Fed Ma Report

FEDMA Pan European Email

Marketing Benchmark Report

Sponsored by

2010 - first edtion

This report is published by FIMAC –

FEDMA‟s Interactive Marketing Council

Federation of European Direct and Interactive Marketing

439, Avenue de Tervuren, B-1150 Brussels

Tel: +32 2 779 42 69

Fax: +32 2 779 42 69

E-mail: [email protected]

Web: www.fedma.org

Copyright © FEDMA 2010

All rights reserved. No part of this publication may be reproduced, stored in a retrieval

system, or transmitted by any means, electronic, mechanical, photocopying, recording

or otherwise, without the prior permission of FEDMA.

Further copies of this report can be purchased from FEDMA at the above address, priced at

€1.200, or €349 for FEDMA members.

2

FEDMA Pan European Email Marketing Benchmark Report First edition 2010

Table of contents

3

Section I:

A. Introductions/welcome by:

1. About Nick Martin; About Field Fisher Waterhouse LLP P. 5

2. Alastair Tempest - Understanding how to engage through email marketing P. 6

B. Executive Summary P. 8

C. Sponsors:

Alterian, Opt4, Mardev, Telefaction, Fokus Integrated, PAR P.12

D. Survey - Clients:

D1. Geographical distribution of respondents P. 15

D2. Use of promotional emails as part of marketing mix P. 16

D3. Represented industries/segments P. 17

D4. Number of employees (in company, in marketing department and working with email marketing) P. 18

D5. Number of years the company is using email marketing P. 19

D6. Target groups P. 20

D7. Handling of email campaigns P. 21

D8. Campaign frequency (How often are email campaigns sent) P. 22

D9. The use of transactional emails P. 25

D10. Main motivation for the use of email marketing P. 26

D11. Expenditure prediction for the next 12 months P. 27

D12. Expectations for the next 12 months (deliverability rates, unqiue open rates, P. 28

click through rates, opt-out rates, volumes)

D13. Strategic importance of email marketing P. 30

D14. The allocation of marketing budgets to email marketing P. 30

D15. Compliance with legislation P. 32

E. Campaign metrics:

E1. Regular newsletter P. 33

E2. Sales/product service campaigns P. 34

E3. Customer/Product surveys P. 35

E4. Win-back campaigns P. 36

F. Survey - Email Service Providers:

F1. Geographical distribution of respondents P. 37

F2. Average delivery rates P. 38

F3. Average hard bounce rates P. 39

F4. Average opt-out rates P. 40

F5. Average unique click through rates P. 41

F6. Average unique open rates P. 42

F7. Volume prediction for the next 12 months P. 43

F8. Volumes for April, May and June 2009 P. 44

F9. Days of the week with largest volume of emails P. 45

F10. Days of the week with lowest volume of emails P. 47

G. ESPs and DMAs P. 49


Table of contents

4

Section II:

2010 Legal Overview – Email Marketing in Europe P. 57

Introduction by Alastair Tempest, FEDMA P. 58

About FEDMA P. 160


Data Protection and Regulations in:

Austria P. 60

Belgium P. 66

Bulgaria P. 71

Denmark P. 74

Estonia P. 78

Finland P. 83

France P. 87

Germany P. 90

Greece P. 93

Hungary P. 96

Ireland P. 100

Up to date guidelines for professional marketers, including detailed information on:

Current Data Protection Laws and Regulations

Registration of marketing lists with the National Data Commission (cost, duration)

Common legal ground for the use of electronic messages for marketing purposes

Rules on electronic communication for B-to-B marketing purposes

Collection of data (opt-in, opt-out, soft opt-in)

Notification when Collecting Data

Time limits on holding data

Purposes for processing personal data (main guidelines)

Wording of notice when collecting data

Penalties for breaching the rules on unsolicited Email messages

Online Collection & Processing of Data

Additional rules for on-time collection of data on the internet

Access and rectification of data

Codes of Practice & Preference Services (Robinson Lists)

Italy P. 107

The Netherlands P. 115

Norway P. 120

Poland P. 124

Romania P. 128

Slovenia P. 133

Spain P. 140

Sweden P. 145

Switzerland P. 148

United Kingdom P. 151

United States P. 156

With 25 years spent in marketing information services, Nick's career has

spanned market research; insourced /outsourced customer and

campaign management solutions; information products; demand

generation programmes and online marketing.

Nick spent many years at Reed Business Information (RBI), leading their

global B2B marketing services operation Mardev. Latterly he was

European Vice President and UK Managing Director at Acxiom.

He first launched a B2B email marketing service in 2000, online B2B lead

generation in 2006, before developing Acxiom's integrated

consumer demand generation solution across Europe.

Now independent, he is currently working on ventures in collaborative

outsourced solutions and online consumer engagement.

5


About Nick Martin

With thanks to Eduardo Ustaran and Michelle Levin of Field Fisher Waterhouse LLP.

Field Fisher Waterhouse LLP is a full-service European law firm with offices in London, Manchester,

Brussels, Hamburg and Paris.

Field Fisher Waterhouse LLP's market leading Privacy and Information Law Group comprises a

dedicated team of lawyers supported by an international network covering over 40 jurisdictions with

specialist knowledge across all areas of privacy and data protection law. Its work embraces all aspects

of privacy-related law, including working with regulators across the world and contributing to the

policy-making process

Eduardo Ustaran is the head of the Privacy and Information Law Group and an internationally

recognised expert in privacy and data protection law. Eduardo advises international clients, including

FTSE 100 companies and leading Internet businesses, on the adoption of global privacy strategies.

Named by Revolution magazine as one of the 40 most influential people in the growth of the digital

sector in the UK, Eduardo is co-author of E-Privacy and Online Data Protection and of the Law

Society‟s Data Protection Handbook.

Michelle Levin is a solicitor in the Privacy and Information Law Group. Michelle's practice focuses

privacy and security issues in relation to the Internet and e-commerce, marketing activities and

information sharing.

www.ffw.com

About Field Fisher Waterhouse LLP

Find him on Twitter: http://twitter.com/n1ckma , Linkedin and on his blog

http://marketingpages.typepad.com/

http://twitter.com/n1ckma /

http://twitter.com/n1ckma /

http://marketingpages.typepad.com/

6

Thanks to the national direct marketing associations (DMAs), and other sources that we had at our disposal we were

able to send at the survey to a wide range of ESPs and clients across Europe – and, indeed, far beyond.

Email marketing has not had a very easy beginning. Unlike most marketing channels, it was immediately seized upon

by unscrupulous operators, and naive amateurs who created an era of spam, which lost the trust and confidence of

consumers, and greatly irritated regulators. Email marketing was almost strangled at birth by the activities of

spammers, sending out millions of unsolicited, untargeted and unwelcomed messages, which not only clogged up

consumers‟ mail boxes, but also played havoc with the ISPs‟ systems. Since email remains a cheap marketing

medium there is a temptation to forget two of direct marketing‟s cardinal rules – always target your

communications and never over-do a good thing! Consumers who have opted in can become frustrated by too many

irrelevant messages and then opt out – when that happens the customer / potential customer is lost forever. Over-

mailing also can cause problems with ISPs and trigger other systems which block bona fide senders as well as

spammers. In 2002, the European regulators applied opt-in (consent) laws for electronic communications, and over

time there have been some successful prosecutions of spammers. But by far the most important development have

been technical solutions (firewalls, spam filters, etc). Spam volumes have continued to rise over time and are now

variously estimated to be about 40 billion messages a year, 95% of total email traffic. The European Network and

Information Security Agency (Enisa), Microsoft and Symantec all come to about the same estimate. Symantec points

out that the percentage change from 2006 to 2009 has been 39% (from 56% to 95%), which is horrific. Effective

filtering has reduced the numbers of spam actually delivered. However, in another concerning development, while

the amateur spammer is now less active, professional and highly organized criminal spam operators have appeared

with their “bots”, viruses, spyware, etc, to plague both the consumer and business. FEDMA recognized the need to

be actively engaged in the fight against spam early on, and became one of the first business organisations in the

London Action Plan (LAP) – a unique, global cooperation between the regulators, enforcement bodies and business.

However, despite the problems created by spam, email marketing has not only survived but flourished on the basis

of opt-in (consent) from the consumer (and now in some countries, also applied to business to business emailing, as

the reader will see in the section on legal requirements at the end of this report).

Email marketers are tackling the problem of getting their messages accepted both by ISPs, and also by the individual

firewalls and spam filters on personal computers. This is not easy and there are a number of national initiatives to

try to solve the problems, such as the German ISPs‟ (ECO) system, which recognizes specific ESPs (email service

providers) and provides a strict code of best practice. FEDMA does not believe that the spam issue has stopped

damaging bona fide marketing messages – far from it, spammers use sophisticated and state-of-the-art software to

avoid being blocked – however, properly done email marketing is now much better recognised and accepted.

Email is a fast, effective, and efficient medium for getting marketing messages, and supporting information (such

as regular email information sheets – “ezines” – and other supporting information alerts, customer relations info,

etc) to the recipient. Email may even be helped by its ephemeral nature – it can be easily stored in the email

mailbox of the receiver, and equally easily deleted. Interested – but not now – leave it in the inbox; not interested –

delete with a click.

IntroductionAlastair Tempest, Director General,


Welcome to this, the first pan-European email benchmark survey.

The idea for doing this study dates back a few years to a discussion with Michel Lambert of

Procter and Gamble, who said that there was a major gap in his research on European

marketing practices and wondered if we could help fill that. We knew of the UK DMA‟s

quarterly survey on email, and therefore approach them for help. The Email Marketing

Council of the UK DMA most generously offered us their template and the use of their data to

add to this report. FEDMA‟s own new media council, FIMAC, took up the challenge, and Nick

Martin, courageously, agreed to provide the expert insight into the interpretation of the

data.


7

As direct marketing has rapidly evolved over the last decade into multi-channel, convergence (relationship)

marketing, all means of communication are finding their place. Email is particularly powerful in both a “passive”

and “active” context – it is used to send information to the consumer (which can of course include active links to

websites, etc); and it is used by the consumer to send messages to the marketer. As our survey shows, email has

moved from being used by marketers simply as an acquisition tool, and is now recognized as a very effective method

for demand generation, combining push and pull, as part of integrated programme in web marketing. Email within

these parameters has proved to be the key to success for many campaigns.

As the legal section of this report shows the regulations in place within the European Union vary enormously. Opt in

is universally required in the EU, however, how that is applied is not at all consistent, with a number of the 27 EU

Member States simply ignoring part of the EU directives. This makes the email marketers‟ job difficult and raises

questions in cross border email marketing campaigns. FEDMA is constantly being approached by marketers for advice

on these issues.

FEDMA intends in the future also to produce benchmark studies for Europe on mobile marketing and multi-channel.

We expect that we will find considerable convergence between all these major marketing communications channels.

Each provides specific benefits, within the general marketing strategies of marketers. Direct mail, for example, can

help drive permission (consent) for email; SMS through short messages provides links which the consumer can either

activate to eventually receive, or send, emails to the marketer, etc. The website and the telephone also play key

roles in this convergence or integrated marketing. The new generation of mobile phones has brought email to the

handset of consumers as well as business.

As marketers, we need always to be careful to nurture the trust and confidence of our customers. Email (as spam

has shown) can become very intrusive if used unwisely. Excessive use of an opted-in email list will rapidly lead to

loss of consent. Recipients will simply exercise their right to opt out, and once that happens the contact is most

likely to be lost forever. Codes of conduct (and best practices, suggested in reports such as this one) are useful

guidance to prevent the over-use of, or even misuse of, email lists. But the most important thing an email marketer

has is the common sense to avoid over-using its email lists.

Creativity is another issue which many experts have written about. The creativity to create great email copy is

completely different from the skills needed to write a great direct mail letter! Experience is providing excellent

case studies and training courses to help the marketer / agency new to email to find its way through the pitfalls and

achieve excellent results. But training is important.

This report would never have been prepared had it not been for the work of a number of people.

We are extremely grateful to the UK DMA Email Marketing Council for allowing us to use their well-established

template and results; to Nick Martin who has carefully analysed the data and provided the commentary; to Michael

Leander Nielsen of Fokus Integrated and to all the FIMAC Council of FEDMA for their invaluable assistance. Eduardo

Ustavan of Field Fisher Waterhouse and his colleagues provided essential legal input to the Legal Section. And of

course, we are greatly indebted to the national direct marketing associations; and to all those ESPs and marketers

who took the time to fill in the questionnaire. We do hope that you will continue to answer our annual

questionnaire from now on!

The report would not have been possible without the generous support of Alterian and Opt4, and to Mardev which

sponsored its publication.

Finally, the FEDMA staff, Jorgen Andreassen, Razvan Antemir, Lena Jaggi, Salima Hassan and our intern Victory Budd

have been invaluable in bringing this baby to term!

If you see any errors, or have suggestions please let us know so that we can improve the study in the future.

Alastair Tempest, April 2010

Introduction Contd


8

Executive Summary

The first pan-European Email Marketing Benchmark Survey

FEDMA has published the first pan-European Email Marketing Benchmark Survey. This is sampled from

clients directly and Email Service Providers (ESP), comprised of 464 end users and 75 email service

providers (ESPs), with respondents operating across 16 European countries. There is broad

representation from across sectors and size of organisations.

The Survey published by FEDMA contains 31 charts. In addition there is a 102 page report on the legal

situation in 22 countries.

Email marketing benchmark survey overview

At the survey shows, over the last decade email marketing has grown from being a discrete

marketing activity, delivering exceptional rates of return, to a connected part of an organisation‟s

overall marketing mix.

Today it is rare for an organisation not to employ email marketing as a prime channel, whether for

acquisition, list building, lead generation, nurturing, customer management, up and cross sell,

retention marketing or win-back programmes.

Inevitably as its use has become embedded as an essential part of any customer communication or

engagement strategy, and email volumes have rocketed, its effectiveness for acquisition marketing

in particular has moderated. Notwithstanding it is proving a phenomenally successful marketing

channel in the hands of responsible practitioners, and the vast majority of organisations now use

email as a key communication channel.

Years practised

Yet the average length of time that respondents to the benchmark report have been deploying email

marketing is just over 5 years, ranging from 3 1/2 to just under 7 years. So for many practitioners it

is a relatively new medium.

The insight challenge

Is this a determinant factor behind the extent to which end user practitioners are able to measure or

report results? Whilst everyone polled knew what volume of email had been sent, and most knew

what their open rates were, a quarter of end user respondents were unable to report hard bounce

and opt out rates, and almost a third could not say what the conversion to sale was from their sales

and product/ service information campaigns.

A quarter of email marketing practitioners still do not personalise, which also suggests that among

that group, limited segmentation and targeted list selection takes place. This will need to change if

email marketing is to justify continuing increased levels of investment based on performance due to

rising market activity levels.

With 56.7% of end users undertaking email marketing entirely in-house, there is a parallel need to

apply more rigorous analysis; and as marketing departments find themselves increasingly stretched

in an increasingly challenging world, they may well need to reconsider outsourcing key aspects of

their email marketing operations.

Executive Summary - FEDMA Pan European Email Marketing Benchmark Report First edition 2010

9

Executive Summary


Email marketing growth prospects

Email marketing activity levels are set to continue to grow, and campaigns are likely to proliferate.

72.3% of respondents plan on sending out more marketing emails, and practically no one expects to

do less. Yet opt out rates as a proportion of total volumes are expected to hold steady. This assumes

at least as much or better targeting in spite of the higher volumes.

A number of factors are driving these growth trends:

• Newsletter activity is generally undertaken monthly, reflecting a one size fits all approach. With

a likely future trend towards greater targeting will come dynamic content ordering and other

data driven personalisation reflecting transactional history, preferences and demographics, and

a 1 to 1 approach to customer management via email.

• Email marketing is gaining a greater share of the marketing wallet along with other forms of

digital media, at the expense of traditional advertising and offline media, due to immediacy of

results (notwithstanding the considerable scope for improving performance measurement).

• Driving sales is the main motivation for using email marketing, along with lead generation and

driving web traffic. A lot of that activity is in support of new customer acquisition. Whilst that

will continue, expect the biggest growth over the next year to come in customer management

cross and up sell programmes.

• Email marketing‟s expanding role within integrated marketing campaigns, lead generation, social

media and customer management programmes shows that it is ripe for further growth as more

sophisticated consumer engagement rule sets are defined and applied that reflect buyer and

customer behaviour; and permit practitioners to act upon it quickly.

Key growth factors/ inhibitors

Continued growth may well be anticipated and planned for by the majority of respondents, but it

should not be assumed at any cost. The future growth – and health – of email marketing will depend

on some key factors:

• Better targeting and the use of properly permissioned and managed customer information

databases; the relevancy of campaigns and careful application of local/ EU laws.

• Careful stewardship of customer information databases, and developing email marketing use

further into the consumer/ buyer engagement process. The impetus to increase volume and

activity can only be successfully achieved where it remains engaging.

• Delivery to inbox, which will be increasingly seen as a barrier to overcome, especially in B2C.

Deliverability and IPR

Whilst Deliverability rates are expected to improve or remain the same, this raises a key question of

how deliverability is measured. Most practitioners will determine deliverability as delivery to

Internet or to mail server as the primary measure, but delivery to inbox or Inbox Placement Rate

(IPR) is being seen as an increasingly key metric.1

1 I am indebted to Richard Gibson of Return Path for his advice and knowledge on IPR issues.

10

Executive Summary

IPR is tied in with reputation. If reputation is poor, acquired through issues like indiscriminate use or

poor targeting, large groups of consumers belonging to the same ISP domain, for example, such as

GMail or Hotmail will not receive bulk email from that source into their inbox. It is estimated as a

much as 7% of email marketing campaigns go missing, which historically has not been accounted for.

Strategic vs tactical

End users overwhelmingly believe email marketing to be strategically important, but that belief is

yet to translate into a strategic approach around execution. Poor visibility of conversions to sale and

conversions to action, and the lack of testing around aspects such as creative templates and

frequency suggests there is much more critical measurement and insight needed.

ESPs support this view, characterising end users as much more focused on tactical vs strategic use of

email marketing, according to the DMA UK benchmark survey Q3 2009. That survey also highlights

just 38% of email marketing driven by some data, and only 16% whose content is driven entirely by

data.

Compliance

Just 7% of end users polled lacked confidence in their compliance with legislation, with B2B

organisations twice as concerned by this issue compared with B2C organisations. Nonetheless there is

some evidence that in certain countries tougher regulation significantly holds back companies from

undertaking acquisition marketing based on concerns of strict legal compliance.

A full 102 page report on the legal requirements in 22 countries completes the Email Benchmark

Survey. This shows the considerable legal differences that exist between the European national laws,

despite the supposed “harmonization” of national regulations by the European Union. In particular,

there are wide differences in the local interpretation of the concept of “soft opt-in” for email

marketing. This principle in the EU directive is supposed to allow a marketer to email a customer,

whose email address has been given “in the process of sale”, without having to get any further opt in

(the customer always has the right at any time to opt out). But the national variations on this

principle vary greatly which make it impossible for an email marketer which is established in many

EU states to follow the same legal procedures.

Email marketing uses

Newsletter and related customer management activity is likely to be a key growth area over the next

12 months, with the growing recognition that email marketing is especially well suited to these

applications. This is reflected in the difference in click through rates between newsletter and sales

or product/service information campaigns, which average 17% higher.

Nearly three-quarters of end users deploy email marketing for sales or related campaign activity.

Open rates typically range 10%-25%. Unsurprisingly, sales and product/ service information

campaigns generate conversion to sales 4x better than newsletters or customer surveys.

53% of respondents do not use email marketing for customer or product (development) surveys.

Where they do, they experience excellent results.

The majority of companies do not use email marketing for win-back campaigns following the loss of

customers. The minority of respondents who do use email for win back, have experienced excellent

results, with conversion to sale or action of between 2% and 5%.


11

Executive Summary

Nor do they systematically use transactional emails for cross and up selling.

In both cases here are clearly opportunities missed, which once again suggests that email marketing

is deployed typically as a series of standalone activities, in some cases integrated with online, but

generally not implemented as an end-to-end programme or integrated with other customer channels.

ESP reported Average delivery rates

Average delivery rates of end user client organisations using ESP platforms are reported in the region

of 85-99.6%. These effectively are acceptance rates, that is a calculation based on number of emails

delivered to the Internet less the bounces.

As highlighted earlier in the report, it does not take into account missing emails that go to spam

folders or do not make it into the inbox (and where no bounce codes are received back from ISPs).

ESP reported Hard bounce rates

If hard bounce rates are a primary measure of list quality, there is scope for improvement in email

data quality, with 15% of all campaigns seeing hard bounce rates of more than 7%, and a further 20%

experiencing hard bounces of between 3%-7%.

Compared to end user respondents, results favour those campaigns conducted exclusively via ESP

platforms.

ESP reported Click through rates

Click through rates, indicating how effectively the email is engaging with the buyer or consumer,

predominantly (61%) fall within the broad range of 4-20%. Within that broad range, the tightest

distribution reported by ESPs falls into the 4-8% range. This broadly correlates with the click through

rates reported by end users.

ESP reported Open rates

Open rates reported were across a very wide range, and reflect the varying performances of

individual campaigns. There is no discernable country pattern within ESPs. This goes to show that

that campaign design, the ability to engage the consumer/ buyer and cut through the inbox clutter,

is paramount.

Practitioners would do well to test more rigorously each element of an email campaign, beyond the

generally adopted focus on subject lines, sender name, time of day and week, and spam filter

scoring.

Volume predictions for 2010-04-07

Email marketing is poised for strong growth this year, at the expense of traditional offline channels.

19% of the respondent ESP base expect their clients to increase volume of email marketing between

a quarter and a half year on year, a continuation of the shift from offline to digital channels.

Nick Martin

& FEDMA

April 2010


Sponsors

12

FEDMA would like to thank the following sponsors for their kind support:

Main sponsors:

Alterian (LSE: ALN) empowers organizations to create relevant, effective and

engaging experiences with their audience that help build value and reinforce

commitment to their brand, through the use of the Alterian Integrated

Marketing Platform. Alterian drives the transformation of marketing and

communications, making it practical and cost-effective for companies to

orchestrate multichannel engagement with the individual.

The Alterian platform combines campaign management, web content

management, email and social media monitoring tools to help marketers be

more insightful, engaging and accountable than ever before, by sending the

best, most relevant message at the right time – regardless of channel. One of

the key differentiators of the Alterian offering is that the various elements are

integrated. The marketer can move seamlessly between organizing their

resources, undertaking analytics, planning a campaign and overseeing the

approvals necessary to drive things to timely completion.

