And that is where the GDPR becomes relevant again. You can’t develop an e-mail campaign without processing personal data (a quick reminder that an firstname.lastname@example.org address is not considered personal data and that its processing is therefore not subject to the GDPR).
And you will say that you need consent to process personal data.
Yes and no: most of the senders I referred to above are wrong in thinking that consent must always be sought for data processing. Nothing could be further from the truth.
Consent is just one of the circumstances under which data processing is lawful (in a sense, it is the “mother of all justifications for the processing of personal data”). When a company bases itself on the person’s consent to process their personal data, it must demonstrate the exact scope of this consent (when was the consent given, through which channel, and so on).
Other circumstances include the law that may require you to process certain data, the performance of a contract and legitimate interests.
Legitimate interests are the exact reason why the GDPR was drafted in the first place. And sometimes they used to justify all kinds of things.
Recital (47) of the GDPR (which can be used for its interpretation) however unambiguously states that commercial prospection can be a legitimate interest.
If we combine this recital with what I said under point 1, you can draw some interesting conclusions:
For B2B (Business to Business):
No prior consent is needed for data processing or for sending prospection e-mails to companies. As companies, which are legal entities, are represented by natural persons, you can send prospection e-mails to an address of the email@example.com type.
The French data protection authority CNIL has corroborated this (https://www.cnil.fr/fr/la-prospection-commerciale-par-courrier-electronique), stipulating that e-mail prospection is still possible without consent under the GDPR.
However, note that the situation differs slightly among countries of the EU. For example, in Belgium, the “Arrêté Royal » of April 4, 2003 (which regulates the sending of e-communications) states that consent is required in order to send prospection e-mails to such addresses.
You must make reasonable use of this consent however. For example, your prospection efforts must solely relate to products and services that may be relevant to the company. You cannot, for example, try to sell a game console to the holder of an firstname.lastname@example.org address without prior consent.
What’s more, the recipient must be able to object to the processing of their data for marketing purposes at all times.
So there is no need for a re-opt in for a B2B prospection database. That said, it may be worth reminding the data subjects whose personal data is contained in this database of the extent of their rights (more specifically of the right to object to the processing of personal data for marketing purposes), inviting them to unsubscribe if the messages do not seem relevant to them. This is simply a case of common sense.
For B2C (Business to Consumer):
This is a more complex matter. Even if commercial prospection aimed at consumers falls under the scope of Recital (47), it should still be noted that the Directive of 2002 prohibits the use of their e-mail address without prior consent.
The only case where you may use e-mail to send a marketing message to a consumer without specific prior consent is if that consumer has purchased goods or a service, if their e-mail was collected in the margin of this transaction and if you use it to promote similar goods and services (i.e., promote MP3 music to someone who already bought a song).
In that case, this is considered an example of legitimate interests. The data processing is obviously lawful because it is authorised by the law (which transposes the directive).
Here too however, you must give consumers the right to object to this data processing and therefore to all subsequent communication.
In short, for B2C communication, you only have two options for e-mail based marketing communication:
• Either you obtain specific consent from the consumer, entitling you to send marketing communication by e-mail and nothing in the GDPR prohibits you from continuing to rely on this consent.
• Or you have a business relationship with the consumer and rely on this to continue to send the consumer e-mails about products and services that are similar to those he already bought from you. Here again, nothing in the GDPR prevents you from continuing to send the consumer messages based on this relationship.
However, you may not send an e-mail to the consumer asking him to register (or re-register) for your e-mail marketing programme if any of the above situations do not apply to you. And that is exactly what the majority of the e-mails we are all getting lately are asking us to do. In our opinion, they are therefore illegal.
That said, it could be interesting for marketing professionals who can base themselves either on e-mail consent or on the opt-out in the framework of an existing commercial relationship to send consumers an e-mail reminding them about their rights and inviting them to modify their preferences, where applicable.
I hope I was clear. If not, please share your reservations, questions and opinions on linkedin or send me an e-mail at email@example.com
Good luck with your compliance... ."
Benoît de Nayer
Director and co-founder