Electronic marketing under GDPR and ePrivacy Directive (Directive 2002/58/EC)

With the GDPR, the legal basis for processing of personal data has changed.

Legal basis for processing of personal data

Direct marketing purposes

As outlined under Recital 47 GDPR, processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. That is, contacting customers in relation to products and services offered by the sender of electronic marketing communication (“Sender”) can, in general, be justified under Art. 6(1) lit. f) GDPR for the purposes of the legitimate interests pursued by the controller (i.e. Sender), except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. A balance of interest must be undertaken on a case-by-case basis.

That means that prior consent (i.e. opt-in) is not required in relation to electronic marketing to existing customers/clients where the contact details of the recipients were obtained by the Sender in the context of the sale of its products or services. The Sender may then use the contact details for sending electronic marketing information (e.g. by email) for commercial purposes if such marketing communication relates to the Sender’s own similar products or services and the recipient was offered the possibility to object to receiving such marketing information (opt-out).

In this respect, data subjects have an unconditional right to object to, and thus prevent, any form of direct marketing (including electronic marketing) at any time under Art. 21(3) GDPR. The recipient must be offered the opportunity to object to the use of his or her personal data (i.e. contact details such as email address or name) in a free-of-charge and easy manner at the very moment of providing marketing information. Where the recipient does not make use of his or her opt-out right at the time of the sale, the recipient should be offered the option to opt out in each subsequent electronic communication. In practice, this can be done by providing an opt-out link or opt-out button to click on in the marketing email.

In case a recipient makes use of his or her opt-out right, the Sender must stop any electronic marketing communication and ensure that no commercial information is sent to the recipient in the future. The best practice approach is to include the contact details of such recipient in a ‘blacklist’ – most CRM tools provide for such a blacklist solution.

Other purposes than direct marketing

In all other cases of electronically approaching customers/clients for commercial reasons (i.e. other than direct marketing), the express and informed consent (i.e. opt-in) of the customer/client must be obtained prior to any processing of such customer/client data for the processing to be lawful under the GDPR and ePrivacy Directive.

The relation between GDPR and ePrivacy Directive is still highly disputed. However, in relation to electronic marketing this does not really matter in practice. Taking into account Art. 94, 95 GDPR, and where consent is relied upon as legal basis for electronic marketing, the strict standards for consent under the GDPR must be observed. That is, marketing consent forms should incorporate clearly worded opt-in mechanisms. This can include ticking a consent box or clicking on an ‘agree’ button.

As a common practice, and as requested by several European data protection authorities as well as certain Member State case law, a double-opt-in (“DOI”) mechanism should be applied. This means that prior to providing marketing information by email, a confirmation email is sent to the recipient asking to verify the email address and consent to the electronic marketing. In practice, this can be done by providing a special web link or ‘agree’ button in the confirmation email to click on.

As consent must be specific and informed to be valid (Art. 4(11) GDPR), recipients must be provided with information (i) from whom (i.e. which specific entity) and (ii) for which specific products or services they will receive marketing information. That is, marketing emails must not disguise or conceal the identity of the sender and products/services promoted.

Transparency obligations

The recipient must be informed about the purpose and circumstances of processing in line with Art. 13 GDPR and either (i) about the right to object at any time to processing of personal data concerning him or her for direct marketing as stipulated under Art. 21(2) GDPR, or (ii) in case of any marketing purpose other than direct marketing, about the right to withdraw consent at any time as stipulated under Art. 7(3) GDPR.

This can be done in practice by providing a weblink to a specific privacy notice or respective email attachment comprising all information stipulated under Art. 13 GDPR in the first email to be sent to the recipient.

Specific national regulations

National laws implementing the ePrivacy Directive may provide for specific regulations in respect of contacting customers for commercial purposes. In Germany, for example, section 7 German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG) stipulates that the express consent of the respective customer must be obtained prior to any processing of customer data in connection with commercial communication via phone, letter or email. Similar rules apply in other European jurisdictions.

Sanctions

Processing personal data for electronic marketing purposes without a valid legal basis or without complying with the transparency obligations can lead to administrative fines imposed by the competent data protection authority of up to EUR 20 million or 4% of the worldwide group turnover, whichever is higher (Art. 83(5) lit. a), b) GDPR). To our knowledge, no fine under GDPR has been imposed for data protection infringements in relation to electronic marketing as of September 2019.

Moreover, data subjects can be entitled to damages where they suffered material or non-material damage as a result of an infringement of the GDPR.

Guidelines by major European data protection authorities on electronic marketing

France: https://www.cnil.fr/en/node/14686 (French only)

Germany: https://www.datenschutzkonferenz-online.de/media/oh/20181107_oh_werbung.pdf (German only)

Spain: https://www.aepd.es/media/informes/2018-0164-comunicaciones-comerciales-por-medios-electronicos.pdf (Spanish only)

UK: https://ico.org.uk/for-organisations/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/

About the author

Dr. Frank Schemmel

Senior Privacy Expert

Frank Schemmel is a Senior Data Protection Officer at DataGuard. He has several years of experience as a Data Protection Specialist and Legal Project Manager at the major law firm, Allen & Overy LLP. His work focused on advising national and international companies and groups on data protection and IT security law (including telemedia and telecommunications law). As a project manager, he was also responsible for the management and coordination of national and international projects in the area of data protection and compliance. After studying law and economics at the University of Augsburg and spending a semester abroad at Kwansei-Gakuin University in Nishinomiya (Japan), he earned his doctorate with a thesis on the topic of "Liability: Burn-out". He bridges the gap between jurisprudential research and practice by lecturing at various universities and regularly publishing in relevant specialist media.
