Data protection and marketing automation must go hand in hand

Datenschutz im Marketing Automation

Anyone who already does data-based marketing knows exactly what I'm talking about: hoarding and using customer data to generate sales where the customer is willing to invest. However, legislation has become increasingly strict and the latest marketing technologies (MarTech) enable a kind of "data crawling" that sometimes comes up against legal grey areas. So how can one be sure what is allowed and what is not?

By using marketing automation, companies, and perhaps also your company, want to create a clear competitive advantage for themselves, the effect of which should definitely not be underestimated. In the long run, marketing automation can give your company a big advantage in the activities of customer acquisition and customer relationship management, gaining transparency, improving sales, increasing conversion and closing rates and other marketing-related activities. The goals and strategies that are pursued through the use of marketing automation and artificial intelligence are usually well thought out and comprehensible.

However, what is too often forgotten when establishing a corresponding system is the consideration of the data protection law regarding the personal data processed, stored and modifiable in the system, which is subject to special treatment according to the Swiss data protection law. This article is intended to provide you with a basic understanding of the Swiss Data Protection Act (DSG) and to support you in taking into account all fundamental aspects of the processing of personal data.

An introduction to data protection “basics”

The actual basis for the Swiss Data Protection Act is the Swiss Civil Code. It is interesting to take a closer look at Article 13 “Protection of privacy”:

  • “Everyone has the right to respect for his or her private and family life, his or her home and his or her correspondence, postal and telecommunications traffic. Everyone has the right to protection against misuse of their personal data” (Federal Constitution of the Swiss Confederation, 1999, p. 3).

This Article is supported by the Federal Act on Data Protection of 1 July 1993. The corresponding ordinance (DSG) regulates the details. In addition, the Swiss Civil Code contains Articles 28-28l, which specify how a violation of personality is dealt with by the law:

  • “Anyone whose personality is unlawfully violated may bring an action before the court for his or her protection against anyone who participates in the violation” (Federal Assembly of the Swiss Confederation, 1907, p. 7).

The wording of the law may sound a bit strict, but it is important to understand that the violation or misuse of personal data is considered a criminal offence in Switzerland and thus illegal. This failure to comply with the law can, in the worst case, lead to negative financial consequences and reputational damage to a company. According to the Federal Act on Data Protection and Art. 2 Scope, FADP applies when data processing of natural and legal persons is carried out by private persons or federal bodies (Federal Assembly of the Swiss Confederation, 1992, p. 1). Personal data means “all information relating to an identified or identifiable person” (DPA, Art. 3, 1992, p. 1). Data processing as defined in Article 3e is to be understood as follows: “Processing: any handling of personal data, irrespective of the means and procedures used, in particular the obtaining, storing, using, altering, disclosing, archiving or destroying of data” (FADP, Art. 3e, 1992, p. 1).

What to consider with customer data from abroad

It is important to note that companies that process customer data from near abroad, such as the EU, are subject to the European law DSGVO. This means that Swiss companies are also affected by the GDPR insofar as they process the personal data of natural persons who are resident in the EU area. According to Article 3(2a) and (b) of the GDPR, the following applies:  

This Regulation shall apply to the processing of personal data of data subjects located in the Union by a controller or processor not established in the Union, where the data processing is related to it:

  • a) offer goods or services to data subjects in the Union, regardless of whether a payment is to be made by those data subjects; 
  • b) monitor the behaviour of data subjects insofar as their conduct takes place in the Union” (GDPR, 2018). 

If Swiss companies are affected by these criteria, the following obligations arise in relation to the GDPR: 

  • Guarantee of “Privacy by Design
    Intervention of the organisational measures to ensure compliance with the EU GDPR and to protect the data of the data subject;
  • Guarantee of «Privacy by default»
    Ensure by default settings that only those data are collected that are actually necessary for the respective purpose. 

In addition, it must be taken into account that the application of the GDPR only applies to the processing of personal data. The GDPR does not apply to the processing of other types of data.

What does that mean for you exactly?

Compliance with the legislation is up to the respective company and not the data subject. This responsibility cannot be delegated. Therefore, it is essential that your company evaluates and implements the appropriate measures to avoid the negative consequences. But what measures can be introduced by the company to strengthen the protection of personal data?

  1. First and foremost, management should become aware of these critical points and pursue the appropriate data protection strategy in the company. The strategy is the core for the further steps regarding data protection in the company;

  1. Damit der Datenschutz im Unternehmen nicht nur auf dem Papier bestehen bleibt, soll der Datenschutz auch gelebt werden. Dafür ist die Sensibilisierung der Mitarbeiter/-innen dringend nötig. Denn Wissen ist bekanntlich Macht. Die Wissensverteilung kann in Form einer Schulung, interaktiv oder digital, umgesetzt werden;
  2. It is helpful to define a person responsible for data protection who, from a psychological point of view, successfully coordinates and accompanies the implementation and compliance of the plans by handing over responsibility to those involved. Thus, the company has a person who is committed to data protection and, at best, also enthusiastic about it;
  3. “Last but not least”, the consideration of security measures in the software and infrastructure used should be on the agenda.

In summary, these are the best prerequisites for the correct handling of data in the company.

And what’s next in your marketing automation?

Admittedly, the legal passages mentioned tend to be very dry subject matter and may seem very complex for an untrained person with the associated regulations. Don’t worry, you don’t have to learn all the factors by heart. It’s just important for you to understand that even though marketing automation as a technology is a very cool thing, you must always be aware of the legal situation of your customers in relation to the data they share with you so that you don’t unwittingly become liable to prosecution.

YOUNITY specialises in providing you with the organisational and technological basis for the implementation of successful marketing automation in Marketing Solution Design and the best possible systemic support to ensure that the legal basis is taken into account. YOUNITY is continuously pursuing technologies that can support you in the compliant processing of customer data. Here are some tips to keep in mind when getting started with marketing automation tools:

  • Consent to cookie tracking should be able to be displayed on web pages and captured by the system;
  • The legal basis for processing personal data shall be recorded in the system at the time of contact;
  • Email subscriptions should be able to check and track whether the legal basis exists, the corresponding opt-ins and opt-outs should be registered by the system;
  • The system can distinguish between subscription types with and without a legal basis;
  • The system offers a DSGVO-compliant deletion of contact data as a function;

YOUNITY’s partner technologies, such as HubSpot (Guide to GDPR-compliant use) and BSI Customer Suite (Data protectionCapability) offer the right tools for this.

And now, have fun and success on your Marketing Automation Journey!



Depending on your individual situation, we form concrete packages of measures that make processes more efficient, uncover missing or unnecessary systems and thus optimise costs.


Image: ThisIsEngineering, Pexels

Kommentar schreiben
Dieses Feld kann nicht leer sein.
Dieses Feld kann nicht leer sein.
Diese E-Mail-Adresse ist ungültig.
Sie müssen die Datenschutzbestimmungen akzeptieren.