Close
  • Home
  • About us
  • Practice areas
  • Blog
  • Contacts
  • EN
  • BG
kgk_logo_dark_red
  • Home
  • About us
  • Practice areas
  • Blog
  • Contacts
  • EN
  • BG

kgk_logo_dark_red
  • Home
  • About us
  • Practice areas
  • Blog
  • Contacts
  • EN
  • BG

GDPR and direct marketing. What obligations do Data Controllers have?

sc_admin
July 22, 2019
Blog

GDPR and direct marketing.

What are the obligations of Data Controllers?  

Regulation (EU) 2016/679 started to apply on 25.05.2018 and brought numerous changes and new requirements for the protection of personal data. One of the areas affected is marketing in almost all its forms and manifestations. Particular attention is paid to so-called "direct marketing", and marketers who use this form of sending advertising messages to specific consumers have corresponding obligations as Data Controllers.

First of all, the Data Controller must have a basis for the processing of personal data. Such a ground may be one of those listed in Article 6 of the Regulation and does not have to be consent.

According to Recital 47 of the Regulation, the processing of personal data for direct marketing purposes can be considered as being carried out for legitimate (legitimate) interest.In order to use this ground, the controller should be able to demonstrate that the use of personal data is proportionate and has a minimum impact on privacy.

In other cases, consent should be used as the basis for processing. It should be:

  • Freely given;
  • Specific for specific purposes;
  • Informed - i.e. individuals should understand what they are agreeing to;
  • Unambiguous - i.e. there should be no doubt left as to the person's intention;
  • Demonstrable.

The Regulation sets out the principles for processing personal data, compliance with which must be ensured by the Controller. The latter must ensure that personal data are:

  • Processed lawfully, fairly and in a transparent manner;
  • Collected for the specific purposes of direct marketing;
  • Kept to a minimum in relation to those purposes;
  • Accurate and kept up to date;
  • Kept in a form which permits identification of the data subject for no longer than is necessary;
  • Processed in a way that provides an appropriate level of security, using the necessary technical and organisational measures to protect them.

The controller must provide users with the necessary information on what personal data is being processed, for what purposes, for how long it will be stored and what measures have been taken to protect it.

Of course, most attention is paid to the rights of individuals regarding the processing of their personal data in relation to direct marketing.

One of their most important rights is the right to object to processingwhere the legitimate ground used by the Controller is a legitimate interest. According to Recital 70 of the Regulation, confirmed in Article 21(2), where personal data are processed for direct marketing purposes, the data subject should have the right to object to such processing free of charge and at any time. The individual must be informed of this right.

If the person has given consent to the processing, he or she may withdraw it, and the controller must ensure that this can be done easily enough, free of charge and at any time.

The administrator must necessarily comply with the person's request. The consequence of both actions is that the personal data cannot be used in the future.

Finally, attention needs to be paid to marketing aimed at children. The regulation requires special protection of personal data concerning children. To protect their personal data, even stronger technical and organisational measures should be implemented. The controller should not take advantage of children's vulnerability. Often they do not realise that their data will be used for direct marketing purposes. The controller therefore has a duty to explain in clear and accessible language what it is doing with personal data in a way that children understand. Marketing directed at children must not contain anything that is likely to cause physical, mental or moral harm. They have all the rights as any data subject.

Prepared by:
Iliyana Todorova - Legal Assistant at KGK Law Firm


Lawyer

Related Articles


rear view businessman talking phone top building
Appointment and replacement of а manager in a Limited Company
June 29, 2023
Blog
Support in the form of creative grants for independent artists
Support in the form of creative grants for independent artists
April 23, 2020
Blog

Bulgaria between the Fourth and the Fifth Directives on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing
Bulgaria between the Fourth and the Fifth Directives on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing
Next Article

kgk_logo_dark_red
Renovating the legal service industry
Pages
  • Home
  • About us
  • Practice areas
  • Blog
  • Contacts
Traditional services
  • AML and CFT Compliance
  • Competition
  • Personal data protection,
  • Intellectual Property
  • Litigation & Arbitration
  • Corporate & Commercial
  • Bad Debt Collection
  • Tourism
  • Public Procurement
  • Energy Law
  • Transportation
  • Real Estates
  • TMT
  • M&A
  • Labor and Employment
Innovative services
  • Blockchain & Crypto
  • NFTs & Virtual Reality
  • Artificial Intelligence
  • Social Media and Marketing
Contact us
Facebook Linkedin Instagram
+359 2 423 2273
office@kgk.bg
We accept payments from
  • revolut
  • binance
emea-leading-firm-2023
innovation_award
druzhestvo s promenliv kapital
Manage Cookie Consent

To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
General Terms and Conditions

Functional Винаги активен
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Управление на опциите Manage services Manage {vendor_count} vendors Прочетете повече за тези цели
View preferences
{title} {title} {title}