GDPR in DACH: How to Sell in the German-speaking Market

January 30, 2023

No one wants to start their business journey in new markets by breaking the law. 

When the European Union (EU) rolled out the General Data Protection Regulation (GDPR) in 2018, many companies were concerned about how it would affect their business. This was especially true for those looking to break into the European market, specifically the German-speaking region known as DACH (D/Germany, A/Austria, and CH/Switzerland), where regulation is tight.

In the world of sales, organizations need to rethink how they can comply with the GDPR but still generate quality leads to remain competitive. So, how can your sales team source compliant contact information and stay at the top of their game?

The GDPR may seem intimidating to a salesperson, especially in a new market. However, Germany is the largest economy in the EU, and with Austria and Switzerland also bringing substantial spending power, they’re definitely worth the effort. 

So, let’s start from the beginning.

Unpacking all the acronyms and main terms

Here are some key GDPR-related terms to keep in mind.

What is GDPR?

The GDPR, or General Data Protection Regulation, was rolled out to give consumers in the European Union (EU) more control over their data. 

DSGVO is the German term for GDPR and stands for Datenschutz-Grundverordnung. The German-speaking regions of the EU are particularly rigid regarding data protection, making it challenging for companies in other areas of the world to break into these markets without a solid plan.

In short, it’s a regulation that protects the fundamental rights and freedom of people concerning the processing of personal data and the free movement of such data.

In the context of GDPR, you’ll often hear about Consent and Legitimate Interest because they play a vital role within the regulations. But what do they mean, and how are they different from each other?

Why is consent so crucial in GDPR for sales?

Consent is the explicit agreement a user makes by opting in to allow your company to collect, store, and process their data. Why is this important for sales? Depending on how you’ve contacted your prospect, they must opt in to be lawfully contacted, but more on that in the e-Privacy chapter.

What is legitimate interest as outlined in the GDPR?

Unlike explicit consent from the user, legitimate interest is when you know you have a valid reason for data processing. That is, your business interest far outweighs any other factors. A good example is a credit card company that notices suspicious charges on a customer’s account. In this case, they’ll have to access and process the customer’s data because that serves to protect the customer.

What is e-Privacy?

While the GDPR regulates how personal data is processed, the e-Privacy Directive (PECD) contains specific rules for electronic marketing and sales outreach. The GDPR is directly applicable in the EU.

However, the PECD had to be implemented by national laws within each EU member state as well as the EEA. That means each country has separate, slightly differing PECD laws that govern how you reach out.

In Germany, the PECD is implemented by the Gesetz gegen den unlauteren Wettbewerb (UWG). In English, the law is known as the Act against Unfair Competition. In Austria, the PECD was implemented by the Telecommunications Act 2021 (TKG).

Since Switzerland isn't a member of the EU, the GDPR and e-Privacy Directive don't apply. The Swiss have their own regulations:

  • The Federal Act on Data Protection (FADP)
  • The Federal Act on Unfair Competition (UCA)

Because Switzerland is located in the heart of Europe and has close economic ties with the EU member states, Swiss law is still heavily influenced by EU law–both in the context of content and interpretation.

So, how can you easily remember what the GDPR and PECD regulate?

[Image: GDPR vs PECD. Source: dealfront]

Now that you’re more familiar with the two main terms, let's break down how to set up your company and sales strategy for success in the German-speaking market.

The most relevant aspects of GDPR & PECD for Sales 

Back when people used to go door-to-door to try and sell products or services, customers knew very little about what happened with the information they shared. Now, every consumer can go online to find exactly what happens to their data when they sign up for a newsletter, product demo, or whitepaper download.

Not only that, everyone has the right to decide how they want their information handled. That means someone might have initially agreed to give you their work email address to download that whitepaper, but they can also revoke that permission at any time.

Thankfully, in the digital age, salespeople don’t have to risk getting a door slammed in their faces anymore. But outreach can still be tricky, especially when you have to navigate policies that regulate how you do that.

So, how should you go about sourcing leads in a GDPR-compliant way and performing outreach in line with PECD best practices?

Begin by building trust. 

Data collection: GDPR compliance from the get-go

Compliant data sourcing isn’t as complex as you might think, but you still have to have a solid strategy in place. Sure, you could buy addresses from a list broker, but you’d be setting yourself up for hefty fines in the German-speaking market. 

As you know, under the GDPR, you need to have a legal basis for processing personal data. As mentioned above, one legal basis under the GDPR is a legitimate interest. While the GDPR explicitly mentions sales and marketing activities as an example for legitimate use (see Recital 47 GDPR), the balancing test has to be made on a per-person basis and cannot be generalized.

