CleverElements and Data Protection – What Belongs in the Privacy Policy

If a website operator uses CleverElements, they typically process email addresses, salutation and name details, plus sign-up and dispatch data for the purpose of newsletter dispatch on the basis of recipient consent. This article summarises which data processing is typically associated with CleverElements and what should be included in a website's privacy notice.

A. CleverElements – Purpose and Functionality

CleverElements is a German provider for email marketing and newsletter dispatch, based in Berlin. Website operators use CleverElements primarily to provide sign-up forms, maintain recipient lists and send newsletter campaigns. CleverElements additionally provides functions for reporting, simple automation and interfaces to shop and CMS systems.

Functionally, CleverElements covers the following building blocks in particular: sign-up forms (embed forms and pop-ups), list management with segments and filters, editor and templates for newsletters, dispatch and reporting (open and click tracking), automated mailings and interfaces (API/plug-ins) to CMS and shop systems. The focus of this page is the integration feature that a German website operator typically uses: a newsletter sign-up form on the website and dispatch of email campaigns through CleverElements. Other use cases such as pure SMTP/API dispatch for transactional email are covered on separate pages.

According to publicly available information, the provider is clever elements GmbH, based in Berlin. Processing takes place, according to provider information, in German data centres or in the EEA, which regularly avoids third-country transfers.

B. CleverElements – Mandatory Information in the Privacy Policy

The GDPR requires the privacy policy to contain not only general information about the website operator, the rights of the data subject and the supervisory authority, but also – with regard to the use of specific tools such as CleverElements – a series of specific mandatory items. They serve the transparency principle of Art. 12(1) GDPR and allow data subjects to understand the processing.

In particular, the following items must be included:

• the purposes of the processing (Art. 13(1)(c) GDPR),
• the legal bases of the processing (Art. 13(1)(c) GDPR),
• where processing is based on a balancing of interests (Art. 6(1)(f) GDPR), additionally the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
• the recipients or categories of recipients of the personal data (Art. 13(1)(e) GDPR),
• whether the data is transferred to an unsafe third country outside the EU/EEA, and on what basis (Art. 13(1)(f) GDPR),
• the storage period or – if not possible – the criteria for determining the storage period (Art. 13(2)(a) GDPR),
• and – where the data is not collected directly from the data subject – additionally the categories of personal data processed (Art. 14(1)(d) GDPR).

These mandatory items are broken down for CleverElements below.

In practice, it has become common to give every individual tool its own template clause in the privacy policy. This "template-per-tool" practice has established itself as poor style: it leads to long, lawyer-drafted texts that repeat each other in substance, making the entire privacy policy hard to maintain and barely readable for users. A topic-oriented approach is more appropriate: it describes processing operations across themes (server operation, newsletter, tracking, sales …) and merely names specific service providers – such as CleverElements – in a recipients list in the appendix. This is exactly the methodology used by the matterius privacy policy generator.

C. CleverElements Provider

According to publicly available information, the contractual partner for CleverElements is clever elements GmbH, based at Schönhauser Allee 148, 10435 Berlin, Germany (exact address to be verified by the website operator).

As the provider is based in Germany, processing takes place primarily in the EEA; a third-country transfer is regularly not required in standard operation. If sub-processors in third countries are used in individual cases, the safeguards intended for this (in particular Standard Contractual Clauses, where applicable the DPF) must be examined.

CleverElements' privacy notice is available via the provider's website at https://www.cleverelements.com/. The data processing agreement is provided to customers as part of the contract handling.

D. CleverElements – Data Processing Step by Step

1. Collection: When a user submits the CleverElements sign-up form embedded in the website or is added as a recipient via API/plug-in integration, the entries (typically email address, optionally name, salutation, fields of interest), the IP address and a timestamp are transmitted to CleverElements.
2. Storage: Data is stored in CleverElements' infrastructure, according to provider information in German data centres or in the EEA.
3. Use: CleverElements dispatches the newsletters on behalf of the website operator and – where activated – measures open and click events. Bounces and unsubscribes are documented.
4. Disclosure: Disclosure occurs to the provider's sub-processors (in particular hosting). The provider publishes a list as part of the DPA.
5. Deletion: The website operator can remove recipients from lists or delete entire lists at any time. Storage limitation must be configured via list and retention settings.

E. Which Data Does CleverElements Process?

When sending newsletters via CleverElements, the following personal data is typically processed: email address, salutation, first and last name, optionally further fields collected by the website (e.g. language, industry, interests), the IP address at the time of sign-up, timestamps of the sign-up and the confirmation in the double opt-in process, send time of the individual emails, delivery status, open and click events, and unsubscribes.

