Whether you are a digital marketer, data protection officer, data analyst or CRM manager, the GDPR regulation has certainly had an impact on the way you do marketing. A year after its implementation, you are certainly still asking yourself questions.
How to obtain formal consent? To whom can you send commercial suggestions? Can collected data be reused? In this webinar, Adeline Balza, Lawyer at Belgian law firm Lex4u, and Tabata Vossen, Product Marketer at Qualifio, answer the questions marketers most frequently ask about the GDPR.
4. What is personal data?
Example: a name, a number, an email address, location data, etc.
"ANY information relating to an identified or identifiable NATURAL person."
8. How to obtain consent?
Consent must be expressed by simple and specific means.
It must be:
● Freely given
● Specific
● Informed
● Unambiguous
9. Question 2
How to send commercial solicitations electronically, without violating privacy rights, in a B2C relationship?
10. How to send commercial solicitations electronically, without violating privacy rights, in a B2C relationship?
● The controller needs the prior consent of the consumer to receive such messages (opt-in).
● The data subject can withdraw his consent at any time.
● The controller is required by the GDPR to provide clear information for both commercial and other forms of direct marketing.
11. How to send commercial solicitations electronically, without violating privacy rights, in a B2C relationship?
Postal & Telephone = not necessary to obtain consent, as long as the person has not exercised his or her right to object.
Digital = need to obtain consent.
12. How to send commercial solicitations electronically, without violating privacy rights, in a B2C relationship?
What uses should be excluded in commercial prospecting?
Avoid collecting email addresses of individuals on websites or discussion forums.
Do not, NEVER, use pre-ticked opt-in boxes.
Never make access to a service or the purchase of a good conditional on the acceptance.
14. How to send commercial solicitations electronically in a B2B relationship?
● Prior information is required
● Right to object (and it has to be simple and free)
● The subject of the solicitation must be related to the profession of the data subject.
15. How to send commercial solicitations electronically in a B2B relationship?
Can we still send marketing emails to info@, contact@ addresses?
YES - They are not personal data.
Except if...
The address contains the first and last name of the professional.
17. In which cases do you not need to obtain consent?
B2B: if...
● Business email address
● Message subject is related to the profession of the data subject
B2C: if...
● Similar products or services have been acquired previously from the same company
But…
● Information of the data subject
● Right to object
18. Question 5
Is it allowed to reuse collected data for purposes other than those for which they were initially collected?
19. The purpose of data processing
No
1 consent ↔ 1 purpose
(consent is specific)
Examples:
Subscribe to a newsletter
VS Receive offers from partners
VS processing of data in the context of an online contest
...
20. Question 6
Can I transmit the collected data to business partners?
21. Can I transmit the collected data to business partners?
Yes but...
● The person must give his or her consent before any transmission to partners.
● Information about the identity of the partners must be provided to the data subject.
● The person must be informed of changes and modifications to the list of partners, in particular when it comes to the arrival of new partners.
● The consent that the company has obtained to collect data on behalf of its partners is only valid for the latter.
22. Can I transmit the collected data to business partners?
Some essential information needs to be provided
● The name of the company that transmitted the data to the partners
● The identity of the partners and an updated list of them
● The purposes of the processing
● The rights of the data subjects.
The right to object shall be exercised either with the partner or with the company initiating the initial collection of data.
24. What about Switzerland, the USA and the UK?
Central point of the GDPR = the individual, the European citizen.
...Therefore, the GDPR also applies beyond the EU, when the processing of personal data concerns an EU resident.
25. Switzerland
Adequacy decision = a third country provides a comparable level of protection of personal data to that in the European Union
Third countries that are concerned: Switzerland, Andorra, Argentina, Canada, the Isle of Man, Guernsey, Israel, Jersey, New Zealand, Uruguay and Japan.
26. The United States
No general data protection law but a self-certification mechanism, better known as Privacy Shield.
Privacy Shield = "partial" adequacy decision because data transfer is only facilitated for companies that are committed to the principles of this Privacy Shield.
July 2018: the European Parliament discredited this system.
27. The UK (and Brexit)
● If the agreement with the EU is approved: there will be a transitional period of 2 years.
● If no agreement: the UK will be considered a third country from the 1st of November 2019.
29. GDPR and social media marketing
Collection through a Facebook page
Wirtschaftsakademie: the page owner is co-controller
The use of publicly available data
(and the example of election propaganda)
31. Data security and retention
Physical security = locked closets.
IT security
Security passwords (regularly changed) & a unique identifier per person.
34. What about the sanctions’ status?
The French Data Protection Authority sanctions both large companies, such as Google, and smaller ones; see the example of Grand Optical.
Examples:
● Google: fined €50 million for its lack of transparency and information.
● Real estate: approached owners of real estate properties for sale by phone message without their consent.
● Facebook: £500.000 in the UK, €10 million in Italy, a bit more than a million euros in Spain, €150.000 in Belgium and France.
38. What will happen in terms of GDPR and e-Privacy in the future?
● New sanctions, especially in Belgium;
● Extend international trade with new agreements of the same type;
● E-privacy Regulation Proposal concerning the protection of personal data and privacy in the electronic communications sector.
40. How to motivate consumers to share their personal data?
● Monetize the sharing of personal data.
● Privacy policy: clear & transparent information.
43. The GDPR Toolbox
Goal: give the DPO total control over any data manipulation within Qualifio
● Erasure
● Export
● Data protection texts
● Logs
● Advanced management of access rights
● ...