Alterian‟s unprecedented integration of analytics, content and execution

through industry leading tools, such as the Dynamic Messenger email platform,

SM2 Social Media Monitoring platform and the award winning Content

Management solutions, enables companies to build integrated communication

strategies which create a true picture of the individual.

Marketers can now orchestrate multichannel engagement with the individual as

opposed to mass marketing. This will impact businesses profitability through

integrating data from online and offline sources in order to truly engage with

the individual at every step of their customer lifecycle. Offering individuals

what is relevant to them and engaging in conversations with them generates

influence, advocacy and revenue.

Alterian is changing the rules of the game through technology – allowing

marketers to listen to the conversations their customers, prospects or

influencers are having, and engaging in conversations with them to add value.

Alterian's advanced marketing software is being used as the 'intel inside for

marketing' by many of the world's leading Agencies, Marketing Services

Providers and Systems Integrators, allowing them to deliver cutting edge

marketing solutions to many of the world‟s largest brands.

Alterian works with marketing services partners, system integrators and

agencies who recognize the need to plan and deliver coordinated customer

engagement services in partnership with their clients. For more information

about Alterian, products within the Alterian Integrated Marketing Platform or

Alterian‟s Partner Network, visit www.alterian.com or the Alterian blog at

www.engagingtimes.com.


http://www.alterian.com/

http://www.engagingtimes.com/

Sponsors

13

Mardev, the direct marketing division of Reed Business Information, helps

you to source leads and generate qualified prospects through integrated

direct marketing campaigns.

Our mission is to solve our client‟s prospecting, lead generation and business

development needs. We achieve this through a range of highly responsive

B2B contacts, an unrivalled online community of B2B decision makers, brand

leverage and our quality marketing services.

With a lists portfolio of more than 300 databases made up of business and

professional contacts from around the world we can improve the accuracy

of your business targeting.

But we appreciate that successful business targeting involves much more

than just lists. Our range of innovative services has been developed to add

value to the process of acquiring and retaining new customers.

>> database enhancement

>> predicitive modeling

>> data audit

>> lead generation

>> demand generation

We offer a complete solution, from finding your very best prospects,

improving the accuracy and profile of your customer database, and

qualifying response through lead generation. Our unique business audiences

and targeting solutions ensure that you get the high quality response you

need to build healthy profits in the future.

www.mardev.com


Opt-4 is an international permission marketing and privacy consultancy

that helps organisations to comply with the Data Protection and the

Electronic Communications regulations, providing recommendations to

minimise risks whilst maximising customer trust and interaction with

brands.

www.opt-4.co.uk

Main sponsors:

Sponsors

14

Other sponsors:

Fokus Integrated is specialized in helping B2B and B2C marketers improve

customer acqusition, retention and loyalty through cleverly designed and

highly cost effective automated marketing programs. More experienced than

most, our principals each brings 15-20 years of “hardcore” direct marketing

expertise to the table. Add to that an average of 10 years of interactive

marketing experience and you have one of Europe‟s most experienced experts

in the marketing automation space. To you that means an unparalleled focus

on implementing engaging, automated and integrated direct/interactive

marketing programs that are specifically designed to meet your critical

marketing objectives - now and in the future.

www.fokusintegrated.com

PAR is developer of direct marketing information since 1956. PAR is a database

owner and an expert at collecting and handling large volumes of information,

such as addresses, telephone numbers and market information. Depending on

your needs, we deliver the pieces of the information puzzle that are useful to you

– addresses, information handling services or long-term CRM solutions.Tell us who

you want to reach and we‟ll make sure that you really hit your target – in

Sweden, Scandinavia and Europe.

www.par.se


TeleFaction helps your organisation increase loyalty and increase sales fast and

efficiently. When it comes to increasing customer loyalty and reducing customer

defections, everyone with high contact intensity with customers and subjects

may benefit from TeleFaction‟s Return on Behavior® concept.

www.telefaction.com

The results: Client Survey

In this first section we review the benchmarking survey results of 464 end user e-marketing

practitioners, drawn from across Europe, with the highest completed samples from the following

countries:

Germany

Austria

United Kingdom

Sweden

Switzerland

Belgium

Denmark

Netherlands

Slovenia

Norway

Finland

Ireland

Italy

France

Hungary

Spain

For the quantitative benchmark questions, respondents were asked to either a) report the results of last

3 email campaigns individually, or b) the average of the last 3 email campaigns sent out.

15

SECTION I – Survey


Use of promotional emails as part of marketing mix

16

Yes; 94,2%

No; 5,8%

1.0 Does your organization use promotional emails as part of your marketing mix?

Copyright © by FEDMA



Over the last decade email marketing has grown from being a discrete marketing activity, delivering

exceptional rates of return, to a connected part of an organisation‟s overall marketing mix.

Today it is rare for an organisation not to employ email marketing as a prime channel, whether for

acquisition, list building, lead generation, nurturing, customer management, up and cross sell,

retention marketing and win-back programmes.

Inevitably, as its use has become embedded as an essential part of any customer communication or

engagement strategy, and email volumes have rocketed, its effectiveness for acquisition marketing has

moderated. Notwithstanding it is proving a phenomenally successful marketing channel in the hands of

responsible practitioners.

The vast majority of organisations use email as a key communication channel. That trend is set to

continue. According to the Email Marketing Industry Census from Econsultancy (in association with

Adestra); email now accounts for 17% of brands‟ digital marketing budget, up from 14% at the start of

2009.

Represented industries/segments

17

Air

line

Bankin

g /

Fin

ancia

l Serv

ices

Busi

ness

Serv

ices

/ C

onsu

ltin

g

Consu

mer

Ele

ctr

onic

s

Educati

on /

Tra

inin

g

Energ

y /

Uti

liti

es

Ente

rtain

ment

FM

CG

(Fast

Movin

g C

onsu

mer …

Govern

ment

Hosp

itality

(hote

l, r

est

aura

nt)

Insu

rance

Inte

rnet

busi

ness

, pure

pla

y

IT h

ard

ware

IT s

oft

ware

Manufa

ctu

ring

Media

/ P

ublish

ing

Medin

cal/

Denta

l/H

ealt

hcare

Non-P

rofi

t / T

rade A

ssocia

tion

Reale

state

Reta

il (

not

e-c

om

merc

e)

Tele

com

munic

ati

ons

Tra

vel / T

ransp

ort

ati

on

Whole

sale

/ D

istr

ibuti

on

Oth

er

-sm

all m

ediu

m s

ized …

Oth

er

-sm

all m

ediu

m s

ized …

Oth

er-

larg

e b

usi

ness

B2C

Oth

er-

larg

e b

usi

ness

B2B

0,0%

2,0%

4,0%

6,0%

8,0%

10,0%

12,0%

14,0%

1.1 Which industry do you belong to?




The benchmark survey is sampled from end user practitioners directly and ESPs. Although all industries

were represented, there is a slight respondent bias towards B2B organisations, with 56.2% of companies

marketing solely to other businesses, with 28% marketing to both businesses and consumers, and the

remaining 15.8% representing consumer-only brands or offerings.

The most represented sectors are business services/ consulting and hi tech organisations (both 12%),

Media/ publishing (11%), IT small & medium sized B2B firms (9%) other large B2B organisations (7.5%),

manufacturing (5.5%) and wholesale/ distribution (4.75%).

Other sectors with less than 5% are financial services, telecommunications, ecommerce and internet

pure-plays, utilities, retail, travel, entertainment, health, education and not for profit.

Number of employees

18

12,8%

5,3%

7,6%

3,3%

13,4%

4,5%

11,6%

5,0%

12,6%

5,5%

4,3%

1,3%

2,5%

3,5%

6,8%

1-4

5-9

10-14

15-19

20-29

30-49

50-99

100-199

200-499

500-999

1000-1999

2000-2999

3000-4999

5000-9999

>10000

1.2 How many employees do you have at your company?




Sampling by company size is very evenly distributed when comparing to the business population of the

major economies in Europe by size, with 24% of responses from organisations of more than 500

employees. A further 29% of responses were from companies of 50-500 employees. 47% of respondents

belonged to companies employing less than 50 people.

Can you estimate how many employees in your marketing department work with email marketing?

European Average: 4,4

Approximately how many years has your organization practiced email marketing?


Number of employees and Number of years the company

is using email marketing

19

1 employee; 24,7%

2-4 employees; 37,9%



20+ employees; 14,0%

1.3 What are the number of employees in your marketing department?




Almost two thirds of respondent organisations employ less than 4 people in their marketing

department, with 23.7% employing more than 10 marketing personnel.

Whilst email marketing has enjoyed a decade of rapid growth, the average time that organisations have

adopted email as a marketing channel is just under 5 years.

Variation ranges between a mean average of 3.5 years for Norway, Italy, Spain, Hungary, Finland and

Slovenia, to 6.9 years in France.

Target groups

20

Only businesses; 56,2%

Only consumers; 15,8%

Both businesses and consumers; 28,0%

1.4 Which of the following groups are you primarily marketing to?




Handling of email campaigns

21

56,7%

2,3%

40,9%

1.5 How do you handle your email marketing efforts from start to finish, from a production perspective?

Everything done in house

We outsource everything

Mix of internal and outsourcing




Given the pressure on resources that many marketing teams are under (62.6% of marketing departments

are staffed with 4 or less people), it is notable that 56.7% of all companies still undertake their email

marketing entirely in-house.

Only 2.3% outsource everything, suggesting activities such as campaign definition and key parts of the

operational process are still managed in-house. 40.9% say they manage a mix of outsourced and in house

activities.

B2C brands are more likely to outsource all marketing efforts, although that still accounts for only 6% of

respondents, with most (55%) preferring to do everything in-house. B2B brands on the other hand have

not as yet considered outsourcing email marketing in its entirety, with 62% doing it all in-house.

With greater sensitivity in the practise of direct to consumer email marketing and the need for

correspondingly more support and expertise, perhaps these differences are not altogether surprising.

A few trends are likely to change that over the next couple of years, given the number of ESPs that

operate a Software as a Service (SaaS) model:

-The need for greater (ie more sophisticated) targeting and personalisation.

-Increased data mining and profiling activity, as segmentation by online personas and behaviour becomes

more widespread.

-Tighter definition and management of permissions.

-Greater use of campaign rules.

-Integrated use of email with online advertising, social media and other interactive channels.

In other words, marketing is becoming a more complicated discipline, customers need to be engaged

with and across many more channels than ever before, and are far less predictable in their purchasing

and/ or engagement patterns. It is therefore increasingly difficult to cover the ground through a

stretched, in-house resource, and increasingly unlikely that the necessary skills exist within an in-house

team to do everything.

Campaign frequency

22

4,9%

16,1%

12,5%

30,6%

21,3%

3,6%

10,9%

Daily

Weekly

Every two weeks

Monthly

Quarterly

Every six months

Don‟t send email newsletters

1.6 Do you send email newsletters and if so, how often do you send them?




Of the 79 respondents who sent newsletters via email, 70% on average were used in context of B2B

activity, 10% were a mix of B2C and B2B, whilst 20% related to B2C activity.

The most popular campaign frequency for sending email newsletters out is monthly. In Italy and

Slovakia the average frequency increases to weekly, whilst Sweden, Norway and Spain the average falls

to quarterly sends.

There appears to be no correlation between other factors, such as bounce or opt out rates, and the

frequency with which newsletters are sent.

Infrequent newsletters suggests a one size fits all approach to newsletter content, whereas the scope

for dynamic content ordering, for example, to reflect different customer segments and recent

behaviour arguably increases with frequency.

More frequent newsletters certainly demand closer integration with an up to date customer

information database to reflect recent transactional history or other pertinent factors.

Campaign frequency

23

2,9%

9,1%

4,4%

18,4%

10,5%

0,9%

53,8%

Daily

Weekly

Every two weeks

Monthly

Quarterly

Every six months

We don‟t state how often newsletters will be sent

1.7 Does your newsletter registration form say how often they will be sent and if so, what frequency do you say?




The majority of respondents do not inform newsletter subscribers of the frequency with which they will

receive them.

Whilst on the face of it this appears to be a general omission, in practise the more targeted and

„triggered‟ email newsletter content is based on a predetermined range of behaviours, the less

predictable frequency becomes. In this context, notifying customers of newsletter frequency in

advance may become restrictive.

Campaign frequency

24

3,4%

13,6%

11,0%

23,8%

18,1%

8,4%

21,7%

Daily

Weekly

Every two weeks

Monthly

Quarterly

Every six months

Don‟t send promotional email campaigns

1.8 Do you send email campaigns with promotional content, such as sales offers, and if so, how often do you send them?




21.7% of all companies do not use email for promotional content such as sales offers, whilst 41.9% send

promotional emails monthly or quarterly. 17% of companies send out promotional emails weekly or

daily, the balance of 11% sending them out every two weeks.

There are differences in the most practised frequency of promotional contact by email depending on

the country:

Weekly – Slovenia (43%), Hungary (50%), Ireland (25%) and Sweden 23.1%

Monthly – Norway (41.7%), Switzerland (27%), Finland (33%), UK (31.6%), France (50%), Denmark

(31.8%)and Germany (29.2%), Austria (27.5%)

Quarterly – Netherlands (28.6%), Belgium (32.1%) and Austria (27.5%)

In Ireland, 25% of companies only send promotional emails every 6 months.

Those countries most likely not to send promotional content by email are Finland, Spain (33.3%), Italy

(28.6%) and Germany (29%). Privacy regulation, and an organisation‟s interpretation of it, is likely to

determine corporate policy towards unsolicited commercial email (UCE) in many cases. It is surely no

coincidence that those countries with the most restrictive and/or punitive data protection laws are

those where email marketing is least used as a sales channel (see legal report in this survey from page

57).

The use of transactional emails

25

Yes; 27,0%

No; 32,5%

Don‟t use transactional emails; 40,5%

1.9 If you use transactional emails, such as order confirmations, are they an integrated part of your cross- and up selling process, for example do they

include sales offers?




Where transactional emails are generated as part of an order confirmation process, just under half do

not use them for cross and up sell strategies - what traditional direct mail order companies would have

described as „free rides‟.

Notable exceptions to the average results are Italy, where 43% of companies do use transactional

emails to cross an up sell together with Norway (41.7%), and Austria (37%).

Main motivation for the use of email marketing

26

Ranked 1 2 3 4 5

Drive web traffic 15.7% 22.7% 27.3% 16.3% 18.0%

Direct sales 32.9% 22.2% 10.5% 12.0% 22.4%

Lead generation 29.1% 22.4% 20.6% 18.2% 9.7%

Brand awareness 15.7% 21.9% 22.2% 26.5% 13.7%

Support other marketing

communications 9.5% 12.7% 19.6% 24.8% 33.4%

2.0 What purposes are most important for your email marketing efforts? Please

prioritize the purposes listed below giving 1 for the most important, 2 for the second

most important and so on.




When it comes to marketing and sales application areas for email marketing, driving sales is the

overwhelming priority, either directly (as direct sales) or indirectly (as lead generation).

In the case of lead (or demand) generation, email will most often work as part of an integrated

campaign that encompasses primarily online affiliate marketing, the use of lead generation networks,

and paid for search.

Relatively little attention tends to be paid to the continuation of email marketing in order to nuture

unconverted interest from lead generation and inbound sales channels over a longer period of time. This

is an area of considerable future development that should yield excellent returns, but requires careful

planning.

For most countries the second priority is to drive web traffic or lead generation. It should be noted that

whilst the two activities can be applied to different purposes, at least some of the responses that

identify driving web traffic will likely relate to lead generation activities as well, i.e. activity that is

designed to lead to consumer engagement with the goal of increasing sales or building an opted in

prospect base.

Brand awareness is considered the next most important use in Belgium, France and Spain.

In those countries where direct sales is not the most important motivation for using email marketing

(Austria, Norway and Finland), it is considered the second most important use.

Only in Italy, Spain, Slovakia and Ireland do companies not consider the use of email for lead generation

in their top 2 priorities.

Expenditure prediction for the next 12 months

27

Increase; 66,2%

Neither increase nor decrease;

30,8%

Decrease; 3,0%

2.1 We are trying to get a prediction of marketing spend for your email marketing in 2010. Do you think it will increase or

decrease for your organization over the next 12 months?




Spend on email is forecast to grow over the course of 2010, with 2/3rds of respondents expecting to

grow their investment in email marketing. Tellingly, only 3% would expect to decrease their spend in

this time period.

This clear trend is reflected in Ipsos Mori‟s poll for the Chartered Institute of Marketing report The

Shape of Digital to Come? Senior marketing practitioners in Q4 2009 were polled to ask how their spend

would vary year on year across different marketing activities. Email (1.6%) and online (2.5%) were

expected to be the biggest winners in attracting additional marketing investment, at the expense of

offline advertising (-3%), sponsorship (-2.3%), direct mail, and internal marketing (-1.6% each).

Geographical markets will vary according to their relative maturity.

Continued growth will depend upon a number of factors:

The first is ongoing effectiveness of email as a push marketing medium, which depends principally upon

targeting/ use of properly permissioned and managed customer information databases; the relevancy of

campaigns and careful application of local/ EU laws.

If greater spend is driven by higher volumes in conjunction with looser qualification of who receives

what and how often, then it follows that more people will receive less relevant unsolicited commercial

email (UCE), and Return on investment (ROI) will drop.

Secondly, successful growth can only come through careful stewardship of customer information

databases, and developing its use further into the consumer/ buyer engagement process.

For example, its expanding role within integrated marketing campaigns, lead generation, social media

and customer management programmes. These are ripe for expansion as more sophisticated consumer

engagement rule sets are defined and applied that reflect buyer and customer behaviour; and permit

practitioners to act upon the information quickly.

Thirdly ,delivery to inbox will be increasingly seen as a barrier to overcome, especially in B2C.

Expectations for the next 12 months

28

IncreaseRemain the

sameDecrease

Don`t

measure

Our deliverability rates will (Number

of failed emails divided by number

of emails sent):

40.8% 40.3% 13.5% 5.6%

Our unqiue open rates will (Unique

number of opens divided by number

of emails delivered):

48.3% 33.6% 10.5% 8.2%

Our click through rates will (Number

of individuals who have clicked

divided by the number of emails

delivered):

56.0% 29.0% 8.2% 6.8%

Our opt-out rates will (Number of

individuals who have opt-out divided

by the number of emails delivered):

18.1% 49.3% 22.9% 9.6%

Our volumes for email marketing

will:72.3% 21.8% 4.5% 1.7%




Deliverability rates are expected to improve or remain the same. A small percentage do not measure,

presumably those undertaking email marketing in-house using generic transmission. Just 13.5% believe

deliverability will worsen.

This raises a key question of how deliverability is measured. Most practitioners will determine

deliverability as delivery to Internet or to mail server as the primary measure, but delivery to inbox is an

increasingly key metric. This is because reputation, the measure of trust that an ISP places on the

sender, determines whether the majority of emails transmitted in a campaign are blocked.

Increasingly important, in particular in B2C, is the issue of deliverability to inbox. If reputation is poor,

acquired through issues like indiscriminate use or poor targeting, large groups of consumers belonging to

the same ISP domain, for example such GMail or Hotmail, will not receive the email into their inbox.

B2B deliverability is also an issue, albeit a different cause, due to corporate systems like Postini,

Symantec and Messagelabs.

Companies like Return Path and Pivotal Veracity use seeds or panels to measure the difference between

deliverability to Internet/ server vs inbox. Research from Return Path suggests that approximately an

additional 10% of European email volume does not make it into the intended inbox (source: The Global

Email Deliverability Benchmark Report, 2H 2009).

The same report indicates deliverability to inbox to be less of an issue in Germany (with one or two ISP

exceptions) and more of an issue in the UK and France (11%). Non delivery to inbox is accounted for by a

third being placed directly into spam folders, and two thirds going missing.

Expectations for the next 12 months

29



This often tends to be caused by certain domains rejecting the majority of a campaign, and can be

identified by looking at ESP reports that break down open rates and click through by domain name. If

Google believes your IP range has a poor reputation, you will see Gmail customers will show an

exceptionally low or non existent open and click though rate compared to other domains within the

same campaign. If ISPs migrate from identifying sender by IP range to identifying the sender by their

domain name, as some commentators believe may have already started to happen, this issue could

become even more significant.

Respondents clearly believe that their use of the email medium is improving, based on the

overwhelming majority of 56% who believe their click through rates will increase. Just 8% of

respondents expect their click through rates to decrease.

Volumes are expected to rise across the board, with 72.3% of respondents planning on sending out more

marketing emails, whilst practically no one expects to do less. Yet opt out rates as a proportion of total

volume are expected to hold steady. This assumes at least as much or better targeting in spite of the

higher volumes, which either suggests:

a) email marketing taking a greater channel share of a company‟s overall marketing plan, at the

expense of direct mail and telemarketing, or

b) Further targeting leading to a proliferation of campaigns of volumes that are more segmented than

current ones.

One thing is certain: for the expected performance improvements to occur against a backdrop of higher

volume, targeting and relevance at least will need to be maintained.

How much of the marketing budget within your company covers email marketing?


Strategic importance of email marketing and the

allocation of marketing budgets to email marketing

30

46,7%

41,4%

9,1%

1,7%

1,1%

Very important

Somewhat important

Neutral

Somewhat unimportant

Very unimportant

2.3 How strategically important do you consider your email marketing to be to meet your marketing objectives?




Not surprisingly given the growth forecasts, most respondents see email marketing as strategically

important in meeting marketing objectives, with 46.% characterising it as very important, whilst 41.4%

see it as somewhat important.

Analysis by country shows that whilst the majority see it as very important overall, companies in

Switzerland, Norway, Germany and Austria generally see it as somewhat important.

Where email is primarily used to support direct sales and lead generation programmes, its importance

will be seen as correspondingly higher.

Even where lead generation programmes are online, the added targeting of email by consumer or buyer

profile means that conversion to action is generally higher from the email push when compared to the

online pull. As a result email is an important component of most online lead generation programmes,

which are generally priced on performance.

The temptation to increase email volumes in support of lead generation at the expense of targeting

should be resisted, since this is likely to be a principal cause of reputation damage. However this is not

currently problematic based on the reported statistics. If opt-out rates are a primary measure of

relevancy, 18% of respondents reported average opt out rates of 1.5%-3%, but most (76%) were less than

1%.

Strategic importance of email marketing and the

allocation of marketing budgets to email marketing

31



Are users reconsidering how email marketing is used, in the context of how strategically important it is

considered? The relatively high proportion of practitioners who do not measure beyond the basics is

concerning: 26% of end users were not able to say what their average opt out rates were, whilst 57%

experienced rates of less than 1%.

