Frequently asked questions about the GDPR

by Chloë van der Woude

Copernica GDPR

Since 25 May 2018, the General Data Protection Regulation (GDPR) has been in force. This European regulation affects how companies must handle personal data. Copernica’s software fully complies with the GDPR. All data is processed within the EU, with strict security measures and two-factor authentication (2FA). We have listed a few of the most important things you need to know below.

1. How can you sign Copernica’s data processing agreement?

The GDPR requires that an agreement be drawn up between the data controller (our customer) and the data processor (Copernica). This data processing agreement must set out the arrangements and obligations between the controller and the processor. We have prepared an agreement that our customers can sign digitally via the Copernica.com dashboard. If you have not yet signed this data processing agreement, we kindly ask you to do so as soon as possible. In the near future, an email will also be sent to our customers containing a link that allows the authorized signatory to sign it (or have it signed) easily.

2. Do you need to ask your subscribers for consent again?

The GDPR is quite strict when it comes to consent, and it may therefore be necessary to ask your newsletter subscribers for consent again in order to keep sending mailings. Under the GDPR, you must have very explicit consent to send mailings, and you must also be able to prove that people subscribed to your newsletter. If, in the past, you collected addresses in a less strict manner, or if you can no longer prove that someone actually signed up, you will need to request consent again.

Under the GDPR, consent must be informed. This means that the data subject (the recipient of the email) must be informed of all information relevant to giving consent. It is therefore not sufficient to use a sentence such as: “Would you like to receive emails?” This does not make clear what exactly will be sent (newsletter, promotions, etc.), how often something will be sent, or who the sender is. If you do not provide this information, consent may be considered an invalid legal basis for sending emails. In addition, consent must be given by means of a statement or an active action, for example by ticking a checkbox. It is therefore not sufficient for the box to be pre-checked or for consent to be included in the general terms and conditions.

Furthermore, the data controller must be able to prove that valid consent was obtained. You should therefore verify whether the way in which the current opt-ins were obtained is (or was) in accordance with the GDPR requirements. If you cannot prove this, you will need to ask for consent again. Finally, Copernica strongly recommends using a double opt-in, even though this is not a legal requirement. Do you want to ask your whole database for consent again, and will this result in a temporarily high sending volume? Then please contact our support team beforehand about protecting your sending reputation.

3. Are you allowed to continue emailing existing customers without an opt-in?

Many of our customers wonder whether existing customers who have not given an opt-in may be emailed. It is important to note that someone can only be regarded as an existing customer if they have actually purchased something — not if they merely participated in a contest or filled out a survey.

The Telecommunications Act states that you may email existing customers about similar products or services, provided that, at the time the customer data was obtained, you indicated that the customer could easily object to the use of these details. You must also provide an easy and free unsubscribe option with every message you send. This is also known as the soft opt-in. This is stipulated in the Telecommunications Act, and nothing about this law changes, so you may continue to email existing customers on the basis of this soft opt-in.

4. Is there another way to be allowed to send emails?

If you want to email someone who has not given consent and who is also not an existing customer, you will need to assess whether there is another legal basis that allows you to send emails. In addition to consent, there are other legal grounds on which you may process personal data — for example, when you have a legitimate interest that outweighs the interests of the data subject. When sending emails for direct marketing purposes, this may constitute such a legitimate interest under the GDPR. In those cases, you must always carry out a balancing test: does your (marketing) interest outweigh, for example, the recipient’s right to privacy?

In addition, it is important that the recipient of the email could reasonably expect that emails would be sent. This is related to the so-called “right to object.” Under the GDPR, the data subject must be informed at the first point of contact that their email address will be used to send emails, and they must be given the opportunity to object to this. You must also provide an easy way to unsubscribe in every email. If these requirements are met, it appears that you may send emails for direct marketing purposes without a (soft) opt-in.

A caveat is that it is safer to have a (soft) opt-in from all individuals in your database. In those cases, you do not need to carry out a balancing test beforehand.