
GDPR: Definition, Significance & Examples in Direct Marketing

The GDPR (General Data Protection Regulation) is the regulation protecting personal data that has been directly applicable across the entire EU since 25 May 2018. For direct mail advertising, it is the central legal framework: thanks to Art. 6(1)(f) GDPR (legitimate interest), direct mail is permissible even without prior consent.

At a Glance

Term: GDPR
Category: Law & Data Protection
English: GDPR (General Data Protection Regulation)
Synonyms: General Data Protection Regulation, EU GDPR, DSGVO, Regulation (EU) 2016/679

What Is the GDPR? -- Significance for Direct Marketing

The GDPR -- officially Regulation (EU) 2016/679 -- is the European Union's central data protection law. Adopted on 27 April 2016 and directly applicable in all EU member states since 25 May 2018, it governs the handling of personal data and replaced the former Data Protection Directive 95/46/EC. With 99 articles and 173 recitals, the GDPR creates a uniform legal framework for the entire European Economic Area -- including Iceland, Liechtenstein, and Norway.

For direct marketing, the GDPR is of central importance because it determines under what conditions companies may use personal data for advertising purposes. The crucial insight: direct mail advertising is permissible under the GDPR even without prior consent -- a considerable advantage over email marketing, which requires explicit consent (opt-in). The legal basis for this is Art. 6(1)(f) GDPR (legitimate interest), supported by Recital 47, which explicitly mentions direct marketing as a possible legitimate interest.

The Stuttgart Higher Regional Court (OLG Stuttgart) expressly confirmed this legal position in its decision of 2 February 2024 (case no. 2 U 63/22): personalised direct mail advertising is covered by Art. 6(1)(f) GDPR -- even without an existing customer relationship. This places direct mail advertising on a significantly firmer legal foundation than digital advertising channels.

Art. 6(1)(f) -- Legal basis: legitimate interest for direct mail advertising
Rec. 47 -- Direct marketing explicitly mentioned as legitimate interest
~100% -- Existing customers reachable by post, without opt-in barriers
5.9 bn EUR -- Print mailings total in Germany 2023 (DMM 2024)

The GDPR recognises six legal bases for the processing of personal data (Art. 6(1)). For direct mail advertising, point (f) (legitimate interest) is the decisive basis. The legislator explicitly stated in Recital 47, sentence 7: "The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."

This legitimate interest must be verified through a three-step test that the CJEU has confirmed in several rulings (including C-252/21, Meta Platforms, and C-621/22, KNLTB): First, there must be a legitimate interest on the part of the advertiser. Second, the processing must be necessary to pursue that interest. Third, the interests and fundamental rights of the recipient must not override it. In the case of direct mail, this balancing exercise almost always falls in favour of the advertising company -- because the intrusion caused by an advertising letter is considered minor: the recipient can simply ignore or discard it.

In direct comparison with email marketing, the decisive difference becomes clear: while email advertising requires prior explicit consent (double opt-in) under Section 7(2)(3) of the German Unfair Competition Act (UWG), direct mail operates on the opt-out principle -- the advertising is permitted as long as the recipient does not object. In practice, this means: companies can reach nearly 100 percent of their existing customers by post, whereas significantly fewer contacts are often reachable by email because a valid opt-in is not available for all of them.

GDPR: Direct Mail vs. Email Marketing

| Criterion | Direct Mail (Letter) | Email Marketing |
|---|---|---|
| GDPR legal basis | Art. 6(1)(f) -- legitimate interest | Art. 6(1)(a) -- consent |
| Consent required? | No (opt-out principle) | Yes (double opt-in) |
| Competition law (UWG) | Generally permissible | Prohibited without consent |
| New customers reachable? | Yes (with balancing of interests) | Only with consent |
| Reachable contacts | Nearly 100% of customers | Often significantly fewer (missing opt-in) |
| Right to object? | Art. 21 -- possible at any time | Opt-out in every email |

Existing Customers vs. New Customers -- Different Requirements

The GDPR does not explicitly distinguish between existing customers and new customers. In practice, however, different requirements apply to documentation and information obligations. For existing customers, the balancing of interests almost always falls in favour of the company: the customer has an existing business relationship and can "reasonably expect" advertising (as formulated in Recital 47). The information obligations are governed by Art. 13 GDPR, since the data was collected directly from the customer.

For new customers, the balancing of interests must be documented more carefully, because the "reasonable expectations" are less clear-cut. However, the OLG Stuttgart clarified in 2024 that postal advertising to new customers is also covered by Art. 6(1)(f) GDPR -- a prior customer relationship is not required. Particularly important here is Art. 14 GDPR: if the address data originates from third parties (e.g. address purchase), the advertiser must inform the recipient about the data source no later than with the first advertising letter. In practice, a brief notice in the advertising letter with a reference to a detailed privacy policy online is recommended.

The DSK (German Data Protection Conference) stated the following gradation in its guidance on direct marketing (updated February 2022): postal advertising to all customers after a purchase without selection is generally permissible. Simple selection by criteria such as postcode or alphabetical order is also unproblematic. Only with complex profiling -- such as detailed behavioural analysis -- may consent become necessary.

Existing Customers: Low Barriers

An existing business relationship justifies legitimate interest. Information obligations under Art. 13 GDPR. Nearly 100% of customers reachable by post -- without opt-in barriers.

New Customers: Careful Documentation

Balancing of interests must be documented more carefully. Art. 14 GDPR: data source must be disclosed. OLG Stuttgart 2024 confirms: permissible even without a customer relationship.

Simple Selection: Permissible

Selection by postcode, gender, or purchase date is possible without consent. The DSK guidance supports this position.

Complex Profiling: Review Consent Requirements

With detailed behavioural analysis or automated decision-making, consent may become necessary. A Data Protection Impact Assessment (Art. 35 GDPR) should be considered.

What Companies Must Concretely Do -- Compliance Requirements

Even though direct mail advertising is permissible without consent, companies must fulfil several GDPR obligations. First and foremost is the documentation of the balancing of interests: companies must record in writing why their advertising interest does not override the rights of the recipients. This documentation belongs in the record of processing activities (Art. 30 GDPR), which must be maintained for every data processing operation anyway.

Second, companies must establish a mechanism for objections. Art. 21(2) GDPR grants recipients the right to object at any time and without justification to the use of their data for direct marketing. After an objection, the advertising must be stopped immediately -- without further balancing. The notice of this right to object must be provided no later than at the first point of contact in a "clear and separate from any other information" form (Art. 21(4) GDPR). In practice, this means: every advertising letter needs a brief, clearly visible data protection notice with contact details for lodging an objection.

Third, it is advisable to cross-reference with the Robinson List maintained by the DDV (German Direct Marketing Association). This opt-out list, which has existed since 1971, contains over one million entries from consumers who do not wish to receive unsolicited personalised advertising. Its use is voluntary, but it is recommended by data protection authorities and industry associations. For address trading, the GDPR has significantly tightened the requirements: the former list privilege of the old German Federal Data Protection Act (BDSG) no longer exists. Several supervisory authorities, including the State Commissioner for Data Protection of Baden-Wuerttemberg, consider a legitimate interest in address trading to be "generally not present". In practice, the lettershop procedure has therefore established itself as a privacy-friendly alternative: address providers and advertising materials are kept separate, and the merging only takes place at the lettershop.

Key Court Rulings on Direct Mail Advertising

Case law has confirmed the permissibility of direct mail advertising under the GDPR multiple times in recent years. The landmark decision is the ruling by the OLG Stuttgart of 2 February 2024 (case no. 2 U 63/22): a consumer had received personalised direct mail advertising for insurance products -- without prior consent and without an existing customer relationship. The court dismissed the claim for damages under Art. 82 GDPR: personalised direct mail advertising is covered by legitimate interest, a prior customer relationship is not required, and a mere wish not to receive advertising does not constitute non-material damage.

