The newsletter unsubscribe process and GDPR
The unsubscribe process for newsletters and other email marketing communications, a seemingly simple matter, can pose a GDPR and LOPD compliance problem if not carried out correctly. For this reason, and following on from a post of mine on LinkedIn, this blog addresses this essential issue in email marketing.
To mention some recent, real cases, the AEPD has issued the following sanctions for incorrect implementations of an unsubscribe process:
- Sending commercial emails after an unsubscription request: €600 (initial sanction €1,000).
- Sending advertising messages via WhatsApp after a request for data deletion: €4,200 (initial sanction €7,000).
- Making it impossible to unsubscribe from commercial SMS messages: €2,400 (initial sanction €3,000).
Rights at stake in the newsletter unsubscribe process: right of erasure and/or objection
As indicated in previous posts, commercial email communications can be sent on either of two lawful bases provided for in the GDPR: the explicit consent of the data subject (Art. 6.1.a) GDPR) or legitimate interest (Art. 6.1.f) GDPR; see linked post for more information).
Email communications and newsletter unsubscribe process when data is processed based on prior consent: In general, this data processing requires a positive action from the data subject to authorise the processing of their data (email, telephone, etc.) for advertising purposes. Under Article 7.3 of the GDPR, consent can be withdrawn at any time by whoever gave it, and processing their data from that time onwards would be illegal.
When should the email actually be removed? In the event of a request for cancellation, it must be remembered that the LOPD and the data protection regulations provide for prescription periods (from 1 to 3 years) for the different infractions. Therefore, if consent were withdrawn and all the information on that individual immediately deleted (including the proof of the consent given at the time), it might not be possible to prove relevant facts if a complaint were made within the prescription period. This is why, when a withdrawal is requested, you must:
- Block the personal data during the prescription period of the infractions. While blocked, the data must be kept in the company's systems but cannot be viewed. This data will be made available to the competent judges, courts, and public authorities to deal with any liabilities.
- Once this period has elapsed, the personal data must be deleted in full.
Process of deleting data processed based on the legitimate interest of the controller: Remember that, in this case, to comply with the requirements of the AEPD, the data must belong to current customers of the company that sends the commercial email communications. Therefore, someone who requests cancellation is exercising the right to object to their data being processed for commercial purposes (which does not mean that they no longer want to be a customer of the company). In this case, although consent is not required and therefore does not have to be proven in the event of a request, we must be able to demonstrate that:
- The customer was indeed a customer of the company when these communications were made.
- The customer was informed that their data could be processed for commercial purposes.
Failing to provide information on the purposes of processing is considered a minor infraction (Art. 74 LOPD), the prescription period for which is one year. Therefore, when someone asks to stop receiving commercial communications (right to object), the data will be blocked for one year and deleted after this period.
As noted, the individual can continue to be a customer and, therefore, this process should not affect the information required to maintain the contractual relationship with the customer.
To conclude, once these procedures have been considered, it must be remembered that the system (manual or automated) must be effective: the human or technical error that many companies plead to avoid liability is insufficient in the eyes of the AEPD. Therefore, in short:
- Be clear about, and record, the lawful basis that allows you to use data for commercial purposes: consent or legitimate interest.
- Activate an effective and simple unsubscribe system in each commercial communication.
- In case of withdrawal, apply the aforementioned criteria.
- Train your sales and/or marketing team in these aspects.
And, of course, if you need more information about the unsubscribe process for your company’s communications, do not hesitate to contact us!