Between a third and half of end user respondents were not able to measure conversion to sale, for

example - the rate depends on the email marketing use, with newsletters worst and acquisition best.

This echoes the Email Marketing Industry Census 2010 by Econsultancy in association with Adestra which

shows similar lack of insight.

When asked the same question about their clients, ESPs beg to differ, characterising end users as much

more focused on tactical use vs strategic use of email marketing, according to the DMA UK benchmark

survey Q3 2009. That survey also highlights just 38% of email marketing driven by some data, and only

16% whose content is driven entirely by data.

In other words, when end users overwhelmingly talk about the strategic importance of email marketing,

that belief is yet to translate into rigorous action, and there is a quite some way to go.

Compliance with legislation

32

Very confident; 57,4%

Rather confident; 35,7%

Not confident at all; 6,9%

2.4 How confident are you that all of your email marketing activities are in compliance with legislation in your country and in any other country you are

marketing to?




Hungary stands out as being only „rather confident‟ across the majority of organisations

about compliance with legislation domestically and to other marketed countries. The

majority of countries are very confident, whilst 6.9% of respondents have no confidence in

their compliance with legislation.

There is a marked difference in confidence between B2C and B2B organisations, with those

engaged in B2B only email marketing twice as likely to lack confidence in their compliance

with legislation (9.8%) compared with B2C only organisations (5.4%).

This may suggest that regulation around B2B marketing is perceived as less clear-cut, such

as for example the definition of „natural persons‟ in the case of sole traders and small

partnerships that render them subject to the same rules as apply to consumers. In this case

B2B organisations may face difficulty in identifying incorporated versus non incorporated

entities.

For the details on the legal aspects see Section II – Legal Overview.

Regular newsletter

33

Yes; 76,8%

No; 23,2%

2.5 Do you use regular newsletters as part of your communication?




Email is used for the distribution of regular newsletters by 76.8% of client (end user) respondents. The

majority of campaign open rates range from 15-37% in the UK; 10-35% in Germany and Austria; 24-46% in

Belgium.

The low completion levels of individual campaign performance for regular newsletters suggest that

organisations are less likely to measure newsletter performance to the same extent as other email

marketing purposes, such as acquisition.

Yet newsletter and related customer management activity is likely to be a main growth area over the

next 12 months, with the growing recognition that email marketing is especially well suited to these

applications. This is reflected in the difference in click through rates between newsletter which average

17% higher than sales or product/service information campaigns.

This is an area of customer engagement where companies would do well to increase their focus, since

added targeting by transactional and behavioural history, that drives dynamic segmentation, content

ordering and personalisation, is likely to generate an additional payback for a little extra time invested.

Regular newsletters are an obvious opportunity to generate cross and up sell revenues.

One in 4 organisations do not currently appear to measure opt out and hard bounce rates to keep

current their customer database and preferences, or at least do not have ready access to that data.

Sales/product service campaigns

34

Yes; 72,8%

No; 27,2%

2.6 Do you use sales/product-service info campaigns as part of your communication?




72.8% deploy email marketing for sales or related campaign activity. Open rates typically range 10-20%

in the UK; 10-23% in Germany; 10-26% in Austria; 10-26% Switzerland.

Average click through rates vary tremendously by country for this type of campaign activity, and need to

be viewed cautiously as smaller countries report results from a low respondent base. Notwithstanding

the differences are marked, with Finland reporting less than 1%, and Austria averaging 21%. This figure

reflects a spread of 13%-28%, and is typical of the distribution of answers.

Also at the low end of reported rates is Norway, with 2%, yet Sweden averages 6%, whilst Denmark sees

average rates of 11%.

UK, Germany, Ireland, Switzerland and Slovenia average 6-8%.

Spain, Belgium, Hungary, Denmark average 13-17%.

Unsurprisingly, sales and product/ service information campaigns generate conversion to sales four times

better than newsletters or customer surveys, with 12.5% of respondents claiming rates of between 2%-

2.25%.

Customer/Product surveys

35

Yes; 47,0%

No; 53,0%

2.7 Do you use Customer/product surveys as part of your communication?




53% of respondents do not use email marketing for customer or product (development) surveys.

Those that do average open rates of 36% (UK); 25% (Italy); 18% (Switzerland); 33% Denmark.

In countries where responses were isolated and therefore difficult to draw statistical conclusions from

with great confidence, nevertheless open rates ranged from the 20% to 40% range, with fewer

outlying results below 15% or higher than 50%.

These healthy open rates, whilst not necessary conclusive in their own right, are allied to high click

through rates that start at circa 7% and can top 25%+. It goes to show that customers appreciate being

asked for feedback, and represents a useful plank to a strong customer engagement strategy.

Win-back campaigns

36

Yes; 23,8%

No; 76,2%

2.8 Do you use Win-back lost customers as part of your communication?




The majority of companies do not use email marketing for win-back campaigns following the loss of

customers.

Click through rates are comparatively high, with 25% of all win-back campaigns achieving rates of

between 10%-12%. This is two times the results reported for sales and product/ service information

campaigns, and 60% better than newsletter click through rates.

The minority of respondents who do use email for win back, have experienced excellent results, with

conversion to sale or action of between 2% and 5%.

Ranges are Denmark and Netherlands (4%), Austria (3%), UK (2.5%), Germany and Switzerland (2%),

France and Slovenia (2.25%).

37



The results: ESP Survey

Next we turn to the results of the benchmarking survey undertaken among Email Service Providers

(ESP).

Each ESP may undertake hundreds of campaigns per month, representing a significant number of end

user firms who outsource their email marketing or use a Software platform as a Service (SaaS) that they

use to define, create, send and measure themselves.

A total of 75 ESPs were surveyed across Europe.

Austria

Belgium

Denmark

France

Germany

Greece

Hungary

Ireland

Italy

Netherlands

Norway

Poland

Romania

Spain

Sweden

Switzerland

United Kingdom

Average delivery rates

38Average delivery rates:

Replied 0-10%(31%)

Replied 10-85%

(3%)

Replied 85-100%

(66%)

2.9 Average delivery rates




Average delivery rates of end user client organisations using ESP platforms are reported in the region

of 85-99.6%. These effectively are acceptance rates, that is a calculation based on number of emails

delivered to the Internet less, the bounces.

As highlighted earlier in the report, it does not take into account missing emails that go to spam folders

or do not make it into the inbox (and where no bounce codes are received back from ISPs).

These are early days in terms of discussing delivery rates in terms of inbox placement rates (IPR) and

therefore would be extremely difficult to assess in a current benchmark survey. We anticipate being

able to benchmark and track these trends in future, as practitioners become more aware and adopt

seeding, panels or pixel tracking solutions, or via benchmark statistics from deliverability software/

service providers.

The highest frequency mean of distribution is 95-96%.

Variations by country fall within the wider range, but appear to be much more dependent on the

campaign (influenced by variables such as content and targeting) than on the national differences.

Average hard bounce rates

39

Replied 0-0.50%(14%)

Replied 0.50-1%(11%)

Replied 1-2%(30%)Replied 2-3%

(6%)

Replied 3-7%(19%)

Replied 7-10%(8%)

Replied 10-35%

(6%)

Replied 50-60%

(6%)

3.0 Average hard bounce rates




If hard bounce rates are a primary measure of list quality, there is scope for improvement in email data

quality, with 15% of all campaigns seeing hard bounce rates of more than 7%, and a further 20%

experiencing hard bounces of between 3%-7%.

This finding is echoed in Econsultancy‟s Email Marketing Industry Census 2010. The report highlights

quality of databases as the biggest barrier to effective email marketing. This is cited as a problem by

61% of marketers, up from 44% in 2009.

Compared to end user respondents, results favour those campaigns conducted exclusively via ESP

platforms.

ESPs report that 59% of campaigns experience hard bounce rates of less than 2%, compared with 50%

among end user respondents.

Furthermore the difference in hard bounce rates between different campaign types does not appear to

be material, suggesting there is work to be done on maintaining the quality of customer information

databases as well as selecting email cold lists.

There is little difference in hard bounce rates between countries, with France, Germany, Spain and

Italy all reporting hard bounce rates of less than 2%, whilst Sweden, Norway, Belgium, UK, Romania

averaging 4-6%.

Average opt-out rates

40

Replied 0-0.11%(21%)

Replied 0.12-0.25%

(12%)

Replied 0.26-0.50%

(15%)

Replied 0.50-1%(28%)

Replied 1.1-1.50%

(6%)

Replied 1.50-2%(12%)

Replied 2.1-3%(6%)

3.1 Average opt-out rates




Opt-out rates are a primary measure of relevancy. 18% of respondents reported average opt out rates

of 1.5%-3%, but most (76%) were less than 1%.

26% of end users were not able to say what their average opt out rates were, whilst 57% experienced

rates of less than 1%.

These ESP results are considerably better than the end user ones (of the end user sample 57% of

respondents did not outsource, either in part or whole).

This may suggest that practitioners are better able to manage, pre-screen (and filter out or correct)

their customer information data using tools provided by the ESP SaaS platforms than email marketers

which use in-house programme or processes.

Average unique click through rates

41

Replied 0-2%(12%) Replied

2.1-3%(6%)

Replied 3.1-4%(12%)

Replied 4.1-10%(37%)

Replied 10.1-20%

(24%)

Replied 21-50%

(9%)

3.2 Average Unique Click Through Rates




Click through rates, indicating how effectively the email is engaging with the buyer or consumer,

predominantly (61%) fall within the broad range of 4-20%. Within that broad range, the tightest

distribution reported by ESPs falls into the 4-8% range.

This broadly correlates with the click through rates reported by end users, and also correlates with the

latest benchmarking results for Q3 2009 from the UK DMA, which shows average click through rates of

5.7% for acquisition marketing and 7.9% for retention (customer) marketing.

It is important to recognise that these numbers are global averages, with individual campaigns capable

of achieving click through rates of 30-50% when associated with customer marketing, retention

campaigns and surveys. Once again these variations are far more material than country differences,

which demonstrate the value of defining the correct audience for each proposition, and crafting the

communication to optimise results.

Results from the UK DMA‟s email benchmarking research shows click through rates are 40%+ higher for

retention (customer) campaigns compared with acquisition campaigns.

Average unique open rates

42

Replied 5-15%(19%)

Replied 15.1-20%

(8%)

Replied 20.1%-25%

(26%)

Replied 25.1-30%

(19%)

Replied 30.1-40%

(17%)

Replied 40.1-60%

(8%)

Replied 60.1-90%

(3%)

3.3 Average Unique Open Rates




Open rates reported were across a very wide range, and reflect the varying performances of individual

campaigns. There is no discernable country pattern within ESPs.

This goes to show that that campaign design, the ability to engage the consumer/ buyer and cut

through the inbox clutter, is paramount.

Practitioners would do well to test more rigorously each element of an email campaign, beyond the

generally adopted focus on subject lines, sender name, time of day and week, and spam filter scoring,

as illustrated in the Email Marketing Industry Census 2010 by Econsultancy.

The same report indicates that between 33% and 58% of client practitioners are not testing creative

templates, frequency, landing pages, and multivariate campaign strategies. This points to the need for

greater segmentation, and carefully planned user experience to support better engagement within the

email and online. As highlighted in the DMA UK benchmark survey Q3 2009, end users favour email

marketing for tactical campaigns (circa 65%) versus strategic campaigns (circa 35%), and this

inevitably influences the amount of time spent planning, segmenting and bespoking offers and analysis.

End users across Europe directly report lower average open rates compared with client campaigns

reported by ESPs, with 19% unable to report this statistic. Whilst 46% of ESPs‟ client campaigns see

open rates in the 20%-30% band, that falls to 24% reported by end users for acquisition related sales

campaigns, and rises to 42% for customer product survey campaigns.

Comparing the proportion of open rates between 30-40%, the end user results dissect the ESP reported

rate of 17%, between sales campaigns (12%) customer product survey campaigns (22.5%), providing

interesting insight into the possible make-up of the ESP average values.

Volume prediction for the next 12 months

43

Replied 0-15%(50%)

Replied 15.1-25%

(17%)

Replied 25.1-50%

(19%)

Replied 50.1-75%

(8%)

Replied 75.1-100%

(3%)Replied

100.1-150%(3%)

3.4 Volume prediction for the next 12 months




Email marketing is poised for strong growth this year, at the expense of traditional offline channels.

19% of the respondent ESP base expect their clients to increase volume of email marketing between a

quarter and a half year on year, a continuation of the shift from offline to digital channels.

In Ipsos Mori‟s poll for the Chartered Institute of Marketing report,The Shape of Digital to Come?, the

question was asked which activities delivered the best return on investment. Top of the charts comes

CRM by some margin, followed by online advertising (12%) and email marketing (11%). Those activities

considered to deliver the worst return were direct mail, sponsorship, and internal marketing, mirroring

the evident shift in spend.

Econsultancy‟s email marketing census 2010 also predicts a net increase in email marketing over the

course of the year, with the greater proportion coming from retention marketing, where 71% expect to

ramp up their activities in this area, and only 1% expect to reduce activity on email campaigns to their

customer base. This reflects a growing recognition that email marketing is the perfect medium for

customer management and development, and a key component within integrated multi-channel

consumer engagement.

Volumes for April 2009

44

Replied 500.001-1.500.000

(9%)

Replied 1.500.001-10.000.000

(30%)

Replied 10.000.001-100.000.000

(29%)

Replied 100.000.001-1.000.000.000

(29%)

Replied 1.000.000.001-2.000.000.000

(3%)

3.5 Volumes April 2009




The next 3 charts show activity by total volumes for April – May 2009 within the ESP sample base, and

will form the basis of year on year tracking as part of the benchmarking methodology once

comparative 2010 data is collected.

Volumes for May 2009

45

Replied 100.001-500.000

3%Replied 500.001-

1.500.0006%

Replied 1.500.001-10.000.000

27%

Replied 10.000.001-100.000.000

35%

Replied 100.000.001-1.000.000.000

26%

Replied 1.000.000.001-2.000.000.000

3%

3.6 Volumes May 2009




Volumes for June 2009

46

Replied 100.000-500.000

(6%)

Replied 500.001-

10.000.000(37%)

Replied 10.000.001-100.000.000

(27%)

Replied 100.000.001-1.000.000.000

(27%)

Replied 1.000.000.001-2.000.000.000

(3%)

3.7 Volumes June 2009




Days of the week with largest volume of emails

47

13%

26%

13%

26%

18%

0%

3%

Monday

Tuesday

Wednesday

Thursday

Friday

Saturday

Sunday

3.8 Please indicate for Q2 2009, if any, which day of the week your clients send the largest volume of emails?




Days of week with largest volume of emails cited by ESPs for sending out email marketing campaigns

are Tuesday and Thursday (26% each). Whilst overall email activity over weekends is extremely low,

there are some marked differences by country:

Saturday and Monday are the least selected to execute an email marketing campaign, which, whilst

indicating a universal experience of low responsiveness on those days, also suggests an opportunity to

re-test given a) increased email volumes, and b) the growing challenge of „cut through‟ in an

increasingly media-cluttered landscape.

Days of the week with lowest volume of emails

48

27%

0%

3%

0%

24%

11%

35%

Monday

Tuesday

Wednesday

Thursday

Friday

Saturday

Sunday

3.9 Please indicate for Q2 2009, if any, which day of the week your clients send the lowest volume of emails?




The diapositive of most activity by volume for email campaign execution, shows Sunday and Monday

as the least popular days by volume (62%) as cited by ESPs, with Friday running a close third (24%).

Email Service Providers

49

Email marketing service providers (ESPs) who contributed

to this report

Alterian´s Integrated Marketing Platform empowers organizations to

create relevant, effective and engaging experiences with their audiences

that build value, generate revenue and reinforce brand.

Web:www.alterian.com

As a software independent consultancy, 22 Times offers independent

advice and execution, fully tailored to your situation and needs. We help

from the start of an emailing to the finish and beyond, constantly

improving your results.

Web: www.22times.com

Addemar - On-Demand Marketing Intelligence & Campaign Management

Software

Aggregation / Analysis & Rapporting / Automatisation

Communicating at the right moment, with the right target group, through

the right channel and with the right message. Seems simple and it is: with

the help of Addemar.

Addemar develops intelligent, do-it-yourself webbased marketing

solutions: both personalised one-to-one dialogues based on behavioral

segmentation and former marketing campaigns as well as data

aggregation. More info? Surf to www.addemar.com or mail to

[email protected].


Adestra is an industry leading, UK based international email service

provider (ESP). We combine the best email technology and marketing

expertise to deliver results for our clients.

Our platform MessageFocus… Developed entirely by Adestra staff, you can

manage your entire email marketing program using Message Focus, from

data segmentation, to full and complete reporting.

The Adestra difference can be summed up in two ways - our approach and

our people. Underpinning this is our technology which is cutting edge,

user-friendly and is relied upon by well over 3,500 marketers to support

their email marketing programs. Our approach to email marketing is

focused on working with leading publishers, who deploy our technology

and use it to achieve their goals and targets.

We have the largest support team of any UK based ESP and unlike most

other companies we actively recruit email marketers to work alongside

you. This collaborative approach ensures that Adestra work with you as a

partnership to evolve and deliver your email marketing objectives.

Web: www.adestra.com

http://www.22times.com/

http://www.addemar.com/

mailto:[email protected]


50

Apsis makes good email marketing easier. We supply Apsis Newsletter Pro, a

user friendly, powerful and flexible solution used by over 5 000 customers to

create, personalize, deliver and analyze email marketing. We take pride in

our solution, our commited support and in our email marketings handbooks

containing research and email marketing knowledge.

Web: www.apsis.com

Web: www.bring.no/dialogue

BusinessFinder is the leading provider of B2B email marketing services in Italy; its

database is made by 600.000 opt-in e-mail addresses of Italian companies

selectable by geographical area, industry, legal status and size (employees and

turnover).

Web: www.businessfinder.it

Communicator Corp is a leading global Enterprise Email Management company,

providing technology based solutions, strategy and expertise.

From email marketing to transactional receipts and service messaging, we

deliver our clients proven cost savings and increased revenue for all their digital

communications.

Our intuitive email platform, Communicator®, enables clients to send

sophisticated, targeted and relevant communications.

Our services range includes integration, data analysis and enhancement, fully

managed campaigns, delivery solutions and support through to email design and

creation.

At Communicator Corp, we work with our clients every day to ensure delivery

beyond expectation.

Communicator Corp provides exceptional service, expertise and industry defining

technology to a broad range of clients across diverse sectors.

Web: www.communicatorcorp.com


Concep is the digital agency for B2B. If your business is serious about digital we

need to talk. Concep understands your market, understands digital

communications, but above all understands that it‟s about people. We go the extra

mile to really understand your business and its requirements. Concep‟s clients

value our people and our personality, not just our technology. Our expert

knowledge of digital channels and unrivalled sector knowledge allows us to cut

through the confusion and provide your business with insight that will increase

profit, build client loyalty and push your marketing to work harder.

Web: www.concepglobal.com

AGNITAS AG offers e-marketing solutions for direct and dialog marketing in the

form of services, software and consultation.

Successful email marketing campaigns can be developed, implemented and

evaluated with the AGNITAS E-Marketing Manager email marketing platform. E-

Marketing Manager services can be used as full service, ASP or license

solutions. The AGNITAS AG product portfolio was supplemented by the free

OpenEMM email marketing software in mid-2006. OpenEMM was derived from

E-Marketing Manager and further developed with the aid of the open source

community. AGNITAS, founded in 1999, counts among its customers such well-

known companies as Daimler, IBM, Siemens and Tomorrow Focus.

Web: www.agnitas.de

C:/Users/lena.jaggi/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.Outlook/YMLTQ8EB/www.apsis.com

http://www.bring.no/dialogue

http://www.businessfinder.it/

http://www.concepglobal.com/

http://www.agnitas.de/


51

dotMailer makes powerful email marketing easy - whether you‟re

brand new to email marketing or a seasoned hand.

Web: www.dotmailer.co.uk

EmailGarage unifies great email campaign management features with

customer intelligence. EmailGarage helps you create, plan and send

email campaigns. Webservices, project management and consulting are

available on demand.

Web: www.emailgarage.com

E-Village is the multi-awarded and leading Dutch email marketing

software developer. Our passion is to deliver the cutting edge of email

marketing technology, taking the personalized online marketing

experience to the next level. The recently introduced Clang represents

the new generation of Event Driven Marketing software. Clang is a

powerful mix of CRM, Campaign Management and Email Marketing put

into one application. Clang takes online campaign personalization and

engagement to a new level. Clang simply increases R.O.I. Clang is

already available to professional marketers and organizations wishing to

extract greater value and profitability from customer relationships such

as Albelli, Bakker.co.uk, BP, Brantano, General Motors Mexico,

MySecurityCenter and The Phone House.

Web: www.createaclang.com

eCircle is one of Europe‟s largest digital direct marketing companies,

owning the most comprehensive permission marketing database for email

campaigns and lead generation as well as a state-of-art technology

solution for digital direct marketing. Since 1999 eCircle has stood for

innovative and efficient online marketing for customer acquisition and

retention. Leading organisations including Argos, HBOS and Samsung trust

our consistent customer care, our long-term experience and not least our

highly motivated and committed employees. The company has more

than 160 employees, with headquarters in Munich and additional offices

in London, Paris and Milan.

Web: www.ecircle.com/en


ContactLab is the leading Italian provider of solutions relating to e-mail

and digital direct marketing. The company offers a mix of technology

and consultancy, from "turnkey" products to customized solutions for

management of international campaigns.

Web: www.contactlab.com

http://www.dotmailer.co.uk/

http://www.emailgarage.com/

http://www.createaclang.com/

http://www.ecircle.com/en

http://www.contactlab.com/


52

Quattro Internet Solutions (Ltd) t/a GraphicMail has been in

operation since 2004. Based in Jersey, the email marketing company

has a client volume of 13'000 end users, resellers and private label

partners. GraphicMail is currently represented in 14 countries and is

available in 6 different languages.

Web: www.graphicmail.de

Httpool Online Advertising is one of the leading, international full-

service online advertising providers, with global reach and focus on

emerging markets. Httpool is an optimal partner for international clients

addressing emerging markets, local advertisers seeking a one-stop

solution, large publishers struggling to monetize their international

traffic, and local publishers trying to increase their revenue potential.

Web: www.httpool.com

Kern develops integrated systems for document processing and

packaging for medium and large companies. As one of the leading

suppliers, Kern develops innovative solutions, so that you are always one

step ahead of the continuously changing market. With the software

solution mailFactory, mailroom processes can be monitored and

optimized.

