Do you still receive advertising emails to which you did not give consent?

Did you receive dozens of requests last year to confirm subscriptions to newsletters under the GDPR? You did not renew them, or did not authorize them to continue to be sent, and yet many still arrive in your mailbox? Know what to do.

May 25, 2018 was the day the General Data Protection Regulation (“GDPR” – Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27 April) began to enter into full effect.

This date has not gone unnoticed by anyone. In the preceding and subsequent weeks, email and message boxes were flooded with consent requests for the continued use of personal data.

Some companies did not need to request consent for the use of personal data, since the legality of the processing was based on the existence of contracts in which the data subjects were party or in compliance with a legal obligation to which the controller was bound to. And this may have led to the unnecessary deletion of some databases. But the truth is that in many situations, such as marketing and advertising, without no other legal basis, the maintenance of data processing required obtaining the consent of the data owners.


Rights that the GDPR provides and reinforces

In fact, the GDPR reinforced the conditions for consent, requiring “a clear positive act indicating a free, specific, informed and unequivocal expression of willingness of the data subject to consent to the processing of data concerning him, such as written declaration, including in electronic form “(see recital 32). And to impose, with respect to ongoing treatment activities based on consent, that if the form in which the consent was given had not fulfilled the conditions set out in the RGPD, it should be obtained once again (see recital (171)).

Thus, if a company collected its data, when for example it made a purchase or registered in a certain website, or bought its data to third parties, without its express, clear, free, specific and informed consent, it was obliged to obtain authorization. And it was not enough to send an email requesting his consent to comply with this obligation, but he had to be able to demonstrate that that consent was obtained.

Companies which continue to use personal data without the consent of data subjects, where this is the sole legal basis for data processing, incur a fine of up to € 20,000,000.00 or 4% of their annual turnover corresponding to the previous financial year, whichever is the higher.


Know what you can do

Thus, if you continue to receive e-mails with advertising and marketing content without giving your consent to this effect, under the conditions of the GDPR, you can request the cessation of the processing of your data and its deletion with the controller, as well as lodge a complaint with the National Data Protection Commission (CNPD). According to information on the CNPD website:

“To file a complaint with the CNPD, you may use postal mail or electronic mail, sending your reasoning to and writing in the subject [Complaint]

Describe the facts accurately and synthetically. Please attach all the information and documentation you have about the case (telephone numbers, message content, contracts, text of consents, etc.) that can support the complaint and support the analysis of the CNPD.”

Be sure to exercise the rights that the RGPD has given you.


Jane Kirkby, lawyer and partner at BAS

More in Communication