On 17 January 2020, the Data Protection Authority (“DPA”) published its Recommendation No 01/2020 on the processing of personal data for direct marketing purposes. In it, the DPA explains the rules with regard to direct marketing under the GDPR. The Recommendation answers the most frequently asked questions and contains many useful examples for all those involved in direct marketing. The Recommendation is part of the implementation of the Strategic Plan 2019–2025, which identifies direct marketing as one of the priorities of the DPA.
The DPA recommendation is quite lengthy (79 pages) and covers almost all GDPR aspects of direct marketing. The main points are the following:
- In the absence of a legal definition, the DPA defines “direct marketing” as:
“Any communication, in any form, solicited or unsolicited, originating from an organisation or individual and which is aimed at the promotion or sale of services, products (whether in return for payment or free of charge), as well as brands or ideas, addressed by an organisation or individual acting in a commercial or non-commercial context, which is directly addressed to one or more natural persons in a private or professional context and which involves the processing of personal data.”
Therefore, these are not only messages for commercial or money-making purposes; communications from non-commercial organisations (e.g. political parties, interest groups) may also constitute direct marketing. The DPA also confirms that strictly personal communications, New Year greetings, surveys or satisfaction surveys do not in principle constitute direct marketing.
- Direct marketing as defined by the DPA always involves the processing of personal data and is therefore only possible on the grounds of a valid legal basis under the GDPR. In practice, organisations will either rely on the explicit GDPR-compliant consent of the data subjects or on their legitimate interests. In the case of electronic unsolicited direct marketing messages for commercial purposes, consent will in principle be required under ePrivacy law, although it may be waived for existing customers under certain conditions. The DPA explains in detail how to determine the applicable legal basis and, where appropriate, how to obtain valid consent. For example, consent for direct marketing will not be freely given if it is a condition for using a service or obtaining benefits and discounts.
- Recipients of direct marketing should be given a clear and simple option to exercise their right of objection (in case of legitimate interest) or revocation (in case of consent). Where appropriate, data may no longer be processed for these purposes. Furthermore, all other requests to exercise rights (e.g. right of access or copy, rectification, etc.) must also be properly followed up.
- For all natural or legal persons concerned, it should be determined whether they qualify as separate controllers, joint controllers (e.g. in the case of a common Internet platform for the collection and sharing of customer data) or processors (e.g. for the provision of marketing and advertising communication services). A so-called “processor agreement” has to be concluded with processors, and joint processors have to agree among themselves to define their respective responsibilities under the GDPR.
- Particular attention should be paid to organisations specialised in aggregating, reselling, renting or trading data (e.g. so-called “data brokers”). Such processing will ideally require the prior informed consent of the data subjects. Companies using such partners must also inform the data subjects themselves and have the obligation to check whether the data have been collected and processed by the partner in a GDPR-compliant manner. If not, they can also be sanctioned for non‑compliance with the GDPR.
- Data subjects must receive detailed information containing all mandatory data specified in the GDPR. This information should be provided in clear, simple and accessible terms. The purposes of the processing must be precisely described in the privacy notice, as well as in the (internal) register of the processing activities. The mere reference to “direct marketing purposes” will not be enough in most cases. In the case of re-use of data for direct marketing, it must be verified whether this is in accordance with the purpose for which it was originally collected and whether there is a valid legal basis for this.
- The notification and the register will need to contain information not only on the processing purposes but also on the processing operations (e.g. profiling certain individuals by combining data about them, using the messaging service of a social network to send messages, etc.).
- Particular care should be taken when drawing up profiles (“profiling”), as this could have negative consequences for those concerned. If direct marketing generates decisions with legal consequences or a significant impact and these decisions are based solely on automated processing (e.g. offering products under different conditions according to profiles), specific rules apply; for example, the explicit consent of the data subjects will be required.
- If cookies are placed for the purpose of direct marketing, valid consent will have to be obtained. The DPA gives examples of formulations that can be included in the information banner.
- Only data that is strictly necessary for direct marketing purposes can be processed. Moreover, these data may not be kept longer than necessary (the DPA does not recommend a standard retention period, as this will have to be assessed on a case-by-case basis).
Verify that your company’s direct marketing policy complies with data protection legislation, e-privacy legislation and recent DPA recommendations. Our data protection team can, of course, assist you with this.