25 May 2018 saw the entry into application of the General Data Protection Regulation (GDPR), which set new rules for the processing of personal data, including in the context of marketing, advertising and PR. Non-compliance with the Regulation may result in fines of up to EUR 20 million or 4% of the company's total worldwide annual turnover, whichever is higher. In Poland, the two highest fines to date, i.e. almost PLN 1 million and PLN 3 million, were imposed in 2019. Considering the level of the penalties, every company should approach the processing of personal data very carefully. Do you know what you should pay special attention to?
WHAT ARE PERSONAL DATA EXACTLY?
Personal data means information that makes it possible to identify a given person. The same information will not always be personal data for every entity: the IP address of a user's computer is personal data for the internet operator, but not necessarily for a website, if the website has no means of unequivocally identifying the user from it. In the marketing sector, the most frequently processed personal data include: first name and surname together with the address of residence (for common surnames) or the first name and surname alone (for unique ones); an e-mail address that contains identifying elements such as first name, surname and company name; and a direct telephone number.
DATA PROCESSING IN ACCORDANCE WITH THE LAW (Article 6(1) of the GDPR)
For marketing purposes, the most common legal bases for processing personal data are the legitimate interest of the controller and the consent of the data subject. Direct marketing is named as an example of a legitimate interest of the controller (recital 47 of the GDPR). It is worth adding that consent obtained from users before the GDPR applied remains valid, provided that it meets the conditions set out in the Regulation. This is particularly important for Poland because we were previously subject to the Personal Data Protection Act of 1997, which already covered most of the requirements set by the GDPR. These requirements include:
Consent must be unambiguous: we cannot offer a free e-book sent to the user's e-mail address and then send a newsletter to that address without the user's separate consent. Consent cannot be presumed; the user must always confirm it by an affirmative act, e.g. by ticking a checkbox that is unticked by default. The GDPR requires the request for consent to be clear, concise and tailored to the recipient.
Consent must be specific. Several consents can no longer be bundled into one field, e.g. consent to processing personal data for order and payment handling together with consent to marketing. The purpose of processing should be specific and each consent should be obtained separately. Importantly, consent to “marketing purposes” alone is not specific: if we plan to use the user's data to send them a newsletter or promotional codes, we should name those purposes in the consent we request.
The form of the consent we are soliciting should be clear, simple and concise, and the language used should be adapted to the recipient (we will word the consent we need from a programmer on a specialised portal differently than one for a 16-year-old on a youth portal) and to the profile of our activity (the form of communication used by an IT corporation, a bank or a law firm will differ from that used by a fashion portal).
Consent must be freely given, which means a genuine choice: it cannot be forced, e.g. by refusing to process an order in an online store unless the user also agrees to receive marketing information that is not needed to complete the order.
Under recital 70 and Article 21(4) of the GDPR, a controller processing personal data on the basis of its legitimate interest must inform the data subject that they may object to that processing, at the latest at the time of the first communication, clearly and separately from any other information.
THE FORM OF OBTAINING CONSENT
The GDPR allows consent to be obtained in writing (including electronically) or orally, but it should be remembered that the controller bears the burden of proving that consent was obtained (e.g. by recording the date, time and IP address of the user's computer, and which version of the consent wording was shown). The Regulation does not exclude modern forms of expressing consent, e.g. a gesture made on a smartphone screen or the use of the smartphone's fingerprint reader. When consent is obtained, the data subject should be informed about: the identity of the controller; the purpose of the processing; the right to withdraw consent at any time; any automated decision-making, including profiling; any transfer of the data to third countries (outside the EEA, i.e. the EU plus Iceland, Liechtenstein and Norway; the United Kingdom's status depends on the Brexit arrangements) or to international organisations; and the period for which the data will be processed.
Importantly, withdrawal of consent does not override laws obliging the entity to retain the data (e.g. for accounting purposes), but such retention obligations do not exempt it from deleting data that were obtained only for marketing purposes. For example, order data in an online store kept for statistical purposes should be anonymised once the statutory warranty period for the purchased products has expired.
Under the Polish Telecommunications Law, in the case of telephone marketing (calling), consent to receive marketing calls must be obtained before the call is made. The Personal Data Protection Office rules out obtaining such consent during the first call made to a natural person, while in the case of a business owner there are interpretational problems.
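The consent requirements above (unambiguous, specific per purpose, freely given, withdrawable) and the controller's duty to prove what consent was obtained translate into a fairly simple data model: an append-only ledger of consent events, keyed by subject and by one specific purpose, where the latest event decides and the whole history is kept as evidence. The following is an added example written for this article, not code from any product or from the original text; the class and field names, the list of "vague" purposes and the sample user and IP address are all assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentRecord:
    """One consent event. Records are never edited; a withdrawal is a new event."""
    subject_id: str
    purpose: str          # one specific purpose ("newsletter", "promo_codes"), not "marketing"
    granted: bool         # True = consent given, False = withdrawn or refused
    recorded_at: datetime
    source_ip: str        # evidence the controller must be able to produce
    text_version: str     # which wording of the consent request the user saw
    evidence: str         # how consent was expressed, e.g. "checkbox:newsletter_optin"


class ConsentLedger:
    """Append-only per-purpose consent store (assumed design, not a standard API)."""

    # Purposes too vague to satisfy the "specific consent" requirement (assumed list).
    VAGUE_PURPOSES = {"marketing", "marketing purposes", "other"}

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, subject_id: str, purpose: str, granted: bool, source_ip: str,
               text_version: str, evidence: str,
               at: Optional[datetime] = None) -> ConsentRecord:
        if purpose.strip().lower() in self.VAGUE_PURPOSES:
            raise ValueError(f"purpose {purpose!r} is not specific enough")
        if granted and not evidence:
            # Consent cannot be presumed: a grant needs an affirmative act behind it.
            raise ValueError("granted consent requires evidence of an affirmative act")
        rec = ConsentRecord(subject_id, purpose, granted,
                            at or datetime.now(timezone.utc),
                            source_ip, text_version, evidence)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, source_ip: str,
                 evidence: str = "unsubscribe_link") -> ConsentRecord:
        return self.record(subject_id, purpose, False, source_ip, "n/a", evidence)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """The most recent record for (subject, purpose) decides; no record means no consent."""
        latest = None
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose:
                latest = rec
        return latest is not None and latest.granted

    def proof(self, subject_id: str, purpose: str) -> List[ConsentRecord]:
        """Full history for a purpose, so the controller can show what was obtained and when."""
        return [r for r in self._records
                if r.subject_id == subject_id and r.purpose == purpose]


def demo() -> dict:
    """Walk through the e-book/newsletter case from the article with constructed data."""
    ledger = ConsentLedger()
    user, ip = "user-42", "203.0.113.7"   # constructed sample values
    # The user asked for the free e-book; that is consent to deliver the e-book only.
    ledger.record(user, "ebook_delivery", True, ip, "v3", "checkbox:ebook_optin")
    newsletter_before = ledger.has_consent(user, "newsletter")
    # A separate checkbox, unticked by default, covers the newsletter.
    ledger.record(user, "newsletter", True, ip, "v3", "checkbox:newsletter_optin")
    newsletter_after = ledger.has_consent(user, "newsletter")
    # Withdrawal is just another event; the earlier grant stays in the history.
    ledger.withdraw(user, "newsletter", ip)
    newsletter_withdrawn = ledger.has_consent(user, "newsletter")
    # A blanket "marketing purposes" consent is rejected as not specific.
    try:
        ledger.record(user, "marketing purposes", True, ip, "v3", "checkbox:all")
        vague_rejected = False
    except ValueError:
        vague_rejected = True
    return {
        "newsletter_before": newsletter_before,
        "newsletter_after": newsletter_after,
        "newsletter_withdrawn": newsletter_withdrawn,
        "ebook_still_ok": ledger.has_consent(user, "ebook_delivery"),
        "newsletter_history": len(ledger.proof(user, "newsletter")),
        "vague_rejected": vague_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that sending a newsletter is gated on `has_consent(user, "newsletter")` and on nothing else: consent for e-book delivery does not spill over, an absent record is treated as no consent rather than presumed consent, and `proof()` returns the dated, IP-stamped history the controller would hand to the supervisory authority.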
OBLIGATION TO PROVIDE INFORMATION
The expanded information obligation is a significant feature of the GDPR. The controller must inform data subjects that it holds and processes their data, regardless of the purpose of the processing (Articles 13 and 14 of the GDPR). It is good practice to include an information clause also in the footer of e-mails in which personal data are processed.
BETTER PROTECTION OF MINORS
The GDPR introduces special protection for the personal data of children under 16 (in Poland, the age has been lowered to 13). If we want to process such data in order to offer information society services directly to a child (e.g. streaming, VOD or music services), we need the consent of the holder of parental responsibility. It is debatable whether, for example, orders and deliveries from online stores fall within the definition of an information society service, and since that may cause interpretational problems, it is recommended to obtain parental consent for a minor under 13 also for purchases other than small everyday ones (e.g. buying a newspaper, book or film).
OUTSOURCING MARKETING OPERATIONS
If we outsource marketing activities to an agency and have it process personal data on our behalf, we need to conclude a data processing agreement (Article 28 of the GDPR). In such a situation, the company that commissioned the marketing activities is the controller and the agency is the processor. As a result, in the event of e.g. a leak of personal data, the processor must notify the controller without undue delay, and the controller must report the breach to the Personal Data Protection Office within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned.