# GDPR & Consent Management
> Source: PDD - M2C - 001 Market to Lead (v.0.19, Jun 2025) §4.2.5 · §5.2.2 · §7.2.2 · §11

---

## 1. Core Principle

dormakaba applies **EU GDPR as the baseline standard in every country**, regardless of local jurisdiction. Regional teams must additionally comply with any stricter local requirements.

**Marketing Consent** and **Privacy Policy Acceptance** are treated as **two separate, independent actions**:

| Field | What it confirms |
|---|---|
| **Privacy Policy Acceptance** | The user understands how their data will be handled |
| **Marketing Consent** | The user grants permission to receive marketing communications |

---

## 2. Consent Rules by Source

### Digital forms (website, landing pages, newsletter)
- Must include a **clearly labeled, unchecked checkbox** specifically for marketing consent.
- This checkbox must be **separate** from the privacy policy agreement.
- The checkbox must **link to the full policy text**.
- Consent is explicitly given by checking the box — pre-checked boxes are not allowed.

### Manual entry (events, sales outreach)
- Sales users in Salesforce must indicate consent by checking the custom field **"Marketing Consent Granted"**.
- If left unchecked, the system treats the prospect as **not opted in** for marketing.

### Newsletter sign-up
- Signing up for a newsletter implies that **Marketing Consent is given**.

### Default behavior
- If no explicit value is recorded for Marketing Consent or Privacy Policy Acceptance, both default to **`false` (not accepted)**.
- When a prospect is created in SFAE (Salesforce Account Engagement), whether manually, by import or via a form, the system assumes the prospect is **mailable** as long as they have **not opted out**. This default only tracks opt-out: the Marketing Consent field (default `false`) still gates marketing sends through the segmentation rules in section 7.
- Exception: if the contact/lead comes from Salesforce CRM, opt-out status is read from the `HasOptedOutOfEmail` field on the Lead/Contact object.

---

## 3. Definition of "Mailable"

A prospect is considered **mailable = TRUE** only when all of the following conditions are met:

- They have a **valid email address**
- They have given **consent to receive emails** (opt-in / accepted privacy regulations)
- They have **not unsubscribed** (not opted out)
- Their email address has **not bounced** (no hard or repeated soft bounces)
- They are **not blacklisted**
- Their profile is **active and not suppressed** in the system

---

## 4. Prospect Lifecycle & Consent Status Changes

Throughout the prospect lifecycle, consent status may change automatically:

| State | Description |
|---|---|
| **Opted-in** | Eligible for marketing nurture activities |
| **Opted-out** | Receives operational emails only; excluded from marketing nurture |
| **Undeliverable** | Soft or hard email bounce; excluded from marketing activities |
| **Archived** | Moved to recycle bin; excluded from all marketing activities |

These changes are managed automatically by the system. No manual intervention is required to maintain compliance.

---

## 5. Preference Center

To avoid full unsubscribes and give users more control, dormakaba implements a **Preference Center**.

- Prospects can select **topics of interest** or **communication frequency** rather than opting out entirely.
- All Preference Centers share a **standardized layout** for consistency across countries.
- Countries have defined their Preference Center lists based on their specific types of communications.
- Upon creation, a prospect is added to all public lists and can unsubscribe from specific communications through the Preference Center.
- The **email footer** must contain a link to the Preference Center.
- Segmentation rules ensure alignment with the prospect's selected preferences for all email communications.

---

## 6. Operational Emails

**Operational emails** (non-marketing communications) are sent regardless of Marketing Consent status, including to opted-out prospects (see section 4), and are exempt from marketing consent requirements. Examples:
- Product issue notifications
- Partner Program communications (e.g. CH Fastletters)

---

## 7. Compliance Implementation in SFAE / Salesforce

| Mechanism | Purpose |
|---|---|
| Custom fields | Capture Marketing Consent and Privacy Policy Acceptance per prospect |
| Workflow rules | Enforce compliance checks at creation and update |
| Segmentation rules | Exclude non-consented prospects from email sends |
| Preference Center lists | Granular opt-in/out management per communication type |
| Reporting dashboards | Monitor and demonstrate adherence to GDPR and other regulations |

dormakaba must comply with: **GDPR** (EU), **CCPA** (California), and any other applicable local data privacy laws.

---

## 8. Double Opt-In — Legal Position & Country Guidance

> **Source:** Legal opinion by Patrick Grawehr, Board Secretary | Legal, dormakaba International Holding AG.
> **Decision date:** call of 29 April 2026.

### 8.1 What is Double Opt-In?

Double opt-in (DOI) is a two-step consent process:
1. The prospect submits a form and ticks the consent checkbox (first opt-in).
2. The prospect then confirms their email address by clicking a link in a confirmation email (second opt-in / verification step).

### 8.2 Swiss Legal Position

| Topic | Position |
|---|---|
| **Consent required?** | Yes. Swiss law requires consent to send marketing, newsletters, and similar communications (Art. 30, 31 and 6, Swiss Federal Act on Data Privacy — FADP; Art. 3 para. 1 lit. o, Swiss Federal Act on Unfair Competition — UCA). |
| **Double opt-in legally required?** | **No.** Swiss law does not mandate the DOI process to obtain or prove consent (Art. 6 para. 6 FADP). |
| **Explicit consent required?** | **No** — for standard personal data. Explicit consent is only required for sensitive personal data (Art. 6 para. 7 FADP). Name, phone number, and email address do **not** qualify as sensitive personal data. |
| **Burden of proof** | Lies with dormakaba (the sender). DOI is the gold standard for proof, but any sufficient form of proof is admissible in court. |
| **Practical risk** | Low. A person who no longer wants to receive communications will typically unsubscribe, making legal action to challenge consent rare. |

### 8.3 Disadvantages of Double Opt-In

- Confirmation emails frequently land in spam, so the second step is often never completed.
- Lower list conversion rates result, especially for newly interested prospects.
- For Swiss organizations with predominantly **returning customers**, this disadvantage is less significant.

### 8.4 dormakaba Decision — Switzerland

> **Decision:** Implement double opt-in for the Swiss organization.

This decision is specific to Switzerland and was made taking into account Swiss legal requirements and the factual implications for the Swiss customer base.

### 8.5 Country-by-Country Rule — ⚠️ Important

> **The Swiss decision is NOT a global mandate.**

DOI implementation is a **country-by-country / case-by-case** decision. Each dormakaba country organization must evaluate:

1. The specific local legal situation (applicable data privacy and unfair competition law)
2. The factual implications (customer base type, conversion impact, spam risk)

Countries must **not** assume that because Switzerland adopted DOI, they are required to do the same.

### 8.6 Implementation Notes for SFAE

When implementing DOI for a country:
- A confirmation email (autoresponder) must be triggered immediately after form submission.
- The prospect is added to marketing lists only **after** the confirmation link is clicked.
- The confirmation link action sets the `Opt-in` / `Marketing Consent` custom field to confirmed/true in SFAE.
- Until confirmation, treat the prospect's `mailable` status as pending and exclude them from campaign sends.
- The confirmation link must be specific to the prospect and not guessable, and the click should be recorded with its timestamp: the burden of proving consent lies with dormakaba (section 8.2), and a link anyone could construct is no proof.
- Document the DOI flow in the relevant country's test flows before deploying to production.
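The following Python model is an added illustration, not code from the PDD or from dormakaba's SFAE configuration. It ties together the "mailable" predicate of section 3, the lifecycle states of section 4, the CRM `HasOptedOutOfEmail` mapping of section 2 and the double opt-in flow of 8.1 / 8.6, and adds the check the list above calls for: the confirmation link carries an HMAC-signed, time-limited token, so a forged or replayed click cannot flip consent. The `Prospect` field names, the soft-bounce threshold (3), the token format and its 48-hour validity window are assumptions for illustration; SFAE's real field API names and automation differ.

```python
"""Added illustration, not code from the PDD or dormakaba's SFAE setup: the "mailable"
predicate (section 3), the section-4 lifecycle states and the double opt-in flow (8.1 / 8.6).
Field names, the soft-bounce threshold, the HMAC-signed token and its validity window are
assumptions; SFAE's real field API names and automation differ."""
import base64
import enum
import hashlib
import hmac
import re
from dataclasses import dataclass, field

SOFT_BOUNCE_LIMIT = 3          # assumption: "repeated soft bounces" means 3 or more
TOKEN_TTL_SECONDS = 48 * 3600  # assumption: confirmation link valid for 48 hours

class Consent(enum.Enum):
    NONE = "none"            # nothing recorded -> not opted in (section 2 default)
    PENDING = "pending"      # box ticked, DOI confirmation link not yet clicked
    CONFIRMED = "confirmed"  # confirmation link clicked and verified

@dataclass
class Prospect:
    email: str
    marketing_consent: Consent = Consent.NONE
    privacy_policy_accepted: bool = False  # separate action, never implied by consent
    opted_out: bool = False                # from HasOptedOutOfEmail when CRM-sourced
    hard_bounces: int = 0
    soft_bounces: int = 0
    blacklisted: bool = False
    archived: bool = False
    consent_evidence: dict = field(default_factory=dict)  # proof: burden is on the sender

def from_crm(record: dict) -> Prospect:
    """CRM-sourced lead/contact: opt-out status is read from HasOptedOutOfEmail."""
    return Prospect(email=record["Email"], opted_out=bool(record.get("HasOptedOutOfEmail")))

def valid_email(email: str) -> bool:
    return re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email) is not None

def undeliverable(p: Prospect) -> bool:  # a hard bounce, or repeated soft bounces
    return p.hard_bounces > 0 or p.soft_bounces >= SOFT_BOUNCE_LIMIT

def is_mailable(p: Prospect) -> bool:
    """Every section-3 condition must hold; PENDING consent is not enough."""
    return (valid_email(p.email) and p.marketing_consent is Consent.CONFIRMED
            and not p.opted_out and not undeliverable(p)
            and not p.blacklisted and not p.archived)

def lifecycle_state(p: Prospect) -> str:
    """Section-4 states in precedence order, plus two pre-opt-in states (assumed names)."""
    if p.archived:
        return "Archived"
    if undeliverable(p):
        return "Undeliverable"
    if p.opted_out:
        return "Opted-out"
    if p.marketing_consent is Consent.CONFIRMED:
        return "Opted-in"
    return "Pending confirmation" if p.marketing_consent is Consent.PENDING else "Not opted in"

# Double opt-in: the link must be unforgeable and time-limited, or the click proves nothing.
# Token = base64(email) "." issue_time "." HMAC-SHA256 over both, keyed with a server secret.
def issue_confirmation_token(secret: bytes, email: str, now: int) -> str:
    payload = f"{base64.urlsafe_b64encode(email.lower().encode()).decode()}.{now}"
    return f"{payload}.{hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()}"

def verify_confirmation_token(secret: bytes, token: str, now: int):
    """Returns the confirmed email, or None if the token is malformed, forged or expired."""
    try:
        email_b64, ts, mac = token.split(".")
        issued = int(ts)
    except ValueError:
        return None
    expected = hmac.new(secret, f"{email_b64}.{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time compare, no timing oracle
        return None
    if issued > now or now - issued > TOKEN_TTL_SECONDS:
        return None
    return base64.urlsafe_b64decode(email_b64).decode()

def submit_form(p: Prospect, secret: bytes, now: int, consent_ticked: bool, privacy_accepted: bool):
    """Step 1: record privacy acceptance; only an explicitly ticked box starts DOI."""
    p.privacy_policy_accepted = privacy_accepted
    if not consent_ticked:  # box is unchecked by default -> prospect stays not opted in
        return None
    p.marketing_consent = Consent.PENDING
    return issue_confirmation_token(secret, p.email, now)  # goes into the autoresponder link

def confirm(p: Prospect, secret: bytes, token: str, now: int, source_ip: str) -> bool:
    """Step 2: the link click. Flips only a PENDING prospect holding a valid token for its own address."""
    email = verify_confirmation_token(secret, token, now)
    if email is None or email != p.email.lower() or p.marketing_consent is not Consent.PENDING:
        return False
    p.marketing_consent = Consent.CONFIRMED
    p.consent_evidence = {"method": "double opt-in", "confirmed_at": now, "ip": source_ip}
    return True

if __name__ == "__main__":  # constructed sample run, not real prospect data
    secret, p = b"replace-with-a-random-32-byte-secret", Prospect(email="prospect@example.com")
    token = submit_form(p, secret, 1_700_000_000, consent_ticked=True, privacy_accepted=True)
    print(lifecycle_state(p), is_mailable(p))  # pending, not mailable
    confirm(p, secret, token, 1_700_000_100, "192.0.2.10")
    print(lifecycle_state(p), is_mailable(p))  # Opted-in, mailable
```

Two design points matter for the burden of proof: `confirm` refuses a token once the prospect is no longer `PENDING`, so a leaked or replayed link cannot re-confirm an opted-out prospect, and `consent_evidence` keeps the timestamp and source of the click, which is what a court would be shown. Privacy Policy Acceptance is recorded independently and is never inferred from the consent box, matching section 1.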
