On the 25th of May 2018, the General Data Protection Regulation (GDPR) comes into effect. This European regulation has far-reaching consequences for companies that send emails. We have listed a few of the most important things you need to know.
1. How can I sign Copernica’s data processing agreement?
The GDPR stipulates that an agreement must be drawn up between the controller (our customers) and the processor (Copernica). This processing agreement lays down the obligations and arrangements between the controller and the processor. We have drawn up an agreement that our customers can digitally sign through the Copernica.com dashboard. If you have not done so yet, we ask you to please sign the processing agreement as soon as possible. Shortly, an email will be sent to our customers containing a link that enables an authorized person to easily sign the processing agreement.
2. Do you have to re-ask for consent to email customers in your database after the 25th of May, 2018?
The GDPR is rather strict as far as consent is concerned. Therefore, it might be necessary to re-ask for consent from your newsletter subscribers. According to the GDPR, you have to receive explicit consent in order to be allowed to send emails. You also have to be able to prove that a person has subscribed to your newsletter. If you are unable to show that someone has actually subscribed to your emails, you are required to ask for consent again.
The GDPR states that consent must be based on accurate information. This means that the person concerned (the recipient of the email) must be informed of all relevant information in order to give valid consent. It is insufficient to use a sentence like: “Would you like to receive emails?”. This sentence does not indicate what exactly will be sent (newsletters, promotions, etc.), nor how often ‘something’ will be sent, or who the sender is. If you fail to deliver this information, this can lead to consent that is granted on invalid grounds. Consent must also be granted by means of a declaration or an active action, for example by clicking on a box. It is not sufficient that the box is already checked or that the consent is included in the Terms and Conditions.
Furthermore, the controller must be able to prove that consent has been legally obtained. You have to check whether the way in which your current opt-ins are obtained is in accordance with the requirements of the GDPR. If you are unable to prove this, you have to re-ask for consent. Lastly, despite it not being a legal requirement, Copernica strongly recommends using a double opt-in.
If you want to re-ask your database for consent and this will lead to an extra high sending volume, please contact our Support department regarding your sender reputation.
3. Can you continue to email existing customers who did not grant an opt-in after the GDPR comes into effect?
Many of our customers wonder whether, after the 25th of May 2018, they can still send emails to existing customers who did not opt in. First of all, it is important to note that someone can only be viewed as an existing customer when the person has actually purchased something. Participating in a contest or completing a survey does not make someone an existing customer.
The Telecommunications Act states that you may mail existing customers about similar products or services if, when the contact details were acquired, the customer was clearly and explicitly given the opportunity to object to the use of the contact details. This option needs to be given free of charge and in a simple manner. You must also offer an easy and free opportunity to unsubscribe during every instance of communication. This is called the soft opt-in. This is stipulated in the Telecommunications Act and this Act will remain the same after the GDPR has entered into force, so you still have the possibility to mail existing customers on the basis of this soft opt-in.
4. Is there another possibility to send emails?
If somebody has not opted in to receive emails and is not an existing customer, you will have to look for other possibilities that allow you to send email to that person. In addition to consent, there are several other legal grounds on which you may process personal data. One example is a legitimate interest that outweighs the interest of the data subject. If you send email in the context of direct marketing, the GDPR states that this can yield such a legitimate interest. In these cases, you always have to weigh the interests against each other. Does your (marketing) interest weigh more heavily than, for example, the right to privacy of the data subject?
Additionally, it is important that the data subject can expect that emails will be sent to him or her. This concerns the ‘right of objection’. The GDPR states that, at the latest at the time of the first communication with the data subject, the data subject must be informed that his or her email address will be used to send emails. Furthermore, an opportunity must be offered to object to this and you have to offer the recipient the possibility to easily unsubscribe from every email. If these requirements are met, it appears that you can send emails without (soft) opt-in in the context of direct marketing.
A side note here is that it is safer to have a (soft) opt-in from all persons in your database. In that case, you don’t have to make a weighing of interests.