How to avoid gdpr penalties in email marketing
Posted: Tue Dec 03, 2024 6:53 am
The new General Data Protection Regulation represents a small revolution in the processing of personal data. This particularly affects email marketing, a case we already analyzed in a previous post.
In this article we focus on the aspects that an advertiser who creates or commissions email marketing campaigns must focus on in order to carry them out in accordance with the new regulations , thus avoiding sanctions from the Spanish Data Protection Agency.
The key element for creating an email campaign is to have an updated database so that we can send our commercial communications to these contacts electronically.
It is essential that this database has vp financial email lists been prepared in a lawful manner , that is, in accordance with the regulations that establish that it is a sine qua non condition to have had the express consent of the user to process their data for commercial purposes. In our blog we have already discussed the issue of our NOT recommending the purchase of databases to carry out email marketing campaigns.
Following the guide on consent published by the Spanish Data Protection Agency, we conclude that this consent must have been collected by the data controller using a layered model:
1.- First layer of information : The user must be able to easily access basic information on how their data will be processed by the controller. For example, in a contact form and at the bottom of the form, the purpose of the processing of their data and its objective must be detailed.
2.- Second layer of information : Through the Privacy Policy, where the user can easily access more detailed information regarding the processing of their personal data . In the same example of the contact form, it should indicate in the footer and in a visible place a link to the Privacy Policy.
Transfer of databases
What happens in the case of a campaign that goes to a database provided to or purchased by the advertiser? We have previously discussed our position regarding the purchase of databases , which we advise against for several reasons, including to avoid possible sanctions from the AEPD.
Even so, if you decide to run a campaign or use a database that is transferred or purchased, you should contractually require the person or company that provided you with the database to comply with all the obligations required by the regulations.
It should be noted in this regard that the users of this database have had to individually and expressly accept the transfer of their personal data to a third party, detailing the specific purpose , in this case to receive commercial communications through electronic means. It is important to note that this consent must be express and that the purpose and object of this transfer of data must be clearly stated.
To avoid penalties, in cases where responsibilities may arise for the issuer of the campaign, we recommend including a limitation of liability clause in the contract with the person responsible for the file.
Another option is for the advertiser to take out data protection insurance, in case they might be subject to a sanction by the AEPD or another competent body.
GDPR sanctions
The amount of fines for non-compliance with regulations has been increased, and can reach up to €20 million or 4% of the business's annual turnover , whichever is greater.
This is certainly a motivating factor, although not the only one, for capturing leads and carrying out email marketing campaigns, as indicated in the new General Data Protection Regulation.
And you, are you ready?
In this article we focus on the aspects that an advertiser who creates or commissions email marketing campaigns must focus on in order to carry them out in accordance with the new regulations , thus avoiding sanctions from the Spanish Data Protection Agency.
The key element for creating an email campaign is to have an updated database so that we can send our commercial communications to these contacts electronically.
It is essential that this database has vp financial email lists been prepared in a lawful manner , that is, in accordance with the regulations that establish that it is a sine qua non condition to have had the express consent of the user to process their data for commercial purposes. In our blog we have already discussed the issue of our NOT recommending the purchase of databases to carry out email marketing campaigns.
Following the guide on consent published by the Spanish Data Protection Agency, we conclude that this consent must have been collected by the data controller using a layered model:
1.- First layer of information : The user must be able to easily access basic information on how their data will be processed by the controller. For example, in a contact form and at the bottom of the form, the purpose of the processing of their data and its objective must be detailed.
2.- Second layer of information : Through the Privacy Policy, where the user can easily access more detailed information regarding the processing of their personal data . In the same example of the contact form, it should indicate in the footer and in a visible place a link to the Privacy Policy.
Transfer of databases
What happens in the case of a campaign that goes to a database provided to or purchased by the advertiser? We have previously discussed our position regarding the purchase of databases , which we advise against for several reasons, including to avoid possible sanctions from the AEPD.
Even so, if you decide to run a campaign or use a database that is transferred or purchased, you should contractually require the person or company that provided you with the database to comply with all the obligations required by the regulations.
It should be noted in this regard that the users of this database have had to individually and expressly accept the transfer of their personal data to a third party, detailing the specific purpose , in this case to receive commercial communications through electronic means. It is important to note that this consent must be express and that the purpose and object of this transfer of data must be clearly stated.
To avoid penalties, in cases where responsibilities may arise for the issuer of the campaign, we recommend including a limitation of liability clause in the contract with the person responsible for the file.
Another option is for the advertiser to take out data protection insurance, in case they might be subject to a sanction by the AEPD or another competent body.
GDPR sanctions
The amount of fines for non-compliance with regulations has been increased, and can reach up to €20 million or 4% of the business's annual turnover , whichever is greater.
This is certainly a motivating factor, although not the only one, for capturing leads and carrying out email marketing campaigns, as indicated in the new General Data Protection Regulation.
And you, are you ready?