Marketing in light of the GDPR: When can I send advertising?

14/1/19

Marketing in light of the GDPR: When can I send advertising?

From a legal point of view, we live in times of great uncertainty, where significant regulatory changes and dispersion characterize many sectors, without a blunt stitch being made. Thus, one of the most important subjects undergoing a real revolution, including headaches, is data protection, and since it is also transversal to all areas, no one can remain indifferent. We already know that since May 25, the famous General Data Protection Regulation (RGPD) became applicable with everything it meant and with the ignorance - even of those who try to dedicate ourselves, with greater or lesser fortune, to this - of its great repercussions. Six months after that, it seems that at last the new law — Draft Organic Law on the Protection of Personal Data and the Guarantee of Digital Rights- is about to come out, since it was unanimously approved in Congress on October 18, pending approval by the Senate; and, for its part, the Spanish Data Protection Agency (AEPD), has published the Report on Privacy and Internet Policies (Report) according to its adaptation to the GDPR. It is published with the purpose of issuing recommendations after having done a survey of different sectors in its environment online, such as the insurance sector, hospitality, transport and e-commerce. It also clarifies or, where appropriate, outlines recommendations that have already been indicated in previous guides or reports. The truth is that it would have been appreciated if these guidelines had been provided to us (not 6 months ago, but even earlier), so that the advisors that we are working on helping our clients to adapt to the GDPR, could do so with a more filtered criterion in accordance with our dear AEPD. But, in any case, it is appreciated to have this type of Report. One of the points that I would like to highlight is the study carried out by the AEPD regarding the legitimacy for direct marketing -more or less, when advertising is carried out directly with customers to boost sales-, derived from Article 6.1.f in relation to recital 47 of the RGPD which states that the legitimate interest of a data controller “could occur, for example, when there is a relevant and appropriate relationship between the interested party and the controller, such as in situations where the interested party is a customer or is at the service of the controller” and that “the processing of personal data for direct marketing purposes can be considered carried out of legitimate interest”. In other words, these provisions open up the possibility for a company to send advertising to its customers without the need to ask for consent. In this regard, it should be remembered that among the means by which a company can address its customers, there is ordinary mail, telephone, text messages and email. For the latter case, e-mail, we must remember that not only must we take into account the application of data protection, but - among others - the regulations relating to electronic commerce, represented in Spain by Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (the well-known LSSI). Well, the AEPD, as we have also indicated many, relates this regime of the RGPD to article 21 of the LSSI, “which requires that these communications have been requested or expressly authorized by the recipients of the same, or that 'there is a previous contractual relationship, provided that the provider has lawfully obtained the recipient's contact details and will use them to send commercial communications regarding products or services of their own company that are similar to those initially contracted with the customer'“In other words, when a customer ceases to be one, we can only send you advertising of all kinds by email when you previously gave us your consent (and we will have legitimate the processing with your consent of the interested party), or send you advertising only of “products or services of your own company that are similar to those that were initially the subject of contracting” (basing the legitimacy, in this case, on legitimate interest). However, remember that in any electronic communication we make in this regard, we always have to give the recipient the option to object to receiving it. But as I said before, direct advertising is not only carried out by email, but also by other means, such as postal or telephone. In these cases, the LSSI does not apply, so we must comply with the provisions of the RGPD and its applicable regulations. In these cases, therefore, as recalled by the AEPD of its Report 0195/2017, commercial communications may be sent to those who are current customers of the responsible party based on legitimate interest, without the need for their consent, provided that they refer to products or services similar to those initially contracted. But to send them advertising for other products and services, even if they are customers, we will need your unequivocal consent. Needless to say, in order to send advertising through these non-electronic means, to those who are not customers, we can only do so once we have obtained their consent. And as always, in any case, provide the possibility to object. I reiterate this idea, because the Report clarifies that the hotel sector is one where “few companies analyzed report the right of the interested party to withdraw their consent for the processing of their personal data at any time.” Finally, with regard to when to obtain such consents, taking into account that in the tourism sector the data can come either from the same interested party - in which case, there is no difficulty in requesting it when the data is collected; or, through third parties (different suppliers, OTA's, bed banks, etc.), in which case you must be informed no later than one month after the personal data were obtained, or before or at the first communication with the interested party, or before the data (if any) has been communicated to other recipients. For example, in the case of a hotel, since regardless of where the guest's data comes from, the guest has to do the Check-in, at the time of data collection and signing of the hosting contract, the interested party can be provided with information regarding data protection and also request, where appropriate, consent to the sending of advertising for products or services other than the accommodation itself. In accordance with everything indicated, it is very important that in any audit that companies are carrying out to comply with the GDPR, they take these aspects into account in order to, as we advise our customers, to be able to “clean” their databases and to be able to determine whether data were obtained lawfully, as well as if those obtained that are based on consent, that this was collected in accordance with the RGPD, since it has been a great sin to request consent again without rhyme or reason, which in addition to boring the recipient, has produced an overeffort in many companies that was unnecessary.

Georgina García-Más (T&l Attorney)

Article published in the November edition From the monthly newspaper CEHAT