At EU level, the CJEU confirmed in case C-621/22 (KNLTB, 4 October 2024) that purely commercial interests can also constitute a legitimate interest within the meaning of Art. 6(1)(f) GDPR. At the same time, the German Federal Court of Justice (BGH) ruled on 18 November 2024 (case no. VI ZR 10/24) that a GDPR violation alone does not automatically establish a claim for damages -- concrete non-material damage must be demonstrated.

Fine practice confirms the low risk level of direct mail advertising: the large GDPR fines in the marketing sector almost exclusively concern digital channels -- for example Meta (390 million euros, 2023) or LinkedIn (310 million euros, 2024) for impermissible behavioural advertising. Specific fines for direct mail advertising are barely documented in Germany, since postal advertising is fundamentally considered permissible.

The GDPR as an Opportunity for Direct Mail

Paradoxically, the GDPR has strengthened direct mail rather than weakened it. While digital channels suffer from tightened consent requirements, cookie regulations, and increasing ad blocker usage, the postal channel offers legally secure access to customers and prospects. According to the Dialogue Marketing Monitor 2024 by Deutsche Post, the total German advertising market in 2023 amounted to 42.5 billion euros, with dialogue media reaching a new record high of 23.6 billion euros. 83 percent of recipients look at addressed advertising mail -- an attention rate that no digital channel achieves.

AutoLetter makes this opportunity actionable: companies can send GDPR-compliant direct mail automatically -- with integrated objection management, documented balancing of interests, and measurable tracking. This turns the legal advantage of direct mail into a practical competitive edge.


Frequently Asked Questions About GDPR in Direct Marketing

5 questions answered

Yes. Direct mail (postal advertising) is generally permissible under the GDPR without prior consent. The legal basis is Art. 6(1)(f) GDPR (legitimate interest), supported by Recital 47, which explicitly mentions direct marketing as a legitimate interest. The OLG Stuttgart confirmed this on 2 February 2024 (case no. 2 U 63/22) -- even towards individuals without an existing customer relationship. However, the recipient may object at any time under Art. 21 GDPR.

Opt-in means the recipient must give explicit prior consent (e.g. double opt-in for email marketing). Opt-out means the advertising is initially permitted and the recipient must actively object. Direct mail operates on the opt-out principle: it is permissible until the recipient objects. Email marketing, by contrast, requires opt-in under Section 7(2)(3) of the German Unfair Competition Act (UWG). This makes direct mail significantly easier to handle: nearly all customers are reachable by post, whereas significantly fewer contacts often have a valid opt-in for email.

Companies must: (1) document a balancing of interests (legitimate interest vs. recipient rights), (2) fulfil information obligations (Art. 13 for existing customers, Art. 14 for data from third parties -- including disclosure of the data source), (3) provide a mechanism to object under Art. 21 GDPR, and (4) maintain a record of processing activities (Art. 30). In addition, (5) cross-referencing with the DDV Robinson List is recommended. A brief notice in the advertising letter with a reference to the privacy policy online fulfils the information obligations.

Yes. The OLG Stuttgart expressly confirmed on 2 February 2024 (case no. 2 U 63/22) that personalised direct mail advertising is covered by Art. 6(1)(f) GDPR even without a prior customer relationship. However, stricter information obligations apply to new customers: if the address data originates from third parties, the data source must be disclosed under Art. 14 GDPR. The balancing of interests should be documented more carefully, and the origin of the addresses must be lawful.

The Robinson List maintained by the DDV (German Direct Marketing Association) is an opt-out register with over one million entries from consumers who do not wish to receive unsolicited personalised advertising. It has existed since 1971. Its use is voluntary -- there is no legal obligation to cross-reference it. However, it is recommended by data protection authorities and industry associations. Consumers can register free of charge at ichhabediewahl.de and choose from 13 categories. Companies use the cross-referencing service through a paid subscription model.
