As of the 1st of January, the new Code Email is enforced in the Netherlands. This code will replace the already existing codes for commercial emails to businesses and consumers and will be part of the Advertising Code. What do you need to know about this code and what rules do you have to follow? Learn more under the header Code Email.
Personal details are:
- Every piece of information that contains data on a natural person
- Information that makes a person identifiable
Think of phone numbers for example, name and address information, email addresses, IP addresses, bank account numbers, photos or cookies (as far as these can be tracked to a certain individual).
Information about companies or organizations generally aren't personal details. So if your database only contains data on companies, these details aren't personal details. Data on contact persons at these companies however, should be considered as personal details.
Processing personal details
You are processing personal details whenever you are performing actions that apply to personal details: so whenever you have control over personal details.
When processing personal details, this has to happen in a fair way. This means the processing has to take place:
- According to the law. Meaning that besides the Data Protection Act, you also have to consider other laws, like the legislation around telecommunications.
- In a proper and careful manner.
- For predetermined, explicitly explained and justified goals. Determine a clear and concrete goal you want to gather the personal details for.
- When the person in question is effectively and fully informed about the circumstances the details are gathered in. Always be clear and inform proactively what will happen with the details!
Processing the details, among other reasons, may be done based on:
- Unambiguous permission
- Necessity for execution of an arrangement
- Representation of legitimate interest, except if it's overruled by the interest of privacy
The first requirement to be able to process personal details is that you have to have unambiguous permission. The person in question has to have given permission voluntarily, that permission has to be given aimed at a certain data processing and there should be no doubt about where the given details are used for. If there is any doubt, this first has to be taken away and you have to re-ask for permission.
Executing and agreement
If you made an agreement with someone, you are allowed to use their personal details as far as necessary to execute the agreement. You are also allowed to use the personal details in the phase before the agreement is executed, should this be necessary.
Representation of a legitimate interest
You are allowed to use personal details when this is necessary for your or a third party's legitimate interest, unless the interest or fundamental rights of the concerned person are more important than that legitimate interest. A legitimate interest has to always be described concretely. Examples of legitimate interests:
- Promoting sales
- Advertising, also for a third party
- Sharing information with a third party
- Direct marketing
In the case of a legitimate interest like direct marketing, you are allowed to process personal details without permission and without executing an agreement, BUT:
- To send emails or SMS text messages you always need permission = opt-in
- With direct marketing activities you always need to offer the possibility to object = opt-out
Note: Personal details may not be processed in a way that is incompatible with the goals they were obtained for. So sharing personal details with a third party is only allowed if it fits the goals the details were provided for.
Duty to inform and opt-out
As responsible party you always have the duty to inform the concerned party. Someone whose personal details are being processed, should always be able to check where his or her details are being used for. Also, someone always has the right to object to the processing of his or her personal details.
The duty to inform means you have to inform someone about, inter alia:
- Who you are (the identity of the responsible party)
- For what purpose you're collecting and processing personal details
- The concerned party's right to view and correct his or her personal details
- The right to object
In the case of sharing details with a third party, you have to inform the concerned party about:
- The category the third party is part of
- The right to object to the sharing of details with a third party
Like mentioned before, for email marketing it's necessary that you obtain an opt-in from your commercial and business relations. This means you will have to get an opt-in for the following goals:
- Commercial and charity goals
- Press releases
You don't need an opt-in whenever you approach your own existing clients for similar products and offers = soft opt-in. You do however have the obligation to always offer an opt-out. You can use a soft opt-in when you deploy email marketing:
- Within your own company context
- To an existing client relation
- To sell an own product or service
- Where the given information can be reasonably expected by the recipient
As of the 1st of January, the new Code Email is enforced in the Netherlands. This code will replace the already existing codes for commercial emails to businesses and consumers and will be part of the Advertising Code. According to the DDMA, as a result of the new code, companies will communicate in a more transparent way about their email marketing towards the consumer. The advertiser will become more responsible and the recipient will be better protected.
But what does this code mean for users of Copernica? What do you have to know and what rules should you follow?
- Make sure you have permission for sending email. Are you using an address database from a third party? Make sure that the party you are receiving the addresses from (the data owner) has permission from the addressee to send advertisements. The principle of unambiguous permission still applies: the addressee must actively and consciously give permission. The addressee must also give the data owner explicit permission to share his or her email address with third parties.
- For the addressee it has to be clear where his or her email address is used for. This may no longer be hidden somewhere in the Terms and Conditions or the Privacy Statement.
- The soft opt-in is still allowed. You don't need prior permission when using email addresses to send similar products or services.
- In a newsletter sign up, you have tell the addressee what he or she can expect. "Yes, I want to sign up for the newsletter" is no longer sufficient.
- The Code requires the database owner or the advertiser to include his or her label (or company name) in the 'From field'. The addressee should always have the possibility to opt out at the party that has permission to send him or her advertisements. .
- The addressee has to be able to opt-out at the level where he or she signed up. Example: a publisher has multiple products or titles and sends out commercial emails for all of them. The addressee then has the right to opt-out for all emails from that publisher at once. He or she doesn't have to opt-out for every product or title separately.
- The 'reply to' field has to include a working address, a 'no reply' address is not allowed. There should always be a contact option for the addressee in the email.
- In the case of 'Tell a friend' systems, the name of the friend that sends the message has to be in the 'from' field. This way the addressee has the option to directly answer his friend, and indicate if he or she wants to keep receiving these kind of emails.
- In the Code an advice is included on the adding of attachments to emails. It's recommended to send none at all. Emails with attachments are blocked by spam filters more than average and contribute to a bad reputation of the email. If you want to send attachments anyway, always keep the file size below 150 kb.
Tell a friend
Tell a friend is the option where someone can send an email to someone he or she knows through a website, without prior permission. In a lot of cases, this is an important part of viral marketing. The CBP and OPTA decided that tell a friend is allowed, as long as the following requirements are met:
- The sharing is initiated by the internet user on his or her own initiative. The website may not offer a reward or a chance to win a prize in return, for as well the sender as the recipient.
- For the recipient, it should be perfectly clear who initiated the email, giving him or her the chance to approach this party and indicate if he or she wants to keep receiving these kind of emails.
- The sender has to be able to get a full preview of the message that's sent on his or her behalf, offering the chance to take full responsibility for the personal contents of the message.
- The concerned website is not allowed to use the email addresses and other personal details for any other goal than to send a message on behalf of the sender. The website is also required to secure the system against abuse, such usage by spam bots.
According to the Email Code, tell a friend has to meet the following additional requirements:
- Personal relation of addressee is allowed to send advertisements without prior permission.
- The name of the personal relation has to be included in the 'from' field.
- The sender has to be able to get a full preview of the message before its sent.
- A reply by the recipient should be sent directly to the personal relation's mailbox. The email address of the personal relation should be in the 'reply to' field.
- Using email addresses and other personal details for other purposes is only allowed if advertiser has explicit permission from the person concerned to do so.
- Harvesting is forbidden. It's not permitted to store entered addresses in the commercial database.