This year's first guidelines from the Portuguese Data Protection Supervisory Authority (“CNPD”) are on direct marketing electronic communications (Guidelines/2022/1).
They address a topic that is still under revision, mainly in the framework of the (future) EU ePrivacy Regulation, which since 2017 has been subject to successive delays due to a lack of consensus among Member States within the Council of the European Union.
These Guidelines were essentially motivated by the increasing number of reports addressed to the Supervisory Authority regarding unsolicited electronic communications: the CNPD registered more than two thousand reports in 2021.
However, difficulties arise not only for data subjects, but also for companies, which face several challenges when planning their electronic communications for direct marketing purposes. Among the questions that arise, the most relevant and frequent are those related to the possibility of sending electronic communications to professional contact data (for instance, professional e-mail) and those related to the indication of the data retention period to be adopted, regardless of consent. Although other National Supervisory Authorities have already issued guidance on these topics, these (and other) aspects, which still need further guidance, have been left outside the scope of these Guidelines.
Nevertheless, regarding the sending of direct marketing electronic communications addressed to individuals, the CNPD has clarified the legal regime provided for in the Law on Privacy in Electronic Communications (Law 41/2004 of 18 August), highlighting the associated provisions of the GDPR and of Law 58/2019 of 8 August, applicable here.
In this context, we have prepared this information, emphasizing the most relevant aspects of the Guidelines:
- The legal grounds for sending electronic communications:
Prior to sending marketing communications, the data controller must ensure that there is a valid and lawful ground for the processing in question.
The Law on Privacy in Electronic Communications distinguishes the legal grounds for processing, according to the relationship with the data subject:
- Where a prior "customer" relationship already exists, i.e. a relationship of mutual knowledge and trust enabling the data controller to anticipate the expectations of the data subject:
The sending of electronic communications will be based on (i) the legitimate interest of the controller, in the situation where the marketing concerns products or services similar to those previously purchased by the customer; or (ii) the customer's prior and express consent, if the marketing communications concern products or services other than those previously purchased by the customer.
- In the absence of a prior legal relationship between the controller and the recipient of the communications, the only basis of lawfulness applicable to such data processing shall be the prior express consent of the data subject.
- Legitimate interest as a lawful ground
Legitimate interest may be used as a legal ground only in the context of the aforementioned situation, where the controller may use its customers' contact details, obtained in the context of the purchase of a product or service, for the purpose of sending direct marketing communications.
It is considered that in this specific circumstance, the customer will have an interest or reasonable expectation in being informed of promotions and services similar to those already acquired by the customer. It is also crucial that the electronic communications to be sent are relevant to the data subject.
Nevertheless, the customer must always have the possibility of refusing the use of his or her data for this purpose, easily and free of charge, both at the time of collection and in each electronic communication sent.
- The prior and express consent of the data subject as a lawful ground
The CNPD clarifies that the consent of the data subject for the sending of direct marketing electronic communications must be obtained in compliance with the provisions of the GDPR in this regard; namely, it must correspond to a "free, specific, informed, unequivocal and explicit" declaration of will and must be obtained in compliance with the principles of fairness and transparency.
In addition to complying with all the provisions of the GDPR, consent must also be given prior to the sending of the electronic communication.
In this regard, the CNPD clarifies that consent will not be considered explicit if it is not given through a positive and explicit act, i.e., if it is collected through forms or other models in which the field to confirm consent is already filled in.
The CNPD further enumerates certain situations in which consent will also not be considered valid:
(i) when consent is provided by the customer without having been given all the information required by Article 13 of the GDPR.
(ii) when consent is collected as a result of an online contest or promotion, where authorization is obtained to transfer data to third parties or for the development of direct marketing campaigns by third parties, and the data subject is effectively required to give consent to be contacted for direct marketing purposes by entities other than those promoting the online contest or promotion.
(iii) when consent is collected by a certain entity that requests the data subject to provide consent for the processing of his/her data by a third party whose identity is not indicated in a clear, express and transparent manner.
(iv) when consent is provided through a form in which the data subject has filled in a consent option for, namely, data sharing with sponsors, partners or Group companies. The CNPD clarifies that consent will have to be provided specifically for each entity and not for a group of entities presented in a generic way.
(v) when consent is a condition to access or visit websites or engage in activities, i.e., in situations where the data subject must consent to the sending of marketing communications in order to access or consult websites or engage in any activity.
Under Law No. 41/2014, the controller must record all data processing operations associated with direct marketing actions, as well as maintain an updated list of persons who have expressly consented to receive these communications and of customers who have not objected to receiving them.
The CNPD also underlines that the guidance provided in Guidelines/2019/1, on the processing of personal data in the context of electoral campaigns and political marketing, should continue to be considered.