As of May 25th 2018, the General Data Protection Regulation (GDPR) will become applicable.
To give you, as a marketing or sales professional, more insight into the changes this new legislation brings, SPOTONVISION organized a webinar ‘GDPR in aantocht: wat iedere marketeer moet weten’ in collaboration with Law Firm Kennedy Van der Laan.
The live webinar spawned such a large number of questions that it was impossible to discuss them all during the broadcast. Because we think that the answers to these questions are of value for every professional, we decided to discuss the 10 most interesting questions in this blog.
The questions were answered by Nicole Wolters Ruckert, privacy lawyer at Kennedy Van der Laan, specialized in Marketing. Please note that these answers are to be considered initial guidance and should not be used as legal advice.
Question 1: Will the GDPR initially only be applicable to larger organizations, and will SMEs follow later?
Answer: An organization’s size is not a factor that determines whether or not the GDPR will be applicable. Nothing within the new legislation singles out large organizations or multinationals above others, and there is nothing that would lean towards the idea that SMEs will be focused on after the fact, regarding compliance obligations.
In short, the GDPR is applicable to all organizations (regardless of size) that process personal information as of May 25th 2018. There are, however, certain aspects of the new GDPR legislation which will not influence SMEs.
Question 2: What is your advice for the implementation of the GDPR? Wait till May 2018?
Answer: Keeping the former in mind, all companies must meet the criteria that arise from the GDPR. Waiting until May 2018 is not an option. In the lead-up to the GDPR it will be important to implement standards to ensure that the new rules are respected.
Question 3: What is the consequence for personal information obtained in the past?
Answer: All previously obtained personal information will have to abide by the new rules that come into effect on the 25th of May 2018.
Question 4: When can more clarity be expected regarding e-Privacy regulation?
Answer: At present, the European Commission’s e-Privacy Regulation concept has been assessed by the European Parliament’s LIBE commission.
Approximately 700 amendments to the text have been proposed to the European Commission. These will be processed and it is expected that a text will be offered up for a vote by EU Parliament in the fall of 2017.
The ambition of the European committee is that the e-Privacy Regulation will be applicable on May 25th 2018 as well; however, various sources confirm that this is a very ambitious schedule.
Question 5: Will the rules regarding how to approach existing customers (without opt-in, but with opt-out) still apply later on?
Answer: The current rules for approaching current customers via commercial electronic messages are laid down in article 11.7, paragraph 3 of the Telecommunication law. These rules can be found one-by-one in the proposal of the e-Privacy Regulation of the European Committee. It is unknown whether this will be the case in the final version.
Question 6: Regarding the communication with current customers: how does GDPR handle e-mail addresses/personal information obtained during the sale of a product or service?
Answer: From question 5, it seems that the use of e-mail addresses of ‘current customers’ (so the e-mail addresses obtained in the context of a sale of a product or service) to send commercial electronic communication will primarily be regulated in the e-Privacy Regulation and not in the GDPR.
Important to mention: under the current rules of the e-Privacy Regulation (and it seems that it will stay this way in the future), the opportunity to opt-out (or offering a right of resistance) may suffice to lawfully practice this type of e-marketing. Permission is not mandatory in this situation. The electronic communication must thereby include ‘own comparable services or products’.
Question 7: Is the obligation of opt-out also applicable to print marketing?
Answer: The specific rules for e-marketing and telephone marketing are the focus of the e-Privacy Regulation; the GDPR regulates the general rules for the use of personal information for direct marketing purposes.
The definition of direct marketing includes addressed print marketing. When personal information is processed for this type of direct marketing purpose, a right of objection, or an opt-out against the associated processing of personal information, must be offered at any time.
Question 8: To what extent does the GDPR count for offline orders and visits and the processing of personal information in a CRM-system?
Answer: As indicated in question 7, there are specific rules for sending commercial electronic communication and thus for sending an electronic newsletter.
If these are sent to a so-called ‘current customer’, offering an opt-out when making use of the e-mail address will suffice. The opt-out also has to be offered in every subsequent electronic message (so in every sent electronic newsletter).
It is important to note that the processing of personal information for direct marketing purposes (in combination with collecting personal information originating from an offline order and processing this information in a CRM-database) is subject to the criteria of the GDPR.
Question 9: Is it correct that you do not need permission to process personal information as long as the associated party is aware that the information is going to be processed?
Answer: Based on the GDPR, just like the Dutch Law for the protection of personal information (Wet bescherming persoonsgegevens, Wbp), the processing of personal information has to be able to be based on a foundation. There are six possible foundations. The permission of the person involved is one of them.
Another one is that the processing of information is necessary for the justified interest of the responsible person or a third person, except when the privacy interests of the person involved (for example the customer) are more important.
The processing of personal information for direct marketing purposes can be based on the justified interest (as appears from the explanation of the GDPR). But an opt-out (or a right to object against the information processing) has to be offered. Permission is not per se needed for the use of personal information for direct marketing purposes.
Question 10: What is the difference between justified interest and permission?
Answer: Upon permission, a person concerned, such as a customer, is asked to consent to a certain processing of personal data: “Yes, I want to …”. With the presence of a justified interest, a company assumes that it has a business interest that justifies the processing of information. This company will inform the person involved, in this case the customer, about the information and offer an opt-out with the processing of personal information for direct marketing purposes: “No, I do not want”. But if the processing of personal information is based on the justified interest, no permission will be asked.
We hope that these answers will help you in your preparation for the GDPR.