The principle of lawfulness as held under article 5(1)(a) of the General Data Protection Regulation (GDPR) is that organisations acting as controllers shall always have a lawful basis for processing personal data. Marketing is treated similarly to any other data processing operation; therefore an organisation shall ensure that its processing activities comply with the principles of processing and rely on at least one of the lawful bases laid down in article 6(1) of the GDPR. Consent and legitimate interests are the most common legal bases used by controllers in the marketing world to legitimise their processing activities. This ensures that any organisation wishing to process personal data for direct marketing purposes shall demonstrate either consent from the marketing recipient, or that the direct marketing is within the data controller’s legitimate interests.
Aside from demonstrating that a controller has a lawful ground for the processing under the GDPR, the recipient shall always be given the opportunity to object, free of charge and in an easy and simple manner, to receiving further electronic marketing communications. It is imperative that the opt-out clause is included in every marketing communication. Disguising or concealing the sender’s identity runs counter to the transparency principle and is prohibited by law.
Alongside the Regulation, the sending of electronic communications for the purpose of direct marketing is regulated by means of the lex specialis ‘Processing of Personal Data (Electronic Communications Sector) Regulations’ (Subsidiary Legislation 586.01 issued under the Data Protection Act 2018), which transposes the provisions of the e-Privacy Directive 2002/58/EC.
The law stipulates that no person shall send such communication (including communications made by means of an automatic calling machine, a facsimile machine, or email) without having sought the consent of the intended recipient prior to the communication of any marketing or promotional material. However, this is subject to an exception, whereby the controller may send marketing material to data subjects provided that the contact details were collected in relation to an earlier sale of a product or service (soft opt-in). In this eventuality, the controller shall ensure that the marketing material solely promotes a product or service similar to the one previously sold or rendered. In these instances, consumers shall be given the opportunity to opt out, free of charge and in an easy and simple manner, at the time of the collection and in each marketing communication.
The law makes provision for the sending of marketing communications by conventional postal services and lays down that such communications shall have a valid lawful basis to process personal data in terms of article 6(1) of the GDPR. In principle, personal data processed for direct marketing purposes may be legitimised under the legitimate interest ground provided under article 6(1)(f) GDPR.
Where marketing communications are addressed to ‘The Occupier’ and do not contain personal data, the law does not apply due to the exclusion of the processing of personal information.
Cold calling systems that specifically involve human intervention are permissible, provided that the requests of the called party not to be contacted again are fully respected by the controller making the call. An exclusion list is normally set up so that the number is not generated again by the machine.
Personal data shall be obtained legitimately and not processed for a purpose which is incompatible with that for which the information has been collected. For instance, the telephone directory, a publicly available register, may be used by any person to contact a subscriber whose name appears thereon.