12/02/2024
If an entrepreneur wants to increase sales and not get into trouble in the process, he needs to know how to conduct marketing in compliance with RODO. Processing personal data for direct marketing purposes on the basis of the controller’s legitimate interest is not enough in most cases. It is necessary to obtain marketing consent.
An entrepreneur conducting advertising activities must focus not only on creating an effective marketing strategy, but also on complying with applicable laws, including the regulations contained in the General Data Protection Regulation (RODO). However, it is worth noting that this regulation is not the only piece of legislation that business owners must take into account in their operations. Marketing issues in the context of data protection are also regulated, for example, in the Law on the Provision of Electronic Services and the Telecommunications Law.
It is not worth taking shortcuts, especially since the legality of the marketing activities of entrepreneurs is of interest to the President of the Office of Personal Data Protection (UODO), the President of the Office of Competition and Consumer Protection (UOKiK), as well as the President of the Office of Electronic Communications (UKE). The sanctions they are able to impose on business owners can be severe and are not limited to financial penalties. How to legally conduct marketing in compliance with RODO? First of all, you need to know what is involved in the legal basis for processing personal data and marketing consents.
Most companies process personal data in the course of doing business. An entrepreneur can only do so on a specific legal basis indicated in Art. 6 paragraph 1 RODO, for example, for the performance of a contract, based on the consent given to process personal data or the legitimate interest of the controller. What is the appropriate legal basis for processing personal data for marketing purposes? The entrepreneur has a choice.
As a general rule, in the case of marketing, the business owner may process personal data based on the legitimate interests of the controller or on the basis of consent obtained from the data subject. The choice of a particular option should not be haphazard – each possibility entails certain consequences. Legitimate interest is not always the right choice. On the other hand, the business owner should realize that if the personal data of a potential customer is processed on the basis of marketing consent, and the subject withdraws the consent given, the entrepreneur will not be able to suddenly base the processing of that person’s data on the controller’s legitimate interest.
An entrepreneur may process personal data of potential customers for marketing purposes based on the legitimate interest of the controller, but must meet a number of conditions when doing so. First, the interests or fundamental freedoms and rights of the persons whose data is to be processed cannot override the interests of the business owner. For this purpose, the entrepreneur should carry out a so-called balance test. It indicates whether the interests of the data controller, i.e. the company, outweigh the interests of the data subjects. Second, the person whose data is to be processed should be able to expect the processing planned by the business owner. In addition to this, an entrepreneur processing personal data on the basis of the controller’s legitimate interest must remember one more issue – fulfilling the information obligation, which many business owners forget.
The RODO requires data controllers to provide a set of specific information to the person whose data is being processed. The obligation to provide information must be fulfilled both when personal data is obtained directly from the data subject and when it is obtained from other sources, such as third-party databases or the Central Register and Information on Economic Activity (CEiDG). It is worth mentioning that an entrepreneur must also comply with the information obligation when it changes or adds a new purpose for processing or implements a request for access to data. The RODO requires business owners to provide information on the processing of personal data to data subjects in a concise and transparent manner. The information should include, first of all, a notification of the processing of the person’s data and its purpose, as well as an indication of the data controller and, if appointed, the data protection officer, an indication of the recipients of the processed data and an indication of the data storage period.
Entrepreneurs need to know when to comply with the information obligation, i.e. at what point after the data is acquired the potential customer must be informed about its processing. According to the Data Protection Regulation, if personal data has been obtained directly from the data subject, the information obligation should already be fulfilled at the time of data collection. And in other cases? If personal data is obtained from other sources, the information obligation should be fulfilled as soon as possible after obtaining the personal data, but no later than within a month. On the other hand, in the case of data collection for communication purposes, the fulfillment of the information obligation should take place no later than the first contact.
Interestingly, the RODO provides for several exceptions to the information obligation. First, the entrepreneur is exempted if the personal data collected comes from the data subject and that person already has a full catalog of information about the data controller. Second, you do not need to comply with the information obligation if the personal data was obtained from other sources and one of the following circumstances exists:
As a rule, when conducting marketing activities, it is not enough to invoke the processing of potential customers’ data on the basis of the controller’s legitimate interest. Nor is fulfilling the information obligation enough to make all marketing activities legal. This is because the entrepreneur must have regard to the provisions of national law contained in the Law on the Provision of Electronic Services and the Telecommunications Law. According to Art. 10 paragraph 1 of the former, “it is prohibited to send an unsolicited commercial communication addressed to a designated recipient who is a natural person by means of electronic communication, in particular e-mail.” In turn, as stated in Art. 172 paragraph 1 of the Telecommunications Law, “it is prohibited to use telecommunications terminal equipment and automatic calling systems for direct marketing purposes or to send unsolicited commercial information within the meaning of the Act of July 18, 2002 on the provision of electronic services, unless the subscriber or end user has given prior consent.”
Domestic law imposes certain obligations on businesses that process personal data of potential customers on the basis of legitimate interests for marketing purposes. If a business owner intends to use personal data for e-mailing campaigns, he or she must first obtain permission from the data subjects to send commercial information to them. Importantly, this consent should be given before the message containing commercial information is delivered. This means that it is illegal to send e-mails or text messages containing commercial information while asking for consent to process data for marketing purposes.
If the business owner does not obtain proper consent before sending the messages, they will be classified as unsolicited commercial information. According to Art. 10 paragraph 2 of the Law on the Provision of Electronic Services, “commercial information is considered to have been solicited if the recipient has consented to receive such information, in particular has provided an electronic address identifying him for this purpose.”
Legitimate interest is not the only legal basis for processing personal data for marketing purposes. An entrepreneur may also process personal data based on consent given under Art. 6 paragraph 1(a) RODO. According to the law, the consent given by the data subject should have the characteristics of a voluntary, specific and informed demonstration of will and be expressed in the form of an unambiguous statement or affirmative action. What does this mean in practice? According to recital 32 of the RODO, “This may consist of checking a box when browsing a website, selecting technical settings for the use of information society services, or any other statement or behavior that, in the given context, clearly indicates that the data subject has accepted the proposed processing of his or her personal data. Silence, default boxes or inaction should therefore not imply consent.” Entrepreneurs should focus on the correct construction of marketing consents. In addition, just as important as legally obtaining consents is allowing data subjects to withdraw them.
Coercing marketing consent can include using dark patterns and burying consent to process data for marketing purposes among the provisions of the site’s or store’s terms of service. If a business does not give data subjects a choice and prevents them from making an informed decision on the subject, it violates applicable laws. Companies that process personal data for marketing purposes without obtaining consent risk financial penalties that the UODO and the UOKiK may impose. Besides, a data subject dissatisfied with the unsolicited commercial information he or she receives may file a claim with the competent court seeking redress for spam.