Electronic marketing under GDPR and ePrivacy Directive (2002/58/EC)

Legal basis for processing of personal data

Direct marketing purposes

As outlined under Recital 47 GDPR, processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. That is, contacting customers in relation to products and services offered by the sender of electronic marketing communication (“Sender”) can, in general, be justified under Art. 6(1) lit. f) GDPR for the purposes of the legitimate interests pursued by the controller (i.e. Sender), except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. A balance of interest must be undertaken on a case-by-case basis.

That means that prior consent (i.e. opt-in) is not required in relation to electronic marketing to existing customers/clients where the contact details of the recipients were obtained by the Sender in the context of the sale of its products or services. The Sender may then use the contact details for sending electronic marketing information (e.g. by email) for commercial purposes if such marketing communication relates to the Sender’s own similar products or services and the recipient was offered the possibility to object to receiving such marketing information (opt-out).

In this respect, data subjects have an unconditional right to object to, and thus prevent, any form of direct marketing (including electronic marketing) at any time under Art. 21(3) GDPR. The recipient must be offered the opportunity to object to the use of its personal data (i.e. contact details such as email address or name) in a free-of-charge and easy manner at the very moment of providing marketing information. Where the recipient does not make use of his or her opt-out right at the time of the sale, the recipient should be offered the option to opt-out in each subsequent electronic communication. In practice, this can be done by providing an opt-out link or opt-out button to click on in the marketing email.

In case a recipient makes use of his or her opt-out right, the Sender must stop any electronic marketing communication and ensure that no commercial information is sent to the recipient in the future. The best practice approach is to include the contact details of such recipient in a ‘blacklist’ (suppression list) – most CRM tools provide such a blacklist function.

Other purposes than direct marketing

In any other cases of electronically approaching customers/clients for commercial reasons (i.e. other than direct marketing) the express and informed consent (i.e. opt-in) of the customer/client must be obtained prior to any processing of such customer/client data to be lawful under the GDPR and ePrivacy Directive.

The relation between GDPR and ePrivacy Directive is still highly disputed. However, in relation to electronic marketing this does not really matter in practice. Taking into account Art. 94, 95 GDPR, and where consent is relied upon as legal basis for electronic marketing, the strict standards for consent under the GDPR must be observed. That is, marketing consent forms should incorporate clearly worded opt-in mechanisms. This can include ticking a consent box or clicking on an ‘agree’ button.

As a common practice, and as requested by several European data protection authorities as well as certain Member State case law, a double-opt-in (“DOI”) mechanism should be applied. This means that prior to providing marketing information by email, a confirmation email is sent to the recipient asking to verify the email address and consent to the electronic marketing. In practice, this can be done by providing a special web link or ‘agree’ button in the confirmation email to click on.

As consent must be specific and informed to be valid (Art. 4(11) GDPR), recipients must be provided with information (i) from whom (i.e. which specific entity) and (ii) for which specific products or services they will receive marketing information. That is, marketing emails must not disguise or conceal the identity of the sender and products/services promoted.
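The opt-out, double-opt-in and consent rules above, worked into a small consent ledger as an added example (not code from the original article, DataGuard or any CRM product). Names such as `Recipient`, `issue_doi_token` and `may_send` are hypothetical; the 48-hour link validity and the HMAC secret are assumptions, not requirements stated in the text.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

SECRET = b"constructed-demo-secret"  # placeholder; keep a real one in a secrets manager
TOKEN_TTL = 48 * 3600                # assumed validity of the confirmation link (seconds)


@dataclass
class Recipient:
    email: str
    existing_customer: bool = False   # contact details obtained in the course of a sale
    consent: str = "none"             # none | pending | confirmed
    opted_out: bool = False           # Art. 21(3) objection -> suppression list
    log: list = field(default_factory=list)  # evidence trail: (event, unix_time)


def issue_doi_token(r, now=None):
    """Build the token for the DOI confirmation link; the MAC binds it to the address."""
    now = int(now or time.time())
    mac = hmac.new(SECRET, f"{r.email}|{now}".encode(), hashlib.sha256).hexdigest()
    r.consent = "pending"
    r.log.append(("doi_sent", now))
    return f"{r.email}|{now}|{mac}"


def confirm_doi(r, token, now=None):
    """Called when the recipient clicks the link: verify MAC, address and expiry."""
    now = int(now or time.time())
    try:
        email, issued, mac = token.split("|")
        issued = int(issued)
    except ValueError:
        return False                   # malformed token
    expected = hmac.new(SECRET, f"{email}|{issued}".encode(), hashlib.sha256).hexdigest()
    if email != r.email or not hmac.compare_digest(mac, expected) or now - issued > TOKEN_TTL:
        return False
    r.consent = "confirmed"
    r.log.append(("doi_confirmed", now))  # retained as proof of consent
    return True


def opt_out(r, now=None):
    """Objection to direct marketing: suppress permanently and drop any consent."""
    r.opted_out = True
    r.consent = "none"
    r.log.append(("opt_out", int(now or time.time())))


def may_send(r, similar_own_products):
    """Opt-out wins; existing customers may get similar-product mail without opt-in;
    anything else needs confirmed (double-opt-in) consent."""
    if r.opted_out:
        return False
    if r.existing_customer and similar_own_products:
        return True
    return r.consent == "confirmed"
```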

Transparency obligations

The recipient must be informed about the purpose and circumstances of processing in line with Art. 13 GDPR and either (i) about the right to object at any time to processing of personal data concerning him or her for direct marketing as stipulated under Art. 21(2) GDPR, or (ii) in case of any other marketing purpose but direct marketing about the right to withdraw consent at any time as stipulated under Art. 7(3) GDPR.

This can be done in practice by providing a weblink to a specific privacy notice or respective email attachment comprising all information stipulated under Art. 13 GDPR in the first email to be sent to the recipient.

Specific national regulations

National laws implementing the ePrivacy Directive may provide for specific regulations in respect of contacting customers for commercial purposes. In Germany, for example, section 7 of the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb - UWG) stipulates that the express consent of the respective customer must be obtained prior to any processing of customer data in connection with commercial communication via phone, letter or email. Similar rules apply in other European jurisdictions.

Sanctions

Processing personal data for electronic marketing purposes without a valid legal basis or not complying with the transparency obligations can lead to administrative fines imposed by the competent data protection authority of up to EUR 20 million or 4% of the worldwide group turnover, whichever is higher (Art. 83(5) lit. a), b) GDPR). To our knowledge, no fine under GDPR has been imposed for data protection infringements in relation to electronic marketing as of September 2019.

Moreover, data subjects can be entitled to damages where they suffered material or non-material damage as a result of an infringement of the GDPR.

Guidelines by major European data protection authorities on electronic marketing

France: https://www.cnil.fr/en/node/14686 (French only)

Germany: https://www.datenschutzkonferenz-online.de/media/oh/20181107_oh_werbung.pdf (German only)

Spain: https://www.aepd.es/media/informes/2018-0164-comunicaciones-comerciales-por-medios-electronicos.pdf (Spanish only)

UK: https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/
