State Data Protection Inspectorate updated information regarding personal data processing for direct marketing purpose and announced the guidelines on how data processing of such persons should be carried out and what rights have data subjects.
Processing of personal data for direct marketing purpose is regulated by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter – GDPR), Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Republic of Lithuania Law on Legal Protection of Personal Data (hereinafter – LLPPD), as well as, Republic of Lithuania Law on Electronic Communications (hereinafter – LEC), therefore, when assessing whether personal data is being processed for the purposes of direct marketing, the provisions of this legislation must be analyzed in a comprehensive manner.
Below we list the main rules to keep in mind when sending and receiving such messages.
– Article 69 Part 1 of LEC states that direct marketing offers made by call, e-mail or short message service (SMS) may be provided only with the prior consent of the subscriber or registered user of an electronic communications service.
– Exeption from this general rule is provided in Article 96 Part 2 of the LEC, which indicates that direct marketing offers may be sent to existing customers via email contact details without prior consent, if customers are provided with clear, free of charge and easily realisible option not to accept or to refuse such use of the contact details for the purposes set out above, when such data is collected, and, if the customer has not initially objected to such use, by sending each message.
– Therefore, in accordance with these provisions of LEC, direct marketing offers may be sent only to the existing customers, subject to set out conditions, and sent to other persons only with their prior consent.
– Article 69 Part 3 of LEC states that e-mail message which is used for direct marketing purpose must include the identity of the sender on whose behalf the information is being sent or a valid address at which the person receiving the electronic message may request termination of the provision of such information.
In case where data subject got direct marketing offer, State Data Protection Inspectorate first of all recommends contacting data controller and in accordance with Article 15 of GDPR request providing the information on the purpose for which the personal data is processed and in accordance with which legal condition of processing the personal data is processed.
If the response of data controller does not satisfy data subject or rights of data controller are breached, such actions or inactions of the sender of direct marketing messages may be appealed to the State Data Protection Inspectorate. Requirements for the appeal are listed in Article 24 of LLPPD. All information regarding appeal of complaint to the State Data Protection Inspectorate can be found at: https://vdai.lrv.lt/atmintine-asmenims-ketinantiems-kreiptis-i-valstybine-duomenu-apsaugosinspekcija-del-skundo-pateikimo/.
In accordance with recommendations of the State Data Protection Inspectorate we suggest companies to revire the following processes:
– Make sure that direct marketing offers via electronic channels are sent only with the prior consent of the customers, except in the case of an LEC:
When such direct marketing offers are sent to the existing clients via email contact details, if clients are provided with a clear, free of charge and easily realizable option to object and if clients initially did not object to such use of the data;
– Prior consent of the data subject to make direct marketing offers by telephone (calls) must be obtained in all cases;
– Make sure that direct marketing offers include contacts of data contoller and / or way in which the data subject can easily refuse of receiving such offers;
– Evaluate whether the process of implementation of data subject’s rights is regulated and effectively in place within the company to justify the use of contact details for direct marketing upon request from the data subject.