direct-marketing-gdpr

Direct marketing rules and exceptions under the GDPR

Direct marketing includes text messages (SMS) and emails that a customer receives from a product or service provider. But activities of direct marketing may include multiple steps:

  •  collecting personal data from potential customers,
  • creating profiles about those potential customers and their preferences,
  • and then sending personalized communications to them.

As a general rule for direct marketing, the company needs a consent from a customer. However, there are several exceptions when it’s allowed to send the emails to the customers without asking for a consent.

 The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. But it’s not so easy. Direct electronic marketing is currently regulated under the ePrivacy Directive, which generally requires opt-in consent before engaging in such activity. This means, that in most cases, even if you are relying on legitimate interests, the ePrivacy Directive would still require consent. However, there is an exception—marketing emails may be sent on an opt-out basis if the recipient’s details were collected “in the context of the sale of a product or a service,”(Directive 2002/58/EC, Article 13(2).). Please bear in mind that this exception has been implemented differently by the EU member states and some differences may apply, especially in case of B2B communication..

In case of B2B communication, company representative can be contacted for direct marketing purposes for business related products or services through electronic mail without their prior consent but only in the context of the position they hold. Therefore, there are additional exceptions for B2B direct marketing rules.

Article 21 of the GDPR states that “where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing” and that “where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”even if opt-in consent is not required before sending marketing emails, the GDPR requires that the recipient always be provided with an opportunity to opt-out of receiving such emails.

Following table will provide you a bit more structured view on possible legal bases for direct marketing activities under GDPR and ePrivacy Directive.

 

Newsletters and direct marketing to the customer

Service notifications

Profiled direct marketing

Providing similar products or services in the context of a customer relationship

ExplanationRegular newsletters or messages (cold emails). The company receives electronic contact details of the customer in connection with the sale of the product or the provision of the service. Welfare notifications. Customer behaviour patterns (based on purchase history) are used for targeted messages. The company receives electronic contact details of the customer in connection with the sale of the product or the provision of the service. Contact information for direct sales of similar products or services to the customer may be used.
Basis of data processing

Consent or clear declaration of will, for example, entering an email on the company’s website in the newsletter field or click at tickbox. Must be able to get out of direct marketing.

Opt-in and Opt-out

 Legitimate interest to send notices- you can rely on legitimate interests for marketing activities. However, in case you have to show that you use people’s data proportionately. Meaning, it has a minimal privacy impact, and people would not be likely to object.

Opt-out

 Consent, e.g. acceptance of personal data processing. The right to object at any time to the processing of personal data. The information shall be provided clearly and separately from any other information.

Opt-in and Opt-out

 The previous sale of a product or service. During the initial collection of data, and whenever the data is used, the customer has a clear and understandable way to prohibit the use of such contact information in a free and easy way.

Opt-out

Legal provisionsDirective 2002/58/EU article 13 section 1 GDPR preamble 47; GDPR article 6 (f) GDPR article 21 section 2Directive 2002/58/EU article 13 section 2
Share on facebook
Share on linkedin
Share on twitter
Share on pinterest
Share on email

Get your compliance organized with proper GDPR tools.
Contact us for a demo and get access to 14-day trial.

Save time and be confident

Latest Posts
The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The European Commission concluded that the United States ensures adequate protection for personal data transferred from the EU to U.S....
A Comprehensive Guide to Personal Data Mapping

A Comprehensive Guide to Personal Data Mapping

Introduction Data privacy and security are of utmost concern in the digital era of today, especially when it comes to...
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

What is a Data Processing Agreement (DPA)? A Data Processing Agreement (DPA) is a legally binding document to be entered...
Direct marketing rules and exceptions under the GDPR

Direct marketing rules and exceptions under the GDPR

Direct marketing includes text messages (SMS) and emails that a customer receives from a product or service provider. But activities...
Transmitting personal data to third countries

Transmitting personal data to third countries

The GDPR has put strict rules in place, when it comes to data transfer to third countries or international organizations. Which...
Records of processing activities in GDPR Article 30

Records of processing activities in GDPR Article 30

What are the records of processing activities (ROPA)? Article 30 of the EU General Data Protection Regulation (GDPR) requires organisations...
10 Great GDPR Software Tools for Compliance in 2023 (Review + Pricing)

10 Great GDPR Software Tools for Compliance in 2023 (Review + Pricing)

In this article, we will introduce you to some useful GDPR software tools which may help you reach GDPR compliance...
Personal Data Breach Reporting Requirements Under the GDPR

Personal Data Breach Reporting Requirements Under the GDPR

What is Data Breach? According to General Data Protection Regulation (GDPR), a personal data breach is a security incident that...
Data Protection Authorities (DPA)

Data Protection Authorities (DPA)

Data Protection Authorities (DPA) Data Protection Authorities (DPA) are independent public authorities that supervise, through investigative and corrective powers, the...
GDPR compliance checklist for controllers

GDPR compliance checklist for controllers

This is a simple GDPR compliance checklist for data controllers that you can use to ensure you have considered most important...