According to the Guidance, the CNPD has been receiving an increasing number of reports from citizens related to unsolicited electronic communications for direct marketing purposes, made by (or on behalf of) various entities, most of which concern marketing actions carried out by entities with whom the data subjects have no client relationship, or for which they do not recall having granted any type of consent.

Notwithstanding our understanding that the Guidance does not introduce any novelties in relation to the legal framework applicable to the processing of personal data for direct marketing purposes, some concepts and principles that should govern such processing are highlighted and clarified and, thus, should be subject to reassessment both by data controllers and by data processors.

Legal framework

One of the fundamental principles laid down in the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is the principle of lawfulness, fairness, and transparency, under which personal data must be processed lawfully, fairly, and transparently in relation to the data subject.

As a consequence of the Privacy by Design principle, the CNPD emphasises that any direct marketing activity should be designed, from its creation, so as to ensure compliance with this principle. In particular, any entity should, prior to sending electronic communications for marketing purposes, ensure that there is a valid basis of lawfulness for this processing operation. The GDPR provides for six grounds for lawfulness which may and must be considered in the processing of personal data, and in this specific case, as a direct consequence of the provisions of Law No. 41/2004 of 18 August (Law on Privacy in Electronic Communications) ('LPEC'), only two of those grounds can be deemed as applicable: the legitimate interest of the data controller and the data subject's consent.

Assessment of legitimate interest and consent

The CNPD recalls that the two grounds for lawfulness indicated above are not alternative or dependent on an arbitrary 'choice' of the data controller, and the provisions of the LPEC must be taken in account while assessing which ground is applicable. Thus, the data controller must assess the existence of a customer relationship and the specific content of the marketing communication as follows:

• if a customer relationship already exists, the applicable lawfulness ground will depend on the promotional content of the marketing communication, i.e.:
• if the marketing communication relates to products or services similar to those previously purchased by the customer, their consent is not required and the data controller's legitimate interest will be the applicable lawfulness ground for processing; or
• if the marketing communication relates to products or services other than those previously purchased by the customer, the only applicable lawfulness ground for processing is the customer's prior and express consent;
• if there is no prior costumer relationship between the data controller and the recipient of the marketing communication, the only applicable lawfulness ground for processing will be the customer's prior and express consent.

The rationale underlying this assessment is that if a customer purchased a certain product or service, they will also be in interested in knowing about future marketing communications regarding similar products or services or, at least, they have a reasonable expectation of receiving marketing communications on such goods or services.

Right to object

In any case, regardless of the applicable lawfulness ground for processing, the data controller must guarantee the data subject's right to object in all marketing communications, allowing the data subject to unsubscribe from future marketing communications from the data controller.

Consent

In the Guidance, the CNPD points out that, given the reference of the LPCE to the general data protection legal regime, consent for sending marketing communications must fulfil the requirements set forth in the GDPR and, as such, consent will only be valid if it is provided through a clear positive act that indicates a free, specific, informed, and unequivocal expression of will that the data subject consents to the processing of their personal data.

On the other hand, consent should precede any marketing communications and should be informed, which means that before obtaining a data subject's consent, said person should obtain all relevant information about the data processing, namely, the identity and contact details of the data controller, identification of the electronic marketing communications as the purpose of the processing and consent as the respective basis of legitimacy, as well as identification of the right to withdraw consent at any time and the applicable retention period.

Ambiguous and non-transparent consent

The CNPD identifies some examples of ambiguous and non-transparent consent that has been used in data processing for direct marketing purposes and which should be avoided, as these will violate the principle of lawfulness, fairness, and transparency, namely:

• consent collected for participation in online activities or competitions, which seek by this means to obtain authorisation to transfer data to third parties or to develop direct marketing campaigns on behalf of third parties;
• consent collected by a particular entity, seeking the data subject's authorisation for processing by a third party, which do not expressly identify, in a clear and transparent manner, the identity of said third party and the specific context in which the subsequent data processing operation will take place; and
• forced consent, i.e. consent obtained as a requirement for the data subject to have access to a website or to participate in certain activities.

Data processors

Aware of the current commercial practices, the CNPD highlights that the fact that the data controller usingt data processors to organise/promote marketing campaigns on its behalf, with such data processors carrying out acts such as the collection of personal data or the effective sending of the marketing communications, does not exonerate the data controller of its responsibility regarding the data processing and compliance with applicable laws.

In fact, the data controller must ensure that any data processor will act in strict compliance with applicable laws and that any data processing relationship is subject to proper formalisation through a binding written contract that meets the minimum requirements provided for in the GDPR.

Databases obtained/acquired from data processors or third parties

Once again, based on an existing commercial practice in the Portuguese market, the CNPD notes that in case a data controller obtains/acquires, from a data processor or a third party, a database in which the personal data subjects have already given their consent for marketing purposes, said data controller will not be able to send marketing communications based on the consent previously obtained, since:

• it is highly unlikely that the previous consent was so specific that it already identified the data controller; and
• taking into account the principle of lawfulness, fairness, and transparency, this could be seen as a formal web which, in apparent conformity with the law, defrauds the expectations of the data subjects, so as to lead them to results they could hardly foresee or consent to, if they had been presented with the necessary transparency.

Accountability

Finally, the CNPD highlights some of the data controller's obligations while processing personal data, especially in a direct marketing context, in accordance with the accountability principle, namely:

• the data controller must adopt appropriate technical and organisational measures to protect personal data;
• the data controller must ensure Data Protection by Design and by Default;
• the data controller must select data processors who give sufficient guarantees of implementing appropriate technical and organisational measures to comply with the GDPR, regulating the data processing relationship through a written contract;
• the data controller must provide clear and documented instructions to the data processors concerning the processing of personal data in question;
• the data controller must exercise effective control over any sub-data processing;
• the data controller must assess the risks associated with each marketing activity to be implemented and carry out, when applicable, a Data Protection Impact Assessment in accordance with the GDPR;
• the data controller must keep the record of processing activities updated;
• the data controller must keep an updated list of people who have expressly and freely given their consent to receive this type of communication, as well as the customers who have not objected to receiving it; and
• the data controller must ensure compliance with the GDPR regarding any transfers of personal data to countries outside the EU within the scope of the concerned marketing activity.

Conclusion

As indicated above, the Guidance is a direct consequence from the provisions applicable to the processing of personal data provided in particular in the GDPR and in the LPCE.

Notwithstanding, the Guidance is important to generate awareness on the matter, and it is essential that both data controllers and data processors involved in marketing activities in Portugal reassess the processing of personal data in such activities and, specifically:

• verify, based on the criteria identified in the Guidance, in particular, the customer relationship and the specific promotional action, and whether the assessment of the applicable lawfulness grounds for processing is adequate and in compliance with the applicable laws;
• assess the terms under which the data subject's consent was obtained; and
• audit and formalise, if they have not done so yet, their relationships with the involved data processors.

João Peixe Senior Associate
[email protected]
Vasconcelos Arruda & Associados, Lisbon