Below are recommendations for implementation by personal data controllers (i.e. entrepreneurs) in the area of personal data protection and of protection of data subjects (i.e. their customers) against unsolicited commercial communications sent by those controllers.
It is always necessary to ensure that personal data (including data processed in commercial communications and in cookies) are processed on the basis of the applicable and most appropriate legal ground, so that the lawfulness of the processing is ensured.
The following sections of this Annex are therefore designed in a way that the appropriate legal ground for the processing is identified and that any specifics of processing in relationships between the controller and the data subject are described.
This information is not legal advice, but only basic informative recommendations for persons processing personal data. Completeness or correctness of this information is not guaranteed.
In the areas of “general” processing of personal data, i.e. not in connection with the sending of the Commercial Communications or with the collection of so-called cookies (see below), the general rules on the processing of personal data apply.
In order for personal data to be processed in accordance with the laws on personal data protection, it is necessary to:
Primarily, all processing of personal data relating to the business activity of the controller will be performed on the basis of performance of the contract with the data subject (processing necessary for the sale of goods and provision of services).
For sending commercial communications (which is not processing necessary for the performance of the contract) that are identical for all data subjects or are defined on the basis of the transaction history of the data subjects, the legitimate interest of the controller may be used as the legal ground. Legitimate interest is also used as the legal ground for processing cookies (although it will probably be necessary to obtain explicit consent in the future). On the other hand, where advanced analytics or other personal data operations that by their nature differ from plain “direct marketing” are to be performed, it would be necessary to obtain the prior consent of the data subject to the processing of personal data for these purposes – such consent may for example be a condition for inclusion in the controller’s discount or loyalty program.
However, it is necessary to point out that the boundary up to which legitimate interest can be relied on instead of consent is not clearly defined (it depends on the controller’s reasoning and justification for such processing), and it cannot be guaranteed that a given processing operation can be performed on the basis of legitimate interest.
In any case, the data controller must inform the data subject that his or her personal data have been obtained, irrespective of the legal ground used for the processing (performance of the contract, legitimate interest of the controller, consent of the data subject). Where consent is used, the data subject cannot be compelled to give it.
Where personal data are collected from data subjects, data subjects must be informed of the following:
In the case where processing is based on the legitimate interest of the controller, the data subject has to be explicitly informed, clearly and separately from any other information, about the right to object to the processing.
Please note that the rights of the data subject include, for example, the right to request from the controller access to personal data relating to the data subject, their rectification, erasure or restriction of processing, and the right to object to processing. It is always necessary to respond appropriately to a request by the data subject to exercise these rights. Under specific conditions it may be necessary, for example, to terminate the processing of the personal data for certain purposes or to erase the personal data completely.
In relation to the sending of commercial communications, it is necessary to ensure compliance with the laws on personal data protection and the general regulation on sending commercial communications.
Regarding the laws on personal data protection, the forms of processing of personal data in this context are the act of sending a commercial communication to the data subject’s e-mail address as well as all preceding and subsequent analyses of the behaviour and possible demographic characteristics of the data subject, including the collection of the data itself (whether based on information provided by the data subject or on tracking of the data subject on the website).
All of the forms of processing mentioned above, however distinct from each other, are directed towards one common goal, namely marketing communication with the data subject. For this reason, it is useful not to split this purpose but to base it on a single common legal ground (combining personal data obtained for different purposes is very problematic). An appropriate legal ground may be the legitimate interest of the controller in supporting the controller’s business and addressing the data subjects (the controller’s customers), or the data subject’s consent in the case of more advanced analysis of the behaviour of data subjects and monitoring of their behaviour.
The following consequences are associated with using the legitimate interest:
Furthermore, with regard to the general regulation on sending commercial communications, which is aimed at preventing the sending of unsolicited commercial communications, it can generally be noted that in order to ensure compliance with the applicable legislation, relatively strict conditions have to be met. Therefore, it is not possible to send to data subjects:
At the moment, cookies can be processed in opt-out mode. This means that it is possible to store them on the end device of the data subject and process them further without the explicit consent of the data subject, but the data subject must be informed of this fact and allowed to refuse such processing without any significant deterioration of the service (or of those parts of it that do not depend on cookies).
In the case of cookies, the above-described rules on objections to processing apply accordingly, including “do not track” requests. However, a switch to opt-in mode in the future is being considered.
Where cookies can be attributed to an identifiable data subject (e.g. when monitoring registered data subjects), the laws on personal data protection also apply. It is then necessary to comply with all obligations relating to the protection of personal data (Part A), including the legal ground for processing, fulfilment of the duty to inform and handling of “do not track” requests.
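The opt-out handling described for cookies above can be enforced on the server side before any non-essential cookie is set. The following Python helper is an added illustration and is not part of this Annex or of any controller’s actual implementation; the opt-out cookie name, the cookie categories and the sample requests are constructed assumptions. It treats a “DNT: 1” request header or a previously recorded opt-out preference as an objection, lets cookies the service itself depends on through unchanged, and withholds tracking cookies only, so the parts of the service that do not rely on cookies keep working.

```python
"""Opt-out gating for non-essential cookies (added example, not from the Annex)."""
from dataclasses import dataclass, field

# Assumed name of the preference cookie that records a visitor's opt-out.
OPT_OUT_COOKIE = "tracking_optout"


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    essential: bool  # True: needed for the service itself (session, CSRF, cart)


@dataclass
class Request:
    headers: dict = field(default_factory=dict)  # raw request headers
    cookies: dict = field(default_factory=dict)  # cookies the client sent back


def _header(req, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    wanted = name.lower()
    for key, value in req.headers.items():
        if key.lower() == wanted:
            return value.strip()
    return ""


def tracking_refused(req):
    """True when the visitor has objected to tracking cookies.

    Both a "do not track" request header and an earlier explicit opt-out
    (stored in OPT_OUT_COOKIE) count as an objection.
    """
    if _header(req, "DNT") == "1":
        return True
    return req.cookies.get(OPT_OUT_COOKIE) == "1"


def filter_cookies(req, proposed):
    """Return the subset of `proposed` cookies that this response may set.

    Essential cookies are always allowed; tracking cookies are dropped
    whenever the visitor has refused tracking.
    """
    if not tracking_refused(req):
        return list(proposed)
    return [c for c in proposed if c.essential]


def opt_out_cookie(max_age_days=365):
    """Cookie that records the visitor's opt-out; it is essential because it
    stores the preference itself and carries no tracking identifier."""
    return Cookie(OPT_OUT_COOKIE, "1", essential=True)


def set_cookie_lines(cookies):
    """Render Set-Cookie header lines with conservative attributes."""
    return [
        f"Set-Cookie: {c.name}={c.value}; Path=/; Secure; SameSite=Lax"
        for c in cookies
    ]


if __name__ == "__main__":
    # Constructed sample: one essential session cookie, one analytics cookie.
    proposed = [
        Cookie("session", "s3ss10n", essential=True),
        Cookie("_analytics_id", "a1b2c3", essential=False),
    ]
    plain = Request()
    with_dnt = Request(headers={"dnt": "1"})
    opted_out = Request(cookies={OPT_OUT_COOKIE: "1"})
    for label, req in (("no objection", plain), ("DNT header", with_dnt), ("opt-out cookie", opted_out)):
        print(label)
        for line in set_cookie_lines(filter_cookies(req, proposed)):
            print("  " + line)
```

The decision is deliberately a pure function of the request, so it can be unit-tested and reviewed independently of the web framework; in a real deployment the same check would run in a middleware layer that sees every response, rather than being repeated in each handler.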