GDPR: What to keep in mind with abandonment-mails
13.12.19, Haydar Yüce

As an online merchant, you would like to reactivate your shopping cart abandoners after purchase cancellations with the help of abandonment-mails and are wondering how to make the mailings legally compliant? You would like to find out what the legal provisions of existing laws and in particular the General Data Protection Regulation (GDPR) are?

In this article you will learn how to implement mailings to shopping cart abandoners in a legally compliant manner in order to persuade customers to make a purchase after all. On the one hand, we discuss the GDPR, which regulates the handling of personal data (because e-mail addresses count as such). On the other hand, we also classify the law against unfair competition (UWG), which regulates the sending of advertising mails.

It is not long since the EU adopted the new data protection law. Contrary to a still widespread misunderstanding, the General Data Protection Regulation (GDPR) does not replace most of the existing national regulations, but merely supplements them. Many of the rules prescribed in the GDPR had already been anchored in the national legislation of Germany.


Legally compliant abandonment-mails

Whether reminder e-mails, service e-mails or newsletters: of course, abandonment-mails may not simply be sent without further ado. Competition and data protection law governs the conditions for sending advertising e-mails as well as the “collection, processing and use of personal data”. By personal data we mean all information that can be used to establish a personal reference. This includes e-mail addresses.

To avoid warnings, online shops do well to comply with the legal provisions. The GDPR and other data protection and competition law provisions provide some guidelines for online shops with regard to abandonment-mails. If merchants observe these rules, shopping cart abandoners can be brought back into the purchase process in accordance with the law.




1. Sending e-mails


Abandonment-mails without explicit consent

Under one condition, shop merchants do not need explicit consent for sending abandonment-mails: The exception applies if the customer is already an existing customer within the meaning of §7 (3) UWG. In this case, online shops may send abandonment-mails without the customer’s express consent.

In other words, if a customer relationship already exists, i.e. the customer has ordered at least once in the online shop, an abandonment-mail may also be sent without any explicit consent. Further requirements are:

  • The e-mail address may be used for direct advertising of similar goods or services. This naturally depends on how similar the products are. It is clear that a pair of jeans is more like a sweater than a washing machine.
  • The customer must not have revoked the use of the e-mail address for this purpose (see right of revocation of the person concerned).
  • During the collection and each use it must be clearly pointed out that the use can be withdrawn at any time. In every abandonment-mail there must be a possibility to withdraw the consent.

This law is also valid after the GDPR has come into force, as the Munich Higher Regional Court confirmed in a ruling.


Abandonment-mails with explicit consent

As soon as one of the above conditions is not met, merchants need to obtain consent. Collecting e-mail addresses and obtaining consent is part of the collection of personal data. They are therefore subject to legal provisions that must be observed. Both the UWG [§7 (2) No. 3 UWG] and the GDPR [Art. 6 para. 1 GDPR] require explicit consent. The only exception is existing customers.


2. Collection and processing of data


Obligation of the responsible body to provide evidence

However, it is not sufficient to obtain only the consent. In order to make abandonment-mails legally compliant, the consent must also be proven. Art. 7 para. 1 of the GDPR regulates:

“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”

Even if the GDPR does not prescribe a specific procedure, the double opt-in (DOI) offers a decisive advantage: the consent can be proven. In the double opt-in procedure, the interested party confirms consent by actively clicking on a checkbox on the website and then in an additional second step. This second step usually consists of a click in an e-mail and makes the recipient's declaration of consent technically conclusive.


Obligation of the responsible body to provide information

The senders of abandonment-mails need to inform the recipients about the collection and processing of personal data both at the time of consent (“Informed Consent”) and permanently on the website (“Privacy Policy”). Specifically, this concerns the following information, which is laid down in Art. 13 GDPR:


General information (one-time information at the time of collection):

  • Name & contact details of the responsible person
  • Reference to rights of data subjects (e.g. objection)
  • Name & contact details of the data protection officer
  • Right to appeal to supervisory authority


Process-specific information (permanent information in privacy policy):

  • Purpose of processing
  • Legal basis according to Art. 6 GDPR
  • Data storage time
  • Recipient of the data
  • Transfers to third countries
  • Notification of whether profiling is taking place


Right of withdrawal of the person concerned

For the consumer, the GDPR is particularly noticeable in the possibilities for withdrawal. The requirement that it must be possible to withdraw a consent once granted is nothing new. A simple reference to the right of withdrawal is not sufficient in practice. Rather, the so-called “principle of simplicity” must be observed. Art. 7 para. 3 of the GDPR states:

“The data subject shall have the right to withdraw his or her consent at any time. […] It shall be as easy to withdraw as to give consent.”

Since consent is usually given with a simple click, a link must be included in each individual abandonment-mail to enable uncomplicated withdrawal with a single click.


Order processor or “third party” within the meaning of the GDPR?

Whether Google Analytics, the use of web hosters or the use of e-commerce services, such as services for sending abandonment-mails: in order to function technically and be economically successful, online shops rely on processors. According to the GDPR, this refers to external service providers commissioned by an online shop to process personal data in accordance with instructions.

At this point, the GDPR distinguishes between processors and so-called “third parties”. In contrast to “third parties”, processors are permitted to collect and process personal data on the basis of a contract. The difference here lies in the fact that the processor is bound by instructions.


uptain offers GDPR-compliant solutions

With uptain, merchants opt for a solution that uses abandonment-mails to address shopping cart abandoners and bring them back into the purchasing process. The entire solution is legally compliant and can be used in accordance with the GDPR: the merchant decides to which customer groups the abandonment-mails may be sent.

  • Abandonment-mails are only sent to customers who have given a corresponding double opt-in (DOI) or are covered by § 7 (3) UWG. uptain uses only the personal data transmitted by our customers (e.g. e-mail addresses).
  • According to Art. 21 GDPR, users have the option of terminating the processing of their personal data even after prior consent.
  • uptain acts as an order processor for you. As a result, uptain is not a “third party” in the sense of the data protection laws (including GDPR) and may therefore process personal data for you.
  • uptain provides an exemplary data protection text (see Obligation of the responsible body to provide information).


In addition to the legal provisions, uptain offers a high degree of data security, through …


  • Secure data management: The servers used are furnished according to current security standards and protect all data against unauthorized access.
  • Encrypted data transmission: The transfer of all data from the online shop to the servers used is always encrypted using randomized IDs.
  • The server location in Germany: The servers used are located in Frankfurt and are therefore subject to the security and data protection laws in Germany.


Abandonment-mails to Reactivate Shopping Cart Abandoners

With abandonment-mails, online shops recover more than 30% of shopping cart abandoners. Correctly used, the e-mail is not perceived as advertising, but as a service. To do this, the e-mail must first be tailored to the shopping cart abandoner in terms of content and form. You can find out how such an e-mail is ideally structured in the blog article email after shopping cart abandonment: examples & templates.

In terms of content, the abandonment-mail can refer to products in the shopping cart, but also to the reason for the abandonment and provide appropriate solutions. Examples include – in addition to the simple reminder of products in the shopping cart – voucher codes for price-sensitive abandoners or the provision of customer service for abandoners in need of service. Thus, advertising aspects are pushed into the background.

In cooperation with our partner, HÄNDLERBUND, we developed an info sheet on reaching out to shopping cart abandoners via e-mail. To the info sheet (German).
