Nowadays communication methods have changed and so have business rules. Therefore, when talking about data protection when sending commercial communications, we must distinguish two types of communications:
Electronic Communications
We are referring, fundamentally, to emails or emails; although faxes, WhatsApp messages, SMS and MMS and other similar means also fall into this category.
When communications are carried out by electronic means, the provisions established in the art. 21 of Law 34/2002, of July 11, Information Society Services and Electronic Commerce.
Two conclusions are drawn from this article:
- It is expressly prohibited to send emails without having the consent of the recipient (whether a natural person or a company).
- There is only one exception in this regard: we may send commercial emails, even without the consent of the recipient, if we have already maintained a prior contractual relationship with said recipient and provided that they involve products or services similar to those that were initially contracted. There are no more exceptions. We could consider then that the legal basis in this case would be that contained in art. 6.1.b of the GDPR: the processing is necessary for the execution of a contract to which the interested party is a party or for the application at the request of the interested party of pre-contractual measures.
In any case, we will have to provide the recipient with the possibility of opposing the sending of advertising, including an email address in each of the commercial communications that we send to request the opposition/unsubscription of these shipments.
Non-electronic communications
In other cases, that is, when communications are made by non-electronic means, the processing must be covered by the following two legal bases:
- Good in providing consent.
- Well, the article is applicable 6.1 f) of the Regulations, according to which the processing may take place, in the private sector, if it “is necessary for the satisfaction of legitimate interests pursued by the person responsible for the processing or by a third party, provided that said interests do not prevail over such interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child.
In relation to the first base, the consent, this must be express. It cannot be tacit and must be differentiated from the rest of the purposes for which the person responsible will use the personal data.
As regards the second, that is, legitimate interests pursued by the data controller or by a third party, Recital 47 recalls that the legitimate interest of a controller, an assignee or a third party, “may constitute a legal basis for the processing, provided that the interests or rights and freedoms of the interested party do not prevail, taking into account reasonable expectations. of the interested parties based on their relationship with the controller", later adding that "in any case, the existence of a legitimate interest would require a meticulous evaluation, including whether an interested party can reasonably foresee, at the time and in the context of the collection of personal data, that processing may occur for this purpose.
In particular, the interests and fundamental rights of the data subject may prevail over the interests of the controller when processing personal data in circumstances where the data subject does not reasonably expect further processing to take place.
This weighting must take into account:
- That it is a similar product or service to the one previously contracted by the client, not extending to others.
The concept of “similarity between services or products” will have to be exhaustively determined, since there are situations in which it is not clear and we will have to wait for further clarifications from the AEPD.
- It must be done whenever the interested party maintained a relationship with the entity, without affecting those cases in which the client has ceased that relationship.
When it comes to the provision of successive services, with a specific period of time, it is clear that there is a specific period in which we can consider whether a person is a client of the entity or not.
In cases where it is not a service that is provided, but rather the purchase of a product; We could consider that a commercial relationship continues to exist for the duration of the product warranty.
However, there are other cases, such as the provision of instant services or the purchase of a perishable product, that does not have sufficiently extensive legal guarantees, where determining whether it is an active customer or an ex-customer is not so simple.
In these cases, we recommend obtaining the consent of the interested party to be able to use their data for advertising purposes.
- That marketing or sending communications cannot be based on the preparation of exhaustive profiles of the interested party by combining different sources of information for which you have not given consent.
In these cases, when combining the advertising purpose with that of profiling the interested party, it requires the study of various connotations and possibilities that will be seen later in this report.
On the other hand, it follows that the development of exhaustive profiles is only possible through advanced technological treatments, which is why it should not be possible in manual treatments.
In addition, the General Data Protection Regulation lists some assumptions that can be taken into consideration to determine the applicability of said rule.
Thus, it is noted that “The processing of personal data for direct marketing purposes can be considered carried out out of legitimate interest.”
On the other hand, if the regulations governing privacy in electronic communications, which establish a particularly strict regime when obtaining the consent of the interested party, exempt from said consent the case referring to communications related to "products or services of your own company that are similar to those that were initially contracted with the client", it can be deduced that this rule would be applicable by analogy to cases in which said requirements are less enforceable; that is, to the actions carried out through other communication channels. For the legality of processing based on legitimate interest, it is also necessary to comply with the rest of the requirements established in the data protection regulations, among which it is worth highlighting the following:
- Compliance duty of information provided for in articles 13 and 14 of the RGPD. These aspects will be reported in each commercial communication.
- Likewise, the regulation of the advertising exclusion systems contained in article 23 of the aforementioned Organic Law 3/2018; That is, the advertising exclusion systems must be consulted unless the affected person has given, in accordance with the provisions of this organic law, his or her consent to receive the communication to whoever intends to make it.
- It must be guaranteed exercise of the right of opposition in accordance with the provisions of sections 2 and 3 of article 21 of the GDPR; That is, the interested party may object to the processing of his or her personal data for the purpose of direct marketing (including profiling to the extent it is related to said marketing).
A simple and free means must be provided to exercise the right to object to data processing for marketing purposes without affecting other treatments. In these cases, the controller may retain the necessary identification data of the affected person in order to prevent future processing for direct marketing purposes.
Do you want to be up to date with the Compliance & Data Protection Department and become an expert? With our Master in Compliance & Data Protection Management you can be a highly qualified professional in just 12 months
