
GDPR in marketing – the golden rules

25 May 2018 saw the introduction of the General Data Protection Regulation (GDPR), which set new rules for the processing of personal data, including in the context of marketing, advertising and PR information. Non-compliance with the regulation may result in fines of up to EUR 20 million or 4% of the company’s turnover. In Poland, the two highest fines to date, i.e. almost PLN 1 million and PLN 3 million, were imposed in 2019. Given the level of the penalties, every company should process personal data very carefully. Do you know what you should pay special attention to?

 

WHAT ARE PERSONAL DATA EXACTLY?

Personal data are information that makes it possible to identify a given person. However, the same information will not always be personal data for different entities (e.g. the IP address of the user’s computer is personal data for the internet operator but not necessarily for a website, because it does not make it possible to unequivocally identify the user). In the marketing sector, the most frequently processed personal data include: the first name, surname and address of residence in the case of more common surnames, or just the first and last name for unique ones; an e-mail address when it contains e.g. first name, surname and company name; or a direct telephone number.

 

DATA PROCESSING IN ACCORDANCE WITH THE LAW (Article 6, item 1 of the GDPR)

For marketing purposes, the legitimate interest of the controller or the consent of the data subject is the most common legal basis for personal data processing. Examples of a legitimate interest of the controller include direct marketing (recital 47 of the GDPR). It is worth adding that consent obtained from users before the adoption of the GDPR is valid provided that the conditions stipulated in the Act are met. This is particularly important for Poland because we were previously subject to the Personal Data Protection Act of 1997, which largely satisfies the requirements set by the GDPR. These requirements include:

  • Unambiguity

Consent must be obtained from the user unambiguously, i.e. we cannot offer the user access to a free e-book sent to their e-mail address and then send a newsletter to that address without the user’s consent. The user’s consent cannot be presumed (i.e. the user must always confirm the consent, e.g. by checking the appropriate checkbox, which must be unchecked by default). The GDPR requires the request to be clear, concise and tailored to the recipient.

  • Specificity

The consent given by the user should be specific. It is no longer possible to provide collective consent in one field, e.g. consent to the processing of personal data for order or payment processing and marketing purposes. The purpose of personal data processing should be specific and each consent to processing should be separate. Importantly, mere consent to “marketing purposes” is not specific. If we plan to use the user’s data to send them a newsletter or promotional codes, we should mention these purposes in the consent obtained from them.

  • Awareness

The form of the consent we are soliciting should be clear, simple and concise. The language used should be adapted to the recipient (we will describe the consent we need from a programmer on a specialized portal in different words than the consent we need from a 16-year-old on a youth portal) and to the profile of our activity (the form of communication used by a private IT corporation, a bank or a law firm will be different from that used by a fashion portal).

  • Voluntary consent

The consent must be voluntary and has to offer a realistic option of free choice. It cannot be forced, e.g. by refusing to process an order in an online store unless the user consents to receiving marketing information which is not required to complete the order.

  • The right to object

Under Recital 70 of the GDPR, the controller of personal data is obliged to inform the person whose personal data are processed under the legitimate interest of the controller that they can object to their processing, in a clear and simple form, separate from other information.

 

THE FORM OF OBTAINING CONSENT

The GDPR allows consent to be obtained in writing (including electronically) or orally, but it should be remembered that the controller is responsible for proving that such consent was obtained from the user (e.g. date, time and IP address of the user’s computer). The regulation does not exclude the use of modern forms of obtaining consent, e.g. a gesture made on the smartphone screen or the use of the fingerprint reader on the smartphone.

When consent is being obtained, the data subject should be informed about the following: the personal data controller, the purpose of processing the data, the right to withdraw consent to the processing, the automation of data processing (e.g. profiling), communication of the data to third countries (outside the EU, Iceland, Liechtenstein, Norway, and the United Kingdom if relevant provisions are made in the Brexit agreement) or international organizations, and the time of data processing.

Importantly, the right to withdraw consent does not override, for example, laws obliging the entity to store the data (e.g. for accounting purposes), but this does not exempt the entity from the obligation to delete some data that were obtained only for marketing purposes. For example, data about orders in an online store stored for statistical purposes should be anonymized after the legal warranty period for the purchased products.

Under the Telecommunications Law, in the case of telephone marketing (calling), consent to the processing of personal data should be granted before the telephone call is made. The Personal Data Protection Office rules out the possibility of obtaining such consent during the first call made to a natural person, while in the case of a business owner there are interpretational problems.

 

OBLIGATION TO PROVIDE INFORMATION

The introduction of the information obligation is a significant new feature of the GDPR. The data processor should inform the data subjects about the possession and processing of such data, regardless of the purpose of their processing. It is also good practice to include an information clause in the footer of e-mails in which personal data are processed.

 

BETTER PROTECTION OF MINORS

The GDPR introduces special protection of personal data of children under 16 (in Poland, the age has been lowered to 13). If we want to process such data to offer information society services (e.g. streaming, VOD, music services), we have to get the consent of their legal guardian. The Act does not cover, for example, orders and deliveries from online stores because they do not meet the definition of an information society service. Since that may cause interpretational problems, it is recommended to obtain consent from the parents of a minor under the age of 13 also for orders unconnected with small everyday errands (e.g. buying a newspaper, book or movie).

 

OUTSOURCING MARKETING OPERATIONS

If we outsource the activities to a marketing agency and have it process personal data, we need to remember to draw up a personal data processing agreement. In such a situation, the company which commissioned the marketing activities is the controller and the agency is the processor. As a result, in the event of e.g. leakage of personal data, the personal data controller will be notified by the processor and will be able to report the incident to the Personal Data Protection Office.

Sources:

https://prawo.gazetaprawna.pl/artykuly/1119302,rodo-przetwarzanie-danych-osobowych-marketing-reklama-pr.html
http://wyborcza.pl/7,156282,23369992,rodo-czym-sa-dane-osobowe.html

System developer in PRESS-SERVICE Monitoring Mediów. Passionate about programming, good pizza and Coca-Cola Zero. A fan of Lech Poznań and Robert Kubica.