Direct marketing and the rights and obligations of the GDPR

It will not have escaped your notice that the General Data Protection Regulation or GDPR will enter into force on 25 May 2018, ushering in a third generation of regulatory rules on data protection or the protection of the fundamental right to privacy, as it is often also known. And as a fundamental right is at issue here, legislation on this matter is imminent. What the rights and obligations of the GDPR applicable to companies in practice when they use and process personal data for direct marketing and CRM purposes? 

The GDPR expressly does not prohibit the processing of personal data but is about creating the conditions and rules to ensure that the data can be collected only under strict conditions and used only for legitimate purposes, such as direct marketing. Organizations that collect and process such personal data must therefore protect them against misuse, and must respect certain rights of the persons concerned.  

Natural persons and legal persons

The GDPR pertains in the first instance to the processing of data of natural persons. Data are considered to be personal only if the person is identifiable, directly or indirectly. When someone uses the Internet, he will often provide vital personal information such as name, address and credit card number to the Internet Service Provider and to the website that he uses. Indirect identification occurs for instance when a natural person uses his business computer and a tracking cookie is placed on it. Although identification by name, etc. is not possible, each time the tracking cookie is read, the collected data are considered to be personal data.  

If more information than just the contact data of the legal person is collected, and the information includes for instance also the name of a contact person, his registered hobbies,  age and/or other personal indications,  the data of a natural person are deemed involved and the GDPR applies also.

Consent and blocking

Opting in (consent) or opting out is required for certain electronic communication channels.  For instance, prior consent is needed to use e-mail/sms/mms with a direct marketing message (a message for commercial purposes).  

The request for consent must be made in an understandable and easily accessible form and in clear and simple language.  

The Dutch double entendre eens gegeven, altijd gegeven’ (once given, always given / once a fact (data), always a fact (data)), does not apply when it comes to consent for collecting and processing personal data. A person always has the right to block his data against processing for direct marketing purposes. A legal person does not have this right, but can only withdraw its consent for the use of the e-mail address.  The end result is the same nonetheless.  


Direct marketeers use profiling techniques for segmentation purposes or in order to select a relevant target group.  This is retained with the GDPR provided the marketing action is not geared to creating a legal consequence or significant effect.  If there is a serious legal consequence or significant effect, it is authorized only in case of the performance of an agreement, consent of the person concerned or a law, and will have to be offered adversarially.  

The existing principles (legality, appropriateness and transparency; purpose limitation and compatible use for statistical research; data minimization; accuracy; storage limitation; integrity and confidentiality) remain in force for processing. A new principle, namely, accountability, is added. With this principle, the controller becomes accountable for compliance and must be able to show such compliance each time.  

The GDPR is above all intended to provide better protection for consumers. And this naturally entails new obligations for companies in order to become GDPR compliant. At the same time, I am convinced that the GDPR can change the thinking of companies on data privacy and lead to new opportunities – an issue I shall address in greater detail in my subsequent blogs.

This is Blog 1 from a series of three that  Michiel Alkemade, general manager of  Smart Profilewrote on direct marketing and the GDPR. The next blog deals with how the GDPR changes the thinking of companies on privacy on the basis of data portability. 

Image: Descrier