
GDPR in marketing – the golden rules

25 May 2018 saw the introduction of the General Data Protection Regulation (GDPR), which set new rules for the processing of personal data, including in the context of marketing, advertising and PR communication. Non-compliance with the Regulation may result in fines of up to EUR 20 million or 4% of the company's annual worldwide turnover, whichever is higher. In Poland, the two highest fines to date, almost PLN 1 million and PLN 3 million, were imposed in 2019. Given the level of the penalties, every company should process personal data very carefully. Do you know what you should pay special attention to?



Personal data means any information that makes it possible to identify a natural person, directly or indirectly. The same piece of information is not always personal data for every entity: for example, the IP address of the user's computer is personal data for the internet service provider, which can link it to a subscriber, but a website that sees the address alone may not be able to identify the user unequivocally. In the marketing sector, the most frequently processed personal data are: first name and surname (together with the address of residence where the surname is common, or on their own where it is unique); an e-mail address that contains identifying elements such as the first name, surname and company name; and a direct telephone number.



For marketing purposes, the most common legal bases for processing personal data are the legitimate interest of the controller and the consent of the data subject. Direct marketing is given as an example of a legitimate interest of the controller in recital 47 of the GDPR. It is worth adding that consent obtained from users before the GDPR took effect remains valid provided that it meets the conditions laid down in the Regulation (recital 171). This is particularly relevant for Poland, which was previously subject to the Personal Data Protection Act of 1997, whose consent requirements already largely matched those of the GDPR. Valid consent must meet the following conditions:

  • Unambiguity

Consent must be obtained unambiguously: we cannot offer the user a free e-book sent to their e-mail address and then send a newsletter to that address without a separate consent. Consent cannot be presumed; the user must always confirm it by a clear affirmative act, e.g. by ticking a checkbox that is unchecked by default. The GDPR requires the request for consent to be clear, concise and tailored to the recipient.

  • Specificity

The consent given by the user must be specific. It is no longer possible to collect a bundled consent in a single field, e.g. consent to the processing of personal data for order and payment handling and for marketing purposes at the same time. The purpose of the processing must be stated specifically and each purpose needs its own consent. Importantly, consent to "marketing purposes" alone is not specific. If we plan to use the user's data to send them a newsletter or promotional codes, we should name those purposes in the consent we ask for.

  • Awareness

The consent request should be clear, simple and concise, with language adapted to the recipient (the consent we need from a programmer on a specialised portal will be worded differently from one aimed at a 16-year-old on a youth portal) and to the profile of our activity (the form of communication used by an IT corporation, a bank or a law firm will differ from that used by a fashion portal).

  • Voluntary consent

Consent must be freely given, which means the user must have a genuine choice. It cannot be forced, e.g. by refusing to process an order in an online store unless the user also consents to receiving marketing information that is not required to complete the order.

  • The right to object

Under recital 70 of the GDPR, where personal data are processed for direct marketing on the basis of the controller's legitimate interest, the controller must inform the data subject of their right to object to that processing, explicitly, in a clear and simple form and separately from other information.



The GDPR allows consent to be given in writing (including electronically) or orally, but it should be remembered that the controller bears the burden of proving that consent was obtained, so the evidence (e.g. date, time and the IP address of the user's computer, together with the wording the user saw) should be recorded. The Regulation does not exclude modern forms of obtaining consent, e.g. a gesture on the smartphone screen or the use of the phone's fingerprint reader. When consent is obtained, the data subject should be informed of: the identity of the controller, the purpose of the processing, the right to withdraw consent, any automated decision-making (e.g. profiling), any transfer of the data to third countries (outside the EU, Iceland, Liechtenstein and Norway, and the United Kingdom depending on the post-Brexit arrangements) or to international organisations, and the retention period.

Withdrawal of consent does not override laws that oblige the controller to keep certain data (e.g. for accounting purposes), but those laws do not exempt it from deleting data that were obtained solely for marketing purposes. For example, order data kept in an online store for statistical purposes should be anonymised once the statutory warranty period for the purchased products has expired.

Under the Polish Telecommunications Law, in the case of telephone marketing (cold calling) consent must be obtained before the call is made. The Personal Data Protection Office rules out obtaining such consent during the first call to a natural person; in the case of a business owner the interpretation is disputed.
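The two engineering consequences of the paragraphs above on specific consent and on proving consent are a record that can stand as evidence (who consented to which purpose, when, from which address, to which exact wording, and whether it was later withdrawn) and a retention routine that anonymises marketing-only data without touching what accounting law requires. The following is an added example, not code from the original post or from PSMM; the purpose names, field names, 730-day retention period and sample data are assumptions made for illustration.

```python
"""Consent evidence ledger plus retention-based anonymisation (added example).

Not from the original post. Purpose names, field names, the retention
period and the sample data in demo() are assumptions for illustration.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Each consent must name one specific purpose; a blanket "marketing" is rejected.
PURPOSES = {"newsletter", "promo_codes", "phone_marketing"}  # assumed list


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only entry: who, for what, given or withdrawn, when, from where."""
    subject_id: str
    purpose: str
    given: bool          # True = consent given, False = consent withdrawn
    at: datetime         # time of the user's action, normalised to UTC
    ip: str              # address the action came from
    text_sha256: str     # hash of the exact wording shown (empty for withdrawals)


class ConsentLedger:
    """Append-only log so the controller can prove what was consented to and when."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, subject_id: str, purpose: str, given: bool,
                at: datetime, ip: str, text: str) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"consent must name one specific purpose, got {purpose!r}")
        if at.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware")
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest() if text else ""
        ev = ConsentEvent(subject_id, purpose, given, at.astimezone(timezone.utc), ip, digest)
        self._events.append(ev)
        return ev

    def record(self, subject_id: str, purpose: str, at: datetime, ip: str,
               consent_text: str, box_checked_by_default: bool = False) -> ConsentEvent:
        """Store an affirmative act; a pre-ticked box is not consent and is refused."""
        if box_checked_by_default:
            raise ValueError("consent cannot be presumed: the checkbox must start unchecked")
        return self._append(subject_id, purpose, True, at, ip, consent_text)

    def withdraw(self, subject_id: str, purpose: str, at: datetime, ip: str) -> ConsentEvent:
        """Withdrawal is logged, never deleted: the history is the controller's evidence."""
        return self._append(subject_id, purpose, False, at, ip, "")

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """The latest event at or before `at` decides; no event means no consent."""
        at = at or datetime.now(timezone.utc)
        state = False
        for ev in self._events:  # insertion order == chronological order
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.at <= at:
                state = ev.given
        return state

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        return [ev for ev in self._events
                if ev.subject_id == subject_id and ev.purpose == purpose]


def anonymise_old_orders(orders: List[Dict], now: datetime,
                         retention: timedelta) -> List[Dict]:
    """Blank identifying fields of orders older than `retention`; amounts and
    dates stay, so statistics still work on the anonymised rows."""
    out = []
    for order in orders:
        row = dict(order)
        if now - row["placed_at"] > retention:
            for key in ("name", "email", "address"):
                row[key] = None
        out.append(row)
    return out


def demo() -> Dict[str, object]:
    """Constructed sample run (fictional user, addresses and orders)."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    t1 = t0 + timedelta(days=30)
    ledger.record("u1", "newsletter", t0, "203.0.113.7",
                  "I want to receive the weekly newsletter by e-mail.")
    ledger.withdraw("u1", "newsletter", t1, "203.0.113.7")
    try:
        ledger.record("u1", "marketing", t0, "203.0.113.7", "I agree to marketing.")
        vague_rejected = False
    except ValueError:
        vague_rejected = True
    orders = [  # constructed data; order 1 is well past the assumed 730-day retention
        {"id": 1, "placed_at": t0 - timedelta(days=900), "name": "A. Example",
         "email": "a@example.com", "address": "1 Test St", "amount": 99.0},
        {"id": 2, "placed_at": t0 - timedelta(days=10), "name": "B. Example",
         "email": "b@example.com", "address": "2 Test St", "amount": 15.0},
    ]
    kept = anonymise_old_orders(orders, now=t1, retention=timedelta(days=730))
    return {
        "consent_at_t0": ledger.has_consent("u1", "newsletter", t0),
        "consent_at_t1": ledger.has_consent("u1", "newsletter", t1),
        "promo_codes": ledger.has_consent("u1", "promo_codes", t1),
        "vague_purpose_rejected": vague_rejected,
        "evidence_events": len(ledger.evidence("u1", "newsletter")),
        "old_order_name": kept[0]["name"],
        "old_order_amount": kept[0]["amount"],
        "recent_order_name": kept[1]["name"],
    }
```

Two design choices matter here. The ledger is append-only: a withdrawal is a new event, so the controller can still show that consent existed for the period in which mailings were sent, and `has_consent(..., at=...)` answers the question for any past point in time. And the hash of the consent wording lets you prove which version of the request the user saw, which matters when the text changes between campaigns. In production the events would be written to durable storage with a timestamp taken server-side, not trusted from the client.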



The information obligation is one of the GDPR's significant features. The controller must inform data subjects that it holds and processes their data and on what basis, regardless of the purpose of the processing (Articles 13 and 14). It is good practice to include an information clause also in the footer of e-mails through which personal data are processed.



The GDPR introduces special protection of the personal data of children under 16, an age that Member States may lower to 13 (the Polish draft act proposed 13, but the Act of 10 May 2018 finally adopted kept 16). If we want to process such data in order to offer information society services directly to a child (e.g. streaming, VOD or music services), we need the consent of the child's parent or legal guardian. The rule does not cover, for example, orders and deliveries from online stores, since the author treats these as outside the definition of an information society service; because this may raise interpretation problems, it is recommended to obtain parental consent for orders by minors under 13 except for small everyday purchases (e.g. a newspaper, a book or a film).



If we outsource marketing activities to an agency and have it process personal data, we need to conclude a data processing agreement with it. In this arrangement the company that commissioned the activities is the controller and the agency is the processor. As a result, in the event of e.g. a personal data leak, the processor must notify the controller without undue delay (Article 33(2)), and it is the controller that reports the breach to the Personal Data Protection Office, within 72 hours where notification is required (Article 33(1)).


System developer in PSMM Monitoring&More. Passionate about programming, good pizza and Coca-Cola Zero. A fan of Lech Poznań and Robert Kubica.