
Direct marketing & GDPR: permission not always required, right?

Due to the emergence of GDPR legislation, companies have started to think more about the privacy of their (potential) customers. However, because of all these new rules, it is sometimes no longer possible to see the wood for the trees. Many marketing-oriented companies therefore believe (wrongly) that the processing of personal data in the context of direct marketing can now only be done with the consent of the customer. mr. Franklin explains why this is not always the case.


General Data Protection Regulation (AVG or GDPR)


The General Data Protection Regulation (GDPR, known in Dutch as the AVG) came into effect on May 25, 2018. With these new GDPR standards, the legislator wanted to promote security and transparency regarding the processing of personal data.

To achieve these objectives, companies must map the processes in which personal data are processed, adjust them if necessary and provide information about the processing to the data subjects.

Who does General Data Protection Regulation apply to?


The GDPR standards apply to any entity that processes the personal data of natural persons. Companies therefore cannot simply determine for themselves how they will collect, handle and manage personal data.

Personal data


Personal data is data about a natural person by which that person can be directly or indirectly identified. For example, think of an e-mail address or a name.

Information that does not make it possible to identify someone directly, but is sufficient to do so indirectly, also falls under the concept of “personal data”. A good example of this situation is the license plate on your car.



The term "processing" of personal data is broadly defined by the legislator. The GDPR defines “processing” as an operation or set of operations with regard to (a set of) personal data. For example, the mere collection and storage of personal data falls under the concept of "processing", as does the destruction of this data.

For a more detailed explanation of the concept of “processing” in terms of privacy law, you can consult the official website of the European Commission.



Remarketing (or retargeting) is retargeting your website's previous visitors with more targeted ads. These advertisements are therefore tailored to the behavior of the user during his previous visits to your website.

Remarketing is a form of profiling in which you use the personal data of potential customers to be able to reach them in a more targeted way. Because this involves the processing of personal data, the GDPR standards also apply here.

Direct marketing

Direct marketing is a form of marketing in which advertising messages are addressed directly to identified or identifiable persons. It is therefore about direct promotion to the (potential) customer, not promotion through intermediary channels. Consider, for example, email marketing in which an email is sent to (potential) customers. Search engine marketing is also an example of direct marketing.

Direct marketing involves the processing of personal data and therefore falls within the scope of the General Data Protection Regulation.

Legal basis for processing personal data

According to the current data protection regulations, the processing of personal data must always be based on one of the legal bases determined by the GDPR. In the most common cases, the explicit consent of the data subject will be used as the legal basis. This is also why you now see a checkbox appearing on almost every website where you can tick whether the company in question is allowed to contact you.

However, the explicit consent of the data subject is not always the only appropriate legal basis. The GDPR provides six legal bases on which any processing of personal data should be based, and consent is only one of them. In some cases, there are still other possibilities to justify the fact that you as a marketer process data.

We briefly explain the most frequently used legal bases.

Prior permission

One of the possible legal bases for the processing of personal data in the context of direct marketing is the prior consent of the user. The GDPR sets out 4 cumulative criteria that must be met in order for consent to be valid:

Informed choice

The person concerned must properly understand exactly what he is giving his permission for. This condition means that the entity processing personal data must properly inform the data subject about the goal, the progress and the frequency of this processing. The information must also be formulated in understandable language and must be clear and complete.

It is not enough that this information is accessible. The company must also actively inform the people involved about the data processing.

Free choice

Consent is not valid as a legal basis if the consent is necessary to prevent a certain disadvantage or if the consent cannot be withdrawn at any time. There must therefore be a realistic possibility for the data subject to refuse the processing of his personal data.

Specific permission

With this condition, the legislator wanted to give the data subject a certain degree of control over the use of the personal data obtained. This is also related to the transparency obligation on the part of the data processor.

Consent must therefore be given for one or more specific direct marketing purposes. If the data processor has multiple purposes in mind, the data subject must be able to select among these purposes if he does not agree with all of them.

Explicit consent: opt-in, not opt-out 


According to the GDPR, active consent is required: the agreement of the data subject must be evidenced by a clear, unambiguous, positive act. A pre-ticked checkbox, in which the data subject must remove the tick in order not to agree to the data processing (opt-out), is therefore no longer an option. According to current GDPR standards, you must use an opt-in system, whereby the person concerned must tick the checkbox to give his consent.

Implicit consent is thus invalid. The technique whereby a website announces that the data subject automatically agrees to the data processing by continuing to surf is now also prohibited.

Legitimate interest


It is a common misconception that direct marketing always requires the prior consent of the recipient. Recital 47 of the GDPR expressly states that legitimate interest can form a valid legal basis for the processing of personal data in the context of direct marketing.

When processing personal data, a balance must be struck between the interest of the company and the right to privacy of the data subject. In order to use the legitimate interest of the company as a legal basis, this interest must therefore prevail. This is assessed on a case-by-case basis.

Please note that the possibility to rely on legitimate interests for direct marketing does not apply to electronic direct marketing. In this case, the Directive on privacy and electronic communications (e-Privacy Directive) must be taken into account.

Data Protection Officer


A Data Protection Officer (DPO) is an independent person who monitors compliance with the GDPR within a company.

In some cases, appointing a Data Protection Officer is mandatory. In this blog post from Mr. Franklin you can assess whether such an obligation applies to your company.

As certified DPOs, the experts at Mr. Franklin assist dozens of companies as a DPO, at fixed prices. You can contact us for assistance in procedures before the Data Protection Authority (GBA), such as a data breach report or a procedure before the Disputes Chamber, as well as in court proceedings (for example, if you want to challenge the imposed sanctions).


Why the GDPR experts at Mr. Franklin?


mr. Franklin is a law firm with special expertise in offering all kinds of GDPR services. We stand for innovative, but always high-quality service and attach great importance to continuous improvement of our expertise. Thanks to our experience and knowledge, Mr. Franklin was selected to realize a training program on cybersecurity and GDPR following the call 539 Cybersecurity (ESF).

mr. Franklin offers, among other things, all-in-one formulas to make your company GDPR-proof. Feel free to contact our experts for more information about our services.






mr. Franklin provides us with excellent support in the field of legal IT assistance, GDPR, property law and financial disputes. Drive, speed, passion for the profession and correctness are just a few keywords that typify Mr. Franklin & their team.

Xavier Goegebeur / Link Optimizer


mr. Franklin always provides quality work for a clear price.

Alain Carels / Carbofisc