This data falls into the following standardised data categories:

• Web server log data: in particular the IP address and technical metadata when calling the sign-up form and when retrieving embedded tracking pixels and click links in sent emails.
• Click paths: clicks on links in the emails sent by CleverElements, each with date and time.
• Device data: information about the device opening the email, e.g. device type and operating system.
• Browser information: browser or email client used to open the email.
• Coarse location data: coarse location of the recipient at city or municipal level, derived from the IP address.
• User account data: data identifying the recipient in the list, in particular the email address as the key identifier.
• User profiles: interests and segment assignments determined by the website operator for a recipient and metrics derived therefrom.
• Conversion events: where tracking is enabled, e.g. clicks on a call-to-action or visits to specific pages following a click in a newsletter.
• Interaction data: opening an email, clicks on individual links or buttons.
• Technical telemetry data: technical send and delivery metadata, bounce codes, loading times of tracking pixels.

F. CleverElements – Purposes of Use

The website operator typically uses CleverElements to inform subscribed recipients about its own content, products and offers, to document sign-up and consent in the double opt-in process, to ensure delivery quality and – where tracking is enabled – to measure the effectiveness of individual campaigns.

The purposes can be classified into the following standardised purpose categories:

• Provision of functionality: providing newsletter and email functionality, including sign-up form, double opt-in, dispatch of the requested emails as well as error detection and correction in the dispatch process.
• Security and abuse prevention: spam and bot prevention on the sign-up form, detection and prevention of list abuse (e.g. third-party sign-ups).
• General product improvement: aggregated evaluation of open and click rates to improve newsletter content and frequency in line with demand.
• General marketing: success measurement of campaigns, reach analysis and overall assessment of the email channel.
• User profile creation: assignment to segments or target groups based on interests and click and open behaviour.
• User-individual marketing: tailoring newsletter content to the individual interests and behaviour of the recipient (segmentation, automation).
• Legal enforcement: assertion, exercise or defence of legal claims, in particular proof of recipient consent (sign-up IP, timestamp, double opt-in) vis-à-vis supervisory authorities, competitors or courts.
• Compliance: compliance with statutory requirements regarding consent records and advertising emails (Art. 7 GDPR, Sec. 7 UWG).

G. Legal Bases for CleverElements

For the use case covered here, CleverElements falls primarily into the tool category newsletter / email marketing.

The following legal bases typically come into consideration:

• Recipient consent (Art. 6(1)(a) GDPR in conjunction with Sec. 7(2) No. 3 UWG) for the dispatch of newsletters and – where activated – for open and click tracking.
• Legitimate interests (Art. 6(1)(f) GDPR) in legal enforcement and compliance for storing sign-up metadata (IP, timestamp, double opt-in confirmation) as proof of consent under Art. 7(1) GDPR and Sec. 7(2) No. 2 UWG.
• Legitimate interests in advertising within the scope of Sec. 7(3) UWG for direct advertising to existing customers for own similar goods or services, where the conditions are met.

Where open and click tracking is enabled, an explicit tracking consent of the recipient is typically required; if information is stored on or read from the device, Sec. 25(1) TDDDG must additionally be considered. The legal basis is to be assessed by the website operator on a case-by-case basis.

H. CleverElements – Special Notes

• Data Processing Agreement (DPA): The provider offers a DPA; concluding it is regularly mandatory, as CleverElements processes recipient data on behalf of the website operator.
• Place of business and third-country transfer: clever elements GmbH is a German provider; processing in the EEA is the standard case. A third-country dimension typically does not arise; individual sub-processors with a third-country dimension must be examined under the DPA.
• Sub-processors: An up-to-date list of sub-processors is available from the provider.
• Double opt-in: CleverElements supports double opt-in via the sign-up forms; the website operator should activate this setting in the relevant list and adapt the confirmation email accordingly.
• Consent record: Sign-up IP, timestamp and double opt-in confirmation should be retained permanently in order to provide evidence of consent under Art. 7(1) GDPR and Sec. 7(2) No. 2 UWG.
• Open and click tracking: These features can be enabled in CleverElements; they should only be used if tracking consent is obtained cleanly and described in the privacy policy.
• Opt-out: Every newsletter must contain a working unsubscribe link under Sec. 7(2) No. 4 UWG; CleverElements provides placeholders for this purpose.
• List hygiene: Inactive and no longer existing addresses should be removed regularly; storage should be aligned with the consent given.

The above presentation is based on publicly available provider information and supplementary publicly accessible sources. A case-by-case assessment by the website operator remains necessary.

I. CleverElements – FAQ

J. CleverElements – Conclusion and Call-to-Action

CleverElements is a Germany-based provider for newsletter dispatch and email marketing. From a data protection perspective, particularly relevant topics are recipient consent, consent records via the double opt-in process and – where activated – open and click tracking. Being based in the EEA helps avoid third-country transfers; the DPA and privacy policy must cover the essential mandatory items (purposes, legal bases, recipient categories, storage period).

For the website operator, it is mostly not particularly useful to include a separate template clause for every individual tool – including CleverElements – in the privacy policy. This makes the policy long, unclear, hard to understand and difficult to maintain – contrary to the transparency principle of Art. 12(1) GDPR.

A structured, topic-oriented approach is more appropriate: data processing operations are explained across topic blocks (server operation, newsletter, tracking, sales …); specific service providers such as CleverElements are simply listed in the recipients appendix. This is exactly the methodology of the matterius privacy policy generator.

K. Curator