Direct marketing and GDPR clarified

In this first recommendation, the GBA-APD emphasizes that direct marketing is an absolute highlight. The GBA-APD has received quite a few complaints in this regard. Reason enough to establish the rules of the game once again.

The GBA-APD wanted to make a practical and clear overview of the rules to be respected in direct marketing by all the actors involved. The recommendation is very practical and repeatedly refers to specific cases and to case law.

1. Explanation of important terms

First, the recommendation clarifies certain important terms.

Direct marketing is:

• any communication, solicited or unsolicited,
• aiming to promote services, products, brands or ideas,
• in a commercial or non-commercial context,
• directly to one or more individuals,
• involving the processing of personal data.

The various actors involved in direct marketing are also discussed, namely the controllers, processors and the personal data traders.

2. What to pay attention to when doing direct marketing?

First, direct marketing is not limited to commercial and for-profit businesses. It also involves communication falling under the definition of "direct marketing" from non-profit organizations, foundations, associations and governments.

When data are purchased by intermediaries involved in the sale, rental or enrichment of personal data, it is important that the origin of this data is always known. In addition, it should be checked whether the data subjects are sufficiently informed of the intended processing and whether these additional processing operations are compatible with its initial purpose. As from the moment of the original collection of the personal data, their transfer in the context of direct marketing must be foreseen and legally possible.

Even if the data subjects were sufficiently informed afterwards at the time of the use of their purchased personal data, it remains possible that their data were initially never collected for the purposes for which they are sold now. In this case, their processing in the context of direct marketing will in any event be illegal. Therefore, processors have particular interest in properly verifying the origin of these data.

The GBA-APD recommendation emphasizes that processing is only acceptable if it has a legal basis that cannot be changed during processing.

It is therefore important to designate at least one legal basis that remains valid throughout the processing. If that basis is no longer valid, the processing must be stopped without any possibility to switch to another legal basis.

3. "Legitimate interest" as a legal basis

The GDPR provides for the possibility of processing in the context of direct marketing on the legal basis of "legitimate interest".

As a reminder, for direct marketing electronic messages for commercial purposes, one must have received prior authorization from subscribers or users. But one can also rely on "legitimate interest".

As a reminder, for electronic direct marketing messages for commercial purposes, prior permission from those involved is in principle required. On the other hand, the ePrivacy Directive provides for a “soft opt-in” on the basis of which existing customers or subscribers can be informed about similar products and services that they have already purchased provided that they can object to this easily and free of charge.

The GBA-APD highlights and clarifies when there is a "legitimate interest". These principles form a basis for applying the legitimate interest as provided by the GDPR regarding direct marketing.

The following criteria must be met:

• The interest pursued by the processor must be justified;
• the processing must be necessary for the realisation of that interest;
• The interest of the processor must be weighted again the interest, freedom and fundamental rights of the people whose personal data are used.
  
  First, the GDPR provides that this assessment takes into account the reasonable expectations of the data subjects according to their relationship with the processor.
  
  Therefore, this legal basis cannot be used for direct marketing towards prospects. Indeed, in this case there is no prior link with the processor and therefore, in principle, there is no expectation of direct marketing.
  
  This consideration must also take into account the obligation to provide additional guarantees in direct marketing, including transparency, data minimization and a general and unconditional right to object to the processing.
  
  Transparency towards those involved is an essential element in the context of direct marketing. It is always the first (and most visible) element on the basis of which the processing is analyzed, checked and assessed by data subjects.

4. The right of objection

The right to object in respect of direct marketing is unconditional.

Every time an objection is made, any direct marketing processing regarding the relevant person must be stopped immediately.

This right of objection (and other information) must be sufficiently clear and must be explicitly proposed in every communication. It must be done in such a way that it is not possible that it is not seen.

A small "unsubscribe" link at the bottom of a direct marketing email is therefore not enough, despite the fact that this is a very common practice.

The possibility to object must be prominently presented in the e-mail. It must also be easy to implement: no further obligation to fill in one's own e-mail address or to let know why one unsubscribes ...

Moreover, attention must be paid to the terminology "unsubscribe". After all, this does not automatically mean that processing for marketing purposes is stopped. It is important to state clearly that "unsubscribe" means that the unsubscriber will no longer receive any direct mailing from the relevant processor.

It is essential that the execution of the right of objection achieves its objective. Bear in mind that those involved will be all the more motivated to take the necessary steps if they continue to receive e-mails after they have exercised their right of objection.

5. Conclusion

Despite the fact that the GDPR is already in force for quite some time, many companies still have a lot of questions about the actual implementation. It is a complex legislation that involves an uninterrupted process to comply. This applies to both existing processing and to newly planned processing.

In addition to the data protection regulations, direct marketing must also take into account the legislation on unfair trade practices.

We can provide you with information or assist you in relation to to this matter. Do not hesitate to contact us on +32 (0) 2 747 40 07 or via info@seeds.law. Our specialist regarding privacy and protection of personal data is also DPO (Data Protection Officer) and can offer you a total service in this context.