GDPR for Marketing - Consent

There are a number of requirements for consent to be valid. Consent has to be a freely given, specific, informed and unambiguous indication of the data subject’s wish. This can be an (oral) statement, or a clear, affirmative action. ‘Inaction’, i.e. not doing anything specific (‘implicit consent’), is no longer acceptable under GDPR.

Examples of valid consent include:

  • Ticking an (empty!) checkbox on a form where you ask consent for a specific purpose e.g. to subscribe for the weekly newsletter,
  • A prospect who leaves you with his/her business card at a commercial or network event, after having asked to learn more about SD Worx services,
  • A website visitor who clicks ‘accept all cookies’ on the cookie banner.

Consent must always be specific. This means we collect consent for separate purposes. Bundling consent, like “I agree to receive SD Worx’ marketing communication and for my contact details to be shared with its business partners” is not allowed.

General principle: no commercial e-mail without a prior (explicit) consent.

  • Exception: marketing emails to existing customers about similar services

Existing customers

  • Can be emailed for surveys, events and specific commercial offers (similar services/products) on the basis of our legitimate interest (‘opt out’)
  • Postal marketing can be sent on the basis of our legitimate interest (‘opt out’)
  • Offer preference center to indicate their emailing preferences and respect these choices
  • Always offer possibility to easily opt-out (e.g. unsubscribe buttons via email that flag Pardot correctly)

Prospects

  • Always opt-in (prior consent) before contacting for marketing and related purposes

We can send one-to-one or individual emails to prospects or customers without explicit consent (e.g. via Outlook). If a prospect or customer asks us to unsubscribe them from this type of communication, we should respect this choice and prevent further emails from being sent.

No. These communications take place on the basis of our contract with the customer, and/or our legitimate interest in providing service communications.

We can send this to customers who didn't opt out of surveys.

Do we need double or confirmed opt-in?

Double or confirmed opt-in is not a GDPR requirement, but is a general best practice for data quality. In some countries, like Germany, double opt-in is a legal requirement for consent to be valid.

Can we still email contacts from external databases/data brokers?

Only if the data is obtained according to GDPR (with specific consent to be shared with SD Worx for commercial use), if the broker can evidence this, and if appropriate contractual arrangements are in place. See the guidance on Third Parties.

Does a visitor have to explicitly approve the use of cookies on our websites?

Yes, we have a cookie consent solution on our website where visitors can approve all cookies or only a specific type of cookies. Only cookies essential for the functioning of the website do not need consent. All other cookies (tracking, analytics), even if they do not process personal data, can only be placed after the website visitor has opted in.

Can we still run telesales/telemarketing campaigns? 

Yes, unless someone explicitly says they don't want to be called. Before kicking off a telesales/telemarketing campaign, validate your list against local ‘do not call me’ lists.

If you engage a partner, make sure that either the partner receives these validated lists, or that the partner is under obligation to carry out this validation prior to carrying out the campaign.

Yes, unless they explicitly opted out. Before kicking off a postal campaign, validate your list against local ‘do not send me marketing’ lists (if applicable).

If you engage a partner, make sure that either the partner receives these validated lists, or that the partner is under obligation to carry out this validation prior to carrying out the campaign.

Can we show the names of the attendees of an event we organize on our event website?

This is not recommended. This is possible only where an attendee has consented to this during registration. Alternatively, consider displaying the names of the companies for which attendees work. This is not personal data, meaning no consent or other GDPR requirements apply.

Can we send a follow-up email to somebody who filled in a form to download a white paper, but didn't opt-in for further commercial emailings?

You can still send him/her an email (max. 2) regarding the white paper or the subject of the white paper. Unless they explicitly consent to this, their contact details cannot be used for marketing purposes (e.g. adding the prospect to your recurring mailing lists).

 