Together, Kern establishes your requirements and works out an

individually solution for your company - and this all over the world.

Web: www.kern.ch

GetResponse has been an innovation leader since 1998, providing easy-

to-use, feature-rich email marketing services − from video recording,

social media, and iPhone applications to world-class support.

Web: www.getresponse.com

MailDirect is one of Sweden‟s leading services for directed digital

mailings. We offer a dynamic price model which ensures that companies

of all sizes have the possibility to take part of the benefits of our

software service. We also provide our customers with free support and

education.

Web: www.maildirect.us and www.maildirect.se


http://www.graphicmail.de/

http://www.httpool.com/

http://www.kern.ch/

http://www.getresponse.com/

http://www.maildirect.us/

http://www.maildirect.se/


53

Our job is to identify sales problems and bring relevant solutions to them by

using our capability to integrate direct & digital communication channels.

Web: www.mediapost-hitmail.ro

optivo is a professional email marketing provider, including sms and fax. The

company's product portfolio encompasses the permission-based distribution of

electronic mailing and email newsletters via an efficient and secure platform

(optivo® broadmail), consulting and strategic advice as well as professional

services and tailor-made customer solutions.

More than 500 customers from all sectors rely on optivo, including renowned

companies such as Tchibo, Henkel, Jack Wolfskin, Accor Hotels,

ArabellaStarwood, Europcar, Germanwings, German Railways, Siemens, Sixt,

Bosch and HypoVereinsbank. optivo is actively committed to promoting high

standards of quality and transparency in the field of email marketing through

its memberships of the German Direct Marketing Association (DDV), the Federal

Association of the Digital Economy (BVDW) and the Association of the German

Internet Economy (eco).

Moreover, optivo is participating at the world's leading white list programme

Sender Score Certified. The company is also a member of the Certified Senders

Alliance - the first German white list project. Both programmes increase

customer‟s delivery rate significantly.

Web: www.optivo.net

Netoptions is one of Scandinavia's leading suppliers of tools for digital

marketing and communication by e-mail, social media, mobile phone and the

Internet.

The company has developed the BizWizard eMarketing Suite, which is the ideal

solution for companies wanting to work with permission-based marketing and

communication.

The BizWizard system provides users with a common work platform offering

rich functionality, so that they can work without external tools to produce,

distribute, measure and follow up newsletters, product information,

campaigns, events, invitations, training courses and surveys. BizWizard

eMarketing Suite is a Web-based system which can be used entirely

independently or integrated with the company's other information systems

(CRM, ERP, CMS, etc.). This system is based on Microsoft .NET, IIS and SQL

Server, and is offered as a service via the Netoptions Hosting Center or as

packaged software for installation in the company's own operating

environment.

www.netoptions.se


http://www.mediapost-hitmail.ro/



http://www.netoptions.se/


54

rabbit eMarketing is an independent advertizing agency with currently

35 employees in Frankfurt, Germany, specialized in electronic customer

dialog, focusing on full-service e-mail marketing. In German-speaking

Europe, rabbit eMarketing is among the leading e-mail marketing

providers, and offers professional e-mail marketing campaigns, IT

integration, strategic and operational services as well as consulting in

the selection of e-mail marketing software.

Since 2009 rabbit has been offering also the development of

applications for the iPhone and social networks. Among rabbit

eMarketing‟s clients, there are medium-sized businesses and public

institutions as well as multinational corporations, e.g. the Hotel Adlon

Kempinski Berlin, DocMorris, Dresdner Bank, Electrolux, Epson, Hanse

Merkur, Hottinger Baldwin Messtechnik, Novell, Osram, Siemens

Medical, T-Systems, Telekom Training, VDMA, WWF, and World Vision.

Web: www.rabbit-emarketing.de

Relation & Brand is a leading provider of both boxed and tailored e-mail

marketing solutions with state of the art measuring functionality helping

companies to build strong and profitable relationships.

Web: http://www.relationbrand.com

Reputy is Europe‟s first Delivery Service Provider. We optimize

commercial and transactional email deliverability. Through Reputy‟s

Managed Deliverability Service, businesses realize enhanced Trust, Click

Through and Turnover.”

Web: www.reputy-europe.com

Schober is the leading provider in Europe for data and services for

interactive marketing. We have a consolidated invoicing of 130 million

Euros and more than 400 employees present in 15 countries, providing

information and marketing services to more than 25,000 customers each

year. Schober is the owner and developer company of the eCRM solution,

Xprofiler, eMailing technology solution used by more than 350 current

successful mailers in Europe.

Web: www.schober.es


http://www.relationbrand.com/

http://www.reputy-europe.com/




55

White Image is a leading provider of loyalty and email marketing

solutions, dedicated to develop a highly specialized and strong

software platform, able to face the biggest challenges of the online

environment. Focused on creating insightful and innovative tools that

can provide its clients with highly effective feedback, White Image is

committed to deliverability and to highest standards in email

marketing.

Web: www.whiteimage.net

Winholistic: any action should always be based on facts rather than

beliefs and feelings. And interventions that do not provide the desired

result must be eliminated and the ones that does should be optimized.

Finally attention must be pointed towards learning and innovation from

the performance, as it must be the drivers of future continuous

improvement.

That is what we mean, when we say we are working with Holistic

Customer Life Cycle Management.

Web: www.winholistic.dk


http://www.whiteimage.net/

C:/Users/lena.jaggi/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.Outlook/YMLTQ8EB/www.winholistic.dk

DMAs who contributed to this report

56


Austria

Dialog Marketing Verband Österreich (DMVÖ)

Heumühlgasse 11

1040 Vienna

AUSTRIA

Tel: +43 1 911 43 00

Fax: +43 1 911 2972


Website: www.dmvoe.at

Greece

Hellenic Association of Communications Agencies (HACA)

7, Ypereidou Street

105 58 Athens

GREECE

Tel: +30 210 3246 215

Fax: +30 210 3246 880


Website: http://www.edee.gr/

Portugal

Associação Portuguesa de Marketing Directo, Relacional e

Interactivo (AMD)

Estrada de Queluz 91

2794-100 Carnaxide

PORTUGAL

Tel: +351 21 436 67 27

Fax: +351 21 436 78 45


Website: www.amd.pt

Belgium

Belgian Direct Marketing Association (BDMA)

Noordkustlaan 1

1702 Groot-Bijgaarden

BELGIUM

Tel: +32 2 477 1797

Fax: +32 2 479 0679


Website: www.bdma.be

Hungary

Direkt Marketing Szövetség (DMSZ)

Tuzér u. 39

H-1134, Budapest

HUNGARY

Tel.: +36-1-413-6397

Fax: +36-1-342-0536


Website: www.dmsz.hu

Romania

Asociatia Romana de Marketing Direct (ARMAD)

ntrarera Ghioceilor Nr. 11

Sat Petresti, Com. Corbeanca Jud. IIfov

SECTOR 3

031911 BUCURESTI

ROMANIA

Tel: +40 723339983

Fax: +40 318164263


Website: www.armad.ro

Croatia

CRODMA

C/O Kompass Info Doo

Langov trg 4

HR -10000 Zagreb

Tel: +385 1 489 3300

Fax: +385 1 489 3310

Website: www.kompass.hr

Ireland

Irish Direct Marketing Association (IDMA)

8 Upper Fitzwilliam Street

Dublin 2

Tel: +353 1 661 0470

Fax: +353 1 830 8914


Website: www.idma.ie

Slovenia

Zdruzenje za Direktni Marketing Slovenije (ZDM)

Tabor 5a

1380 Cerknica

SLOVENIA

Tel: +386 1 7090 777

Fax: +386 1 7090 779


Website: www.zdms.org

Czech Republic

Asociace Direct Marketingu a Zásilkového Obchodu (ADMAZ)

Senovázné náměstí 23

110 00 Praha 1

CZECH REPUBLIC

Tel: +420 222 241 386

Fax: +420 222 241 387


Website: www.admaz.cz

Italy

AIDIM-Associazione Italiana per il Direct

Via M. Gioia, 70 20125 Milano ITALY Tel: +39 02 2901 4157 Fax: +39 02 2901 3172E-mail: [email protected]:www.aidim.org

Spain

Federación Española de la Economía Digital (FECEMD)

Avenida Diagonal, 437, 5ª 1ª

08036 Barcelona

SPAIN

Tel: +34 93 240 40 70

Fax: +34 93 201 29 88


Website: www.fecemd.org

Denmark

Danish Direct Marketing Club

Nordre Fasanvej 113-115

2000 Frederiksberg

DENMARK

Tel: +45 38 11 87 87

Fax: +45 38 11 87 47

Email: [email protected]

Web: www.dmklubben.dk

Latvia

Latvian Direct Marketing Association

International Airport "Riga" 30/6

1044 Riga

Latvia

Tel: +37167509060

Fax: +371 67509065


Website: http://www.ltma.lv/

Sweden

Swedish Direct Marketing Association (SWEDMA)

David Bagares Gata 3

111 38 Stockholm

SWEDEN

Tel: +46 8 534 802 60

Fax: +46 8 534 802 61


Website: www.swedma.se

Finland

Finnish Direct Marketing Association (ASML)

Bulevardi 44

00,120 Helsinki

FINLAND

Tel.+358 207 699 811

Fax +358 9 6121039


Website: www.ssml.fi

Netherlands

Dutch Dialogue Marketing Association (DDMA)

W.G. Plein 507/508

1054 SJ Amsterdam

Postbus 12408

1100 AK AMSTERDAM

THE NETHERLANDS

Tel: +31 (0)20 – 452 84 13

Fax: + 31 (0)20 - 452 83 95


Website: www.ddma.nl

Switzerland

Schweizer Direktmarketing Verband

Postfach 616

8501 Frauenfeld

Switzerland

Tel: + 41 52 721 61 62

Fax: +41 52 721 61 63


Website: www.sdv-asmd.ch

France

Union Française du Marketing Direct (UFMD)

60 rue La Boétie

75008 Paris

FRANCE

Tel: +33 1 42 56 38 86

Fax: +33 1 45 63 91 95

Website: www.ufmd.org

Norway

Norsk Direkte Markedsføring Forening (NORDMA)

Postal Address: PO Box 150, Oppsal. 0619 0slo

Visiting Address: Olaf Helset vei 6, Growth Center - Skullerud

Tel. +47 22 62 70 17

Fax: +47 22 62 70 11


Website: www.nordma.no

Turkey

Turkish Direct Marketing Association

Vefa Bayiri Sokak

Sisik Han N°: 22 Kat: 5

Gayrettepe

34394 Istanbul

Turkey

Tel: + 90 212 212 8537

Fax: +90 212 212 8538


Website: www.dpid.org.tr

Germany

Deutsche Dialogmarketing Verband (DDV)

Hasengartenstraße 14

65189 Wiesbaden

GERMANY

Tel: +49 611 97 79 30

Fax: +49 611 97 79 3 99


Website: www.ddv.de

Poland

Stowarzyszenie Marketingu Bezposredniego (SMB)

Stowarzyszenie marketingu Bezpośredniego

ul. Wybieg 21 (wejście od ul. Słonecznej)

00-788 Warsaw

Tel. +48 22 / 849 35 00

Fax +48 22 / 848 89 41


Website: www.smb.pl

United Kingdom

The Direct Marketing Association (DMA UK)

DMA House

70 Margaret Street

London W1W 8SS

UNITED KINGDOM

Tel: +44 20 7291 3300

Fax: +44 20 7323 4426


Website: www.dma.org.uk


http://www.dmvoe.at/


http://www.edee.gr/


http://www.amd.pt/


http://www.bdma.be/


http://www.dmsz.hu/


http://www.armad.ro/

http://www.kompass.hr/


http://www.idma.ie/


http://www.zdms.org/


http://www.admaz.cz/


http://www.fecemd.org/




http://www.dmklubben.dk/


http://www.ltma.lv/


http://www.swedma.se/


http://www.ssml.fi/


http://www.ddma.nl/




http://www.sdv-asmd.ch/



http://www.ufmd.org/

mailto:[email protected]?subject=

http://www.nordma.no/


http://www.dpid.org.tr/


http://www.ddv.de/


http://www.smb.pl/


http://www.dma.org.uk/

SECTION II – Legal Overview

57

Section II – Legal Overview – Email Marketing in Europe

Edited by Field Fisher Waterhouse LLP in collaboration with Legis (Austria), Noblex Ltd (Bulgaria),

Plesner Svane Grønborg (Denmark), Luiga Mody Hääl Borenius (Estonia), HH Partners (Finland),

Avramopoulos & Partners (Greece), Bogsch & Partners (Hungary), Beauchamps Solicitors (Ireland),

La Scala & Associati (Italy), Kennedy Van der Laan (The Netherlands), Thommessen Krefting Greve

& Lund (Norway), Laszczuk & Wspólnicy (Poland), Nestor Nestor Diculescu Kingston Petersen

(Romania) Colja, Rojs & partnerji (Slovenia) Fylgia (Sweden), Python & Peter (Switzerland) and

Minnesota Privacy Consultants (United States).

Data Protection and Regulations in:

Austria P. 60

Belgium P. 66

Bulgaria P. 71

Denmark P. 74

Estonia P. 78

Finland P. 83

France P. 87

Germany P. 90

Greece P. 93

Hungary P. 96

Ireland P. 100

Up to date guidelines for professional marketers, including detailed information on:

Current Data Protection Laws and Regulations

Registration of marketing lists with the National Data Commission (cost, duration)



Collection of data (opt-in, opt-out, soft opt-in)

Notification when Collecting Data


Purposes for processing personal data (main guidelines)

Wording of notice when collecting data






Italy P. 107

The Netherlands P. 115

Norway P. 120

Poland P. 124

Romania P. 128

Slovenia P. 133

Spain P. 140

Sweden P. 145

Switzerland P. 148

United Kingdom P. 151

United States P. 156


58

SECTION II – Introduction

SECTION II – THE LEGAL INS AND OUTS OF E-MAIL MARKETING IN EUROPE

This section is designed as a detailed guide to the data protection regulations which impact on email

marketing in Europe today. We have prepared, with the invaluable help from Field Fisher Waterhouse, an

overview of the relevant laws in 22 countries – 19 from the European Union, two from the European

Economic Area (Switzerland and Norway), and also the USA. In the future we hope to be able to complete a

report on all 27 European Union countries.

Inevitably any section covering regulations is legalistic – and I am afraid this section cannot dodge the legal

issues and texts, however, also inevitably, if you want to avoid legal problems, or embarrassing and costly

complaints, you need to study these pages.

The key question we receive constantly form members is – “how on earth can I do a cross-border email

campaign covering a number of European countries when the national laws are so different?”

At present the good news is that you should, in theory, only have to apply one national law – that of your

“controller of the data”. In other words, if you have a central database (say you create one for the

campaign), and there is one controller (a data privacy officer, or a subsidiary company, etc), so long as the

data are correctly collected at national level, and the data security is correctly done, then the central (EU

based) controller can use those data under his/her own national law to send out an email (some applies

most other DM campaigns across Europe).

This makes doing a centrally organized EU-wide email campaign more simple. Some countries may not

agree (for example, Spain may prove a challenge), in which case at national level it may be advisable to

approach and discuss the issues with the national Data Protection Authorities (DPAs).

To help strengthen your case there is always the FEDMA code, which was negotiated with the national

DPAs, and the annex to that code which is now being finalized, and also there are many national codes

negotiated between the local direct marketing associations (DMAs) and the DPAs. Examples, France, UK,

Italy, the Netherlands, Belgium, Sweden, etc. These are referred to in this section.

It likely that the European Union will revise its present Data Protection regulations (the 1995 Directive)

over the coming year. This will be an opportunity for business to explain the difficulties they face when

trying to meet the demands of all the national regulatory differences to the European Institutions (the

Commission, Parliament and Council).

This report clearly shows the practical differences between the national laws. In addition, FEDMA will be

collecting evidence and case studies to help us make the case to the regulators. Please let us have your

experiences and your help to ensure better, not tougher, regulations will result from this present review.

In particular, our sector must protect the right to use only one regulation (that of the data controller) when

emails are sent out in a cross-frontier campaign. If we fail to protect that principle, and all national

regulations are applied, it will become extremely difficult to undertake any cross-border campaigns.

National laws, unfortunately, fail dismally to be comparable, despite the ideal of a “Single European

Market”, and FEDMA has noted a worrying trend towards increasing regulation with little regard for the

EU‟s central principles of compatibility and harmonization. The latest major change has been the new

German Data Protection Law of August 2009 which has introduced more restrictions.

Some of these are still unclear at the time of writing: we have attempted to give an interpretation of the

new law which should be of help to the marketer, but the German regional (Land) DPAs and courts may

change the way in which the new law is applied.


59

SECTION II – Introduction Contd

Fortunately not all EU Member States have such a regional structure as Germany, however, changes in

national regulations have in most cases been more, rather than less, strict. A notable exception is Latvia,

where the national law has been brought more into line with the 1995 EU Directive. Previously it had been

far more restrictive than the Directive.

Any report on the national regulations of 23 countries can only expect a limited shelf life: regulations – and

particularly their interpretation by the local data protection authorities – change regularly. If you have

information on new rules or interpretational regulations please share with us. FEDMA wants to keep its

information up to date, and members are always most welcome to ask questions, and get updates. This is

an important membership service which we provide. However, as data protection regulations become

increasingly complex and variable across frontiers, and marketers use a far great mix of media and

techniques - from email to SMS; from viral marketing to online behavioral advertising – it becomes

necessary to be very sure of the detailed ins and outs of data protection in multiple countries.

Law firms, such as Field Fisher Waterhouse, are essential advisors on these complexities across the EU, the

EEA, and in the main markets outside Europe from the USA to Russia, Australia to China. FEDMA strongly

advises its members to be safe rather than sorry when dealing with complex data protection issues – and in

particular with some of the stricter countries, such as Spain, or the new law in Germany. As this section

shows many of the national data protection authorities now have the ability to impose fines and / or to

seize databases, etc. Making a mistake when applying data protection rules can be an expensive error.

Finally, we would like to stress that the information we have provided here is in good faith, but neither

FEDMA, nor Field Fisher Waterhouse can guarantee its accuracy for liability purposes. As we point out, the

interpretation of national regulations continually evolves. In particular the DPAs produce new

interpretations of the relevant laws on a regular basis. The material in this report is therefore a guide to

assist the email marketer; not a firm recipe.

Alastair Tempest


April 2010


60

SECTION II – Legal Overview - Austria

Austria

Major Current Data Protection Laws

The Federal Act concerning the Protection of Personal Data (Datenschutzgesetz 2000) implements

Directive 95/46/EC and provides a fundamental right to data protection regulating all processing of

personal data, including collection, storing, committing and transmission of data.

The Telecommunication Act (Telekommunikationsgesetz 2003) implements Directive 2002/58/EC and

regulates (among other things) data processing in the electronic communication sector.

Section 151 of the Trade Act (Gewerbeordnung) contains specific data protection provisions for direct

marketing businesses and list brokers.

Registration of marketing lists with the Data Commission (DPA)

In general, every controller has to file a notification with the data processing register

(Datenverarbeitungsregister) before commencing a data processing activity (a data application).

Notification is not required in the case where the data application corresponds to a so called standard

application (Standardanwendung). Processing data for the controller‟s own customer support and

marketing purposes are examples of the standard applications. Therefore, a person can operate a

marketing list without notifying the authority if the list meets the requirements of a standard

application. The rule is defined in an ordinance (Verordnung) of the Federal Chancellor.

Expected time duration for registering marketing lists with the DPA

The notification process in Austria is quite simple. The Data Protection Authority provides forms on its

website. These can be found at: http://www.dsk.gv.at.

The process takes several months. However, in most cases the data application may be run as soon as

the notification is filed, unless the application contains sensitive data.

Registration costs

The authority does not charge fees for notification.

Non Sensitive/Sensitive Information

Common legal grounds for the processing of (non-sensitive) personal data for marketing purposes

carried in all media

Overriding legitimate interests of the controller, such as execution of a contractual obligation to

the data subject

Consent by the data subject

For (licensed) direct marketing businesses and list brokers only: explicit statutory authorisation

(sec. 151 Trade Act)

How the data subject exercises „consent‟

The Data Protection Act requires “informed consent”. In order to obtain valid consent the controller

has to inform the data subject of:

the types of data being processed;

the purposes of the processing;

in the event of a data transfer:

• the type of data to be transferred;

• the purpose of the transfer; and

• the (specific) recipients of the transfer and

the right to withdraw its consent at any time.


http://www.dsk.gv.at/

61

Generally no specific form of consent is required. If the data are non-sensitive then implied consent is

sufficient. The data subject can revoke his or her consent at any time.

Implied consent

The Datenschutzgesetz 2000 does not require a specific wording for collecting data. Generally,

consent, including implied consent, must be informed consent –see above.

A tick box is not required by law. However, providing a check box linked to, or placed next to, the

statement of consent helps the controller to prove that the data subject approved of the data

processing.

Sensitive Data: Required form of consent for the processing of sensitive data

Sensitive data may only be processed under very strict conditions; the most important is to have prior,

expressed consent from the data subject. The consent does not have to be in writing but written

consent is recommended for purposes of proof.

Types of data considered “sensitive”

Sensitive data is defined (in section 4 no. 2 of the Datenschutzgesetz) as data relating to natural

persons concerning their racial or ethnic origin, political opinion, trade-union membership, religious

or philosophical beliefs, and data concerning health or sex life.

Information on (alleged) criminal behaviour and criminal convictions relating to the data subject, as

well as information on the data subject‟s credit history (if processed for the purpose of providing such

information to third parties) are by definition not sensitive data, but are subject to specific

restrictions.

Electronic Communication and the Opt-in

Common legal ground for the use of electronic messages for marketing

Direct marketing is regulated in the Telecommunication Act (Telekommunikationsgesetz 2003), in

sections 5a – 5h, and 28a of the Consumer Protection Act (Konsumentenschutzgesetz) and the Federal

Act concerning the Protection of Personal Data (Datenschutzgesetz 2000).

Telemarketing in terms of unsolicited marketing by phone, email, SMS or MMS is regulated in the

Telecommunication Act (Telekommunikationsgesetz 2003). Section 107 paragraph 1, generally forbids

phone calls and communications by fax for marketing purposes without the prior consent of the

addressee. Furthermore, section 107 paragraph 2 forbids sending electronic mail (including SMS)

without the prior consent of the addressee if:

the message is sent for Direct Marketing purposes, or

the message is addressed to more than 50 addressees.

Electronic mail for direct-marketing purposes is illegal if the identity of the sender is concealed or if

there is no address displayed in the mail to which the addressee can send his request for removal

from the mailing list.

Definition: soft opt-in for electronic communications

“Soft opt-in” is referred to in section 107 paragraph 3 of the Telekommunikationsgesetz. Prior

consent in terms of paragraph 2 is not necessary if:

the sender has received the contact information of the addressee in connection with a sale or a

service to his customers;



62

the direct marketing message relates to the sender‟s own (similar) products and the addressee

was given the opportunity (from the date of acquiring the data onwards) to refuse such a use of

his electronic contact information, easily and without any cost;

the address is not registered in the so-called “§ 7 ECG-Liste”, (i.e. a Robinson list for electronic

mail).


Since March 2006 the above stated rules apply to both B2C and B2B. There is no difference any more.

Purposes

Provided that the controller gives the data subject a very detailed list of purposes, the data subject‟s

(implied) consent will cover all such purposes.

Generic terms

Generic terms describing purposes and destination of data transmission may be insufficient –

especially in respect of consumers. However, “direct marketing” and “market research” may be

sufficient for the purpose of data processing. Wording like “transmission to all linked companies of

the X-group” was considered too vague by the courts.

Notifying when Collecting Data

Wording for collecting data

There is no required or recognised form of wording for collecting data in Austria.

When collecting data the controller must inform the data subject of:

the purpose of the processing

the name and address of the controller

and provide such additional information as required from time to time for fair data processing, in

particular, if the data subject has a right to object against the processing; if it is not clear to the data

subject whether or not he/she is obliged to provide certain data; or if data are processed in a data

pool where the data are equally accessible to multiple controllers (Joint Information System /

Informationsverbundsystem).

Do the purposes for processing personal data have to be given only to prospective clients or also

each time an existing client is approached?

The purposes for processing should be provided each time data are collected or used for

alternative/additional purposes. It is irrelevant whether or not the data subject is an existing client.

Opt-out

There is no specific form or wording for opting-out. Data subjects can revoke their consent at any

time in any form, thus making further data processing illegal. Data subjects also have the right to

rectification and/or erasure of his/her data. In regards to addressed mail, email and SMS the

addressee can opt-out by registering with a Robinson list (see below).

Do you have to offer the opt-out each time when approaching the customer?

When using email and SMS for marketing purposes, you have to give the addressee the opportunity to

refuse the use of his electronic contact information in every single message.



63

Data Storage

Data confidentiality clause

(Section 15 of the Datenschutzgesetz) imposes a general obligation on controllers, processors and

their respective employees to keep data accessible to them in their professional capacity

confidential. Additional confidentiality requirements apply to certain professions.


Data may only be kept in a form which permits identification of data subjects for as long as this is

necessary for the purpose for which the data was collected. No specific period is stated by law.

(Section 6 paragraph 1 of the Datenschutzgesetz)

As far as standard applications are concerned, the ordinance of the Federal Chancellor limits the

storage period to a specific time.

Every controller has to erase or make anonymous data he has stored as soon as the data (or its link to

a specific person) are not necessary for the purpose for which the data were collected.

When the controller uses a standard application, he may only store data for the time stated in the

Ordinance of the Federal Chancellor. If the controller holds the data for a longer period, he exceeds

the requirements of a standard application and therefore must notify the application to the DPA.

Security of data

Section 14 of the Data Protection Act provides several measures to ensure data security, which have

to be taken by the Data Controller or Processor.

Among them are:

The use of data must be tied to valid orders of the authorised organisational units or operatives;

Every operative must be instructed about his duties according to the Datenschutzgesetz and the

internal data protection regulations, including data security regulations;

The right of access to the premises, data and programmes of the data Controller or Processor has

to be regulated;

The right to operate the data processing equipment has to be laid down and every device has to

be secured against unauthorised operation by taking precautions with the systems and

programmes used.

Costs associated with security of data

The Data Protection Act states: “These measures must, taking into account the technological state of

the art and the cost incurred in their execution, safeguard a level of data protection appropriate with

regard to the risks arising from the use and the type of data to be protected.”

Protection for database owners

The owner of a database, who has made a substantial investment, whether qualitatively and/or

quantitatively, in either the obtaining, verification or presentation of the contents, has the right to

prevent extraction and/or re-utilization of the whole or of a substantial part, evaluated qualitatively

and/or quantitatively, of the contents of that database. Databases are protected under the Copyright

Act (Urheberrechtsgesetz)



64

Penalties

National penalties the DPA can apply

Technically the DPA has now power to issue penalties. If it becomes aware of a criminal or

administrative offense regarding the unlawful use of data it has to notify the respective criminal

prosecution or administrative penal authorities, as the case may be. Unlawful use of data for the

purpose of monetary gain or with the intent to cause harm is a criminal offense punishable by

imprisonment of up to one year.

The Datenschutzgesetz defines certain violations as administrative offense punishable with a fine of

up to EUR 25.000,00 or 10.000,00, as the case may be.

Penalties for breaching the rules on unsolicited for Email message:

Administrative penalty up to EUR 37.000,00.



All “traffic data” must be erased or made anonymous when they are no longer needed for the purpose

of the transmission of a communication. (Section 99 of the Telekommunikationsgesetz)

Log files may only be stored for as long as they are necessary for the purposes of subscriber billing and

interconnection payments. Log files may be stored for some marketing purposes to the extent and for

the duration necessary for such services or marketing, provided the subscriber has given his/her

consent.


Every data subject is given the right to information about, rectification and erasure of his/her data.

The data subject may demand information about processing of his/her data in writing and on

production of proof of his/her identity. The controller has to give such information in writing within

eight weeks, or explain why he is not able to provide such information.

Every controller has to rectify or erase data as soon as he becomes aware of any inaccuracies in the

data or inadmissibility of processing. If a data subject requests the deletion or rectification of his/her

data, the controller must act on this request within eight weeks.


A Robinson list concerning electronic mail is operated by the Rundfunk- und Telekom Regulierungs-

GmbH. For more information, please visit:

http://www.rtr.at/web.nsf/deutsch/Telekommunikation_Konsumentenservice_E-Commerce-Gesetz

A list concerning mailings by post is operated by the Fachverband Werbung und Marktkommunikation

der Bundessparte "Gewerbe, Handwerk, Dienstleistung" der Wirtschaftskammer Österreich. For more

information, please visit: http://www.fachverbandwerbung.at/de-service-robinsonliste.shtml

The above-mentioned Robinson lists do not concern collecting of addresses, but the sending of

unsolicited mail. The DPA is not the competent authority in the field of unsolicited mail.








http://www.fachverbandwerbung.at/de-service-robinsonliste.shtml





65

Consumer Protection Legislation

The term “inbound telemarketing” does not exist in Austrian law. When a consumer calls a company

to get information about a product or to order a product on a hot-line or via a call-centre, this

situation would be regulated by the Consumer Protection Act (Konsumentenschutzgesetz).

Call monitoring for quality control/training

There are no specific rules for monitoring calls of call centre agencies. However, the general

provisions of labour law, data protection and unfair competition law apply.

Internet

National laws specifically on eCommerce

In implementing the Directive 2000/31/EC, Austria established the Federal Act concerning certain

legal aspects of electronic business and legal relations (E-Commerce Gesetz), which became effective

on January 1st 2002.

The E-Commerce Act (E-Commerce-Gesetz) regulates the accreditation of service providers in

electronic business and legal relations, their duty to supply information, the conclusion of contracts,

the responsibilities of the service providers, the country-of-origin principle and the cooperation with

other

member states.

Service provides are defined as every individual or legal person or other construct with legal capacity

who/which provides an information society service.



66

Belgium


« Loi relative à la protection de la vie privée à l'égard des traitements de données à caractère

personnel / Wet tot bescerming van de persoonlijke levensfeer ten opzichte van de verwerking van

persoonsgegevens » (Data Protection Act) dated 8 December 1992, as amended especially by the law

of 26 February 2003.


When acquiring or starting a marketing list in Belgium, you are required to notify the “Commission de

la protection de la vie privée / Commissie voor de bescherming van de persoonlijke levenssfeer”).

There is however an exception where there is no need for such a notification: If (i) the marketing list

will only be used for client management (i.e. not for direct marketing), (ii) the data collected are not

sensitive data, (iii) the data have been obtained directly from the data subject and (iv) there will not

be any transfer of those data to another person or company.


Under Belgian law, only processing of personal data for marketing purposes needs to be registered

with the DPA. The marketing list as such does not need to be registered. The notification process

approximately takes 4-6 weeks.

Registration costs

The costs for such a notification amount to 25 Euros if it is done by Internet, but increase to 125 Euros

if the notification is submitted on a paper form. The cost to modify notifications is 20 Euros.


Common legal grounds for the processing of (non-sensitive) personal data for marketing

purposes

Article 5 of the Data Protection Act states the legal grounds that allow for the processing of personal

data in general. As far as marketing is concerned, in order to process personal data an opt-in is

generally required, and in some instances mandatory (see below). Therefore, the DPA is of the

opinion that obtaining the data subjects consent is best practice.

However, the DPA recognises that processing of personal data for marketing purposes may in some

cases be justified if the processing is necessary for the performance of a contract to which the data

subject is party (existing clients) or in order to take steps at the request of the data subject prior to

entering into a contract (prospects), provided that no express consent is required by law.

In certain (more exceptional) cases, the processing could even be justified based on the fact that the

processing is necessary for the purposes of the legitimate interests pursued by the controller or by the

third party to whom the data are disclosed, provided the interests or fundamental rights and

freedoms of the data subject are not infringed.

SECTION II – Legal Overview - Belgium


67


The data subject, whose data are collected and processed, has to give his/her unambiguous consent

(i.e. freely given, specific and informed). (Article 5.a of the Data Protection Act)

Consent can be given by checking an opt-in tick box.

Implied consent

In principle, the consent has to be unambiguous (i.e. freely given, specific and informed). Implied

consent may be acceptable in certain circumstances, but it may lead to uncertainty, especially if the

existence of the data subject‟s consent is the only legal ground for the processing of his personal

data.

In certain cases, soft opt-in, which is a form of implied consent, can be expressly considered to be a

valid consent.

Consent by data subject is required when using the following communication media:

Subject to the soft opt-in and opt-out exceptions set out below, express consent (opt-in) shall be

mandatory by virtue of the law for the following categories: SMS, MMS, EMAIL, Telephone, Fax, Mail

and Chat


In principle, it is prohibited to process sensitive data. However, there are some exceptions, the most

important one being the written consent of the data subject (unless prohibited by law). (Articles 6 §

2, a-e, 7 § 2 a-k and 8 § 2 a-e of the Data Protection Act)

Types of data considered “sensitive”, apart from race, religion, politics, sexual interests,

health, and trade union memberships

Personal data relating to litigation that have been submitted to courts or administrative judicial

bodies, relating to allegations, charges, or convictions in matters of criminal offences,

administrative sanctions or security measures.

Biometric data may be sensitive if they can be considered as health related data (e.g. DNA).



The Act of 11 March 2003 on the information society, together with the Royal Decree of 4 April 2003

regulate marketing by electronic communication. These transpose parts of the EU Directive

2000/31/CE and specifically apply to e-commerce.


The Act of 11 March 2003 imposes an opt-in system in Belgium, but the Royal Decree of 4 April 2003

provides for two exceptions:

The first one concerns direct marketing sent electronically to a person whose data have been

obtained at the occasion of a previous sale if: - (i) at the time of collection it had been mentioned

that the person could refuse such use; (ii) the marketing message concerns the same kind of product

or service as the one the person had previously bought, and (iii) the marketing message is sent by the

entity that was involved in the previous sale (soft opt-in for existing clients).



68

The second exception concerns emails sent to impersonal email addresses belonging to legal entities,

for example [email protected] (but not [email protected]). But these should still be opt-out

for impersonal email addresses of legal entities.


As far as B-to-B is concerned, the same opt-in rules apply as in case of B-to-C. The two exceptions set

out above also apply to the same extent.

Purposes

If the personal data are obtained directly from the data subject, the data subject must be informed

of the purpose of the processing no later than at the moment at which the data are obtained.

If the personal data are not obtained from the data subject, the data subject must be informed of the

purpose of the processing at the time the personal data are recorded, or, if a transfer to a third party

is envisaged, no later than the moment at which the data are first disclosed.

Generic terms

Generic terms are not acceptable in the following instances:

When notifying a declaration to the DPA, the controller has to select the most appropriate

purpose from a list of purposes proposed by the DPA (e.g. direct marketing, trade of commercial

information); and

When the data are effectively collected. When a data subject is asked whether she/he agrees to

give personal data, this person needs to know exactly the reason why these data are being

collected. The data cannot be used for another purpose other than the one mentioned.



There is no required or recognized form of wording for collecting data. However, the DPA has given an

example information clause for collecting data:

In French:

“Vos données sont reprises dans le fichier [d‟adresses] de [nom du responsable de traitement] pour

[finalité du traitement]. Vos données seront communiquées par [nom du responsable de traitement]

à [catégories de destinataires] à des fins de [finalité du traitement].

Vous diposez à tout moment d‟un droit d‟accès et de rectification de vos données et du droit de vous

opposer, gratuitement, à leur traitement et à leur communication”

In Dutch :

“Uw gegevens worden opgenomen in het [addressen]bestand van [naam van de verantwoordelijke van

de verwerking] met het oog op [doeleinde van de verwerking]. Uw gegevens worden door [naam van

de verantwoordelijke van de verwerking] meegedeeld aan [categorie van ontvangers] met het oog op

[doeleinde van de verwerking].).





69

U beschikt te allen tijde over een recht op toegang en op verbetering van uw gegevens en u heeft het

recht om u kosteloos te verzetten tegen de verwerking en de doorgifte van die gegevens”.

(“Marketing direct et Protection des données” / “Direct marketing en bescherming van

persoonsgegevens” , www.privacycommission.be).

This example clause mentions the purpose of the data processing, the name of the controller, the

identity of the people who will have access to the data and the rights of the data subject.



The purposes have to be given when collecting personal data from both existing and prospective

clients.

Opt-out

The data subject may choose to opt-out, free of charge, at any time, without any justification.


The controller must inform the data subject of this right each time an electronic marketing message is

sent and must offer the data subject the possibility to exercise this right electronically (i.e. either by

clicking on a link or via an email address for this purpose).

Data Storage


Article 16 of the Privacy Act obliges the data controller to take the necessary security measures to

guarantee the integrity of the personal data processed.


Personal data must not be kept longer than is necessary for the purposes for which the data are

collected or for which they are further processed. (Article 4, § 1, 5° of the Data Protection Act)


The DPA may investigate complaints but has no enforcement powers. It can however issue an opinion

and inform the Public Prosecutor of an infringement. The criminal courts can impose ffines, which

may vary between 550 EUR and 550.000 EUR.



All the above mentioned principles apply to the on-line collection of data on the Internet and have to

be adapted to this media. For example, the fact that the consent has to be unambiguous implies that

a pre-ticked box on a web page is not sufficient.


The data subject has a free of charge right of access and rectification to his/her data. He/She only

needs to send a written and signed request and a copy of his/her identity card, to the person who is

responsible for this data processing.



http://www.privacycommission.be/

70


There is a “Code de déontologie” (professional Code of Ethics) that is published by the Belgian Direct

Marketing Association (BDMA) and that is available on its website (www.bdma.be). This code was

drawn up together with the DPA.

The DPA also published a recommendation on direct marketing and the protection of personal data,

which contains guidelines on the matter ( “Recommandation 04/2009 du 14 octobre 2009 concernant

le marketing direct et la protection des données à caractère personnel /Aanbeveling 04/2009 van 14

oktober 2009 betreffende direct marketing en bescherming van persoonsgegevens”).

Internet


The Act of 11 March 2003 on the information society and the Royal Decree of 4 April 2003, both

transposing part of the EU Directive 2000/31/CE, specifically apply to e-commerce.

Rules to apply for the use of new media such as Bluetooth or other mobile messaging

The above mentioned regulations apply to the use of new media.

Rules on the use of viral advertising

Strictly speaking, some aspects of viral advertising are contrary to the Data Protection Act and the

regulations on direct marketing (Act of 11 March 2003 and the Royal Decree of 4 April 2003),

specifically member get member/friend get friend campaigns. According to the DPA, these are only

compliant with the requirements of electronic marketing where the friend‟s prior consent is obtained.

Moreover, there is a general requirement that, upon receipt of the (viral) advertising message, it

should be clear to the recipient that the message has an advertising purpose. The (viral) advertising

message should mention the word “publicité / reclame” [advertisement] as well as the identity and

address of the sender.



http://www.bdma.be/

71

Bulgaria


Promulgated State Gazette No. 1/4.01.2002, effective 1.01.2002, supplemented,

SG No. 70/10.08.2004, effective 1.01.2005, SG No. 93/19.10.2004, No. 43/20.05.2005, effective

1.09.2005, amended and supplemented, SG No. 103/23.12.2005, amended, SG No. 30/11.04.2006,

effective 12.07.2006, amended and supplemented, SG No. 91/10.11.2006, supplemented, SG

57/13.07.2007, effective 13.07.2007, emended, SG No.42/05.06.2009

Extent of DPA‟s Assistance with Enquiries

The DPA will assist with enquiries.

Registration of marketing lists with the Data Commission

Each entity that operates and/or maintains databases containing personal data is obliged to make a

registration with the Commission for Protection of Personal Data (DPA). The registration must be

made before the operation/maintaining of the database commences.


2 months

Registration costs

Registration as an administrator is free.



purposes

There must be a legitimate interest from the direct marketer.

How „consent‟ is exercised by the data subject

The data subject‟s consent is implied when he/she voluntarily provides his/her personal data. When

this is not the case, the failure to opt-out is regarded as consent. Where consent is needed, it has to

be explicit and unequivocal.

Implied consent

Implied consent is acceptable in Bulgaria. A tick box is not a compulsory element.

Consent by data subject is required when using the following communication media: SMS, MMS,

EMAIL, Telephone, Fax, Mail


There must be explicit consent from the physical person.



Data about the ethic origin, philosophical conviction and genetic make-up of the data subject.

SECTION II – Legal Overview - Bulgaria


72



Sending unwanted commercial communications to consumers without their prior consent is forbidden.

Electronic messages are regulated by the Electronic Commerce Law and by the Electronic

Communications Act. These two Laws transpose the provisions of Directive 2000/31/EC and of

Directive 2002/21/EC..


There is no soft opt-in for electronic communications in Bulgaria.

There are no rules on electronic communication for B-to-B marketing purposes.

Purposes

When giving the purposes for processing personal data generic terms are acceptable.



There is no requirement for a recognised form of wording for collecting data in Bulgaria.



Legally, the purposes for processing personal data only need to be given to prospective clients

Opt-out

The laws provide the right for the consumer to object to the processing of his/her personal data for

the purposes of direct marketing. It is not necessary to offer opt-out each time when approaching a

customer.

Data Storage


There are data confidentiality clauses in Bulgaria.


There are no time limits on holding data. Every data administrator has to specify the terms for holding

collected data when registering with the DPA.

National penalties which the national DPA can apply

The DPA can issue fees and the penalty rates are between 250 and 50 000 EUR. In cases of repeated

violations the sanctions are double that of the original penalty. The law provides the possibility for

the DPA to suspend, upon prior notification, the processing of personal data where such processing

violates the provisions on the protection of personal data, but the DPA can not order the destruction

of the database etc.



73

Penalties for breaching the rules on unsolicited electronic communications for Email are between

2500 - 5000 Euros.



Any person whose personal data is processed has the right to file a request in writing for access to

and/or rectification of the data related to him.

The processor has to reply within a definite period and no response is considered a refusal for

access/rectification. Access may be denied if there is an adequate reason, and access by third parties

is restricted.


There are no industry codes of practice in place.


The Regulations under the E-Commerce Law govern this area.



74

Denmark


Persondataloven (Personal Data Act)


The mere holding of a marketing list does not require that person to register with the DPA.

There is no expected time duration for registering marketing lists with the DPA.



purposes

Personal data may be processed only if:

1. the data subject has given his explicit consent; or

2. processing is necessary for the performance of a contract to which the data subject is a party, or

in order to take steps at the request of the data subject prior to entering into a contract; or

3. processing is necessary for compliance with a legal obligation to which the controller is subject;

or

4. processing is necessary in order to protect the vital interests of the data subject; or

5. processing is necessary for the performance of a task carried out in the public interest; or

6. processing is necessary for the performance of a task carried out in the exercise of an official

authority vested in the controller or a third party to whom the data are disclosed; or

7. processing is necessary for the purposes of the legitimate interests pursued by the controller or by

the third party to whom the data are disclosed, and these interests are not overridden by the

interests of the data subject. (Sections 6(1)(1) or 6(1)(7) of the Personal Data Act. Section 6(1))


The data subject's consent shall mean any freely given specific and informed indication of his wishes

by which the data subject signifies his agreement to personal data relating to him being processed.

Implied consent

Implied consent is as a general rule is not acceptable in Denmark. In certain cases, the disclosure of

non-sensitive data may be deemed to be implied consent to the processing for which the data was

disclosed.

Consent by data subject is required when using the following communication media: SMS, MMS,

Email, Telephone (except if the call concerns the sale of insurances, books or newspapers/magazines

in which case consent is not required. The Robinson list must, however, still be observed), FAX, Mail

(normally consent is not required for Mail, unless the data subject has signed up to the Robinson list,

in which case consent is required).


The consent must be explicit and informed.

SECTION II – Legal Overview - Denmark


75



Under the Personal Data Act, in addition to the above, there is a special category called "semi-

sensitive data", which covers data about criminal offences, serious social problems and other purely

private matters. In practice, “semi-sensitive data” are subject to the same limitations/conditions as

sensitive data.



Consent, cf. Section 6(1) of the Danish Marketing Practices Act.


A trader that has received a customer‟s electronic contact details in connection with the sale of

products or services may market his own similar products or services to that customer by electronic

mail, provided that the customer has been given the option, free of charge and in an easy manner, of

declining this both when providing his contact details to the trader and in the event of subsequent

communications.

Opt-in is required for electronic communication for B-to-B marketing purposes is required for:

Automated Calling Machines, SMS, MMS, EMAIL, Telephone, FAX, Mail

Purposes

It is necessary to be precise when providing the purposes for processing personal data.

Generic terms

It is necessary to be precise to a certain extent.



There are no required or a recognized form of wording for collecting data in Denmark.



The purposes only have to be stated once.

Opt-out

The opportunity to opt-out must be easy and free of charge.


Yes, if the customer is approached by email. For communications by ordinary mail to consumers, the

opt-out must be stated in the first letter to the customer.



76

Data Storage


There is a data confidentiality clause in Denmark.


