Advertising
Do you want to collect and use personal data for sending direct marketing, such as a newsletter? Then you will need consent for this in many cases. For the best possible protection of personal data, the General Data Protection Regulation (GDPR) sets strict requirements for this consent, including for the quality and understandability of the information that organisations provide about their direct marketing practices.
Collecting and using personal data
An organisation always needs a legal basis for collecting personal data that this organisation later uses for direct marketing purposes.
For example, it may be necessary for a (web)shop to collect personal data of customers for finalising the purchases. But suppose this (web)shop also wants to use the collected personal data for sending direct marketing? Then strict rules apply for this.
Which rules apply depends on the type of direct marketing and whether it is addressed to existing customers. There are 3 types of direct marketing, each with their own rules:
• digital direct marketing;
• telemarketing;
• advertising mail.
Consent
Is direct marketing based on the legal basis of consent? Then you, as an organisation, must be able to demonstrate that you have actually received consent. In the GDPR, this is called the duty of accountability.
Informing
Do you want to collect and use personal data for direct marketing purposes? Then the people concerned must be provided with clear and clearly structured information about the processing of their personal data.
You must inform them in understandable language, to ensure that they really know what happens with their data and that they can choose whether or not they want to receive direct marketing from you.
Quick answers
When is someone an existing customer?
Someone is an existing customer if this person has purchased a product or service from you. There must be a purchase contract or a service contract under which you are obliged to deliver something and the customer is obliged to pay for this.
Someone is not a customer if that person has not (yet) purchased a product or a service, but only has registered for your newsletter, completed a survey, participated in a competition or game, or has created a user account.
How long am I allowed to retain customer data under the GDPR?
The General Data Protection Regulation (GDPR) does not mention specific retention periods. The starting point is that you are not allowed to retain personal data longer than necessary for the purpose of your processing. How long you are allowed to retain data varies from case to case.
Retention periods in other laws
Does legislation apply that prescribes specific retention periods? Then you have to apply these periods. For example: under the tax legislation, you are obliged to retain certain data for a period of 7 years.
Purpose of customer data
Consider the reason you might need the data of your customers. Primarily, you’ll need it for completing the purchases of your customers. But you may also want to use the contact details of your customers for direct marketing.
Check for each of these purposes when you have achieved your purpose. Once this is the case, you will probably no longer need the personal data.
In this way, you can determine a retention period for each purpose for which you retain customer data. You are therefore free to determine these periods yourself, but you must be able to substantiate how long you retain your customer data.
Informing
You have to include the retention periods in your privacy statements to ensure that your customers know how long you will retain their data.
After the end of the retention period
Has the retention period expired? Then you have to destroy or anonymise the customer data. You may have to do this sooner, if a customer objects to direct marketing or withdraws a consent previously given for this purpose.
Is an organisation allowed to record a telephone conversation with me?
Are you calling an organisation? Or is an organisation calling you? Then the telephone conversation may be recorded. This is also called voice logging. The organisation does not have to ask you for consent for this purpose if the recording is necessary for the performance of a contract with you, for example.
Examples of recording of telephone conversations
Organisations may record telephone conversations, for example:
- if you buy something or conclude a contract by telephone;
- if you have a complaint, to check if this complaint is well-founded;
- to improve the provision of the telephone services by the employees of the organisation (e.g. of a call centre).
Informing about recording of the telephone conversation
The organisation has to inform you at the start of the conversation that this conversation will be recorded. You also need to be informed for what purposes the organisation uses the recordings of the conversation, such as for training purposes.
Requesting a recording
You have the right to request the recording if you want this. You do this by making a written request for access to your personal data to the organisation.
Do you think, for example, that something is not correct or that certain data are not relevant? Then you can ask the organisation to rectify or supplement your data.
Rectifying or supplementing your data during a telephone conversation is technically impossible, but the organisation can compile a file with corrections and additions.
You can also ask the organisation to remove the recording, for example if your data are no longer necessary, if the organisation is not allowed to process your data, or if the organisation retains your data for too long.