Designing marketing initiatives in an organisation so they comply with the regulations, including data protection rules, can be problematic. The situation becomes even more complicated if marketing for several companies within a group is carried out by one of the companies, designated through informal internal arrangements (often without concluding any contracts).
In this scenario, the complexities appear essentially on two levels. The first is the interweaving of data protection regulations with rules set forth in the Telecommunications Law and the Electronic Services Act. This concerns the manner and form for obtaining consent to transmit commercial information, such as a newsletter. We discuss this topic in detail in the article “Marketing communications to individuals: What’s the story with consent?”
The second area is determining the roles played by particular entities in data processing. This first involves mapping data processes within the organisation, and second, concluding the data processing contracts required by the General Data Protection Regulation between entities taking part in direct marketing activities within the corporate group.
The essence of this issue is bringing the practice of corporate groups, including international groups, into compliance with the requirements of the existing legal regulations, including the GDPR. Often flows of data between companies within a single capital group are not regarded for internal purposes as transferring data to third parties. But under the GDPR there is no basis for applying different rules to flows of data between companies within a single group than to flows of data between independent companies. In other words, the fact that a company assigns some of its activity, e.g. marketing, to another company within the same group (and not to an entirely independent company) has no impact on the obligation to conclude a data processing contract as referred to in Art. 28 GDPR, nor on the existence of restrictions on the basis for transferring data to countries outside the European Economic Area. For example, if under the specific intra-group arrangements a newsletter is sent to customers of a Polish company by a company from the same group but registered, say, in the United States, there is no basis for finding that the transfer of personal data to the US in connection with such activities is exempt from the requirements of Chapter V GDPR, or that such an entity does not have to be covered, for example, by the Privacy Shield programme for the data transfer to be lawful.
Of course it should also be remembered that within the corporate group there must be mechanisms in place for responding effectively to any data protection breaches in the entity entrusted with performing specific activities connected with direct marketing, in light of the civil and administrative liability provided for in the GDPR and the Telecommunications Law. These mechanisms must enable not only prompt reporting of breaches, but also assessment of the related risks. Guidelines should be introduced allowing the designated persons to determine whether a data breach should be notified to the competent supervisory authority, and also what measures should be implemented to minimise the potential negative consequences of the breach for data subjects. This is essential, as under the GDPR the supervisory authority must be notified of a data breach within 72 hours after the breach is discovered.
Katarzyna Szczudlik, adwokat, New Technologies practice, Wardyński & Partners