Email Marketing and the GDPR
Posted on 29th August 2019 at 14:44
Newsletter mailings and e-mail marketing are a fixed part of the online marketing universe. Processing is only allowed under GDPR if either the data subject has consented, or there is another legal basis. This could be, for example, preserving the legitimate interest of the controller to send e-mail marketing. Recital 47 of the GDPR expressly states that the law also applies to the processing of personal data for direct marketing as a legitimate interest.
In addition, such an interest could be seen, for example, if there is a relevant and proportionate relationship between the data subject and the controller. This could be the case if the data subject is a customer of the controller or is in the latter’s service.
Therefore e-mail marketing is allowed without consent, at least for existing customers. If the company has a justified interest in ‘cold’ calling through e-mail marketing, the marketing e-mails may be sent to potential customers without consent.
To receive no further information by newsletter or e-mail, the customer receiving them need only object to processing (unsubscribe) for marketing purposes. According to Art. 21(2), (3) GDPR the data subject always has the right to object the processing of personal data for direct marketing purposes.
If the data subject objects, the controller only has to stop the processing for marketing purposes, but can still process the data for other purposes, e.g. for the performance of a contract.
The legitimate interest of the controller to process data for marketing purposes can never outweigh the objection of the data subject. However, according to Art. 95 of the GDPR, this applies to all data protection-related purposes unless special rules with the same regulatory scope are contained in the ePrivacy Directive (see also recital 173).
The consequence is that e-mail marketing is currently only allowed with the consent of the parties concerned (Art. 13(1) of Directive 2002/58/EC). We must wait to see whether the coming ePrivacy Regulation provides more clarity about this issue.
Regardless of whether a company bases its marketing measures afterwards on its legitimate interest or on consent, the controller has to adhere to the data subject’s right to be informed.
Share this post: