Personal data are often referred to as the "new gold". For the Dutch Data Protection Authority (DPA; Autoriteit Persoonsgegevens), the trade in personal data is one of the spearheads of its supervisory framework for 2018 and 2019. The DPA recently published new questions and answers in the field of marketing: "Are the persons in question your customers? If not, you usually need consent to collect their personal data and use them for direct marketing by post." The DPA takes a restrictive view in this regard.

1. Consent for e-marketing

For marketing by e-mail, sms or app, stricter rules on the basis of the Telecommunications Act already apply. You must request prior consent, unless:

  • you are approaching existing customers (consumers or businesses) regarding your own similar products or services;
  • a company has specifically created an e-mail address for this purpose, such as "[email protected]"; or
  • you are sending direct digital marketing to a company based in a country outside the European Economic Area and comply with the applicable requirements in that country for the sending of unsolicited communications.

You must, however, clearly and expressly provide an opportunity for the recipient to object when you receive personal data and each time you send direct marketing materials. You must ensure that data subjects can object to the collection and/or processing of their personal data freely and easily.

According to the DPA, an existing customer is:

"… a person that has purchased a product or service from you. There must be a purchase agreement or service agreement which obliges you to supply something and the customer to pay for it. A person who has not (yet) purchased anything or accepted a service but merely subscribed to your newsletter, completed a survey, participated in a contest or game or created a user account is not considered a customer."

2. Now also frequently required: consent for marketing by post

The DPA has currently also taken a strict stance on marketing by post, namely:

"Are the persons your customers? If not, you usually need consent to collect their personal data and use them for direct marketing by post."

The word "usually" may allow room for a basis other than consent, such as a legitimate business interest.

The DPA's positions on the right to object and the use of Postfilter are unchanged:

"Right to object

The General Data Protection Regulation (GDPR) gives data subjects the right to object to the use of their data for advertising mail. Once they have done so, you may no longer send them advertising by post. You may not ask people to provide a reason for their objection. The right to object to direct marketing is absolute. This means that you must always respect it.

Postfilter

If you wish to send someone advertising mail, you must first check if they are registered with Postfilter. If so, you may not send the person in question advertising by post. If a person registered with Postfilter is an existing customer, you may usually send him or her advertising mail.If the person does not wish to receive advertising by post, (s)he can object. In that case, you may no longer send him or her advertising mail."

3. Main rule: request consent for mailing list trading

The position of the DPA on mailing list trading is also strict. Under the old Dutch Personal Data Protection Act as interpreted by various guidelines and rulings, there was often leeway for this practice if it related to a legitimate interest and was considered 'compatible' with the purposes for which the personal data were collected. Here again, the DPA has taken as its starting point in the Q&A that consent is usually required. In the words of the DPA:

"Did you receive the contact data of the data subjects from a third party, such as an address seller? Check whether this party has informed the recipients properly. This party must always have a legal basis for the provision of data. This should usually be consent.";

"Do the data subjects know that their data are being provided to you for direct marketing? If not, you may not use the data for advertising mail, telemarketing or direct digital marketing (such as by e-mail, sms or app)."; and

"Please note that the fact that certain personal data are publicly available does not mean that the data subjects automatically agree to your processing of their personal data for marketing purposes and it will usually be necessary to request consent."

4. GDPR provides some leeway

The above positions appear quite rigid and restrictive with the exception of the word 'usually'. The DPA's Q&A does however refer to the leeway provided for by the GDPR in its recitals:

"Recital 47 of the General Data Protection Regulation (GDPR) indeed states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest. However, this will not be the case in many situations. For example, special rules apply to digital direct marketing (e-mail, sms or app). Under the Telecommunications Act, prior consent must frequently be obtained from the data subject. If use of the legitimate interest ground is possible, you must meet various conditions in order to use this basis. If you fail to do so, you will need consent to use the personal data for direct marketing."

5. If consent is required: how should it be obtained?

According to the GDPR, consent must meet four requirements: it must be 'freely given', 'specific', 'informed' and 'unambiguous'. In the past, these requirements were often not met under the old rules, so it's time to recheck your procedures and policies. The DPA defines the consent requirements as follows:

"1. Freely given

A person must be free to give his or her consent but also to refuse or withdraw it. If a person refuses consent, it is not permissible, for example, to refuse to provide a service to this person on this basis.

2. Specific

This means that there can be no doubt as to the specific use of the data to which the data subject has consented. For example, it should be clear which data you wish to use for direct marketing.

3. Informed

You must clearly inform data subjects of the processing of their personal data before they give consent. You must do so in understandable language, so that the data subjects are in fact aware of what they are consenting to. You will therefore have to provide substantial information in an open, transparent and orderly manner. Note: if you request consent at the same time as acceptance of an agreement, you may not "hide" the consent provisions in the contract. The wording on direct marketing must be clearly and separately mentioned.

4. Unambiguous

There must be a clear action. For example, a (digital) written or oral statement. In any case, it must be absolutely clear that consent has been granted. You cannot rely on the principle that silence equals consent. The use of pre-ticked boxes is therefore not allowed.

Provision to third parties

Do you wish to provide the personal details of your customers to third parties? If so, you need separate consent. You must adequately inform your customers of the (categories of) third parties to which you will provide their personal data.

Withdrawal of consent

Persons who have consented must be able to withdraw their consent at any time, through each e-mail, SMS or app you send. You must ensure that it is possible to withdraw consent free of charge and as easily as it is to grant it. It is therefore prohibited to allow the withdrawal of consent solely by post or telephone.

Proof of consent

You must be able to prove that you actually received consent. This is required by the accountability obligation pursuant to the GDPR. Please note that in order to demonstrate valid consent, it is essential that you can show on the basis of which information a person has consented. Thus, it is not sufficient to only record the consent."