Article 21 provides for the data subject’s right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. It also provides that where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. Infringement of Article 21 shall be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The rules and restrictions are many, and it’s also important to note the relationship between the GDPR’s requirements and those of the e-Privacy Directive (itself soon to become a Regulation). The rules on calls, texts and emails are stricter than those on mail marketing, and consent must be more specific. Organisations should not take a one-size-fits-all approach. There are also a number of other rules and industry codes of practice affecting marketing, which are regulated by other bodies. Organisations should always ensure that they are familiar with all laws and standards of conduct which apply to them.
There shall be no unsolicited communications for direct marketing purposes. Organisations must not send marketing texts or emails to individuals without their specific prior consent. There is a limited exception for previous customers, known as the soft opt-in. This means organisations can send marketing texts or emails if all of the following conditions are met: they have obtained the person’s contact details in the course of a sale (or negotiations for a sale) of a product or service to that person; they are only marketing their own similar products or services; AND they gave the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.
In many cases organisations will need consent to send people marketing, or to pass their details on to other parties. Organisations will need to be able to demonstrate that consent was knowingly and freely given, clear and specific, and should keep clear records of consent. Note that organisations cannot email or text an individual to ask for consent to future marketing messages. That email or text is in itself sent for the purposes of direct marketing, and so is subject to the same rules as other marketing texts and emails. And calls asking for consent are subject to the same rules as other marketing calls. Organisations can make live marketing calls to numbers not registered with the national ‘do-not-contact’ service (like the UK’s ‘TPS’), if it is fair to do so. But they must not call any number that’s on the ‘do-not-contact’ list without specific prior consent. Organisations must not make any automated pre-recorded marketing calls without specific prior consent.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018