
Direct marketing rules and exceptions under the GDPR

Direct marketing includes SMS and emails that a customer receives from a product or service provider.

As a general rule, a company needs the customer's consent for direct marketing. However, there are several exceptions under which it is allowed to send emails to customers without asking for consent.

Please note that a representative can be contacted by electronic mail for direct marketing of business-related products or services without their prior consent, but only in the context of the position they hold. Therefore, there are additional exceptions to the direct marketing rules for B2B.

 

Newsletters and direct marketing to the customer

Explanation: Regular newsletters or messages (cold emails).
Basis of data processing: Consent or a clear declaration of will, for example entering an email address in the newsletter field on the company's website or clicking a tickbox. The customer must be able to opt out of direct marketing.
Opt-in / opt-out: Opt-in and opt-out
Legal provisions: Directive 2002/58/EU article 13 section 1

Service notifications

Explanation: The company receives electronic contact details of the customer in connection with the sale of the product or the provision of the service. Welfare notifications.
Basis of data processing: Legitimate interest to send notices. You can rely on legitimate interests for marketing activities. However, you have to show that you use people's data proportionately, meaning that it has a minimal privacy impact and people would not be likely to object.
Opt-in / opt-out: Opt-out
Legal provisions: GDPR preamble 47; GDPR article 6 (f)

Profiled direct marketing

Explanation: Customer behaviour patterns (based on purchase history) are used for targeted messages.
Basis of data processing: Consent, e.g. acceptance of personal data processing. The customer has the right to object at any time to the processing of personal data. The information shall be provided clearly and separately from any other information.
Opt-in / opt-out: Opt-in and opt-out
Legal provisions: GDPR article 21 section 2

Providing similar products or services in the context of a customer relationship

Explanation: The company receives electronic contact details of the customer in connection with the sale of the product or the provision of the service. Contact information for direct sales of similar products or services to the customer may be used.
Basis of data processing: The previous sale of a product or service. During the initial collection of data, and whenever the data is used, the customer has a clear, understandable, free and easy way to prohibit the use of such contact information.
Opt-in / opt-out: Opt-out
Legal provisions: Directive 2002/58/EU article 13 section 2