GDPR and direct marketing. What obligations do Data Controllers have?

GDPR and direct marketing.

What are the obligations of Data Controllers?  

Regulation (EU) 2016/679 started to apply on 25.05.2018 and brought numerous changes and new requirements for the protection of personal data. One of the areas affected is marketing in almost all its forms and manifestations. Particular attention is paid to so-called "direct marketing", and marketers who use this form of sending advertising messages to specific consumers have corresponding obligations as Data Controllers.

First of all, the Data Controller must have a basis for the processing of personal data. Such a ground may be one of those listed in Article 6 of the Regulation and does not have to be consent.

According to Recital 47 of the Regulation, the processing of personal data for direct marketing purposes can be considered as being carried out for legitimate (legitimate) interest.In order to use this ground, the controller should be able to demonstrate that the use of personal data is proportionate and has a minimum impact on privacy.

In other cases, consent should be used as the basis for processing. It should be:

• Freely given;
• Specific for specific purposes;
• Informed - i.e. individuals should understand what they are agreeing to;
• Unambiguous - i.e. there should be no doubt left as to the person's intention;
• Demonstrable.

The Regulation sets out the principles for processing personal data, compliance with which must be ensured by the Controller. The latter must ensure that personal data are:

• Processed lawfully, fairly and in a transparent manner;
• Collected for the specific purposes of direct marketing;
• Kept to a minimum in relation to those purposes;
• Accurate and kept up to date;
• Kept in a form which permits identification of the data subject for no longer than is necessary;
• Processed in a way that provides an appropriate level of security, using the necessary technical and organisational measures to protect them.

The controller must provide users with the necessary information on what personal data is being processed, for what purposes, for how long it will be stored and what measures have been taken to protect it.

Of course, most attention is paid to the rights of individuals regarding the processing of their personal data in relation to direct marketing.

One of their most important rights is the right to object to processingwhere the legitimate ground used by the Controller is a legitimate interest. According to Recital 70 of the Regulation, confirmed in Article 21(2), where personal data are processed for direct marketing purposes, the data subject should have the right to object to such processing free of charge and at any time. The individual must be informed of this right.

If the person has given consent to the processing, he or she may withdraw it, and the controller must ensure that this can be done easily enough, free of charge and at any time.

The administrator must necessarily comply with the person's request. The consequence of both actions is that the personal data cannot be used in the future.

Finally, attention needs to be paid to marketing aimed at children. The regulation requires special protection of personal data concerning children. To protect their personal data, even stronger technical and organisational measures should be implemented. The controller should not take advantage of children's vulnerability. Often they do not realise that their data will be used for direct marketing purposes. The controller therefore has a duty to explain in clear and accessible language what it is doing with personal data in a way that children understand. Marketing directed at children must not contain anything that is likely to cause physical, mental or moral harm. They have all the rights as any data subject.