What does the GDPR actually have to say on this matter?
In 2016, when the General Data Protection Regulation (GDPR) was adopted, international community came with numerous questions regarding the brief provision contained in the last sentence of Recital 47 “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” The most common of these questions was whether this provision is intended to enable data controllers to also send direct marketing communications (inter alia, by means of electronic means of communication) without obtaining the data subject’s prior consent. It is surprising that questions as to the meaning of this provision (including questions from GDPR experts) can be heard even today, when less than two months remain until the date the GDPR will become effective.
The provision in consideration is of particular interest in the context of Article 69 of the Law on Electronic Communications of the Republic of Lithuania (hereinafter the LEC), which obligates obtaining an individual’s consent prior to sending any direct marketing communications to the individual (subject to an exception related to existing customers, in respect of which the so called opt-out consent may be used, which enables an individual to disagree to data use for the purpose of direct marketing, but does not require expressing consent by any active actions).
Several important observations should help to understand the seemingly ambiguous relation between the regulation and the law:
Firstly, it should be noted that the entry into force of the GDPR will not annul the LEC and/or the provisions of this law implementing the ePrivacy Directive (2002/58/EC). The mandatory provisions of the law will remain effective, which means that the duty to obtain consent provided for in Article 69 will also remain effective. Therefore, I would not recommend e-mailing any newsletters after 25 May and pointing out to Recital 47 of the GDPR.
Secondly, data processing for direct marketing purposes is an extensive term, which covers much more than just sending of marketing communications based on Article 69 of the LEC. The said term also covers other data processing actions, including profiling and marketing personalisation. The latter data processing actions may be highly dynamic and complex, as a result of which the obtaining of consent compliant with the requirements of the GDPR becomes very complicated and unpractical. It is in these cases that Recital 47 of the GDPR becomes relevant.
This means that, although the duty to obtain consent pursuant to the LEC remains, Recital 47 of the GDPR provides for an opportunity to carry out some data processing actions, which are carried out for the purpose of direct marketing, for a legitimate interest.
Certainly, the legitimate interest grounds should not be viewed as a cure against the stringent GDPR requirements concerning obtaining of consent, since the use of the legitimate interest ground also brings about certain conditions, including the following:
- The duty to perform evaluation of the legitimate interest (in most cases the evaluation must be documented), which must reflect that the data controller has implemented internal interest balancing procedures and, according to it, there are no interests, rights or freedoms of data subjects which are superior to the legitimate interest of the data controller; and
- The duty to notify data subjects about how and for what legitimate interest their data will be processed (it should be mentioned however that, compared to consent, in this case there is considerably more flexibility, although the controller should not forget to provide the respective information prior to starting any specific (new) data processing actions (e.g. profiling) and to provide the data subject with an opportunity to disagree to the processing of his data (e.g. by providing data subjects with an opportunity to choose whether any received proposals are individualised or are of general nature), i.e. in essence the provision of the aforementioned opt-out mechanism under the legitimate interest cover).