In recent years, the European General Data Protection Regulation (GDPR) has fundamentally changed the lives of marketing experts and companies, as well as the way we think about direct marketing in general. Electronic direct marketing (eDM) activities can continue to be widespread, but it is more important than ever to send out such materials in compliance with applicable data protection laws.
Even though the GDPR has introduced strict rules and generally expects a higher level of organization and privacy awareness from companies, it also leaves a significant playground for marketing related data processing. For example, it basically allows a company to send e-direct marketing inquiries to its customers based on its own legitimate business interests, even without the consent of the person concerned. Therefore, with the holiday season approaching the companies are not necessarily required to build a completely new customer database for e-direct marketing purposes, because their existing customer or contact database can be used for sending promotional materials online. However, this requires an assessment of whether there is a relevant and appropriate relationship between the company and the customer and to what extent the customer can reasonably expect the company to send eDM materials to her.
Is it legal to send an email on the company’s Christmas promotions?
„There is indeed a relevant and appropriate relationship, for example, when the company contacts one of its customers who recently ordered something in its webstore and provides her Christmas promotions, discounts or offers” – explains dr. Daniel Necz, lawyer at SimpLEGAL. In such cases, however, the company must consider with particular care whether the data subject could have reasonably expected to be contacted for marketing purposes in the holiday season. In this respect, the type of service used or the products previously purchased from the company must be taken into account. For example, if the customer concerned has ordered food or household products from a supermarket’s webstore, the company is entitled to send similar store offers to the customer without its consent, based on the company’s legitimate business interest. However, a customer who has previously purchased such products cannot reasonably expect to receive, for example, offers on car parts or coupons related to the services of other data controllers, such as the company’s suppliers or partners. Accordingly, in the latter cases, the company must seek the prior consent of the customer to send her such materials. Based on the prevailing practice of the data protection authority, offers or contents formulated by taking into account the personal preferences and interests of customers (i.e. by profiling) cannot be sent to those concerned without their specific prior consent. Thus, for example, the company should definitely request the consent of the data subjects beforehand, if it analyzes the customers’ specific shopping habits in addition to taking into account the fact of their ordering of food or household products and as a result of this analysis it wishes to send coffee vouchers or information on a prize game related to certain coffee brands to those typically buying coffee on a regular basis or other chosen group of consumers. The reason why the customer’s consent is required for such data processing is that in this case the “in-depth” data processing already goes way beyond just considering whether the data subject could have expected the sending of marketing materials. It should be emphasized, however, that there is often a “thin line” between considering the reasonable expectations of the data subject and profiling. Accordingly, it is strongly recommended that companies wishing to send eDM materials without the consumers’ consent contact a legal expert with vast experience in data protection related issues.
In connection with the above, it should be emphasized that the Hungarian legal provisions on data processing concerning electronic direct marketing are not yet in line with the above mentioned GDPR rules. However, the practice of the Hungarian Data Protection Authority suggests that the GDPR’s direct marketing data rules may be considered applicable until the full harmonization is achieved. It should also be emphasized that comprehensive changes to the EU regulatory environment concerning electronic communications are expected soon, so the current rules may be further clarified in the future.
Business and private clients
An important practical survival tip for marketing specialists as the holiday season approaches: t is often easier to target business clients or contact persons (e.g. contacts of business partners or self-employed professionals) with electronic marketing materials than private customers (qualifying as “consumers” under Hungarian law). In case business contacts, it is often the case that no natural person can be identified directly or indirectly at all based on the email address at the company’s disposal, given that the address belongs to an organization (for example, iroda@cégnev.hu.hu). „These email addresses may be used for electronic direct marketing purposes, regardless of privacy laws, since they are not regarded as personal data” – highlights the expert of SimpLEGAL. However, we generally have a wider range of options for using standard business contact information — even those qualifying as personal data, for example, a business email address including the contact person’s first and last name — to send electronic direct marketing materials. The reason why we have a greater leeway is that the business contact persons are acting in their professional or business capacity, therefore they can reasonably expect to receive business offers from their partners. Nevertheless, it should be assessed from time to time, in the light of any previous or current professional or business relationship with the business contact person concerned, whether she could have expected to receive the particular marketing materials. This expectation is of course the least likely in case there was no previous business relationship at all. Additionally, in case of existing business relationships, it is important to keep in mind that contracts with business partners typically contain provisions on communication between the parties and any reference to the contractual relationship and any business or professional cooperation. These provisions must be complied with in the course of the business relationship. Therefore, it is recommended to modify the concerned business contract templates to be applied in the future so that they fit in the company’s business and support the company’s electronic direct marketing activities.
Making cold calls by using company records
In view of the above, if there has not been a previous contractual or other business relationship between the company and the target audience of the electronic direct marketing, i.e. the company wishes to target potential future business partners, caution should be exercised when sending any electronic direct marketing messages as the holiday season approaches. „A common mistake made by many companies, for example, that they unlimitedly use the company email addresses that they find in the public company register, which often includes surnames and given names” – explains the expert. „The data published in the company register do not serve the facilitation of the companies’ direct marketing activity, but the transparency of the registered entity, namely the use of the given contact email address for official administration purposes. Other means of using these publicly available contact details, such as usage for marketing purposes, may constitute a breach of data protection requirements. Therefore, it is always important to carefully assess and review from a legal point of view what contact information are we planning to use, with what content and exact purpose do we target potential business partners with electronic direct marketing materials”.
The data processing should be clear and transparent
Whether we send electronic marketing materials to private clients or business contacts regarding the holiday season, the professional, accurate and clear wording of the company’s privacy policy is always essential and can be considered as a cornerstone for the company’s data protection ecosystem. To this end, overly general wording in privacy policies without defining the exact purpose of data processing should be avoided, such as “data processing for direct marketing”, “service development” or simply “marketing activity”. However, not only the overly general wording infringes the data subject’s right to information, but also the use of jargon that may be incomprehensible to her. Based on the applicable guidelines of the data protection authority, the use of technical terms without explanation may also appear to be misleading or difficult to understand for the data subject. Therefore, it is strongly recommended to make each and every data processing operation completely transparent to data subjects, namely described in a concise and comprehensible manner by using a language commonly understood by the relevant group of data subjects. The required transparency can be catalyzed by various visual solutions, as well as the use of charts, diagrams or icons.
Source of cover photo: Unsplash