While the legitimate interest balancing test cannot be generalized, a good rule of thumb is that people have less interest in not having their data processed if their data is, with their knowledge, publicly available or if they voluntarily shared their data with you.

Switzerland has slightly different regulations here. Unlike the GDPR, the FADP does not require a legal basis for processing personal data by non-public bodies. It works solely on an opt-out basis.

In short, if the individual doesn't want their personal data processed, they must object to it. As long as you adhere to the regulations of the FADP and the individual has not objected, non-public entities (private companies, etc.) can process personal data!

What is first-party data, and how is it collected?

In the world of B2B, first-party data is any business-related information submitted voluntarily by your prospect directly to you. Perhaps they filled in a survey at your trade fair booth or signed up for your newsletter via your website; the information didn’t pass through any other party’s hands to get to you. 

Here’s what the online form might look like:

[Image: example of a sign-up form. Source: dealfront]

What is zero-party data, and how is it collected?

Zero-party data collection is similar in how the data moves from the customer directly to you, but the information itself isn’t necessarily business-related. Instead, it has more to do with behaviors and preferences.

For example, instead of just sharing their business email address with you, customers might also share that they enjoy listening to podcasts or when their birthday is. 

Think of it like this: What kind of additional (not necessarily business-related) information might the customer give when chatting with you? With both first and zero-party data collection, trust is implied because your prospect freely gives you their information.

Now that you know how to collect data, what next? Continue building on that trust.

Data processing: How does the user know what you’re doing with their data?

You know why you need data, but letting the user know why and how you intend to use their data is just good business. Whether it’s for product improvement or to understand how they interact with your brand, make your intentions transparent throughout their interactions with you. It begins the moment someone lands on your website and confirms the cookie policy:

[Image: cookie policy example. Source: dealfront]

Without this transparency and clarity, your user doesn’t have sovereignty over their data, which is the whole purpose of the GDPR. Because without data sovereignty, they won’t be able to make informed decisions. How can you ensure they have that control? 

Here are some tips:

[Image: How to ensure users can easily access and control their data. Source: dealfront]

Data storage and security: How and where is all the data stored?

Your users trusted you with their information because you made your intentions transparent, and now your users want to know more.

Where should data be stored according to regulations?

The GDPR implements strict rules for the transfer and storage of personal data outside of the EU, so if you want to do that, you’ll have to adhere to the GDPR regulations.

But that’s not the only thing GDPR says about data storage. It also dictates how long you can store the data and when or how to delete it.

How long can data be stored?

The GDPR doesn’t set a strict limit, but personal data should only be stored as long as required and generally for the shortest time possible. That means if you don’t have valid reasons for continuing to store the data, such as for tax purposes, be sure to delete it. You are also required to inform any involved third parties and ensure they also comply.

Another stipulation is that you keep the data up to date if your company plans to store it over a longer timeframe. Reach out to your customers or give them a way to keep their data current. And as always, make sure you communicate why you need to store their data for longer.

Data best practices: Keep your intentions and data collection transparent

Potential customers giving you their information is the first step, but they need to know that they can always access their data, be informed about how you’re processing it, and revoke their consent at any time. 

Always be transparent about why you’re collecting customer data. If it’s to provide them with a better user experience in the future, then just say that. The why and how of data collection should never just be part of the small print. 

Make it as easy as possible for a user or prospect to come to you and ask for their data. Be sure to provide them with an easy way to download it, too. Nothing will turn off potential or current customers more than not knowing if you’re trustworthy or care about their data security.

Now that we've discussed the proper way to collect, store, and process data, let's move on to how to compliantly reach your prospects.

Cold outreach done right with the UWG

As mentioned before, the GDPR is in place to regulate how a prospect’s data is collected, stored, and processed. Let’s look more closely at how the PECD and the national laws in each DACH country (the UWG, TKG, and UCA) affect how your sales team reaches out to prospects.

Cold outreach has the reputation of being tricky to do right. No one is truly enthusiastic about being called or emailed for the sole purpose of being sold a service or product. Under the GDPR, a lot of marketing or sales activities can be based on the legitimate interest of the company doing the outreach.

This can include marketing their products or services, improving and promoting those products or services, and growing their business. Please refer to Recital 47 of the GDPR for more information.

However, the UWG and other laws implementing the PECD don’t give you the option to base outreach on legitimate interest. Under the UWG, TKG, and UCA, different rules apply to each method of outreach: telephone, email, or post. You’ll need consent for most means of sales and marketing communications.

