Most businesses react nervously when they hear the letters “GDPR,” as in their view the regulation gets in the way of performing their day-to-day work, particularly marketing. At the same time, many businesses get lost in the tangle of regulations they are supposed to follow if they wish to lawfully direct marketing communications to individuals. What issues cause them the most difficulty?
You don’t always need consent to contact consumers
It should be remembered that the restrictions primarily apply to contacts of a marketing nature. If we need to contact a customer in connection with current performance of a contract, for example to notify them of postponement of delivery or that the website is down, we don’t need their consent. It’s enough to fulfil the informational obligation toward these persons.
You don’t always need consent to processing of personal data
Most people still seem convinced that it is essential to obtain consent to processing of personal data for marketing purposes. But under the General Data Protection Regulation, there are two main grounds for processing of personal data for marketing purposes: consent and legitimate interest. If the processing is based on a legitimate interest, obtaining consent to the processing is not required.
Of course, it is not always possible to base processing on the ground of a legitimate interest. Under the GDPR, processing of data for marketing purposes can be based on this ground if there is a “relevant and appropriate relationship” between the data controller and the data subject. Businesses must therefore evaluate whether data subjects have reasonable grounds to expect that their data may be processed for a particular purpose. A classic example of such a situation is an active contract between the data controller and its customer.
Basis for processing data under GDPR is not the same as consent to contact
Obtaining consent to processing of personal data does not mean that we can then send marketing content to that person by phone or email. In practice, the fact that we have a basis for processing a person’s data under the GDPR means that we can send marketing content to that person only in writing. To ensure the possibility of contact through other channels, we must obtain separate consent from the data subject pursuant to the Telecommunications Law or the Electronic Services Act. Such consent is independent and cannot be derived from consent to processing of personal data.
But this can lead to a curious situation where someone expresses consent to contact by telephone but not to processing of personal data for marketing purposes. Here it is worth citing the pro-business position of the Ministry of Digital Affairs stated in its Guide for the FinTech Sector: “Consent to transmission of commercial information under the Electronic Services Act constitutes a relationship between the person providing consent and the controller, as referred to in recital 47 of the GDPR. The fact of consenting to transmission of commercial information under the Electronic Services Act means that persons expressing such consent have reasonable grounds for expecting that their data may be processed for this purpose.”
This interpretation should be approached cautiously, however, as the President of the Personal Data Protection Office has not confirmed such a liberal outlook.
What sort of consent to contact should be provided?
Recently the President of the Office of Competition and Consumer Protection (UOKiK) took a position on the issue of making telephone calls to consumers for direct marketing purposes despite their lack of consent to contact by phone. The regulator found that this practice infringes the collective interests of consumers. Many practical conclusions may be drawn from this decision on how consent to contact should be formulated. Here are a few:
- Consent must be framed expressly, unambiguously and specifically. The person expressing consent must be aware of the purpose of the consent and who they are providing consent to.
- The consent must indicate the communications channel it covers, the purpose for which it is obtained, and the entity to whom it is granted. Consumers must be aware whom they are granting consent to at the time they grant consent.
- In the regulator’s view, the use of abstract terms like “third party” or “cooperating entity” does not meet the requirement of specificity.
- The authority expressed doubt as to the correctness of simultaneous consent to contact from numerous entities, without at least a link to a list of those entities.
- Consent must precede the marketing contact.
- Telephone contacts between a company and consumers aimed at obtaining consent to present a marketing offer may be deemed actions falling within the ban on contact under the Telecommunications Law.
Acquiring a database does not ensure peace of mind
The President of UOKiK also raised the issue of the responsibility of an entity that has acquired a database containing personal data of persons to whom the acquirer of the database intends to direct marketing communications. In the regulator’s view, an entity pursuing direct marketing is responsible for the correctness of consent under Art. 172 of the Telecommunications Law regardless of whether the marketer obtained the consent itself or acquired a database of consents from a third party. The regulator also indicated what should be included in the contract between the marketer and the supplier of the database, in particular provisions under which the supplier ensures that the consent:
- Is consistent with the requirements of Art. 172 of the Telecommunications Law
- Specifies the channel for future contacts with the potential customer, the aim of the contact, and the entity to whom consent is to be provided
- Is granted to one entity indicated in the wording of the consent.
Additionally, the supplier should be obliged to provide notification of any withdrawal or modification of consent, and contracts should include a mechanism for monitoring and financial responsibility of the partners. In practice, fulfilment of these requirements may prove very difficult.
Karolina Romanowska, adwokat, Employment practice, Wardyński & Partners