In the past in Sweden, the processing of personal data for marketing purposes has been regulated by the Swedish Personal Data Act (“PUL”) and the Swedish Marketing Act. But on 25 May 2018, a new EU regulation, GDPR, will replace the Swedish Personal Data Act. So what does the new regulation entail for those who work with marketing?
Increased requirement on consent
The requirement to obtain consent for the storage of personal data is in itself nothing new – it has existed in the past and has been regulated by the Swedish PUL. The greatest change associated with the introduction of GDPR is an increased requirement to demonstrate active consent. In order to have obtained consent, a confirmation is now required from the data subject. Non-response, pre-checked boxes or the like are no longer considered sufficient to indicate consent. During an audit you will be forced to demonstrate that an approved form of active consent has been received from the data subject. However, an exception exists in the case of direct marketing where a legitimate interest is deemed to exist.
The increased requirement on consent is an aspect of the new regulation about which many people are concerned. For Paloma, who offer tools for purposes like newsletter mailings and invitations to events, there are great demands on finding out what the new regulation actually entails. So what does the term “legitimate interest” actually mean? In the Swedish PUL there is a special section entitled ”Balancing of interests” which addresses this very matter, and which means that you may store personal data in the marketing of specific products where a particular interest is deemed to exist for the recipient of the data. More or less the same balancing of interests principle also applies with GDPR, although it is now referred to as “Legitimate interest”. The greatest difference when it comes to legitimate interest applies to the storage of personal data belonging to children, for which there are greater requirements on the protection of personal data:
Processing is only lawful if and to the extent that at least one of the following conditions is fulfilled:
The processing is necessary for purposes that have to do with the legitimate interests of the controller of personal data or a third party, unless the interests or fundamental rights and freedoms of the data subject outweigh such legitimate interests and require protection of personal data, in particular when the data subject is a child.
Subsection f (i.e. the above provision) shall not apply to processing that is carried out by public authorities in the performance of their duties.
Regulation on Privacy and Electronic Communications
Work is currently underway on a new regulation that focuses on privacy and electronic communications and which is of the utmost relevance to those who send out newsletters, customer mailings and invitations. At present this is no more than a proposal, which was submitted in January 2017. The proposal contains, among other things, a definition of direct marketing communications as:
all forms of advertising that are sent to one or more identified or identifiable end-users of electronic communications services, including automated calling and communication systems with or without human interaction, email, SMS, etc.
The proposal entails that consent should apply in accordance with the definition contained in GDPR, in other words that active consent should also be received from the data subject in this context. The next step in the legislative process is that the European Parliament and the EU Council are to consider the matter of the proposed regulation, and the intention is for this to happen prior to 25 May 2018.
Regardless of the reason why personal data is being stored, the requirements on security, consent and data management are going to increase. The issue of consent has been brought into focus by the new regulation (GDPR), and as the controller of personal data you have a responsibility to weigh up whether a legitimate interest exists in relation to your particular newsletter mailings and/or event invitations. Because the work regarding the proposed regulation on privacy and electronic communications is not yet finished, it is difficult for us to provide exact advice as to how you should proceed. However, the weighing-up of the possible existence of a legitimate interest must take place in every individual case, and our advice as a provider of services intended to be used for direct marketing, is to always collect addresses in the future with GDPR in mind. An approved form of consent should always be obtained and be able to be demonstrated, regardless of the possible existence of a legitimate interest. You may not necessarily need to obtain consent from addresses you already have and recipients who are established contacts, although you should definitely consider doing so if you feel it would provide you with a greater sense of security in your work, in which case you are more than welcome to use our template for obtaining consent.