The GDPR (General Data Protection Regulation) has entered into force and it has certainly not gone unnoticed: in the past few days, a large number of emails have been sent through our software. Since it was not Christmas or Black Friday, we concluded that it had something to do with the GDPR. We have seen a lot of untruths in the media in recent times, which is why we have written this blog to help clear up some misunderstandings. It would be a pity if you wrongly halved your list of email addresses because you were misinformed.
If you met the requirements to send emails before the 25th of May, you will still meet them. Not a lot has changed; most rules already existed under the Personal Data Protection Act (Wbp). The difference now is that data subjects have gained more control over their personal data and companies must be more transparent about how they process this data. This means that the privacy statement had to be adjusted and a Data Processing Agreement and a processing register had to be drawn up. You can send your customers an email to inform them about these changes, but it is not mandatory. If you prefer, you can simply report this on your website.
If you bought email addresses and you emailed these persons without an opt-in, you were already breaking the old legislation. Now that the GDPR has entered into force, it is certainly advisable that you only send emails to persons who have opted in to receive emails. However, if you send emails to persons who were already registered for your newsletter, there is no reason to panic and you can continue to mail without re-asking for consent.
A common misunderstanding regarding the GDPR concerns the soft opt-in exclusion. The Wbp from 2001 obliged senders of newsletters to obtain consent. However, the more specific Telecommunications Act made an exception: the soft opt-in exclusion. This means that you are allowed to send commercial communications for similar services and products to people with whom you have a customer relationship, as long as the data subject can unsubscribe at any time. The GDPR replaces the Wbp, but the Telecommunications Act is still in force (the European regulation that will replace the Telecommunications Act is not yet finished). So it’s still possible to send emails based on this soft opt-in exclusion, as the DDMA writes.
Lastly, there is the possibility to process personal data on the basis of legitimate interest. The GDPR explicitly states that the processing of personal data for direct marketing can be seen as such a legitimate interest. A condition for this is that the (marketing) interest of your organization must outweigh the interest of the data subject. It is also required to inform the data subject of your intention to process his or her personal data. Additionally, you have to provide information on how the data subject can object to this processing. However, it is not advisable to process personal data on the basis of legitimate interest, because a weighing of interests must be made continuously.