What is the difference between expressed consent and presumed consent?

Before reaching out to customers, ensure you're offering exactly what your prospect needs. When you’ve established that your product matches their needs, get their consent to contact them.

[Image: expressed vs presumed consent. Source: dealfront]

If you’re reaching out as a B2B company to prospects in the DACH region, to be truly successful, you need to understand how the different types of outreach are affected by the PECD, i.e., the respective national laws like the UWG or TKG that have implemented it.

Cold calling 

Any sales rep will tell you that cold calling is one of the most challenging outreach methods. Dealing with people hanging up on you can be as demoralizing as a door in the face. But if you do your research, you can avoid violating the respective laws within DACH implementing the PECD. 

For example, if your prospect signed up for a demo version of your platform, they should have the option to allow you to contact them. Unless they choose to accept calls, don’t call. Your prospect or customer can also retract this consent at any time.

Please note that you're also not allowed to hide your telephone number when calling prospects. This is especially relevant in Switzerland. Your prospect should be able to verify your business identity with the telephone number if necessary. This will also enable the person to block all further calls from an unwanted number. Preventing them from doing that violates the UCA.

Cold email prospecting

Email outreach can be tricky in the context of the PECD laws. Cold emails, both direct and mass emails, aren’t allowed under the individual PECD laws and the UCA within DACH. But there are some exceptions.

Sending direct emails to recipients without their consent is allowed if:

  • You’ve received their email address during the sale of products or services. Any further communication on your end must relate to marketing those same products or services.
  • You’ve informed the recipient of their right to opt out before the first outreach via email.
  • The recipient didn’t opt out.
  • You’ve informed the recipient of the right to opt out of any marketing email you sent them. You must provide a valid email address where they can send their opt-out request.

To recap: if you’ve collected their email through a previous sale and intend to use it to cross or upsell, you can send an email. Again, this is all provided you’ve given them a way to opt out! If none of this applies, you must get your recipient's consent.

So, how can you prepare your pitch to hit right and align with the regulations?

The easiest way to ensure you’re on the right track is to send emails only if you’ve had previous contact with a prospect and they’ve given express permission to contact them. For example, if your company hosts a webinar that requires people to register, you can provide them with the option to opt in to email marketing. But in the DACH market, opting in isn’t as simple as it sounds.

What is a double opt-in? 

Imagine a user signs up to receive something from you and agrees to be contacted via email; they’ll first get an email asking them to confirm that’s what they really want. You can only proceed with your email outreach once they’ve consented for a second time.

This regulation affects things like newsletters and email campaigns that showcase new offerings. Please note that a double opt-in is only relevant in Germany and Switzerland. Austria only needs a single opt-in but a double opt-in is recommended. 

Step 1 of a double opt-in:

[Image: double opt-in step 1. Source: dealfront]

Step 2 of a double opt-in:

[Image: double opt-in step 2. Source: dealfront]

All your prospect has to do now is follow the steps outlined above, and you’ll have permission to send that newsletter!

This all sounds time-consuming (and it is), but the benefit for you is that with a double opt-in, you can be sure that your prospect wants to receive communication from you.

Other outreach methods

Although no longer common, reaching out to potential clients with advertising or a sales pitch in the form of a physical letter is the most appropriate method of contact in the context of the PECD. However, you need to do your research! 

Tip: Since you won’t be able to verify every single mailbox personally, make sure you don’t “spam” their mailbox and that if they ask you to cease contacting them, you comply immediately.

Social selling is becoming popular in B2B to find prospective customers. You can find a virtual treasure trove of ideal customers on popular social business networks. It’s common to reach out to prospects, informing them of your products or services.

However, GDPR compliance, specifically proving legitimate interest, is still required here. Please check the guidelines of the platform you’re using, which often restrict social selling to avoid spam.

Trade shows are also great for reaching out to your target market. Hundreds or even thousands of people already interested in your service or product are all now under one roof, waiting to hear what you offer. If they want to hear more about you, your service, or your product, get signed consent that you’re allowed to follow up with them.

Which outreach methods are allowed in each country?

The German language may be something that each country in the DACH region has in common, but are there differences in outreach regulations? Keep in mind that there may also be a preference in each country on how they like being contacted. Knowing the laws and general preferences can boost your outreach success.

Germany

Although cold-calling is technically illegal, it’s still tolerated. However, don’t forget that the UWG requires that you have previous consent to call – either presumed or expressed. 

Email outreach is where you have to tread more carefully. As we mentioned previously, Germany requires a double opt-in for any kind of email communication and outreach. 

