The Information Commissioner’s Office (ICO) got many inquiries from people who got newsletters from the Swedish financial services group Klarna recently. Applicants questioned this event because they never had business with the payment firm mentioned above.
A marketing email from Klarna was followed by another message, which stated that the email had been sent accidentally and that they had not been added to a marketing database. However, the recipients were surprised why Klarna had their data in the first place.
The company spokesman apologized and explained, that their checkout technology is a product some retailers use to process payments on their website, which means that Klarna processes all credit and debit card transactions for these retailers, and also mentioned, that this email was sent to customers, who have recently used its services. It turned out, that when users use this payment technology while they agree to terms and conditions and privacy notice that allows Klarna to promote its products and services to them.
Within the European Union, direct marketing activities are subject to both the GDPR and the ePrivacy Directive. Article 4(11) of the GDPR stipulates that consent must be given by expressing one’s will, by making a clear statement, or by unambiguous action. This means that consent requires an active declaration of will and consent cannot be considered as an omission. According to guidelines issued by EDPB consent of the data subject means any:
- freely given,
- informed and
- unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
According to GDPR consent cannot be obtained in the same way as when agreeing to sign a contract or agreeing to the general terms of a contract. Such an action will not be in line with the form of expression of the data subject’s will, as the data subject will be forced to give consent on two issues that are not separated.
The main rule, embedded in the ePrivacy Directive, is that the consent of the data subject must be obtained before direct marketing communications can be sent. The ePrivacy Directive applies to direct marketing by all electronic means (such as e-mail, SMS).
Although there is a general rule that the consent of the data subject is required for the sending of advertising messages, the ePrivacy Directive provides for one exception when e-mail contact details may be used without the individual consent of the data subject. Recital 41 in the preamble of the Privacy Directive states that “(41) Within the context of an existing customer relationship, it is reasonable to allow the use of electronic contact details for the offering of similar products or services, but only by the same company that has obtained the electronic contact details in accordance with Directive 95/46/EC. When electronic contact details are obtained, the customer should be informed about their further use for direct marketing in a clear and distinct manner, and be given the opportunity to refuse such usage. This opportunity should continue to be offered with each subsequent direct marketing message, free of charge, except for any costs for the transmission of this refusal. “.
In conclusion, although there are exceptions to obtaining the consent of the data subject in both the Directive and the Regulation, we would recommend that you follow the practice of always obtaining the consent of the recipients of your direct marketing campaign. And remember the times when accepting general t & c’ s was considered to be a consent has passed away and there is no place for careless marketing campaigns in the EU anymore.
Prepared by assistant attorney at law Brigida Bacienė and legal assistant Nojus Antanas Bendoraitis