New guidelines on direct marketing issued by the Portuguese Data Protection Authority: what has to change in the way companies do marketing?
Data Protection Alert Portugal
On 25 January 2022, the CNPD (Comissão Nacional de Proteção de Dados, the Portuguese Data Protection Authority) issued its first guidelines on the processing of personal data in the context of direct marketing by electronic communications.
Prompted by the sharp increase in the number of complaints in this area[1], the CNPD decided to issue the guidelines, which we summarise and systematise below:
- Electronic communications - to remove any doubt, the CNPD treats these as including emails, SMS/MMS and telephone calls (whether placed by automatic calling systems or with human intervention);
- The sending of direct marketing electronic communications to individuals is governed by Law 41/2004, of 18 August (Electronic Communications Privacy Law) and, in addition, by the GDPR and the Portuguese law implementing it (Law 58/2019, of 8 August);
- Even where the marketing activities are carried out by subcontractors (processors), or by companies those subcontractors engage in turn (sub-processors), with some degree of autonomy, the company that hired them and on whose behalf they act is not relieved of responsibility: under the GDPR, these entities must act strictly on the instructions of the company responsible for the processing (the controller).
1. Legal basis
The legal bases available for processing personal data for direct marketing purposes are the legitimate interest of the controller and the consent of the data subjects.
1.1. Legitimate interest
Consent is not required, and legitimate interest may be invoked, only if all of the following cumulative conditions are met:
- A prior customer relationship already exists with the recipient of the communication (the concept of customer being understood broadly, so as to cover relationships of reciprocal knowledge and trust which allow the controller to anticipate the data subject's expectations, provided the processing does not override the recipient's interests or fundamental rights and freedoms);
- The marketing communication concerns products or services identical or similar to those previously sold to the recipient;
- The data were collected in the context of the sale of a product or service; and
- The right to object was made available to the data subject at the time the data were collected (article 13-A of the Electronic Communications Privacy Law), and each marketing message gives the customer an easy and free way to refuse further use of his or her data for direct marketing, with the identity and contact details of the sender stated explicitly.
1.2. Consent
Consent must be express and comply with the requirements imposed by the GDPR, namely it must:
- Be informed, with the information given in a clear, simple and concise manner - which presupposes that data subjects are told in advance the matters listed in article 13 of the GDPR, namely the identity and contact details of the controller, the purpose of the processing (i.e. sending direct marketing electronic communications), the legal basis for the processing (i.e. consent), the retention period and the right to withdraw consent at any time;
- Be an express positive act - the CNPD reaffirms that pre-ticked boxes and implied consent are invalid;
- Be specific - each consent must correspond to one purpose and, where data are transferred, each third party that will receive the data to carry out electronic direct marketing must be covered by a separate consent; in other words, the data subject must consent separately to each purpose and to each recipient;
- Be freely given - the CNPD points out that consent is not freely given if it is obtained in return for the provision of a service where that service requires the processing of personal data not necessary for the performance of the contract;
- Be fair and transparent - the CNPD states that consent should not be used to create a false sense of comfort for the controller. Hence, even where consent appears valid from a formal perspective, the proportionality of the processing must still be considered in light of the legitimate expectations of the data subjects regarding the contact established (in particular, whether the data subject would be surprised by the processing).
2. Data collection
Personal data (email addresses and telephone numbers, among others) are collected for direct marketing purposes in one of two ways:
- Directly, by the company that intends to promote its products or services;
- Indirectly, through third parties (social networks, prize draws, contests) - in which case the company benefiting from the action acquires the personal contact details from those third parties.
3. The processors
- The processor acts only on instructions from the controller; if an instruction infringes the law, the processor must immediately inform the controller of that fact (for example, where the company wishing to promote its products instructs the processor to collect the data subjects' consent in breach of the requirements identified above);
- The controller has the duty to give the processor instructions on how marketing actions are to be carried out by electronic means, so that the processor processes the data in accordance with the law, and must also monitor the processor's actions;
- The collection of data for direct marketing purposes by a given entity, through electronic means, may only take place after the controller has contracted that service from it: before that moment the processor could not have identified the controller, and there was no subcontracting relationship that would justify processing data on the controller's behalf. Data a vendor collected before being engaged cannot, therefore, be treated as collected for that controller.
4. The third parties (data brokers and others)
- Processing operations which, under the guise of contests or competitions, are merely aimed at speeding up the construction of databases ready to be commercialised for massive direct marketing operations should not be accepted. Likewise, registration in a social network that subsequently transfers personal data to third parties for direct marketing operations should not be accepted;
- The sending of electronic communications for direct marketing purposes depends on the prior and express consent of the data subject; the CNPD notes that such consent is generally absent where the data were collected by third parties, in particular where the transfer of the collected data is mediated by brokers;
- The consents commonly used by data brokers for, for example, sharing data with "partners", "sponsors" or "group companies" are not valid, even where those entities are identified by sector of activity or in lists. According to the CNPD, it must be possible to give consent specifically, entity by entity;
- Consent to direct marketing obtained as a condition for consulting a website or participating in an activity (such as a prize draw or contest) is not valid either. In practice, the CNPD rejects the possibility of monetising personal data in this way.
5. The obligations of the controller (accountability principle)
- To adopt appropriate technical and organisational measures to protect personal data;
- To think, design and implement the processing operations ensuring the protection of personal data by design and by default;
- Carefully choose "processors that provide sufficient guarantees of implementing appropriate technical and organisational measures to comply with the GDPR";
- Enter into a written contract with the service providers whenever they process personal data on behalf of the controller;
- Assess the "risks associated with the processing and implement or require the implementation of measures to mitigate them";
- "Provide precise and documented instructions to the processors with respect to all aspects of the personal data concerned";
- Carry out "effective control of subsequent subcontracting, having to know or authorise it in advance";
- Carry out a data protection impact assessment whenever one is mandatory (the CNPD highlighting "that most direct marketing actions involve large-scale data processing and the frequent use of innovative technologies");
- Keep an updated list of the people who have given their consent to receive direct marketing electronic communications;
- Keep an updated list of the customers who have not objected to receiving these types of communications;
- Keep proof of the consents given for the receipt of direct marketing electronic communications (logs, the form used to collect the data, the information notice shown at the time consent was collected, the privacy policy or any other means used to provide the information required by law);
- Keep proof that the data subject was informed of the possibility of, and the conditions for, withdrawing consent and exercising the right to object.
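The record-keeping obligations in section 5 and the two legal bases in section 1 translate directly into what a marketing system must store and check before each send. The following is an added example written for this page; it is not code from the CNPD, the guidelines or Garrigues. It models a consent ledger in which every consent is tied to one purpose and one named recipient, keeps hashes of the notice and form wording shown at collection time as evidence, records withdrawals, and decides whether a message may go out either on consent or on the cumulative legitimate-interest conditions. All field names, the hashing scheme, the generic-recipient labels and the sample contacts are assumptions made for illustration.

```python
"""Consent ledger and send-eligibility check for direct marketing.

Added illustrative example (not from the CNPD guidelines or from Garrigues).
Field names, the hashing of notice/form text and the sample data are assumptions.
"""
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone
from hashlib import sha256
from typing import Optional

# Labels that name a class of recipients rather than one entity. Consent given
# "to partners" is not specific enough (section 4), so the ledger rejects them.
GENERIC_RECIPIENTS = {"partners", "sponsors", "group companies", "third parties"}


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware timestamp helper so all comparisons are unambiguous."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def text_hash(text: str) -> str:
    """Fingerprint of the notice/form wording, so proof survives later edits."""
    return sha256(text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class ConsentRecord:
    """One consent = one purpose + one named recipient + proof of what was shown."""
    contact: str                 # email address or phone number
    purpose: str                 # e.g. "marketing_email"; one purpose per consent
    recipient: str               # the single entity that will send the messages
    given_at: datetime
    channel: str                 # where it was captured: web form id, call-script id
    notice_sha256: str           # hash of the art. 13 GDPR information notice shown
    form_sha256: str             # hash of the exact wording next to the checkbox
    withdrawn_at: Optional[datetime] = None

    def valid_at(self, at: datetime) -> bool:
        return self.given_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)


@dataclass
class Customer:
    """Facts the controller needs to rely on legitimate interest (section 1.1)."""
    contact: str
    categories_bought: set = field(default_factory=set)
    collected_in_sale: bool = False               # data obtained in the context of a sale
    objection_offered_at_collection: bool = False  # art. 13-A right to object was shown
    objected: bool = False                         # customer has opted out since


class ConsentLedger:
    def __init__(self) -> None:
        self.consents: list[ConsentRecord] = []
        self.customers: dict[str, Customer] = {}

    def record_consent(self, contact: str, purpose: str, recipient: str, channel: str,
                       notice_text: str, form_text: str, given_at: datetime) -> ConsentRecord:
        if recipient.strip().lower() in GENERIC_RECIPIENTS:
            raise ValueError(f"consent must name one recipient, not {recipient!r}")
        rec = ConsentRecord(contact, purpose, recipient, given_at, channel,
                            text_hash(notice_text), text_hash(form_text))
        self.consents.append(rec)
        return rec

    def withdraw(self, contact: str, purpose: str, recipient: str, at: datetime) -> None:
        """Close every open consent for this contact/purpose/recipient triple."""
        self.consents = [
            replace(r, withdrawn_at=at)
            if (r.contact, r.purpose, r.recipient) == (contact, purpose, recipient)
            and r.withdrawn_at is None else r
            for r in self.consents
        ]

    def register_customer(self, customer: Customer) -> None:
        self.customers[customer.contact] = customer

    def may_send(self, contact: str, purpose: str, recipient: str,
                 category: str, at: datetime) -> tuple[bool, str]:
        """Return (allowed, basis). Consent is checked first, then legitimate interest."""
        for r in self.consents:
            if (r.contact, r.purpose, r.recipient) == (contact, purpose, recipient) and r.valid_at(at):
                return True, "consent"
        c = self.customers.get(contact)
        if c is None:
            return False, "no valid consent and no customer relationship"
        if c.objected:
            return False, "customer has objected"
        if not (c.collected_in_sale and c.objection_offered_at_collection):
            return False, "data not collected in a sale with the right to object offered"
        if category not in c.categories_bought:
            return False, "product not similar to those previously bought"
        return True, "legitimate_interest"

    def proof(self, rec: ConsentRecord) -> dict:
        """Evidence bundle the controller keeps per consent (section 5)."""
        return {"contact": rec.contact, "purpose": rec.purpose, "recipient": rec.recipient,
                "given_at": rec.given_at.isoformat(), "channel": rec.channel,
                "notice_sha256": rec.notice_sha256, "form_sha256": rec.form_sha256,
                "withdrawn_at": rec.withdrawn_at.isoformat() if rec.withdrawn_at else None}
```

The eligibility check returns the basis together with the decision so that the campaign log records why each message was allowed; a refusal reason that names the failed condition is what a DPO needs when answering a complaint. Hashing the notice and form text rather than storing only a version label means the stored proof still matches the wording shown even if the form is later edited in place.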
6. Conclusion
In conclusion, although almost nothing in these CNPD guidelines is genuinely new, they make it possible to understand and anticipate how the authority will decide administrative offence proceedings for breach of article 13-A of the Electronic Communications Privacy Law, read together with the GDPR.
Garrigues' data protection team is available to review its clients' marketing and sales documents and procedures against the content of these guidelines, to support their implementation and thereby manage the risks associated with future business initiatives.
[1] Between May 2019 and January 2022, the CNPD received around four thousand complaints about unsolicited electronic communications, with an upward trend: 528 by the end of 2019; 1256 during 2020; and 2075 during 2021.