The EU General Data Protection Regulation (GDPR) entered into force on 25 May 2018. It imposes extensive obligations on all companies, regardless of their size, to protect personal data. But how will the new legal situation affect direct marketing?
Many companies are uncertain whether and to what extent data may be used for advertising in the future and what is better not to do due to the high fines of up to 4% of group sales or EUR 20 million. “Can we still send out our newsletter in the future?” many ask.
First of all: the new rules also apply to advertising measures. Accordingly, data processing may only be carried out if it is “lawful”, for example if the data subject has expressly consented to the processing of these data for a specific purpose or if the data must be processed in order to fulfil a contract with the data subject. Whoever concludes purchase contracts, for example, may process the data of his contractual partner required for the fulfilment of the contract without having to obtain separate consent for this.
Admissibility of direct marketing
“Direct marketing” refers to advertising measures aimed directly at potential customers, e.g. sending advertising by post or e-mail. Direct marketing may be permissible on the basis of an opt-in or opt-out procedure. In the opt-in procedure, the person addressed must have expressly given their voluntary and informed consent to receive advertising messages in advance. Consent may not be improperly linked to the performance of a contract. In the opt-out procedure, direct marketing is also permitted without consent, but the person concerned has a right of objection free of charge.
But when is consent required? The DSGVO expressly recognises that companies have a legitimate interest in contacting (potential) customers, which may override the interests of these (potential) customers not to be contacted. In principle, no consent to the processing of data for the purpose of direct marketing is therefore required if the “legitimate interests” of the company in establishing contact predominate.
Direct marketing is not permitted without the consent of the person concerned, e.g. for profiling or if health data, biometric data, data on sexual orientation, etc., (sensitive data) are involved.
Electronic direct marketing
In addition, the Austrian Telecommunications Act requires consent for electronic direct marketing for advertising (i) to non-customers and (ii) to own customers if third-party goods/services or own but other goods/services are advertised, and (iii) for telephone advertising. Anyone wishing to send advertising to non-customers by e-mail therefore always requires the recipient’s consent. E-mail advertising must also always provide an opt-out option (e.g. unsubscribe from a newsletter).
Direct marketing and other advertising measures are therefore still possible. Data processing may be permissible – even without the separate consent of the data subject – provided that it is carried out for the purpose of direct marketing, that the interests of the company outweigh and that the data subject has not objected to the processing of his data. In certain cases, however, the express consent of the person concerned is required (e.g. profiling, telephone advertising, e-mail advertising to non-customers, etc.).
Data collection must proactively comply with comprehensive information obligations (e.g. disclosure of the purpose for which the data are processed and the legal basis for processing).
There will therefore be no carte blanche for direct marketing. With regard to the high penalties, companies are advised to strictly observe the legal framework conditions for direct marketing.
The complete article by Dr. Georg Huber, LL.M. and Melanie Gassler-Tischlinger, LL.M. can be read in “DHK aspekte”, the magazine of the German Chamber of Commerce in Austria, issue 2/2018 (June 2018): When can customers be contacted?