Germany has some of the strictest email marketing laws in the world. The German regulations are defined by the Federal Data Protection Act, the GDPR, and the Telemedia Act.
All emails must include contact information and clear identification of the sender in the form of a legal notice. This legal notice can be linked to rather than included in full, but it must contain the following information:
- The name of the sender and, if applicable, company name
- The authorised representatives for legal entities
- The postal address of the sender (a P.O. box is not sufficient)
- The sender's telephone number, fax number or an electronic contact form
- The sender's email address
- Any applicable commercial, cooperative, association, or partnership register numbers
- The name of the publisher or person legally responsible for the content of the email
- If available, the sender's VAT identification number or business identification number
All of this information must be easy to digest, directly accessible (linked directly from the email), and permanently available to your recipients.
Strict guidelines also apply to subject lines. These should not use typical spam words such as free, offer, sex, or German words like umsonst (free), kostenlos (no charge), Geld (money), or Glücksspiel (prize/competition).
Both the Federal Data Protection Act and the German Act Against Unfair Competition require that you have the consent of your recipient before sending them marketing emails, unless they are your existing customer.
Consent, whether implicit or explicit, should be collected through a double opt-in registration, since you must store records of consent.
Germany requires that companies have a data security officer. This person is responsible for maintaining and enforcing data security standards.
Large maximum fines can be levied as penalties in the event of a breach; however, the Information Commissioner's Office (ICO) has repeatedly said that it would not make early examples of organisations for minor infringements of the GDPR, nor would maximum fines become the norm.
The maximum fine available under the GDPR is up to €20 million, or 4% annual global turnover – whichever is higher.