GDPR. Legitimate interest and email marketing
Legitimate interest is an unfamiliar concept to many marketing departments and managers, and it is worth exploring because it allows you to send commercial communications without the consent of the recipient.
If you focus on email marketing campaigns in the B2C sector and treat email as personal data, bear in mind that the GDPR allows up to six lawful bases for processing such personal data.
These six cases are completely independent, so if one is fulfilled then you are fully GDPR-compliant. Among these lawful bases are both consent and legitimate interest (in addition to 4 others).
It is well known that when the GDPR came into force, back in May 2018, our inboxes filled with emails from companies requesting consent to continue sending advertising or commercial communications. Many of these companies did not really explore legitimate interest.
When can legitimate interest be used in an email marketing campaign?
As noted above, if the conditions listed below are met, the rule of legitimate interest applies and, therefore, the express consent of the recipient is not necessary for commercial campaigns to be sent by email.
These are the conditions:
- The recipient must be a current customer of the company sending the commercial communication. It is important to indicate here that the Spanish Data Protection Authority (AEPD) enforces the validity of this commercial relationship. Therefore, this rule cannot be applied in the case of former customers or, of course, in the case of leads.
- The advertising must be for products or services similar to those that the customer purchased or contracted in the first place. Since this is a somewhat subjective description, the AEPD reminds us that the similarity must be judged by the criteria of the recipient and not of the issuer of the advertisement.
- The advertising can only come from the same company from which the customer originally contracted or purchased. This excludes using legitimate interest to send advertising from collaborators, group companies or similar.
- The option to unsubscribe must be given in each commercial communication.
Finally, when you collect customer data, explain very clearly in your Privacy Policy what you are going to do with it, and clearly justify this legitimate interest.
The ICO (British Data Protection Authority) has explained the use of legitimate interest in marketing very well.
If you need legal advice for a GDPR-compliant email marketing campaign in Spain, please contact us.