
How does GDPR affect Direct Marketing and Profiling


Direct marketing and the profiling of consumer behavior are the key tools a company uses to sell its product or service, so those tools need to be aimed at the right type of customer. For example, a company may run an online shop where you can buy anything from lawnmowers to beauty products. Because the range of goods is so wide, customers need to be categorized according to their needs. This article looks at how the GDPR regulates direct marketing and profiling.

Direct Marketing Under the GDPR

According to the GDPR, if personal data is used for direct marketing, the data subject has the right to object to such processing. This must be taken into account regardless of whether the personal data processing was carried out prior to the GDPR. Therefore, every company that processes data for direct marketing purposes should become familiar with the GDPR and the measures that need to be implemented.

As mentioned, data subjects have the right to object to the processing of their data. Therefore, companies need to inform data subjects that their personal data will be used for marketing purposes. If a data subject has objected to such processing, the company needs to comply with the objection, which means it is obliged to stop processing the personal data for marketing purposes. The objection must be accepted and fulfilled free of charge. If a company asks for a fee, it may face a fine from the supervisory agency.

Consumer Profiling Under the GDPR

Profiling of a natural person has essentially the same requirements as direct marketing. Companies need to inform data subjects that their data will be used for profiling purposes. In addition, companies have to inform data subjects of the consequences of the profiling activities. Data subjects must be informed whether they are obliged to provide data, and the effects of declining to provide it must be mentioned as well. The data subject has the right to object to personal data processing for profiling purposes in the same way as for direct marketing.

The Implementation of Technical and Organizational Measures When Profiling

Companies need to implement technical and organizational measures that address the factors which may cause inaccuracies in personal data, so that those inaccuracies can be corrected and the risk of errors minimized. Security measures should also be taken to protect data against potential risks to individuals’ rights and freedoms, and to prevent discriminatory effects on a natural person based on special category data (racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation). Automated decision-making and profiling based on special category data should be allowed only under specific conditions.

When automated profiling is used, the company needs to inform the data subject about it and to give the data subject information about the logic involved, the significance and the envisaged consequences of the profiling.

All in all, if a company collects and processes personal data for direct marketing and profiling purposes, the GDPR is going to make its marketing strategies more difficult. Data subjects now need to be informed about the processing of their data for both profiling and direct marketing, and they have the right to object to such processing of their personal data, in which case the company must meet this requirement. However, if a company processes personal data for both direct marketing and profiling, the objection needs to be applied to each of the two separately.
