Since 25 May 2018, i.e. the date on which Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR) entered into force, businesses have been required to conduct their marketing activities under new rules. Presented below are the circumstances in which a data subject’s consent for conducting marketing activities is required, and those in which such consent is not necessary.
Legal grounds for the processing of personal data for marketing purposes
Personal data is any information about an identified or identifiable natural person (e.g. name, phone number, email address, etc.). The processing of personal data means any operation or set of operations which is performed on personal data (collection, recording, storage, etc.).
The processing of personal data is compliant with the GDPR if:
- consent for the processing has been given;
- it is necessary for the performance of a contract;
- it is necessary for compliance with a legal obligation to which the controller is subject;
- it is necessary in order to protect the vital interests of the data subject or of another natural person;
- it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- it is necessary for the legitimate interests of the controller.
A business entity (controller) may process personal data for marketing purposes only on one of two grounds:
- the consent of the data subject has been obtained; or
- the data is processed in the legitimate interest of the controller.
Consent of the data subject
The first and main basis for the processing of personal data for marketing purposes is the consent of the data subject. Such consent, as defined in the GDPR, means an indication of the data subject’s wishes. That indication must be freely given, specific, unambiguous and informed. It may be expressed either by a written or oral statement or by a clear affirmative action (e.g. ticking a box on a website). General authorisations are not considered a valid basis for the processing of personal data.
In one of its recitals, the GDPR specifies that silence or inactivity does not constitute consent. In accordance with the current legal framework under the GDPR, the declaration of consent cannot be hidden (e.g. in the terms and conditions introduced by the controller) or written in small print at the bottom of the page.
Without doubt, the controller must be able to demonstrate that consent for the processing of personal data, including for marketing purposes, has been granted. It is important to point out that such consent can be withdrawn at any time. A child who is at least 16 years old may also give consent to the processing of their personal data, but only where the processing concerns so-called information society services.
Controller’s legitimate interest
The second basis for the processing of personal data is a legitimate interest of the controller. However, it should be noted that this basis may only be relied upon for the purpose of direct marketing. A legitimate interest of the controller cannot be asserted where it is overridden by the interests or rights and freedoms of the data subject (e.g. when the data subject is a child).
According to one of the recitals of the GDPR, a legitimate interest exists where there is a relevant relationship between the data subject and the controller (e.g. a seller–customer relationship). However, it is important to note that the existence of a legitimate interest should always be assessed in a specific context. Therefore, businesses should rely on this basis for the processing of personal data only when they have no doubt that such a relationship exists in a given situation. This avoids the accusation of lacking grounds for the processing of personal data, and the legal and administrative sanctions that follow from it.
Direct marketing involves direct communication with the customer who is offered products or services tailored to their individual needs and expectations (e.g. by e-mail or telephone). With regard to direct marketing, the data subject must be guaranteed the right to object to the processing of their personal data. They must be informed that such an objection may be lodged at any time.
Controllers creating marketing databases must keep the full text of the consents to the processing of personal data received from the data subjects in order to be able to prove that such consents had been obtained.
Moreover, personal data may now be processed only for a specified purpose and for a limited period. Consequently, personal data obtained in the past cannot be kept by business entities in their databases indefinitely once the purpose for which it was collected has ceased to exist.
It should be emphasised that the GDPR does not prohibit the creation of personal databases for marketing purposes. It is allowed with the consent of the data subjects or if based on the controller’s legitimate interest. However, new responsibilities have been imposed on controllers. These include the obligation to provide information or the obligation to respect the data subject’s “right to be forgotten”.