For organisations
As a general rule, electronic direct marketing can only be sent to individuals with their
prior consent (opt-in). The company must be able to demonstrate afterwards that the individual has consented to their personal data being processed for electronic direct marketing purposes.
A person may be targeted with electronic direct marketing without their consent if they are a customer of the company and the contact details used for direct marketing were obtained from them in connection with a sale. The seller may contact the customer in question via electronic direct marketing without prior consent, provided that all of the following conditions are met:
- the contact information is obtained from the customer (existing customer relationship)
- the contact information is obtained in connection with the sale of products or services
- the contact information will only be used for marketing products or services that belong to the same product group or are otherwise similar
- the direct marketing involves the marketing of products and services by the same seller organisation.
An individual has the right to object to the use of their personal data for direct marketing purposes at any time. The company must allow the recipient to easily and free of charge opt out of receiving electronic direct marketing when collecting contact information and later in every marketing message. This right must be stated explicitly.
The prohibition on direct marketing must be adhered to without undue delay. If an individual objects to their personal data being processed for direct marketing purposes, the processing must cease.
Direct marketing to legal persons (i.e. communities or organisations) is subject to slightly different rules than direct marketing to private individuals. If you are planning to carry out direct marketing targeting a community or an organisation, please refer to the section entitled 'Can a person working in a company be sent direct marketing?'
See also:
The person must give their consent to electronic direct marketing with a clear expression of consent, indicating a voluntary, individualised, informed and unambiguous declaration of intent. Consent may be given in writing, verbally, or electronically. The controller must be able to demonstrate afterwards that consent has been given.
For example, a person may give their consent by ticking a box on a website, or by another active means that clearly demonstrates their acceptance of their personal data being processed for electronic direct marketing purposes. A pre-ticked box, a pre-activated selector switch or refraining from commenting on the matter does not constitute consent.
Additionally, a person should not be asked to consent to the marketing of a specific product or service via a separate message beforehand, since this message constitutes direct marketing in itself.
See also:
An automated calling system is a system that automatically contacts the recipient without human intervention. If the party making the marketing call is a human being, the consent of the person receiving the call is not required. For example, telephone contact (dialling) can be made automatically, but after the call has been initiated a human being must conduct the marketing manually.
If direct marketing takes the form of an automated (robotic) call, i.e. if the marketing is carried out by a machine instead of a person, prior consent from the person receiving the call is required.
When making robotic calls, you must ensure that individuals can exercise their data protection rights. These include the right to object to personal data being processed for direct marketing purposes and the right to be informed about how their personal data is processed.
See also:
If the company has obtained the contact information used for direct marketing from a party other than the person themself, the essential information about the processing of personal data must be provided already during the first direct marketing call. This information can be provided over the phone; there is no need to contact the person first just to inform them about the processing of their personal data. Individuals must be made aware of which company the marketing call is from and for which purpose their personal data will be processed.
Essential information that should be communicated to the person during the call:
- How where their contact details obtained?
- Who is the controller of the personal data or their representative?
- Where can they find out more about their data protection rights and how their personal data is processed?
For example, if the person requests additional information, they can be directed to more extensive data protection information available on the company’s website. Depending on the contact details that the company already has, information can also be sent by email or post. If a person is unable or unwilling to visit the company's website, the necessary information should be provided by an alternative means. The company must be able to provide the details related to its obligation to provide information during the direct marketing call.
Article 14 of the EU’s General Data Protection Regulation provides more detail on the information that must be provided to persons when personal data has been obtained from someone other than them. In addition to the above, this information must include the following:
- legal basis for processing personal data
- storage times of the data
- categories of personal data to be processed
- parties to whom personal data may be disclosed (i.e. recipients or groups of recipients)
- information on transfer of personal data outside the European Economic Area
- the legitimate interest of the company if the data is processed on that basis
- the right to withdraw consent if personal data is processed on the basis of consent
- whether the information is used for automated decision-making or profiling.
See also:
As a general rule, an email address in the format [email protected] are considered to belong to a natural person. For this reason, the main rule is that prior consent from the individual is required for electronic direct marketing.
However, consent to electronic direct marketing is not required if the person in question works in a position that is essentially linked to the goods, services or other commodities offered by direct marketing. In this case, electronic direct marketing can be sent to a person's work email address under what is called authorisation by role.
Before starting electronic direct marketing, the controller must verify the person’s role and be able to demonstrate afterwards that the processing of personal data was lawful. This can be done, for example, by documenting the assessment of the authorisation by role.
Consent from the recipient is not required for electronic direct marketing targeted at a community (e.g. sent to the company's general email address). However, the community also has the right to prohibit marketing messages.
The community or its employees must be given the opportunity to opt out of receiving electronic direct marketing messages easily and free of charge. This option must be communicated clearly.
See also:
This depends on whether the marketing is traditional or electronic, and whether the potential customer is an individual or an organisation.
When the potential customer is an individual, electronic direct marketing requires the recipient's consent, since no products or services have been sold to them yet, meaning that no customer relationship exists. To target someone with electronic direct marketing without their consent, they must already be a customer, and you must have obtained their contact information in connection with a sale. Read more about direct marketing sent to customers in 'When can a person be sent electronic direct marketing?'
Consent of the recipient is not required when electronic direct marketing is targeted at a community (e.g. an organisation's general email address). If you are planning to carry out direct marketing targeting an organisation or its employee, please refer to the section entitled 'Can a person working in a company be sent electronic direct marketing?'
Consent is not required from the recipient in the case of so-called traditional direct marketing, i.e. marketing by telephone or letter.
See also:
Customer communications that are necessary may be sent to customers without their consent. These include messages informing customers about the status or continuity of or changes to the services that they use. For example, it is not necessary to obtain separate consent for customer communications such as a text message from a garage informing its customer that their car is ready to be picked up after servicing.
However, marketing messages about the company, its other products or services may not be included in the same communication. In that case, the message would be classified as electronic direct marketing, for which the recipient's prior consent is necessary.
See also:
The website of the Finnish Competition and Consumer Authority
If the organiser of the prize draw intends to use the personal data collected for electronic direct marketing purposes, consent must be obtained from the individuals concerned. In other words, merely reporting on the use of data for electronic direct marketing in connection with the rules or terms of a prize draw is not enough.
Consent can be given, for example, by ticking a box on a website or form. No valid consent can be given by means of a pre-ticked box, a pre-activated selector switch or by simply not commenting on the matter.
See also:
If a person objects to the use of their personal data for direct marketing purposes, the controller must ensure that the data is no longer processed for this purpose. In certain situations, a person also has the right to request the erasure of their personal data.
A person can request both the deletion of their data and the termination of direct marketing at the same time. The starting point in this case is that the entry concerning the prohibition on direct marketing is also removed.
However, before deleting the data, the controller should check whether the person also wants the entry concerning the direct marketing prohibition to be deleted. In this context, it would be helpful to explain what the removal of the prohibition of direct marketing means in practical terms. The prohibition must also be removed if the person so wishes.
See also:
Yes. If the customer prohibits direct marketing during a call, the prohibition must be processed. The prohibition of direct marketing cannot be bypassed by requiring the person to use an alternative method of contact to issue the prohibition. Under the data protection regulations, companies are obliged to facilitate the exercise of individuals' data protection rights.
See also: