The General Data Protection Regulation (GDPR) had a direct impact on marketing practices, including email marketing, otherwise known as newsletters. Even though the GDPR became effective a few years ago, a lot of marketers are still struggling to adapt and are concerned with the need to change rapidly how they seek, obtain and save consent.
Background
The European Union Agency for Cybersecurity (ENISA) was using the services of a newsletter service provider that was based in the EU but had sub-processors in the US, all while using the European Commission’s Standard Contractual Clauses (SCC). Following the ECJ’s Schrems II judgment, it became clear that the SCC alone are not enough for the purpose of data transfer to third countries.
For this reason, ENISA reached out to the European Data Protection Supervisor (EDPS) for a consultation regarding personal data transfers to the US.
The lawfulness of the data processing
Before assessing the transfer of personal data to third countries, it must be assessed whether the processing of personal data is lawful at all.
The following essential points must be evaluated:
- Legal basis for data processing. The lawfulness of the data processing under Article 5 of the GDPR must be ensured. In some cases, for example, when the processing is necessary for the performance of a task in the public interest, this step can be skipped.
- Policy statement. The data controller must ensure inter alia that data subjects are informed about the processing of their personal data under Articles 13 and 14 of the GDPR. When the processing includes transfers to third countries, the information must be easily accessible, transparent and understandable.
- Choice to opt out. If data subjects’ consent is needed as the legal basis for the processing, they also need to be given a genuine choice to opt out voluntarily.
Additional legal grounds for international transfers – use of derogations
If no adequacy decision or appropriate safeguards for data transfers to third countries exist, derogations, according to Article 49 of the GDPR, must be used.
One of the main derogations for transfers to third countries is the data subjects’ consent. While gaining such consent may seem like an easy task, some specific requirements exist:
- Data subjects need to be fully informed that their data is going to be transferred to third countries and, if no adequacy decision or appropriate safeguards are set, the risks of such transfers must be mentioned explicitly.
- The consent must be explicit, meaning it should be freely given, specific, informed and unambiguous. For example, silence, pre-ticked boxes and information without a clear affirmative act do not constitute explicit consent.
- The consent must be specific, meaning consent given regarding a previous activity will not constitute consent for future processing, thus a specific consent for each separate situation must be exclusively given.
- Data subjects’ consent must be documented for each specific transfer and an easy way to withdraw from such transfers should be given throughout. If explicit consent is used for specific data protection risks, the subjects must be informed that this creates a “double consent” and that withdrawal from it is separate from the general consent for data processing.
If you transfer personal data to third countries for direct marketing purposes, you must obtain consent not only for direct marketing, but also consent to transfer the data to third countries. The possible risks of such transfer must be exclusively mentioned to consenting data subjects.
If your organization is struggling with adapting to data protection changes, especially when it comes to data transfers to third countries, do not hesitate to contact data protection experts at ECOVIS for more information or help.
Prepared by Brigida Bacienė, Data Protection Expert of ECOVIS ProventusLaw, and Gabija Bacevičiūtė, junior lawyer of ECOVIS ProventusLaw.