consent or legitimate interest?

The author of the material:

Anastasia Parkhimovich, personal data protection consultant at Data Privacy Office.

A marketing newsletter is a convenient way for a manufacturer or seller to remind customers of itself and “seduce” the client with a discount or a new product. Mailings increase not only sales but also loyalty: for the human brain, the familiar usually takes precedence over the unfamiliar. And, of course, the seller is interested in reaching as many people as possible with “happiness letters”. How can this be done without breaking the law? Let us explain.

Choosing a legal basis

Any marketing mailing involves the processing of personal data, sometimes in a minimal amount (for example, if only an e-mail address is used), and sometimes in a significantly larger amount (if a discount is provided individually based on the client’s preferences and purchase history). For the processing to comply with the principle of lawfulness (Art. 5.1 (a) GDPR), the correct legal basis must be determined.

In theory, providing information about discounts and new products and services could be a stand-alone service, for example, if a customer pays for a premium service that includes advance notice of discounts, new deliveries, etc. In this case, the contract between the company and the client may stipulate the number of such notifications, the deadline for sending them (for example, no later than two weeks before the start of the promotion for all other users) and other details. The processing of personal data in such a context will be based on the performance of the contract (Art. 6.1 (b) GDPR).

However, in reality a marketing newsletter is very rarely an additional service that the client expects and requests (important!). In this case, the controller chooses between consent and legitimate interest, and legitimate interest looks preferable: there is no need to request user consent, store information about when it was given, etc. You can simply add a user to the mailing list and send them e-mail after e-mail. In addition, in such a situation the controller often manages to justify the existence of a legitimate interest: it needs to promote its business, and notifying customers about discounts and new products can increase revenue. Since marketing mailings are nothing unusual for a modern person, and since often only an e-mail address is used for such mailings, companies believe that pursuing their legitimate interest does not significantly harm the rights and freedoms of data subjects.

Not the GDPR alone

But it’s not that simple! Marketing mailings in the form of e-mail, SMS messages, etc. are governed not only by the GDPR but also by Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector. Thus, in addition to complying with the GDPR requirements, it is also necessary to take into account the restrictions that the Directive imposes on marketing communications.

Art. 13.1 of the Directive specifies that the use of e-mail for direct marketing is only permitted if subscribers have previously given their consent.

At the same time, Art. 13.2 of the Directive clarifies this rule: the consent of the addressee is not necessary if all of the following conditions are met:

  • the contact information (email) of the addressee was obtained directly from the client “in the context of the sale of a product or service”;

  • the company uses the data only to promote its own goods and services, similar to those that the client has previously purchased;

  • the client has the opportunity to unsubscribe from the mailing list easily and free of charge, both at the time of data collection and at each subsequent contact (that is, upon receipt of each subsequent letter).

The ability to send marketing messages in accordance with Art. 13.2 of the Directive is called “soft opt-in”. In this case, consent is not necessary, so the controller can choose legitimate interest as the legal basis for the processing. However, if at least one of the conditions is not met, then, alas, the processing will have to be based on the consent of the data subject.

Nuances of interpretation

Some provisions of Art. 13.2 of the Directive deserve special attention.

First, since the Directive is not directly applicable in the EU countries, each state implements it in its own legislation, so the way it is applied in practice may differ from country to country. This is exactly what happened with the condition that the data must be obtained “in the context of the sale of a product or service”: some countries require an actual transaction (that is, the actual exchange of money for goods or services), while for others preparation for a transaction is enough (for example, a request for a price or a question about the product range). However, the mere fact of registering on a site or viewing its contents is not “the context of the sale of a product or service”.

Secondly, marketing email can only cover products or services (categories of goods or services) similar to those purchased by the user. That is, if a client has opened a current account with a bank, the bank can offer him payment cards, but not a loan for real estate or securities trust management services.

Thirdly, in the mailing, the company can only offer its own products and services. Therefore, it is forbidden to transfer lists of e-mail addresses to partner companies, as well as to send the client advertisements for partners’ goods and services.

Fourth, the client should be able to unsubscribe from the mailing list, both at the time of data collection and upon receipt of any subsequent letter, and doing so should be free and easy. Hiding the “Unsubscribe from the mailing list” button in the depths of the personal account on the site or in the application is a clear violation, as is the use of small print or a font color that blends into the background (“maybe the client will not notice!”). If the client does not notice, the supervisory authority will, and the consequences will not be comparable to a user simply unsubscribing from the mailing list.


Summary

When choosing the legal basis for a marketing mailing, pay attention not only to Recital 47 GDPR (“The processing of personal data for direct marketing purposes can be considered as processing serving a legitimate interest”), but also to the provisions of Art. 13 of the Directive. Even if the balance between your interests and the rights and freedoms of clients is maintained, you may not be entitled to use legitimate interest as the legal basis for the mailing.
