policy, consent texts, and, if necessary, the cookie banner on the website and ensures that there is an unsubscribe/revocation option in every email. The marketing team can then start sending out the newsletter.

caralegal best practice advice:
The more information the data protection team has available from the outset, the faster the approval process can be completed.

To save additional time, the marketing team can create consent texts and the double opt-in email in advance and submit them to the data protection team for review.

Scenario 2: Conversion tracking on a landing page


Scenario 3: Social media content with AI-generated assets

Situation:
The marketing team uses ChatGPT for copywriting ideas and DALL·E for image motifs in a social media campaign.

Privacy pitfalls:
When using generative AI, personal data must not be entered into prompts. In addition, it is necessary to check how the rights to the generated content are handled.

What information does the data protection team need from marketing?
In addition to the standard information, the data protection team requires the following additional information:

  • Processed data:
    Details on the types of data processed when using generative AI – in particular, whether prompts contain personal or company-related information
  • Social media platforms:
    Information about which social media platforms the created content is to be published on (e.g., LinkedIn, Instagram, TikTok)

What does the data protection team check?

  • Which AI tools are permitted in the company and how they must be documented (e.g., in the company's own AI register)
  • Existence of internal rules for designing prompts
  • Checking whether the existing privacy policy already contains references to the social media platforms used on which AI-generated content is shared
  • If necessary, adaptation of the privacy policy text and, finally, documentation of the AI tool used by marketing in the record of processing activities (RoPA)

Once approved by data protection, the marketing team may use the AI tools for production. Before doing so, the marketing team has to update the privacy policy on the website, if applicable.

caralegal best practice advice:
Internal AI guidelines can provide greater clarity. In these, companies define which AI tools may be used and how prompts must be designed. This provides a secure framework for creative work with AI.

 

Scenario 4: Marketing automation in CRM

Situation:
Automated workflows are to be set up in the CRM system to segment leads according to behavior and for the delivery of personalized content.

Privacy pitfalls:
Automated segmentation can constitute profiling within the meaning of Art. 4(4) GDPR. This becomes particularly relevant when decisions about how to address customers or which offers to select are made fully automatically, without human intervention. Art. 22 GDPR applies to such decisions if they produce legal effects for the data subject or similarly significantly affect them; selecting personalized content alone usually stays below that threshold, but if it is reached, the data subject must be informed about the logic involved, and explicit consent may be required. Regardless of Art. 22, data subjects must be informed about profiling, and they may object at any time to profiling for direct marketing purposes (Art. 21(2) GDPR).

In addition, retention and deletion periods and retention guidelines must be clearly defined within the CRM system.

What information does the data protection team need from marketing?
In addition to the standard information, the data protection team requires the following additional information:

  • Automation processes:
    Description of the planned automation processes in the CRM system (including objectives, triggers, data fields used, logic, and recipient groups)
  • Degree of automation:
    Whether decisions are made fully automatically or whether a human reviews and approves them

What does the data protection team check?

  • Assessment of the legitimacy of the processing, particularly with regard to the underlying legal basis (e.g., consent or legitimate interest) and the applicability of Art. 22 GDPR (automated individual decision-making, including profiling)
  • Review of data flows, storage periods, and the deletion concept, as well as review of the DPA for the tool used
  • Review of existing information obligations, i.e., whether data subjects must be informed about profiling and what other information obligations apply

The data protection team then approves the tool and revises the text of the privacy policy with details of the CRM provider used. The marketing team updates the privacy policy on the website.

caralegal best practice advice:
Automation saves time—but it only remains legally compliant if there are clear deletion rules. Plan deletion routines from the outset to keep your data stocks lean and compliant.

Scenario 5: Raffle for lead generation

Situation:
Your company is organizing an online raffle to generate new leads.

Privacy pitfalls:
It must be clear for what purpose personal data is being collected, i.e., whether it is used exclusively for the purpose of the raffle or also for marketing purposes (e.g., sending newsletters or product information by email).

What information does the data protection team need from marketing?
In addition to the standard information, the data protection team requires the following additional information:

  • Terms and conditions of participation:
    Creation and provision of the full terms and conditions for the raffle, including information on the controller, the competition process, prizes, the participation deadline, and information on data processing
  • Raffle forms and consent:
    Creation of registration forms or forms including checkboxes for marketing consent

What does the data protection team check?

  • Legal assessment of the consent texts and conditions of participation
  • Checking the double opt-in process (for email: confirmation of the email address; for contact by telephone: a separate verification of the phone number)
  • Review of the data processing agreement and approval of the applied tools

The data protection team documents the online raffle in the record of processing activities, updates the text of the privacy policy if necessary, and grants approval to the marketing team. The latter then updates the privacy policy on the website.

caralegal best practice advice:
Good to know: Art. 7(4) GDPR does not establish an absolute prohibition on coupling. Participation in a raffle may (similar to white paper downloads) be linked to marketing consent, provided that the consent is voluntary, clear, and transparent. It is important to make clear who is processing the data and for which purpose.

In addition, treat consent as effective only after a double opt-in, e.g., once the participant has confirmed by email or, in the case of contact by phone, once the phone number has been separately verified. Keeping a complete log of consents ensures that you can prove at any time when, for what purpose, and on the basis of which consent text consent was given, and when it was revoked.
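The double opt-in, revocation and blacklisting steps described for the newsletter in Scenario 1, and the consent log recommended here, can be implemented as one small procedure. The following is an added illustration and not caralegal's code or the code of any newsletter tool; it assumes an in-memory store, a single HMAC key passed in by the caller, a 48-hour link lifetime, and a clock value supplied by the caller (a real system would use a database, a secrets manager and the system clock). The confirmation link carries a random nonce plus an HMAC over the request parameters, so a link cannot be forged or pointed at a different address, purpose or consent text version, and each entry in the log commits to the hash of the previous one, so a later edit or deletion is detectable.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

TOKEN_TTL = 48 * 3600  # confirmation-link lifetime in seconds (assumed policy value)


def _digest(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass
class ConsentStore:
    """Unconfirmed double opt-in requests plus a hash-chained consent log."""
    key: bytes                                    # HMAC key for confirmation tokens (assumed injected)
    pending: dict = field(default_factory=dict)   # nonce -> unconfirmed request
    log: list = field(default_factory=list)       # append-only, hash-chained events
    suppressed: set = field(default_factory=set)  # (email, purpose) blacklist to export to the CRM

    @staticmethod
    def _payload(nonce, email, purpose, text_version, issued):
        return "|".join([nonce, email, purpose, text_version, str(issued)])

    def _sign(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def _append(self, **entry):
        # Each event commits to the hash of the one before it, so altering,
        # removing or reordering any entry later makes verify_log() fail.
        entry["prev_hash"] = self.log[-1]["hash"] if self.log else "0" * 64
        entry["hash"] = _digest(json.dumps(entry, sort_keys=True))
        self.log.append(entry)

    def request_signup(self, email, purpose, text_version, now):
        """Step 1 (single opt-in): record the request and return the token for the confirmation link."""
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = dict(email=email, purpose=purpose,
                                   text_version=text_version, issued=now)
        self._append(event="requested", email=email, purpose=purpose,
                     text_version=text_version, at=now)
        return nonce + "." + self._sign(self._payload(nonce, email, purpose, text_version, now))

    def confirm(self, token, now):
        """Step 2 (double opt-in): verify the emailed token, then log the consent as granted."""
        nonce, _, sig = token.partition(".")
        req = self.pending.get(nonce)
        if req is None:                       # unknown nonce or link already used
            return False
        expected = self._sign(self._payload(nonce, req["email"], req["purpose"],
                                            req["text_version"], req["issued"]))
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False                      # forged or tampered link; keep the request pending
        del self.pending[nonce]               # single use, whether it turns out to be expired or not
        if now - req["issued"] > TOKEN_TTL:
            return False                      # expired: the subscriber has to start over
        self.suppressed.discard((req["email"], req["purpose"]))  # a fresh double opt-in lifts an older revocation
        self._append(event="granted", email=req["email"], purpose=req["purpose"],
                     text_version=req["text_version"], method="double_opt_in",
                     requested_at=req["issued"], at=now)
        return True

    def revoke(self, email, purpose, now, channel):
        """Revocation via unsubscribe link, reply mail, etc.; also feeds the CRM blacklist."""
        self.suppressed.add((email, purpose))
        self._append(event="revoked", email=email, purpose=purpose, channel=channel, at=now)

    def has_consent(self, email, purpose):
        """True only if the most recent consent event for this pair is a confirmed grant."""
        latest = None
        for e in self.log:
            if e["email"] == email and e["purpose"] == purpose and e["event"] in ("granted", "revoked"):
                latest = e["event"]
        return latest == "granted"

    def evidence(self, email, purpose):
        """The entries to hand over when asked to prove when and for what purpose consent was given."""
        return [e for e in self.log if e["email"] == email and e["purpose"] == purpose]

    def verify_log(self):
        """Recompute the chain; False means an entry was altered, removed or reordered."""
        prev = "0" * 64
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or _digest(json.dumps(body, sort_keys=True)) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Two design points worth noting. The log records the version of the consent text, not only the fact of consent, because the proof you need later is what exactly the subscriber agreed to; keep every published version of the text alongside the log. The hash chain makes tampering detectable, not impossible: anyone who can rewrite the whole list can rebuild the chain, so record the latest hash periodically in a system the marketing tooling cannot write to. The log itself contains personal data and falls under the retention rules discussed in Scenario 4.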

Data protection in marketing: An obligation that can be simplified

Data protection has long been part of everyday life in marketing departments, but it is rarely one of the favorite tasks of marketing professionals.

Our five scenarios show that the processing of personal data plays a crucial role in modern marketing, for example in campaigns, analyses, or automated customer journeys. That is why close cooperation between marketing and data protection teams, with clear responsibilities and defined processes, is vital.

The better marketing and data protection understand what information is required for approval, the faster it can be granted. If the marketing team provides all the relevant details, such as data sources, consents, or processing activities, from the outset, this saves queries and speeds up coordination considerably.

The process becomes even more streamlined when all information is collected centrally and provided in a structured manner. A shared platform where the marketing team enters all the information for the data protection review creates transparency, reduces alignment efforts, and makes approvals easier for all parties involved.

A digital solution like caralegal's Privacy Flow makes these tasks much easier and more secure. The software helps structure data protection processes in marketing, centrally document processing activities, and reliably track approvals.

If you as a marketing professional work closely with your colleagues in data protection, feel free to pass on this information. caralegal can help make collaboration more efficient and smoother.


About the author

Dominic Huscava
Head of Marketing & Business Development at caralegal
As a former data protection coordinator in healthcare and management consultant, Dominic Huscava combines data protection experience with a deep understanding of processes and strategic marketing. His goal: to make data protection and AI compliance more understandable and practical — with content and tools that really support professionals in their everyday work.