Austria 

Unlike Germany, Austria has no presumed consent framework, meaning cold calling is illegal here, whereas in Germany it’s tolerated. Email may seem your safest bet in Austria, as they only require a single opt-in instead of a double opt-in. However, it’s exactly this lack of a double opt-in that could leave you vulnerable to liability.

Switzerland

Although Switzerland isn’t part of the EU, its regulations for conducting business closely match those of its DACH neighbors. Like Germany, Switzerland requires a double opt-in for any email correspondence.

Cold-calling regulations closely match Germany’s, as the presumed consent regulation is also in place here.

Understanding how DACH does business 

Gaining knowledge on selling more effectively can sometimes be as straightforward as reading up on the latest sales psychology tips. But why stop at just that?

Put aside all the stereotypes you have of the German-speaking region of Europe. Apart from the vital business context that the GDPR and UWG provide, you must also ensure you’ve learned about each market within the DACH region. Cultural context is essential here and can make or break your success, no matter how compliant you are.

Although each region has distinct cultural characteristics, several similarities are especially relevant for doing business. Here are the top five:

  1. There’s quite a high level of formality expected when doing business in any of the three countries. However, the level of formality can be industry-dependent. So, how you approach a tech company will be different than how you approach a construction company. If you’re unsure, keep it formal.
  2. The adherence to a rigid business hierarchy and structure is closely related to formality. But, again, this is largely industry-dependent so do your research.
  3. All regions are very task-focused. There’s a huge emphasis placed on getting things done rather than building relationships. It’s more efficient, which is another trait favored by DACH.
  4. Reliability is another must-have when doing business within DACH. Be on time, and do what you say you’re going to do.
  5. Written communication (not just outreach-related) is preferred over spoken communication in all regions of DACH. So whether it’s an email or a brochure, make sure it’s well-written and logically structured.

A good rule of thumb for all German-speaking regions, especially in the context of B2B, is never to discuss or ask about topics involving someone’s private life. 

4 steps to GDPR and PECD-compliance in sales for DACH  

Now you have all the information, how do you put it into practice? Of course, there’ll be work on your end, but we’ve taken all the guesswork out of the equation. 

1. Audit

Take a look at your current compliance documentation and ask the following questions:

  • Is it all up-to-date? 
  • Do you have all the legally-required documentation available and easy to find?
  • Do you need an internal compliance officer or lawyer to review or create new documents as required?

2. Plan

Figure out how to take any necessary measures. How do you plan to be compliant, and what areas of your business are directly affected? Compliance is vital for different departments within an organization, not just sales. 

Every department needs to be on the same page regarding your outward-facing compliance strategy. That means IT or HR has to have the same understanding of your compliance strategy as the sales or marketing teams.

3. Execute

How do you let your customers or prospects know you’re compliant? By telling them, of course! Make compliance a part of every aspect of your business within DACH. Whether during outreach, in a newsletter or as part of an email signature, your dedication to compliance will not go unnoticed. 

  • Make your intentions known during contact – why have you reached out to them?
  • Don’t forget! Be sure to review the consent requirements.
  • Always tell people why you need their data, how you intend to process it, and where you will store it.
  • Remind your customers to keep their data/information up-to-date and make it easy for them to do so.
  • Create a data management hub for your customers to have a more transparent and consistent overview of their data.

4. Maintain

Creating strategies, frameworks, and documentation is great, but they aren’t static. You must ensure you’re keeping up with the latest developments and align your internal and customer-facing documentation accordingly.

Ensuring you communicate changes to your prospects, customers, or users is critical. Make it easy for them to see what has changed and explain how these changes will affect their data or how you reach out to them.

In short, stay informed about any updates regarding GDPR or UWG and adjust your internal processes and documentation to reflect these changes.

GDPR isn't a barrier to your success 

It may seem overwhelming to start selling to the German-speaking markets. With strict regulations and a more conservative and rigid culture, there are many things to be careful of before you get going.

Understand the implications of both the GDPR and UWG, and learn how they affect a customer’s or prospect’s data and how you reach out to them. Get to know the DACH region's culture to boost your sales success. Equipping your teams with a deeper understanding of who they’re doing business with will ensure you reach your goals faster.

If you’ve done the prep work and have a clear vision of where you want to go, compliance with the GDPR and the respective PECD laws shouldn’t hinder success. Instead, think of compliance as helping you build trust, position yourself as an authority in your space, and help you sustain profitable customer relationships.

Europe isn't the only market with data regulations. Learn more about similar state laws in the US, especially the California Consumer Privacy Act (CCPA), before venturing into the US market.
