The GDPR direct marketing rules cover text messages (SMS) and emails that a customer receives from a product or service provider. But direct marketing activities may include multiple steps:
As a general rule for direct marketing, the company needs consent from the customer. However, there are several exceptions under which emails may be sent to customers without asking for consent.
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. But it’s not that simple. Direct electronic marketing is currently regulated under the ePrivacy Directive, which generally requires opt-in consent before engaging in such activity. This means that in most cases, even if you are relying on legitimate interests, the ePrivacy Directive would still require consent. However, there is an exception: marketing emails may be sent on an opt-out basis if the recipient’s details were collected “in the context of the sale of a product or a service” (Directive 2002/58/EC, Article 13(2)). Please bear in mind that this exception has been implemented differently by the EU member states and some differences may apply, especially in the case of B2B communication.
In B2B communication, a company representative can be contacted by electronic mail for direct marketing of business-related products or services without their prior consent, but only in the context of the position they hold. There are therefore additional exceptions to the direct marketing rules for B2B.
Article 21 of the GDPR states that “where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing” and that “where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.” Even if opt-in consent is not required before sending marketing emails, the GDPR requires that the recipient always be given an opportunity to opt out of receiving such emails.
The following table gives a more structured view of the possible legal bases for direct marketing activities under the GDPR and the ePrivacy Directive.
| | Newsletter / direct marketing | Service notifications | Profiled marketing | Similar products / services |
|---|---|---|---|---|
| What it means | Regular newsletters or marketing messages | Messages related to an existing service or customer relationship | Marketing based on customer behaviour or purchase history | Marketing of similar products or services to existing customers |
| Legal basis | Consent | Legitimate interest | Consent | Existing customer relationship |
| Consent required? | Yes | No, but balancing test needed | Yes | No |
| Opt-in / Opt-out | Opt-in, plus opt-out | Opt-out | Opt-in, plus opt-out/right to object | Opt-out |
| Legal source | Directive 2002/58/EC Art. 13(1) | GDPR Recital 47; Art. 6(1)(f) | GDPR Art. 21(2) | Directive 2002/58/EC Art. 13(2) |