On May 25th, 2018, the European Union General Data Protection Regulation (GDPR) and the amendment to the Austrian Data Protection Act will enter into force. The provisions contained therein set out new requirements for the processing of personal data in Austria. Many businesses are uncertain whether and to which extent they will be able to use personal data for marketing purposes in the future. What will remain possible and what should businesses try to avoid in view of the high penalties that can be imposed for infringements against the GDPR?
“Will we still be allowed to send out our newsletter?” This is one of the questions legal advisers in the field of data protection are being asked most frequently these days. It reflects the uncertainty of many businesses as to how the new data protection rules will affect their advertising activities, in particular with regard to direct marketing.
In less than 4 months the new laws will enter into force. The good news is that direct marketing and other forms of advertising will continue to be possible. However, to avoid severe penalties, businesses should make sure they “play by the data protection rules”.
Marketing activities are subject to both the general provisions of the GDPR as well as to national legislation. As a consequence, data processing can only be carried out if it is “lawful”. Data processing is considered to be lawful, for instance, if the data subject (i.e. the person whose data is being processed) has expressly consented to the processing of their data for a specific purpose, or if processing is necessary for the performance of a contract to which the data subject is a party. For example, a party to a sales contract may, to the extent necessary, process the data of their contractual partner without having to obtain that partner’s express consent.
Furthermore, businesses must proactively comply with their extensive information duties at the time of data collection. This means that they must inform the data subjects about the purpose and the legal basis of the processing.
2. When is Direct Marketing Permitted?
“Direct marketing” is any form of advertising that involves addressing a potential customer directly. A company that sends newsletters by post or e-mail to a personal (e-mail) address of certain (groups of) persons with the intention of eliciting an individual, measurable reaction, is doing direct marketing.
Under the GDPR, direct marketing is permitted either on an “opt-in” or an “opt-out” basis. Under the “opt-in” procedure, recipients must have explicitly given their prior consent, meaning they have to have agreed to receive advertising material, in order for the advertising to be permissible. Under the “opt-out” procedure, direct marketing is generally permissible without the need for the recipient to have given their consent, but recipients must have the right to object to being contacted. As long as they do not object, the direct marketing measures remain permissible.
2.2. When is the Data Subject’s Consent Necessary?
So when is the data subject’s consent necessary and when is it not? Broadly speaking, the answer is that under data protection law, the data subject’s consent is not required if the “legitimate interests” of the business doing direct marketing are considered to be greater than the interests of the recipient not to have their personal data processed. The GDPR expressly stipulates in Recital 47 that direct marketing can be seen as a “legitimate interest” to process data, thereby acknowledging that businesses have a legitimate interest in contacting customers and potential customers, which may override the interests of the recipient.
This means that under the GDPR, direct marketing will generally be permissible in many cases. However, each recipient will have the right to opt out. The right to opt out must be free of charge and must be possible electronically. Businesses will be under a duty to comply immediately, but at the latest within a month’s time, if a recipient objects to their data being processed.
Direct marketing will not be permissible without the consent of the recipient in cases where either the data processing involves a high-intensity intervention (e.g. in certain cases of profiling – see below) or where sensitive data is concerned. Sensitive data includes all health data, biometric data, data concerning sexual orientation, political or religious beliefs, etc. (Art. 9 GDPR).
For further information: GALA Gazette