The charity notes that the impact of a fundraising sending on these individuals is likely to be minimal, but includes details in the sending (and any subsequent submissions) about how individuals may choose to stop receiving postal marketing in the future. Although you cannot use legitimate interests as a basis for processing your duties as a public authority, this does not mean that this can never apply. A number of factors could indicate that legitimate interests are unlikely to constitute an adequate legal basis for your processing. For example, you should avoid choosing legitimate interests if: The table below provides you with a slightly more structured overview of the possible legal bases for direct marketing activities under the GDPR and the ePrivacy Directive. Using this processing base, which is expected and has little impact on privacy, can help you avoid bombarding people with unnecessary consent requests and can help avoid “consent fatigue.” It can also, if done correctly, be an effective way to protect the interests of the individual, especially when combined with clear privacy information and an initial opt-out. Of the six legal bases for processing offered by the GDPR, two in particular stood out – consent and legitimate interests – and one question we`ve often heard at OneTrust is: which one should I rely on when sending direct marketing emails? This is a difficult question to answer and, as most lawyers will tell you, “it depends.” A retailer runs a loyalty program. Individuals sign up to be part of the program and earn loyalty points by providing personal information in exchange for special offers. The retailer processes personal data for various purposes and wishes to use legitimate interests as a legal basis. In other words, even if no opt-in consent is required before sending marketing emails, the GDPR still requires that the recipient always has the option to opt out of receiving such emails. Recital 47 of the GDPR provides an additional explanation of the legitimate interest and states that legitimate interests may exist if there is a relevant relationship between the data subject and the controller, for example if the data subject is a customer or uses services provided by the controller.1 In addition, recital 47 expressly states that the processing of personal data for the purposes of direct marketing can be considered to have a legitimate interest. Make sure that every employee in the marketing department knows the rights of data subjects and knows how to react and react when such a request crosses their path. Yes, in some cases, public authorities may consider the use of legitimate interests as a legal basis.
No. Although legitimate interests are a flexible concept and are often relevant, they do not apply to everything and you cannot use it as a standard basis for all your processing. If you intend to process personal data for direct marketing purposes electronically (by e-mail, SMS, robocalls, etc.), legitimate interests may not always constitute an appropriate basis for the processing. Indeed, privacy and electronic communications laws on electronic marketing – currently the Regulation on the Protection of Privacy and Electronic Communications (PECR) – require individuals to give their consent to certain forms of electronic marketing. Due to the effect of Article 94 of the GDPR, the GDPR consent standard applies. However, these obstacles are not insurmountable. Overcoming them should be a joint effort of the organizations` stakeholders, and the way you approach them will affect the success of your marketing. In addition to the Regulation, the process of transmitting electronic communications for direct marketing purposes is governed by the lex specialis “Regulation on the processing of personal data (electronic communications sector)” (subsidiary legislation 586.01 under the Data Protection Act 2018), which implements the provisions of the ePrivacy Directive 2002/58/EC. The Dutch Data Protection Authority has concluded that data sharing by the KNLTB does not meet the requirements of the LIA, as the monetisation of members` personal data is not an interest that has a legal basis and does not follow any legal standards. According to the Dutch Data Protection Authority, these requirements are necessary for an interest to be considered legitimate. The Dutch data protection authority also stressed that the interest is not an urgent need to process personal data. Finally, the Netherlands Data Protection Authority considered that a commercial purpose could not in itself be regarded as a legitimate interest.
You should always choose the base that best suits the particular circumstances. If they understand each other, they can create a compliance program that is flexible enough for marketing to continue to achieve its goals while maintaining compliance and protecting the company from reputational damage, GDPR violations, and extreme fines. Invalid: “By registering, you agree to receive email marketing messages from us. If you do not wish to receive such messages, tick here: “If the marketing communications are addressed to “The Occupant” and do not contain personal data, the law does not apply due to the exclusion of the processing of personal data. Compliance with these rights affects the data processing activities of organizations (including processing activities for marketing purposes). This means that there may be a legitimate interest if there is a “relevant and appropriate relationship” between you and the individual. For example, if the person is your customer or employee. However, it does not say that the basis of legitimate interests still applies.
You continue to process personal data if you use and store the names and contact details of your individual contact persons in other companies. You must have a legal basis to process this personal data. You may also need to specify your purposes for certain elements of your processing in order to demonstrate that the processing is necessary and to assess the benefits in the balancing test. For example, if you use profiling to target your marketing. In the past, consent was one of the most common legal bases on which the processing of personal data was based. However, under the GDPR, additional conditions must be met, making it more difficult to use consent as the legal basis for processing. According to Article 4(11) of the GDPR, consent is defined as “any specific, informed and unambiguous indication of the freely expressed, specific, informed and unambiguous wishes of the data subject, by means of a statement or other clear positive action by which the data subject indicates that he or she consents to the processing of personal data concerning him or her”. It is important for a CMO to understand the meaning and legal requirements of transparency and how to present it to data subjects, to choose the right wording and form, and to make it available to their website visitors, newsletter subscribers and other contacts. Personal data is collected lawfully and is not processed for a purpose incompatible with that for which the information was collected. For example, the telephone directory, a publicly accessible registry, can be used by anyone to contact a subscriber whose name appears on it.
The purpose of direct marketing the charity to obtain funds to promote its cause is a legitimate interest. Privacy solutions, such as Data Privacy Manager (there are other options, of course), are specifically designed to address marketing challenges such as managing consent and preferences, data subject requests or deleting data with a better understanding of the GDPR and allow you to collaborate with other departments.