Search for a law firm
August, 12 2019
July, 23 2019
Electronic direct marketing and the issues arising from GDPR and the e-Privacy Directive
Companies are increasingly using marketing to promote their products and services not only to their existing customers but also to potential ones. This is the purpose of the electronic marketing, to target individuals using digital methods, such as text messages or emails.
According to the Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and the Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (e-Privacy), as well as the relevant Cypriot Law (i.e. The protection of individuals with regard to the processing of personal data and on the free movement of such data Act 125(I)/2018 and The Regulation of Electronic Communications and Postal Services Act (112(I)/2004), companies changed their entrepreneurial mindset and the methods of sending marketing messages. Both laws were enacted to ensure that mobile and internet users have control over their personal data and that a legal obligation exists for all companies to maintain and use personal data in a transparent way guaranteeing the safety of the information.
The e-Privacy Directive is the first legal document regulating electronic marketing. Simultaneously, GDPR provides that direct marketing may be constituted as a legitimate interest when processing of personal data is performed. However, the individual-customer (the data subject) has the right to object to the processing that takes place for marketing purposes and in the case where an objection is expressed, the company, as the controller, is obliged to grant him/her this right.
This article examines whether your company is allowed to send those marketing messages and emails and whether your company has been given the appropriate consent for this purpose.
Considerations that must be taken into account before sending a marketing email or message
The first consideration is whether the receiver of the message or email, which constitutes electronic direct marketing, is an individual or a legal entity. This is a crucial question since GDPR applies only to natural persons and not to legal entities, thus GDPR issues arise only when the particular message or email is addressed to a data subject.
The second consideration is whether the marketing department of your company has demonstrated or is able to demonstrate and prove at any time, that the data subject has given his/her consent to the processing of his/her personal data for the purposes of electronic direct marketing. Although the personal data of a particular data subject is processed for a purpose or purposes, such as sales of goods or provisions of services, the data subject must have given his/her consent to the processing for direct marketing separately.
Without prejudice of the above-mentioned considerations, the e-Privacy Directive warns that the practice of sending electronic emails for the purpose of direct marketing disguising or concealing the identity of the company or without a valid address to which the data subject may send a request that such communication must be ceased, is not acceptable. Therefore, ensure that the marketing emails or messages describe and define properly your company.
Exceptions to the consent and the rights of the individual
Furthermore, it needs to be taken into account that the consent is not always needed for electronic direct marketing, provided that all of the following conditions are met:
- your company receives electronic contact information from the customer, which is used for purposes such as text messages or emails;
- the contact information was previously received as the result of a purchase;
- the contact information will later be used exclusively for the direct marketing of products or services of the same product or service group;
- electronic direct marketing is concluded by your company, this means that in case your company acts as a joint-controller with another company-controller, the first and subsequent activities of marketing must have been done by the same controller.
Despite the above-mentioned exceptions, the customer or potential customer still has the following rights:
- The data subject has the right to object to and forbid the use of his/her personal data for direct marketing purposes at any time, easily and free of charge. In this case, the company and its relevant department can no longer process the data subject’s personal data for the purpose of electronic direct marketing; and
- The data subject has the right to refuse to accept electronic direct marketing messages or emails through the opt-out choice. Consequently, the company may create a list of the persons who have selected to opt-out in order to avoid any chance of sending them emails in the future.
In general, GDPR has not made any changes to the provisions of the e-Privacy Directive. The only difference between the two relates to the stricter definition of consent of the data subject. Having mentioned the above, your company shall meet both GDPR’s and e-Privacy obligations and especially adhere to the new notion of consent which must be affirmative, or “opt-in” and always provide the option of “opting-out”