Email Marketing | General Data Protection Regulation (GDPR)
Newsletter mailings and e-mail marketing are a fixed part of the online marketing universe. Basically, the principle that processing is prohibited but subject to the possibility of authorisation also applies to the personal data which is used to send e-mails. Processing is only allowed by the General Data Protection Regulation (GDPR) if either the data subject has consented, or there is another legal basis. This could be, for example, preserving the legitimate interest of the controller to send e-mail marketing. Recital 47 of the General Data Protection Regulation expressly states that the law also applies to the processing of personal data for direct marketing as a legitimate interest of the controller.
In addition, such an interest could be seen, for example, if there is a relevant and proportionate relationship between the data subject and the controller. This could be the case if the data subject is a customer of the controller or is in the latter’s service. Therefore, much indicates that e-mail marketing is allowed without consent, at least for existing customers. If the company has a justified interest in ‘cold’ calling through e-mail marketing, the marketing e-mails may be sent to potential customers without consent. To receive no further information by newsletter or e-mail, the customer receiving them need only object to processing for marketing purposes. According to Art. 21(2), (3) GDPR the data subject always has the right to object the processing of personal data for direct marketing purposes. If the data subject objects, the controller only has to stop the processing for marketing purposes, but can still process the data for other purposes, e.g. for the performance of a contract. The legitimate interest of the controller to process data for marketing purposes can never outweigh the objection of the data subject. One must note, however, that according to Art. 95 of the General Data Protection Regulation, this applies to all data protection-related purposes unless special rules with the same regulatory scope are contained in the ePrivacy Directive (see also recital 173). The consequence is that e-mail marketing is currently only allowed with the consent of the parties concerned (Art. 13(1) of Directive 2002/58/EC). One must wait to see whether the coming ePrivacy Regulation provides more clarity about this issue.
Regardless of whether a company bases its marketing measures afterwards on its legitimate interest or on consent, the controller has to adhere to the data subject’s right to be informed. The content of said information depends on which justification reason is used. Please be aware that there might be certain additional national laws (e.g. competition law) which might be slightly stricter or which may impose additional restrictions.
Suitable GDPR articles
Art. 6 GDPR Lawfulness of processing Art. 7 GDPR Conditions for consent Art. 21 GDPR Right to object Art. 95 GDPR Relationship with Directive 2002/58/EC
Suitable Recitals
(32) Conditions for Consent (33) Consent to Certain Areas of Scientific Research (39) Principles of Data Processing (40) Lawfulness of Data Processing (41) Legal Basis or Legislative Measures (42) Burden of Proof and Requirements for Consent (43) Freely Given Consent (47) Overriding Legitimate Interest (171) Repeal of Directive 95/46/EC and Transitional Provisions (173) Relationship to Directive 2002/58/EC
Key Issues Table of contents