There are no exact time limits on holding data, but the data may not be kept in a form which makes it

possible to identify the data subject for a longer period than is necessary for the purposes for which

the data are processed.

Transfers of data between companies

Model clauses to govern the rules

There are no model clauses governing the rules of data transfer between companies.

Transfer of data from one company to another for marketing purposes requires active or passive

consent, depending on the categories of data being transferred.

Penalties


Fines, imprisonment, orders or prohibitions.


Fines and damages/compensation claims



None


The following Sections of the PDA apply:

31. – (1) Where a person submits a request to that effect, the controller shall inform him whether or

not data relating to him are being processed. Where such data are being processed, communication

to him shall take place in an intelligible form about:

1. the data that are being processed;

2. the purposes of the processing;

3. the categories of recipients of the data; and

4. any available information as to the source of such data.

(2) The controller shall reply to requests as referred to in subsection (1) without delay. If the

request has not been replied to within 4 weeks from receipt of the request, the controller shall

inform the person in question of the grounds for this and of the time at which the decision can be

expected to be available.



77

33. A data subject who has received a communication in accordance with section 31 (1) shall not be

entitled to a new communication until 6 months after the last communication, unless he can prove

that he has a specific interest to that effect.

34. – (1) Communication in accordance with section 31 (1) shall be in writing, if requested. In cases

where the interests of the data subject speak in favour thereof, the communication may, however,

be given in the form of oral information about the contents of the data. (2) The Minister of Justice

may lay down rules for payment of a fee for communications, which are given in writing by private

companies, etc.


There are codes of practice in Denmark, and it is possible to obtain these by contacting the individual

industries' organisations.

The Robinson list is operated by the Det Centrale Personregister (CPR register). For more information

please visit: www.cpr.dk



http://www.cpr.dk/

78

Estonia

Major Data Protection Laws

The Constitution – basic principles

Personal Data Protection Act came, into force 01/01/2008

Public Information Act, came into force 01/01/2001

Information Society Services Act, came into force 01/05/2004


The mere holding of a marketing list does not require that person to register such list with the

Estonian Data Protection Inspectorate (DPA).

The processor of personal data is only required to register the processing of personal data with the

DPA in cases where the marketing list, or creation, involves the processing of sensitive personal data,

and the processor has not appointed (and informed the DPA) a person responsible for the protection

of personal data.

Expected time duration for registering marketing lists with the DPA:

Marketing lists do not have to be registered.

The registration of processing of sensitive personal data with the DPA (as referred to above) takes up

to 20 working days; but the DPA may extend this period by up to 10 working days. A registration

application shall be submitted to the DPA at least one month before processing of sensitive personal

data commences.

Registration costs

There are no specific fees for the registration of the processing of sensitive personal data.



purposes

As a general rule - processing of personal data is permitted only with the consent of the data subject,

unless otherwise provided by law.

The law provides that processing of personal data without the consent of a data subject is permitted,

if the personal data are to be processed:

1) on the basis of law;

2) for performance of a task prescribed by an international agreement or directly applicable

legislation of the EU Council or the European Commission;

3) in individual cases for the protection of the life, health or freedom of the data subject if

obtaining the consent of the data subject is impossible;

4) for performance of a contract entered into with the data subject or for ensuring the performance

of such contract, unless the data to be processed are sensitive personal data.


The declaration of intention of a data subject whereby the person grants the consent for processing of

his or her personal data (hereinafter “consent”) is valid only if it is based on the free will of the data

subject.

SECTION II – Legal Overview - Estonia


79

In order to obtain valid consent the data subject shall be clearly informed of:

the data to which the permission relates,

the purpose of the processing,

the persons to whom the data may be transferred,

the conditions for communicating the data to third persons, and

the rights of the data subject concerning further processing of his or her personal data.

Silence or inactivity shall not be deemed a declaration of intention to grant the consent.

Before obtaining a data subject's consent for the processing of personal data, the processor of

personal data shall notify the data subject of the name, address and other contact details of the

processor of the personal data. If the personal data is to be processed by the chief processor and

authorised processor then the name of the chief processor and authorised processor or their

representatives, and the address and other contact details of the chief processor or authorised

processor shall be communicated and made available.

For processing sensitive personal data, the data subject must be informed that the data to be

processed are sensitive personal data, and the data subject's consent has be obtained in a format

which can be reproduced in writing.

A data subject has the right to prohibit, at all times, the processing of data concerning him or her for

the purposes of marketing research or direct marketing, and communication of data to third persons

who intend to use such data for market research or direct marketing.

In the case of a dispute it shall be presumed that the data subject has not granted consent for the

processing of his or her personal data. The onus is on the processor to provide proof of the consent of

a data subject.

Implied consent

The law says that silence or inactivity does not mean that consent has been given. Consent shall be

given in a format which can be reproduced in writing, unless this is not possible due to a specific

manner of data processing (the last exception does not apply to sensitive personal data).

Consent by data subject is required when using the following communication media

As a general rule under Personal Data Protection Act - any kind of data processing requires the

consent of the data subject.

In the case that the use of data involves sending commercial communications to natural persons (not

processing), then the Information Society Services Act provides the following rule - the service

providers may transmit digital commercial communications to natural persons through a public data

communication network only with the prior consent of the addressee. The term “public data

communication network” is not currently defined in the law, therefore we suggest that it is

interpreted widely to cover not just e-mail, but also telephone, SMS; MMS; and fax.

Thus, consent is required for SMS, MMS, EMAIL, Telephone, FAX but not for Mail.



80


For processing sensitive personal data, the person must be informed that the data to be processed is

sensitive personal data and the data subject's consent shall be obtained in a format which can be

reproduced in writing.



Besides those above the following si also considered to be sensitive data:

data concerning genetic information, philosophical beliefs, ethnic origin, biometric data

(particularly fingerprints, palm prints, eye iris images and genetic data), information concerning the

commission of an offence or falling victim to an offence before a public court hearing, making of a

decision in the matter of the offence or termination of the court proceeding.



Information Society Services Act provides that a "Commercial communication" is any form of

communication designed to promote, directly or indirectly, the goods, services or image of a service

provider.

A commercial communication shall comply with the following conditions:

1) the commercial communication shall be clearly identifiable as such;

2) the person on whose behalf the commercial communication is made shall be clearly identifiable;

3) promotional offers, such as discounts, premiums and gifts, promotional competitions and games,

shall be clearly identifiable as such;

4) the conditions for participation in the promotional offers and commercial lotteries shall be

presented clearly.

Service providers are permitted to transmit digital commercial communications to consumers (natural

persons) through a public data communication network only under the following conditions:

1) with the prior consent of the addressee,

2) if the addressee is informed, in a clear and unambiguous manner, of how to cancel the

commercial communications in the future;

3) if the addressee is guaranteed the actual opportunity to exercise the right to refuse the receipt of

the commercial communication through the public data communication network.

The service provider must record the consent, or refusal of an addressee. The obligation to prove the

consent rests with the service provider.

Rules on electronic communication for B-to-B marketing purposes, specified by subject

Currently the law only regulates, and the above-referred restrictions only apply to, transmission of

the digital commercial communications to natural persons; not to legal entities.

Purposes

The consent of the data subject shall clearly determine the purpose of the processing of the data.



81

Generic terms

See section on “How consent is exercised by the data subject”. Provided those requirements are

fulfilled, there are no restrictions on the use of generic terms.



There is no required or recognized form of wording for collecting data in Estonia. However, the DPA

has published on their web-site certain examples that could be used in particular cases.



The purposes for processing should be stated each time data are collected or data are used for

alternate/additional purposes. It does not matter whether the data subject is an existing client or

not.

Opt-out

The consent of the data subject may be withdrawn by the data subject at any time. The law requires

that while asking for the consent of the data subject, the controller shall clearly state, among other

things, the rights of the data subject concerning further processing of his or her personal data and

his/her possibility to withdraw the consent at any time. (Personal Data Protection Act)

Information Society Services Act provides additional rules for transmission of digital commercial

communications to natural persons through a public data communication network. It states that when

sending commercial communications through the public data communication network the addressees

must be informed, in a clear and unambiguous manner, of the right (and how to exercise this right) to

cancel the commercial communications and there sender must provide the opportunity to exercise

this right.


In case of general data processing, when covered by wider consent of the data subject, there is no

such need, as the right of the data subject to withdraw the consent was offered when the consent

was obtained.

In case of sending commercial communications to natural person through a public data communication

network, then the Act provides the additional rule, described above, which specifically requires that

the opt-out must be offered.

Data Storage


There is a personal data confidentiality clause in Estonia. The law provides that a processor of

personal data is required to take organisational, physical and information technology security

measures to protect the personal data against unauthorised processing.


The data shall only be kept for a period of time during which they are necessary. The law provides

that a processor of personal data is required to immediately delete, or close, personal data which are

no longer necessary for achieving the purposes for which the data were collected, unless otherwise

provided by law.



82

Penalties


The DPA may impose fines for the violation of personal data processing requirements. For natural

person the fine is up to EEK 18,000 (approx. EUR 1,150); for legal entity up to EEK 500,000 (approx.

EUR 31,900).

Criminal sanctions (monetary penalty or imprisonment) may also apply to unlawful disclosures of

sensitive personal data.


A natural person may be fined up to EEK 18,000 (approx. EUR 1,150). For a legal entity this maximum

increases to EEK 50,000 (approx. EUR 3,190).


There are no additional rules for on-time collection of data on the internet


At the request of a data subject, a processor of personal data must communicate the following to the

data subject:

1) the personal data concerning the data subject;

2) the purposes of processing of personal data;

3) the categories and source of personal data;

4) third persons or categories to whom transmission of the personal data is permitted;

5) third persons to whom the personal data of the data subject has been transmitted;

6) the name of the processor of the personal data or their representative and the address and other

contact details of the processor of the personal data.

The processor of personal data is required to provide a data subject with information and the

requested personal data, or state the reasons for refusal to provide data or information, within five

working days after the date of receipt of the corresponding request.

The rights of a data subject to receive information and personal data concerning him or her upon the

processing of the personal data shall be restricted only if this may:

1. damage rights and freedoms of other persons;

2. endanger the protection of the confidentiality of the filiation of a child;

3. hinder the prevention of a criminal offence or apprehension of a criminal offender;

4. complicate a criminal proceeding.

A data subject has also the right to demand the correction of his/her inaccurate personal data from

the processor.

The processor must immediately perform the correction and notify the data subject that that has

been done. Reasons for denial shall be provided to the data subject.


A Direct Marketing Association exists in Estonia but there was no information available on codes of

practice or preference lists.



83

Finland

Major Data Protection Laws

The Personal Data Act requires that the purpose of processing personal data; the regular sources of

personal data; and the regular recipients of the personal data shall be defined before personal data,

which are intended to be recorded, are collected. Personal data must not be used or otherwise

processed in a manner incompatible with these purposes. The controller has to describe the personal

data files for which it (he/she) is responsible.

The Data Protection Ombudsman (DPA) has right of access to personal data that are being processed

and also has the right to inspect personal files. The Personal Data Act contains provisions on the

processing of personal data for special purposes such as research, statistics, official plans and reports,

direct marketing and other personalized mailing.

The Personal Data Act, PDA

The Personal Data Act (523/1999) based on Directive 95/46/EC came into force on 01/06/1999 and it

repealed the Personal Data File Act (471/1987). The provisions of the Act apply to the processing of

personal data. Translations (Swedish and English) can be found in the web pages of the office of the

Data Protection Ombudsman.

Act on Privacy in E-Communications

Act (516/2004) based on E-communications Directive 2002/58/EC came into force September

01/09/2004 and repealed previous Act (565/1999). Translation will be available on the DPA‟s website.

Act on Data Protection Working Life

The Act on Protection of Privacy in Working Life (759/2004) came into force from the beginning of the

October 2004. The Act incorporates the main data protection issues relating to working life by

creating procedures for the needs of working life in particular email usage and supervision of it;

camera surveillance at the workplace and tests. The Act supplements the Personal Data Act. A

translation is available on the DPA‟s website. Further material in English related to Act is available in

the web pages of the Ministry of Employment and the Economy

http://www.tem.fi/index.phtml?l=en&s=2313

Registration of Marketing Lists with the DPA

Registration with the DPA is essential for marketing lists. The Act states that the controller shall

notify the DPA of automated data processing by sending a description of the file to that authority.

All direct marketing and other personalized mailing files stored in a relevant system (an ADP system)

must be notified. The duty to notify the DPA does not apply to the files concerning data subjects who

are a client or member of, or in the service of, the controller or, if the data has been entered into

the register with the consent of the data subject. There is a light notification procedure, the model

form is available at the DPA‟s website.

Non-Sensitive Data

Opt-in is just one ground for collecting/processing non-sensitive data. General processing purposes

like relevant connection and collection of payment, etc. are mentioned in the PDA (Article 8).

Opt-in is generally required for email, SMS, MMS and other so-called automatic systems such as

communications via fax where the marketing is targeted to consumers.

SECTION II – Legal Overview - Finland


http://www.tem.fi/index.phtml?l=en&s=2313

84

However, there is an exception for e-mail, text, voice, sound or image messages where the service

provider or product seller obtains the consumer‟s contact information in the context of the sale of a

product or service. In such cases that marketer may use this contact information for direct marketing

of its own similar products or services and for those products in the same product group. This

exception only applies if the marketer provides the consumer with the opportunity to opt-out, easily

and at no charge, from future marketing at the time when the data are collected, and in any

subsequent e-mail, text, voice, sound or image message.

Purposes

Basic purposes in common terms should be given.

Wording for Collecting Data

There is no specific wording for collecting data, various forms and ways are used. A data subject has

the right to prohibit the controller from processing personal data for purposes of direct advertising,

distance selling and other direct marketing. The right is exercisable by contacting the controller and

asking for the processing to cease. With the exception of e-marketing, opt-out does not have to be

offered each time a customer is approached though generally, access to an opt-out mechanism must

be continually available and that possibility must have been informed to the customer.

Robinson Lists/Preference Service Lists

The Finnish DMA (FDMA) keeps mailing and telephone preference services. Member companies of

FDMA shall ensure that the requests of the consumers are observed.

Please contact the Finish Direct Marketing Association for more information:

Finnish Direct Marketing Association

Bulevardi 44

00120 Helsinki

Finland

Tel. + 358 20 699811


Special Requirements for Sensitive Data

The processing of sensitive data is, in general, prohibited. A personal identity number may be

processed with the consent of the data subject or where the Act allows such processing. Personal data

are deemed to be sensitive, if they relate to:

Religion, Trade Union Members, Race, Politics, Sexual Interests, Health, Criminal act, punishment

or other criminal sanction, Social welfare of a person or the benefits, support or other social

welfare assistance received by the person.

Data Storage

There are no specific limits on the retention periods for data. It depends on the defined purposes of

processing and the duration of the relationship with the customer, which may vary in different sectors

of business.

Data Confidentiality Clause

Anyone who has gained knowledge of the characteristics, personal circumstances or economic

situation of another person while carrying out data processing shall not disclose the data to a third

person (PDA, Article 33).



85

Penalties

The DPA may impose a conditional fine to enforce his right of access to a data file and to enforce his

decision on the data subject‟s right of access and right to have erroneous data corrected. At the

request of the DPA, the Data Protection Board may prohibit processing of personal data which is

contrary to the provisions of this Act or the rules and regulations issued on the basis of this Act. The

Board may enforce its decision with a conditional fine. In addition, certain breaches of the data

protection legislation are subject to penal sanctions.

On-Time Collection of Data on the Internet

There are no special rules with regard to on-time collection of data on the internet. With respect to

cookies, special rules exist in the Act on Protection of Privacy in Electronic Communications.

Access and Rectification of Data

See articles below:

Section 28 – Realisation of the right of access

1. Anyone who wishes to have access to the data on himself/herself, as referred to in section

26, shall make a request to this effect to the controller by a personally signed or otherwise

comparably verified document or by appearing personally in the premises of the controller.

2. The controller shall without undue delay give the data subject an opportunity to inspect

the data referred to in section 26 or, upon request, provide a hard copy of the data. The

data shall be given in an intelligible form. If the controller refuses to provide access to the

data, a written certificate to this effect will be issued. The certificate shall also mention the

reasons for the refusal. A failure by the controller to give a written response to the data

subject within three months of the request is deemed equivalent to a refusal to provide

access to the data. In this event, the data subject may bring the matter to the attention of

the Data Protection Ombudsman.

3. Anyone who wishes to have access to data on himself/herself in the files of the health

care authorities and institutions, physicians and dentists or other health care professions and

relating to their state of health or illness, shall make a request to this effect to a physician

or another health care professional, who shall obtain the data with the consent of the data

subject and provide him/her with access to the entries in the file. The provisions in

paragraph 2 apply to the procedure in the realisation and refusal of the right of access.

Section 29 – Rectification

1. The controller shall, on its own initiative or at the request of the data subject, without

undue delay rectify, erase or supplement personal data contained in its personal data file

and erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing.

The controller shall also prevent the dissemination of such data, if this could compromise the

protection of the privacy of the data subject or his/her rights.

2. If the controller refuses the request of a data subject to rectify of an error, a written

certificate to this effect shall be issued. The certificate shall also mention the reasons for

the refusal. In this event, the data subject may bring the matter to the attention of the Data

Protection Ombudsman.

3. The controller shall notify the rectification to the recipients to whom the data have been

disclosed and to the source of the erroneous personal data. However, there is no duty of

notification if this is impossible or unreasonably difficult.



86

Section 30 - Right to prohibit processing.

A data subject has the right to prohibit the controller to process personal data for purposes

of direct advertising, distance selling, other direct marketing, market research, opinion

polls, public registers or genealogical research.

B2B Sales Promotion

One rule on B2B sales promotion exists in the Unfair Competition Act, section 3. A benefit that

depends on a lottery or that is otherwise based on chance may not be promised if the benefit is

conditional on a sale, purchase or ordering of a product or otherwise requires consideration. However,

this rule shall not apply to prize competitions organised in newspapers and periodicals as customary

entertainment.

If discounts, additional benefits or other specific benefits are offered in the marketing, or if the

marketing involves lottery, prize contests for the public, or games, the conditions for receiving the

benefits or for participating in the lottery, contest or game shall be stated in a clear and

comprehensible manner and be easily accessible (461/2002).

Other Regulation

Public authorities have to follow rules regarding the Swedish and Sami languages.

Other Information

The Finnish Direct Marketing Association (FDMA) approved, in June 2000, the Code of Practice for the

use of personal data in B to C marketing. The Code is based on the Personal Data Act. The Act states

that the controllers of the personal data files or their representatives may draft Sectoral codes of

practice for the application of the Act and the promotion of good processing practice. The Data

Protection Ombudsman has stated that the Code of Practice is in conformity with the Act and other

provisions relating to the processing of personal data.

FDMA, with three other organisations, published in December 2002 the Code of e-Commerce, which

also contains guidelines regarding on-line marketing and data protection issues. FDMA has also

published two Codes on Telemarketing in March 2004, updated in 2008 and complemented with a

separate supplement in 2009. FDMA has issued further guidelines on mobile marketing in 2008, which

also address data protection issues.



87

France


The Data Protection Act No. 78-17 of 6 January 1978 (La Loi relative à l‟Informatique, aux fichiers et

aux libertés) is the cornerstone of data protection in France. It was amended by a bill implementing

the European Directive No. 95/46/EC of 24 October 1995 into French law. This bill was published on 6

August 2004. A draft Bill is presently before the Senate and time of writing (February 2010), which

will make new changes to the data privacy rules for e-communications following the recent adoption

of the EU Telecoms Package.

Registration of Marketing Lists with the Data Commission

The creation of most databases and the use of a computer to process information must be notified to

the French Supervisory Authority, the Commission Nationale Informatique et Libertés (CNIL). For

certain files, for example those resulting from the combination, or which require the collection of

sensitive data, registration consists of a request for authorisation to be approved by the CNIL. For

others, the notification simply consists of declaring the database, which the CNIL acknowledges.

In some cases, exemptions are granted and no notification is required. In other cases, only a

simplified notification must be provided. A controller must therefore check whether his processing of

personal data needs to be notified to the CNIL and, if this is the case, which of the above categories

his processing falls. When a company contracts with a French data processor, the contract must

contain clauses addressing the data protection obligations. Since the of 6 August 2004, any company

having appointed a personal data protection officer (“correspondant Informatique et Libertés (CIL)”)

is exempt from the declaration formalities, except where data are transferred outside of the EU.

According to this Act, the CNIL keeps a record of all databases registered. Any member of the public

can consult this record, which contains the major characteristics of the registration.

Principles (Fair processing, subject information, purposes)

Collecting data, to compile mailing lists for instance, is allowed by the Data Protection Act provided

that such collection is not unfair, fraudulent or illegal, and provided that the person in charge of the

processing (“controller”) informs the person whose data are collected and processed (“data subject”)

of the identity of the controller and, where applicable, of his representative; the purposes of the

processing; the recipients or categories of recipients of the data; of his rights to object to the

collection and to access, modify, update, delete his data.

In addition, in most cases, the data subject must consent to the collection and processing of his data.

Failure to comply with these principles will lead to penal sanctions.


Collecting sensitive data without the data subject‟s consent is usually prohibited. This involves data

referring directly or indirectly to racial or ethnic origin, political opinions, philosophical or religious

beliefs or trade-union membership or data concerning health or sex life (sensitive data). However,

derogations are possible. In all cases involving the processing of sensitive data, authorisation from the

CNIL is required.

SECTION II – Legal Overview - France


88

Opt-In, Opt-out

Specific provisions apply to the electronic sending of direct marketing information. Direct marketing

by phone, fax or automatic calling machine is today governed by two distinct bodies of law, the

Consumer Code and the Posts and Telecommunications Code.

The law on the Confidence in Digital Economy, adopted by the Parliament on 21 June 2004, provides

the following (Law No. 2004-575 Article 22-I4):

-“Sending direct marketing by automated calling system, fax machines or electronic mails by

using, in any form whatsoever, the contact information of an individual who has not express

his prior consent to the receipt of direct marketing materials via this mean is strictly

prohibited”.

Another interesting point of the Confidence in Digital Economy Bill is that it defines “consent”: “For

purposes of this Article, „consent‟ shall mean any freely given specific and informed indication of his

wishes by which the data subject signifies his agreement to personal data relating to him used for

direct marketing purposes.” (Article 22.5)

Direct marketing sent by those means must obtain the prior consent of the data subjects. The new

law thus adopts an "opt-in" approach for the internet user to receive advertising messages.

Exemptions are nevertheless provided for emailing. Companies may send advertising messages to their

clients for "similar products and services" to those previously purchased by these clients on the

condition that:

“the recipient is expressly and unambiguously offered the possibility, at no cost, except

those related to the transmission of the refusal, to object in a simple manner to the use of

his contact information when the latter are collected and every time a direct marketing

electronic mail is sent to him”.

Data Storage

For computerised data storage, the law states that data shall be stored for a period no longer than is

necessary for the purposes for which they are obtained and processed.


No information available.

Security of Data

The data controller must ensure the security of the collected and processed data by, in particular,

protecting the network from unauthorised access and by protecting the data. Where data are

disclosed to third parties, the data controller must complete a very detailed document concerning the

IT environment which will be attached to its CNIL declaration.

Penalties

Penalties may be imposed either by the CNIL (French Data Protection Authority) or by the criminal

courts. The penalty imposed by the CNIL must be proportional to the severity of the breaches

committed and the profits obtained from the breach. In case of a first breach, the penalty may not

exceed 150,000 Euros. In the event of a second breach within five years from the date on which the

preceding penalty was imposed, it may not exceed 300,000 Euros.



89

The processing of personal data without complying with the French Data Protection Act, is punishable

by five years‟ imprisonment and a fine of up to 300,000 Euros, for individuals, and up to 1,500,000

Euros for legal entities.

Where the criminal courts and the CNIL pursue actions against a controller for a breach on the same

or related facts, the criminal courts have the power to order that the fine they impose is reduced by

an amount equivalent to the CNIL penalty .


There is no specific rule concerning on-time collection of data on the Internet.


A data subject, on providing proof of identity, has the right, at any time, to access and ask the data

controller to rectify his personal data. The data subject may request to receive a copy of the personal

data. The data controller may require payment of a sum of money for the delivery of the copy and

this may not exceed the cost of the copy.

National DPA‟s Contact Details

Commission Nationale de l'Informatique et des Libertés (CNIL)

8, rue Vivienne; CS 30223; 75083 Paris cedex 02

Tel : 01 53 73 22 22; Fax : 01 53 73 22 00



Forbidden Forms of Selling

The practice known as “forced sending” consisting of sending goods or services to persons who have

not asked for them and expecting that due to their negligence or indifference they will make a

purchase they did not desire, is prohibited by: Article R. 635-2 of the Penal Code, and Article L.122-3

of the Consumer Code.

Under the Penal Code it is prohibited to “(i) send to someone any good, (ii) without

permission, (iii) where the goods are accompanied by a letter indicating that the goods may

be accepted on the payment of a fixed price or returned to the sender, even if there is no

cost to return the goods.” This action may be punished by a fine of up to 1,500 Euros.

Under the Consumer Code it is prohibited to demand money for any good or service from a consumer,

without prior order from the consumer. In such circumstances, the consumer will not be obliged to

pay the money and the vendor must reimburse any money paid by the consumer.

The practice known as “pyramid selling” is prohibited. This consists, in particular, of offering the

public goods in the hope that they may obtain goods free of charge or cheaper than their real value

and making the sales subject to the placing of forms or tickets with third parties or the collection of

memberships or registrations, or of proposing to persons that they collect memberships or register on

a list in the hope of financial gain resulting from a geometric progression of the number of people

recruited or registered. (Article L.122-6 of the Consumer Code)

The Consumer Code also prohibits, in its article L.121-35, the sale or offer for sale of goods or any

provision, or offer to provide services made to consumers and giving entitlement, free of charge,

immediately or at the end of a fixed period, to a bonus consisting of products, goods or services, if

these are identical to those forming the subject of the sale or the service provision.



90

Germany


Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), Version of 14.8.2009

Telemedia Service Act (Telemediendienstegesetz, TMG) Version of 14.8.2009

Telecommunication Act (Telekommunikationsgesetz, TKG) Version of 14.8.2009


In general no registration is required; however, where transfers of data are central to the main

business of a company e.g. address trading and credit agencies, the company will have to notify the

relevant Data Protection Authority (DPA).

Furthermore, every company with more than 9 people permanently dealing with automated

processing of personal data, or any company with more than 20 employees, is obliged to register with

the DPA unless it appoints a Data Protection Officer (DPO).


3 – 6 weeks, if necessary

Registration costs

There are no registration costs when registering with the DPA.



purposes

Balance of Interest Clause, Sect. 28 SS. 1 No. 2 BDSG.

Consent of the data subject is necessary to create a detailed profile for marketing purposes


According to the BDSG (Federal Data Protection Act), consent must generally be in writing unless the

circumstances allow for a different form (i.e. with call centers). In addition, consent can be given

electronically according to a special provision in the TMG (Telemedia Services Act).

The following conditions are required:

An unambiguous and deliberate act by the user;

The consent is recorded;

The text of the consent is accessible to the user at any time, and

The controller has informed the data subject about his right to revoke consent at any time in the

future.

Implied consent

Implied consent is acceptable in Germany. However, this is on the precondition that the controller

has clearly informed the data subject about the further use of the contact details presented.

Consent by data subject is required when using SMS, EMAIL, MMS, Telephone (for B2B assumed

consent), Fax.

SECTION II – Legal Overview - Germany


91

Required form of consent for the processing of sensitive data

In Germany, it is required to have consent in writing.



This definition is slightly modified in Sect. 3 SS. 9 BDSG as it includes race and ethnic origin, and

religion or philosophical beliefs.



There must be consent from the recipient of the electronic messages.

Definition: soft opt-in for email communications

For email communications, a soft opt-in is sufficient as defined in Sect. 7 SS. 3 Unfair Competition

Act (UWG) as follows:

A company has received the email address in the context of the sale of a product or a service,

The company uses the email for direct marketing of its own similar products or services,

The customer has not objected the use of the email address, and

The customer has clearly and distinctly been informed about the opportunity to opt out the use of

the email address upon collection and upon each use of the email address.


Consent is required for all electronic communications media. Telephone is considered to be assumed

consent.

Purposes

Purposes

When giving the purposes for processing personal data, it is necessary to be precise.

Generic terms

These terms are commonly used, but the DPA requires a more detailed description of a consent clause

especially when a data warehouse is established.



There are no required or a recognized form of wording for collecting data in Germany.



The purposes only have to be given when collecting personal data from prospective clients and not

from existing clients, however the existing clients will have to be informed of the opportunity to opt-

out within each email sent to him based on the soft opt-in.



92

Opt-out

There are no legal requirements on how opt-out is exercised. Normally controllers mention a certain

postal address or an email address for exercising an opt-out.


Yes.

Data Storage


There is a data confidentiality clause in Germany, specifically upon entering into a controller

processor agreement strict former rules need to be considered.


Time limits on holding data depend on the legal basis for processing personal data. If consent is the

legal basis, there is generally no time limit for storing personal data. If the balance of interest clause

is the legal basis, a controller may process personal data for direct marketing purposes only for a

limited time; generally, about 3 to 4 years after the contractual relationship has been terminated,

personal data have to be erased afterwards. In specific branches such as telecommunications,

retention times are significantly shorter.

Penalties


The DPA can apply several penalties, such as:

Fines;

Right to initiate a court trial (could lead to imprisonment for up to two years);

Right to oblige controllers to undertake the necessary security measurements


Letter of abstention & declaration of discontinuance with a contractual penalty clause; contract

penalty in the case of a repeated violation; moreover fines can be issued (and have been issued) for

such breaches.



In Germany, there are additional rules for on-time collection of data. The Telemedia Act has special

regulations concerning information and communication services.

The main difference is the exclusion of the balance of interest clause. A controller needs consent

from the data subject for a further use of personal data incurring when using a Telemedia service – in

particular for direct marketing purposes.


The rule for access and rectification of data is that a data subject may at any time file a request to a

controller to retrieve and see their personal information stored in a database. The data subject is also

allowed to see the origin of the retrieved data (if stored by the controller), the purposes of

processing, and the categories of recipients. If any of the personal information is incorrect, a data

subject has the right to correct the mistakes.



93

Greece


Law 2472/97 - Protection of the individual and the elaboration of personal data

Law 3471/06 - Protection of personal data and privacy in electronic communications

Law 2774/1999 - Protection of personal data in the sector of telecommunications (the law was

replaced by Law 3471/06 on 29.07.2006).

Law 3783/2009 – Identification of users and holders of telecommunications equipment and

services (this law was essentially a security and anti-terrorism measure)


Marketing lists are deemed to be personal data by the DPA and therefore processing and collection of

such data must be notified in accordance with the provisions of Law 2472/97.

Expected time duration for registering marketing lists with the Data Commission:

The notification is effective immediately upon submission, provided the processing and collection

does not involve sensitive data.

Registration costs

No costs to register marketing lists.



purposes

Consent from the Data Subject must be obtained.


Data subjects have to specifically consent.

Implied consent

Implied consent is not acceptable..

Consent by data subject is required when using SMS, MMS, Email, Telephone, Fax and Mail.


The collection and processing of sensitive data is generally prohibited. However, the collection and

processing of sensitive data, as well as the establishment and operation of the relevant file, will be

permitted by the DPA, when certain conditions are met including the specific explicit consent of the

Data Subject.


The definition of "Sensitive data" in Law 2472/1997 is broader than most European territories and

includes data referring to racial or ethnic origin, political opinions, religious or philosophical beliefs,

membership to a trade-union, health, social welfare and sexual life, criminal charges or convictions

as well as membership of societies dealing with these areas

SECTION II – Legal Overview - Greece


94



There is no way to opt-in for all electronic messages, except e-commerce when the specific website

provides such a facility.

There is no soft opt-in for electronic communications. There are no rules on electronic

communication for B-to-B marketing purposes.

Purposes

Personal Data, in whatever medium, in order to be lawfully processed, must be: (a) collected fairly

and lawfully for specific, explicit and legitimate purposes, and fairly and lawfully processed in view of

such purposes, (b) adequate, relevant and not excessive in relation to the purposes for which they are

processed at any given time, (c) accurate and, where necessary, kept up to date, (d) kept in a form

which permits identification of Data Subjects for no longer than the period required, according to the

DPA, for the purposes for which such data were collected or processed.

Generic terms

Generic terms are not acceptable when giving purposes.



There is no required or recognised form of wording for collecting data.



If the purposes for processing personal data have altered and/or changed then existing and

prospective clients must be notified again.

Opt out and Robinson lists

Greek Law provides the following opt-out provision: Any person shall be entitled to declare to the DPA

that s/he does not wish data relating to him to be processed in order to promote the sale of goods or

long distance services. The DPA shall keep a register for the identification of such persons. The

Controllers of the relevant files must consult the said register prior to any processing, and clean their

lists of those names that are on the DPA‟s file.


The opt-out must be offered each time when approaching a customer.

Data Storage


Greek Law expressly states that the “processing of personal data shall be confidential and shall be

carried out solely and exclusively by persons acting under the authority of the Controller or the

Processor and upon his/her instructions”. Greek Law also implies obligations of confidentiality as the

processing and collection of personal data, in most instances, require the prior consent of the Data

Subject.



95


Greek Law expressly states that personal data should be kept “for no longer than the period

required, for the purposes for which such data were collected or processed. Once this period of time

is lapsed, the Authority may, by means of a reasoned decision, allow the maintenance of personal

data for historical, scientific or statistical purposes, provided that it considers that the rights of the

data subjects or even third parties are not violated in any given case”. Personal data collected by

CCTV however cannot be kept for longer than 15 days.

Penalties

National penalties which the national DPA can apply, including Penalties for breaching the rules

on unsolicited Email messages

Fines and penal responsibility for data managers.



None


Greek Law provides for the following rights of the Data Subject: (a) the right to information, (b) the

right to access, and (c) the right to object.

INFORMATION

The Controller must, during the stage of collection of Personal Data, inform the Data Subject in an

appropriate and express manner of the following data:

a) his/her identity and the identity of his/her representative, if any,

b) the purpose of the Data Processing,

c) the recipients or the categories of recipients of such data,

d) the Data Subject‟s right of access.

ACCESS

All persons are entitled to know whether Personal Data relating to them are being processed or have

been processed. The Controller must respond in writing to any enquiry.

OBJECT

The Data Subject shall be entitled to object at any time to the processing of data relating to him.

Such objections shall be addressed in writing to the Controller and must contain a request for a

specific action, such as correction, temporary non-use, locking, non-transfer or deletion. The

Controller must reply in writing within a deadline of fifteen days.



96

Hungary


Act No LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interest

(Data Protection Act)

Act CXIX of 1995 on the Use of the Name and Address Information for Research and Direct

Marketing (Direct Marketing Act)

Act XLVII of 2008 on Unfair Commercial Practices against Consumer (UCP-Act)

Act XLVIII of 2008 on the Essential Conditions of and Certain Limitations to Business Advertising

Activity (Advertising Act)

Act CVIII of 2001 on on certain issues of electronic commerce services and information society

services (E-Commerce Act)

Act C of 2003 on Electronic Communications


The DPA (the Data Protection Commissioner‟s Office) will assist with enquiries by phone, however,

formal (written) enquiries may take 6-12 months answered.

Registration of marketing lists with the DPA

It is required to notify marketing related data processing activities with the Registry of the DPA

before commencing such activity. Notably, the Direct Marketing Act only requires that the notification

is filed prior to the start of the processing activities, therefore it is not necessary to wait for the

formal decision of the DPA.


Registration (release of the DP registry number) might take 12-18 weeks following the filing of the

notification.

Registration costs

There are no registration costs/charges



purposes

Prior, express, specific, voluntary and informed consent of the individual to marketing

communications must be obtained. (The Advertising Act and the Data Protection Act.)


Consent from the data subject can be sought in any form , however, it is strongly recommended that

written consent is obtained or that the consent is recorded in writing as the obligation to prove that

the data subject expressly consented to such communications and that the consent complied with the

requirements of the law lies with the data controller.

Implied consent

In relation to recipients of communications who are also natural persons, implied consent is not valid

under the law, since the consent must be clear and express. However, implied consent is acceptable

in relation to legal entities (including legal entities without legal personality).

SECTION II – Legal Overview - Hungary


97

Consent by data subject is required when using SMS, MMS, Email, Telephone and Fax. For the

Direct Mail opt out is allowed for bulk mailings (over 500 items), but opt in is still required for

non-bulk mailings.


Sensitive data cannot be processed in relation to marketing activities.


„Sensitive data‟ has been defined by the Data Protection Act as any personal data relating to:

a) racial, or national or ethnic minority origin, political opinion or party affiliation, religious or

ideological belief , or membership in any interest representing organization;

b) state of health, pathological addictions, sexual life, or data on criminal issues.



As previously stated, prior, express, specific, voluntary and informed consent is required.

Definition: Soft opt-in for electronic communications

Under the E-Commerce Act so called “permission e-mails” are also prohibited unless expressly

consented to by the individual. There are two requirements to obtain opt-in consent in case of

electronic communications addressed to private individuals. However, provided that the contact

information of the individual has been obtained in connection with the sale of a product or service

(soft opt-in), an e-mail requesting the individual‟s permission can be sent to natural persons.

Accordingly, if the individual does not respond to such inquiry (the permission e-mail), further

communications and permission e-mails cannot be sent to such individuals.

Rules on electronic communication for B-to-B marketing purposes: If the mobile phone or email

address provided by a company to a person can be used also for private purposes, then consent from

the person is necessary. Without this consent their data cannot be used for marketing purposes.

Consent (Opt-in) is required for Automated Calling Machines (both natural and legal person); Fax

(Opt-out, in case of legal persons and persons without a legal personality); Email Opt-in (in case of all

natural person and Opt-out in case of legal persons (including persons without legal personality)); SMS

(Opt-in in case of natural persons and Opt-out in case of legal persons (including persons without

legal personality)); MMS (the same as for SMS, EMAIL).

The law does not recognize B2B communications in the electronic marketing context, since the opt-in

requirement generally applies to all kind of natural persons even if the individual subscribed to the

marketing e-mail in his capacity as a professional.

Purposes

The controller must precisely state the purposes for processing personal data, in clear language. The

Direct Marketing Act provides that the purposes shall be provided in written form to the recipients.

Generic terms

Generic terms are acceptable (e.g. direct marketing, market research, etc.)



98



The consent of the individual to marketing messages must include the name of the recipient, and, if

the message may only be communicated to persons over a certain age, the date and place of birth, as

well as any other personal data necessary for data processing.

The Direct Marketing Act also lays down requirements as to the information to be provided to data

subjects. This information must be provided in writing and shall include detailed information on the

source of data, the time, method, purpose as well as the duration of data processing and details as to

the identity of the data controller and any data processors. Furthermore, the notice shall state that

the data processing is voluntary and that the data subject may at any time request deletion of his/her

personal data.

All advertisements must be clearly identified as marketing material. The law requires the inclusion of

this information in the subject line of the message. If the marketing e-mail involves a promotion,

promotional game or prize draw, the conditions of rebates, gifts, prize draws or games shall be also

clearly disclosed. The conditions of participation in a prize draw or promotional game must be made

easily available to the recipients;



No, in the case of existing clients, the purposes do not have be stated in every communication,

provided that the client is clearly aware of the purpose of the message.

Opt-out

There must be the possibility to opt-out in each marketing message.


Yes. All marketing messages must clearly and conspicuously state the e-mail and postal address of the

sender where opt-out requests may be sent if the recipient does not wish to receive further marketing

messages. This information must be provided in every marketing message.

Penalties


The DPA may launch an investigation and may request the data controller ceases infringing activities.

If the data controller does not suspend illegal data processing, the DPA has no power to impose a fine,

but he may release an order to delete illegally processed data. The DPA may also inform the media

and release a press statement on the infringement.

Penalties for breaching the rules on unsolicited email

If the e-mail marketing information requirements are breached, the National Consumer Protection

Authority, the Competition Office or the National Finance Supervision Authority have jurisdiction

under the provisions of the UCP-Act. These Authorities may issue an order to cease and desist all

infringing behaviour, and/or may impose a fine.

On the part of the National Communication Authority the maximum fine is 500 000 HUF, however, the

authorities have the power to impose this repeatedly.



99

The addressee of unsolicited e-mails may file an action before the ordinary courts with respect to the

infringement of general personal rights. If the Court finds that the personal rights/privacy rights have

been infringed, it can issue a cease and desist order, require the organisation to give satisfaction,

impose a public fine (the amount of which is not limited); or the court may award immaterial and

material damages to the claimant.

Finally, regarding illegal data trafficking, it must be noted that the Hungarian Penal Code (Act IV of

1978) criminalises the misuse of personal data (up to one year imprisonment) if committed for

unlawful personal benefit or if it causes significant detriment to the data subject.



The general rules apply.


According to the general provisions of the Data Protection Act enquiries must be answered within 15

days in writing.


The Robinson list for individuals (on name and home address) is maintained by the Hungarian Central

Office for Administrative and Electronic Public Services. Furthermore, each organization engaged in

marketing activities shall maintain a list of persons who have indicated a wish not wish to receive

such communications.

Data Protection Code for privacy and cross-border direct marketing

Not used



100

Ireland


The Data Protection Act 1988 as amended by the Data Protection (Amendment) Act 2003 (referred to

as “DP Acts”)

Extent of Data Protection Commissioner‟s (DPA) Assistance with Enquiries

The Commissioner will assist with enquiries.


The mere holding of a marketing list does not require that person to register with the Office.

However, if the person‟s business consists wholly or mainly of direct marketing, then registration is

required.


If all information required is provided registration can be done within a week.

Registration costs

The cost of registration depends on the number of employees in an organisation.



purposes

Personal data may be processed for marketing purposes, where the following four conditions are met:

Condition 1. Compliance with the Data Protection Principles

Where personal data is retained for processing for any purpose, including marketing, the following

principles must be met:

The data shall be accurate and complete and where necessary kept up to date;

The data shall be kept only for one or more specified, explicit and legitimate purpose(s);

The data shall not be processed in a manner incompatible with that purpose; or those purposes;

The data shall be adequate, relevant and not excessive in relation to the purpose or purposes for

which they were collected;

A copy of the data held must be given to the data subject on request;

• The data shall not be kept longer than is necessary for that purpose; and

• Appropriate security measures shall be taken against unauthorized access to the data.

Condition 2. Consent to the Processing

The data subject has given his or her consent to the processing for marketing purposes.

Condition 3. Fairness

The data must be obtained fairly and processed fairly. Where a data controller is obtaining data from

the data subject, processing of that data will only be considered fair where the data controller

ensures that the following information is readily available to the data subject:

The identity of the data controller;

The identity of the data controller‟s representative for the purposes of the DP Acts (if any);

SECTION II – Legal Overview - Ireland


101

The purpose or purposes for which the data are intended to be processed;

The persons or categories of persons to whom the data may be disclosed;

Whether replies to questions asked are obligatory and the consequences of not providing replies

to those questions;

• the existence of the right of access to their personal data;

• the right to rectify their data if inaccurate or processed unfairly; and

any other information which is necessary, having regarding to the specific circumstances in which

the data are to be processed, such as, information as to the recipients or categories of recipient

If the data controller does not obtain the data from the data subject, processing will only be fair

where all the above information is provided to the data subject and they must also be informed of the

identity of the original data controller from whom the information was obtained and the categories of

data concerned.

Condition 4: Compliance with Request that Processing for Direct Marketing Ceases

In respect of data held for direct marketing purposes, the DP Acts places a specific obligation on the

data controller to cease processing the data within specific timetables, if requested by the data

subject.


Depending on the circumstances, consent may be exercised on an opt-out or opt-in basis.

Implied consent

Implied consent is acceptable in Ireland but it can be withdrawn at any stage.

Consent by data subject is required when using SMS, MMS, Email, Fax and Mail, Telephone:

although first check the National Directory Database.

Consent for any processing is always required, unless consent does not need to be obtained, because

the processing falls within certain necessity grounds set out in the DP Acts


In respect of the nature of consent in respect of processing sensitive data, the Commissioner notes:

“When processing sensitive personal data, the level of consent must be explicit. This means

that a data subject must be aware of and understand the purposes for which his/her data are

being processed. Explicit consent need not require a data subject to sign a form in all cases.

Consent can be understood to be explicit where a person volunteers personal data after the

purposes in processing the data have been clearly explained. Thus a clear explanation on a

form, a web page, or the delivery of a script by properly trained telephone staff might be

sufficient to demonstrate consent has been explicitly given.”



Philosophical beliefs, ethnic origin, the commission or alleged commission of any offence by the data

subject or any proceedings for an offence committed or alleged to have been committed by the data

subject, the disposal of such proceedings or the sentence of any court in such proceedings.



102



Specific rules govern the use of email and mobile phone numbers for unsolicited direct marketing.

The Irish rules on email and SMS unsolicited direct marketing are based on the concept of a

“subscriber”. A subscriber can be a natural person or legal entity, but, either way, he or she or it,

will only be a “subscriber” if he/she/it are the party to a contract with the provider of the publicly

available electronic communications services.

So, an individual at home, presuming that they have signed the contract with the telephone company

for the telephone service, would be a subscriber in respect of their home telephone number. By way

of contrast, they would in all likelihood not be a subscriber with respect to their work telephone

number, as more than likely, that person‟s employer will be the party to the contract with the

telephone provider.

Unless certain conditions are met (sometimes referred to as the Soft Opt-In Condition – as set out

below), a marketer requires opt-in consent to send unsolicited emails or SMS messages for the purpose

of direct marketing to a subscriber who is a natural person.

Opt-out consent is only required if a marketer is sending unsolicited emails or SMS messages for the

purposes of direct marketing to a subscriber who is not a natural person.


An unsolicited SMS or email may be sent by any person (“the marketer”) without obtaining opt-in

consent from a natural person (“the consumer”) who is a subscriber where:

The mobile phone number or email of the consumer was obtained by the marketer in accordance

with the DP Acts and specific regulations on email and SMS marketing;

Explicit consent was given within the last 12 months;

The consumer is of a customer of the marketer;

The consumer‟s mobile phone number or email is obtained in the context of a sale of a product or

service;

The consumer‟s mobile phone number or email are only used for direct marketing of the

marketer‟s own similar products or services; within the last 12 months;

The consumer is clearly and distinctly given the opportunity to object, in an easy manner and

without charge, when the mobile phone or email address is collected;

The consumer is clearly and distinctly given the opportunity to object, in an easy manner and

without charge on the occasion of each message, if the customer does not initially refuse the use

BtoB marketing requires the opt out for approaches by any media.

Purposes

The DPA has indicated that where the data controller is collecting the data, the purpose for

processing must be given at the time of collection. The DPA further notes that:

“If a data controller has information about people and wishes to use it for a new purpose

(which was not disclosed and perhaps not even contemplated at the time the information was

collected), he or she is obliged to give an option to individuals to indicate whether or not

they wish their information to be used for the new purpose.”



103

Different rules apply if the personal information is not obtained from the data subject. In that case,

the data subject must be informed of the purpose of processing not later than the time when the data

controller first processes the data or if disclosure of the data to a third party is envisaged, not later

than the time of such disclosure.

Generic terms

Once it is clear to the data subject the purpose of processing, generic terms are acceptable.



There are no required or a recognized form of wording for collecting data in Ireland.



Both prospective and existing clients will need to be informed of the purpose of processing personal

data.

Opt-out

There are no set rules regarding the exercise of opt-out. It can take the form of any communication

of an objection to processing, or a wish not to be included within data processing. So it can range

from telephoning the data subject, to writing to them, or by ticking a tick box.


No, once they have given their consent, that is sufficient, however, opt out must always be given in

respect of email and SMS marketing if relying on the Soft-Opt In basis for unsolicited direct marketing

by email and SMS.

Data Storage


There are no data confidentiality clauses in Ireland.


There are no time limits on holding data, however the Commissioner does note:

“If there is no good reason for retaining personal information, then that information should be

routinely deleted. Information should never be kept "just in case" a use can be found for it in the

future.”

Security of data

The DP Acts provide that as a condition to processing, appropriate security measures be taken against

unauthorized access to or unauthorized alteration, disclosure or destruction of the data, in particular

where the processing involves the transmission over a network.

In assessing the appropriate security measures, and in particular, where processing involves

transmission of data over a network, a data controller may have regard to the state of technological

development and the costs of implementing the measures and shall ensure a level of security

appropriate to:

the harm that might result from unauthorized or unlawful processing, accidental or unlawful

destruction or accidental loss of, or damage to the data; and



104

the nature of the data concerned.

The data controller or processor must ensure that persons employed by them and other persons at

the place of work are aware of and comply with relevant security measures.

Where a processor is carrying out processing for a controller, the data controller must ensure that

the processing is carried out as the result of a written contract, which contains provisions that the

controller complies with relevant security obligations; and

the processor provides sufficient guarantees in respect of the technical security measures and

organisational measures governing the processing; and

the processor takes reasonable steps to ensure compliance with the measures.

Further, an undertaking providing a publicly available electronic communications service must take

appropriate technical and organisational measures to safeguard the security of its services, if

necessary in conjunction with undertakings from those upon whose networks such services are

transmitted with respect to network security. These measures must ensure the level of security

appropriate to the risk presented, having regard to the state of the art and the cost of their

implementation.


There are no statutory fees imposed in respect of security arrangements, but there may be a cost to

the business in ensuring PCs have appropriate password protection, internet access has firewalls and

other appropriate security arrangements in place, files are kept secure, access to rooms or buildings

are subject to password key entry, etc.


Under the Copyright and Related Rights Act 2000 (as amended) an original database is subject to

copyright protection. Therefore, it is a breach of the copyright in an original database to copy it,

make it available, issue copies of it to the public, rent or lend it, or make an adaptation of the

original database. An "original database" means a database in any form which by reason of the

selection or arrangement of its contents constitutes the original intellectual creation of the author.

The Copyright and Related Rights Act 2000 (as amended) provides protection in respect of databases

where there has been a substantial investment in obtaining, verifying or presenting the contents of

the database. It is a breach of the rights in a database if a person extracts or reutilises the database

without the consent of the owner of the rights in the database. This is known as the sui-generis

database right.

For the purpose of copyright and sui-generis protection "database" is defined as a collection of

independent works, data or other materials, arranged in a systematic or methodical way and

individually accessible by any means but excludes computer programs used in the making or operation

of a database.

Section 9(1) of Criminal Justice (Theft and Fraud Offences) Act 2001 contains a general offence in

respect of a person who dishonestly, whether within or outside the State, operates or causes to be

operated a computer within the State with the intention of making a gain for himself or herself or

another, or of causing loss to another.



105

The Criminal Damage Act 1991 contains an offence of unauthorized access to a computer. The Act

also includes “data” within its definition of property, and so makes it an offence to damage data.

Damage is defined as to:-

“Add to, alter, corrupt, erase or move to another storage medium or to a different location

in the storage medium in which they are kept (whether or not property other than data is

damaged thereby) or . . .do any act that contributes toward causing such addition,

alteration, corruption, erasure or movement …”

Penalties

National penalties which the Commissioner can apply

Normally offences in Ireland are brought and prosecuted by the Government agency responsible for

the prosecution of offences on behalf of the State, namely, the Director of Public Prosecutions (DPP).

However, the DP Acts contain an exception to this rule and grant the DPA the right to bring and

prosecute summary proceedings for an offence. Summary proceedings for an offence are reserved for

minor breaches. The DPA also has the power to prosecute offences in relation to unsolicited

marketing. The penalties on summary conviction are a fine of €3000. For a conviction on indictment

(more serious offences), which may only be brought by the DPP, the maximum penalty is €100,000.

The following are the offences under the DP Acts:

Requiring someone to make an access request in connection with recruitment, employment or the

provision of services;

Failing or refusing to comply with a requirement of an enforcement notice;

Failing to comply with a prohibition contained in a prohibition notice;

Failing or refusing to provide information as required by an information notice or knowingly

providing false information in response to an information notice;

Processing personal data where it may cause in the opinion of the Commissioner substantial

damage or substantial distress to data subjects, without compliance with conditions laid down by

the Commissioner;

The keeping and processing of personal data by a data controller who is required to register under

the DP Acts and fails to so register;

Failing to notify the change of address of a data controller registered under the DP Acts;

Providing information known to be false and misleading in respect of an entry in the register;

Disclosure of data by a data processor without the prior authority of the data controller;

Disclosure of data by a person whom obtains it without the authority of the data controller or

data processor; and

Obstructing or impeding an authorised officer of the Commissioner.


The penalties are up to €5000 per email sent in contravention of the applicable rules.

There are no rules for on-time collection of data on the internet


The data subject has the right to be informed within 21 days of the date of the request, whether a

person keeps data regarding them, and if they do keep data, the person must indicate the description

of the data and the purposes for which they are kept;



106

In addition, where a data subject makes an access request, they are entitled to receive in intelligible

form, relevant personal data, and any information known or available to the data controller as to the

source of those data; and the following information:

whether data processed on behalf of the data controller includes personal data relating to them;

if the data controller is processing the subject‟s personal data, the data subject is entitled to a

description of:

the categories of data being processed by or on behalf of the data controller;

the personal data constituting data of which that individual is the data subject;

the purpose or purposes of the processing; and

the recipients or categories of recipients to whom the data are or may be disclosed, and

where the processing by automatic means of the data of which the individual is the data subject

has constituted or is likely to constitute the sole basis for any decision significantly affecting him

or her, be informed free of charge of the logic involved in the processing.

An individual has the right to request in writing, that a data controller rectify, block or erase any data

in relation to which there has been a breach of the data protection principles.

An individual is may write at any time to the data controller to request it to cease within reasonable

time, or not to begin, processing or processing for a specified purpose, or in a manner specified by

the individual, any personal data in respect of which they are the data subject where the processing

is likely to cause damage or distress. This right of objection only applies to processing that is

necessary:-

1. For the performance of a task carried out in the public interest or in the exercise of official

authority vested in the data controller or in a third party to whom the data are or are to be

disclosed; or

2. For the purposes of the legitimate interests pursued by the data controller to whom the data are

or are to be disclosed, unless those interests are overridden by the interests of the data subject in

relation to fundamental rights and freedoms and, in particular, their right to privacy with respect

to the processing of personal data.


The Irish Direct Marketing Association has codes of practice in place with respect to data protection

and e-commerce.

Irish Direct Marketing Association: www.directbrand.ie



http://www.directbrand.ie/

107

Italy


“Personal Data Protection Code”, Legislative Decree No. 196 of June 30, 2003 (hereinafter “PDPC”).


The individual can first access to the general enquiries office (“URP”, Ufficio Relazioni con il

Pubblico) that provides general information regarding any issues related to processing of personal

data. It is also possible to make enquiries to the relevant departments. Email: [email protected];

tel:(+39)06.69677.917.


The mere holding of a marketing list does not require that the data controller notifies the processing

of data to the DPA. For the purposes of notification, the data shall be processed with the help of

electronic means aimed at profiling the data subject and/or his/her personality, analysing

consumption patterns and/or choices, or monitoring use of electronic communications services except

for those processing operations that are technically indispensable to deliver the aforesaid services to

the users.

The notification to the DPA must be submitted only once, prior to starting the processing, regardless

of the number of operations to be performed, the duration of the processing and it may concern one

or more processing operations for related purposes also in case of transfer of data abroad. It must be

transmitted via electronic networks by using the form made available by the DPA on its website

(https://web.garanteprivacy.it/rgt/.) and following the instructions indicated therein, also with

regard to the arrangements applying to digital signature and receipt confirmation. The relevant

provisions in connection with the registration with the DPA are set forth in Sections 37, 38, 154,

paragraph 1, l), 163, 168, 181, para. 1 c), 16, 162, para. 1, of the PDPC. Please notice that such

obligation stands on the subjects processing certain kind of data, depending on the way the data are

processed but irrespective of the specific number of marketing lists. In other terms it is not a list to

be notified but a subject (data controller) and the way a certain data controller is processing the data

it has been collecting.

Only some categories of data processing must be notified to the DPA. In particular, the processing of

personal data must be notified to the DPA if such processing concerns (Section 37 of the PDPC):

i. genetic and biometric data;

ii. (ii) data processed with the help of electronic means aimed at profiling the data subject and/or

his/her personality, analysing consumption patterns and/or choices, or monitoring use of

electronic communications services except for those processing operations that are technically

indispensable to deliver the aforesaid services to the users and

iii. (iii) data stored in ad-hoc data banks managed by electronic means in connection with

creditworthiness, assets and liabilities, appropriate performance of obligations and unlawful

and/or fraudulent conduct.

The DPA, in its resolution of 31st March 2004, specified that the data controller does not have to

notify the processing of personal data stored in databanks and used for supplying the data subject

with goods or services, or for accounting or tax purposes (including cases of breach of an agreement

entered into with the data subject, debt collection and legal disputes vis-à-vis the data subject.)

SECTION II – Legal Overview - Italy



https://web.garanteprivacy.it/rgt/

108

Expected time duration and costs for registering marketing lists with the DPA:

1 – 3 weeks; The cost involved is 150.00 Euros.

Non-Sensitive/Sensitive Information


purposes

The use of automated calling systems, without human intervention, for the purposes of direct

marketing or sending advertising materials or else for carrying out market surveys or interactive

business communication shall only be allowed with the data subject‟s consent (opt-in.) (Section 130

paragraph 1 of the PDPC)


The data subject‟s consent is deemed to be valid only in cases where: (i) it has been freely and

specifically provided in respect to a clearly identified processing operation, (ii) it is documented in

writing and (iii) the data subject has been provided with the information referred to in Section 13 of

the PDPC (Section 23, paragraph 3 PDPC.) In particular, In order to allow the data subject to express

his/her informed consent, the data controller must provide an information document. The data

subject as well as any entity from whom personal data are collected shall be preliminarily informed,

either orally or in writing, as to:

the purposes and modalities of the processing for which the data are intended;

the obligatory or voluntary nature of providing the requested data;

the consequences if he/she fails to reply;

the entities or categories of entity to whom the data may be communicated, or who may get to

know the data in their capacity as data processors or persons in charge of the processing, and the

scope of dissemination of the aforesaid data;

the identity of the data controller and, where applicable, the data controller representative in

Italy and the data processor (Article 5 and Article 13 of the PDPC);

the rights of the data subject to order the data to be updated or amended, the deletion or

anonymisation of data which have been processed unlawfully and the right to object to processing

of data for marketing purposes, opt-out.

The data subject‟s consent can be orally expressed but it must be proved in writing. The data

subject‟s consent is not required when the processing is necessary to perform obligations arising from

a contract entered into by the data subject or in order to comply with specific requests made by the

data subject prior to entering into a contract (Section 24 PDPC). In this case, nevertheless, the

subject has the right to be informed as to the purposes of the processing of his/her data and to object

to the processing of his/her data.

In case of direct mail addressed to a consumer under a business-to-consumer scheme (“B2C”), the use

of telephone, email, automated calling system, without human intervention or fax by a good supplier,

always requires the consumer‟s prior consent (Article 58 paragraph. (Legislative Decree No. 206 of 6th

September 2005 (“Consumer Code”))

However, distance sale communications other than those mentioned above, if personally addressed,

can be used by a good supplier if the consumer does not explicitly oppose to them (Article 58

paragraph. 2 of the Consumer Code.) A subsequent law No. 51 of 23rd February 2006, clarified that

Article 58 paragraph. 2 of the Consumer Code shall apply derogating from the provisions of the PDPC.



109

Further to this subsequent legislative intervention, in case of direct mail the data subject‟s previous

consent has become irrelevant. Therefore, companies are entitled to contact consumers by direct

mail addressed to them until do expressly object (opts out).

A decision issued by the DPA on June 19th, 2008, which covers B2C schemes and B2B as well, the

suppliers of good or services are entitled to use the ordinary mail address provided by their

customers, for direct marketing, in order to carry out market research and in order to send

commercial communications, provided that the activities relate to products or services which are

similar to the ones previously sold to the recipients by the suppliers.

The data subject must be adequately informed of the possibility not to receive further commercial

communications when the data are collected and in subsequent communications, a soft opt-in.

Implied consent

Implied consent is usually not accepted. A tick-a-box on a form is the minimal form of evidence that

the consent has been given and it is normally used in case of distance sales (e.g. direct marketing on

the telephone or on internet).

Processing by telephone of the data contained in publicly available paper or electronic directories,

for direct marketing purposes, shall be allowed for consumers or other entities who have not opted

out in the public register, via simplified mechanisms including the use of electronic networks.

(Section 130 paragraph 3 bis of the PDPC).

Such an opt out list shall be set up by a decree of the President of the Republic, still to be adopted,

in accordance with general standards and principles. Marketers must ensure presentation of calling

line identification and provide the appropriate information to users, specifically in relation to the

possibility and arrangements to have their data entered in the register so as to object to being

contacted in future.

The DPA expressed its concerns with regard to the new amendment to Section 130 PDPC - added on

November 20th, 2009 – as it represents a considerable exception to the opt in principle and specified

that, until the opt out list is set up, the only data banks that can be used lawfully for direct marketing

purposes, without an express consent of the data subjects, will be the ones created on the basis of

telephone directories issued before August 1st, 2005.

Consent for any processing is always required, unless consent does not need to be obtained

because the processing falls within certain necessity grounds set out in Section 24 of the PDPC.

However, there are two exceptions: Telephone (consent is not needed only for the cases covered by

Section 130 paragraph 3 bis of the PDPC); Mail ( consent is not needed only for the cases covered by

Section 58 paragraph. 2 of the Consumer Code and/or decision of the DPA on June 19th, 2009)


The general rule applied to the processing of sensitive data requests the data subject‟s prior consent

expressed in writing and subject to the DPA authorisation. The DPA shall communicate its decision

concerning the request for authorisation within forty-five days; the request shall be regarded as

dismissed in case of no reply at the expiry of this time. Along with, or subsequent to, authorisation,

the DPA may prescribe additional measures and precautions in order to safeguard the data subject,

which are binding for the data controller (Section 26 PDPC.)



110


Sensitive data are personal data allowing the disclosure of racial or ethnic origin, religious,

philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or

organisations of a religious, philosophical, political or trade-unionist character, as well as personal

data disclosing health and sex life. (Section 4 of the PDPC)

Although separately regulated within the PDPC, besides the sensitive data there are also judicial data

i.e. data related concerning criminal offences or administrative sanctions related to criminal offences

or the status of being either defendant or subject to investigation as provided by the Italian Code of

Criminal Procedure. Processing of judicial data by private entities or profit-seeking public bodies shall

be permitted only where expressly authorised by law or by a DPA order and always specifying the

reasons under which a public interest to such a processing exists, the purposes of the processing, the

categories of data processed and kind of processing allowed.



Electronic communications, performed by email, fax, MMS (Multimedia Messaging Service) or SMS

(Short Message Service) messages or other means for the purposes of direct marketing or sending

advertising materials or else for carrying out market research or interactive business communication

are subject the opt-in rule and therefore always require the data subject‟s previous consent.


The opt-in rule applies to email advertising although with an exception, provided by law, in the case a

commercial relationship already exists (so called “soft opt-in”.) The law allows the data controller to

use the electronic contact details, already provided by the data subject, for direct marketing of his

own products or services, provided that the products or services are similar to those previously sold.

Furthermore, the data subject must be adequately informed of the possibility not to receive further

commercial communications either initially or in connection with subsequent communications (Article

130, paragraph. 4 of the PDPC). Apart from this exception and in contrast with other European

countries, Italy has adopted a 'hard opt-in' method. This means the data subject must have given

explicit consent to the data controller allowing contact for marketing purposes by him/it or by third

parties.

The DPA clarified that the consent cannot be gathered by sending the data subject a first email with a

promotional or advertising content, or which offers an opt-out in order to no longer receive messages.

The fact that email addresses can be easily found on the Internet does not imply the right to use them

for advertising messages, since they can only be used exclusively for the purposes for which they have

been published on the Web.


The opt-in rule applies to unsolicited commercial communications addressed to both individuals and

companies.



111

Purposes

The individual‟s consent must given on the basis of the information provided by the data controller as

to the nature of data collected, the purposes and means of the processing, the subjects to whom the

data can be communicated and the individual‟s rights to have access to his/her data and to oppose to

their processing. The aforesaid information must be accurate. (Section 13 of the PDPC)

Generic terms

The DPA stated that the data controller must clearly indicate the purposes of the data collection and

the modalities of their processing. Moreover, the controller must specify whether the data will be

processed for purposes strictly related to services requested by the data subject or for other purposes

(i.e. studies or market surveys.)

As far as the transfer of data is concerned, the DPA specified that the controller must inform the data

subject that his/her per personal data may be transferred to a third party for specific purposes: at

this regard, the DPA has considered it insufficient that the third party be indicated as a company

“entrusted” by the controller, but it has accepted the possibility that data can be disclosed to “other

companies operating in the same area of industry”. The name and addresses of these entities must be

available upon the subject‟s request or on the company‟s website.



There is no required or recognised form of wording for collecting data. The information to be

provided to the data subject can be given in a simplified fashion although it must be exhaustive. It

really depends on the type of data collected and the related processing purposes.



All the information related to the processing of data must be provided before the data are processed.

Once the data subject has been given properly the consent and provided that the data are processed

in accordance to the purposes originally disclosed, there is no need for the data controller to restate

the purpose for processing personal data.

Opt-out

Appart from the above mentioned provision regarding telephone communications, included in Section

130 paragraph 3 bis of the PDPC, there are no opt-out lists prescribed by law. AIDiM (Associazione

Italiana per il Direct Marketing) created a voluntary opt-out list available on-line

(www.cancellami.it). Consumers who do not wish to receive unsolicited commercial communications

may register on Cancellami. The means of communications covered by Cancellami are the mail, fax,

telephone, email and SMS. Members of AIDiM are required to “clean” their direct marketing databases

from data registered through Cancellami.


The data subject has always the right to object, in whole or in part, on legitimate grounds, to the

processing of personal data relating to him. Such a right must be notified at the time the consent is

gathered.



http://www.cancellami.it/

112

Data Storage


Personal data must be guaranteed a high level of confidentiality. As a general principle governing

contractual obligations, a data confidentiality clause is normally imposed on the person in charge of

the processing and, in any event, on the data controller.

Retaining Data

Section 11 of the PDPC states that personal data shall be collected and recorded only for specific

purposes and for a period of time that cannot exceed the period that is necessary to achieve the

purpose for which the data have been collected or subsequently processed.

Specific provisions are set forth for specific data:

Communications service providers are entitled to retain data for a six-month period in order to

deal with disputes over billing and subscriber services (Section 123 PDPC.)

Communications service providers are also required to retain telephone traffic and electronic

data for the purpose of detecting and preventing crime for twenty-four months (Section 132

PDPC.) As far as “data retention” is concerned, Italy should implement EU Directive 2006/24 on

the retention of data generated or processed in connection with the provision of publicly

available electronic communications services or of public communications networks and the

Telecoms Package. According to the Directive, all data specified in Article 5 are retained for

periods of not less than six months and not more than two years from the date of the

communication for the purpose of the investigation, detection and prosecution of serious crimes.

The DPA produced a Code of Conduct and Professional Practice on 16 November 2004 which entered

into force as of January 1, 2005. The code applies to information systems managed by private entities

with regard to consumer credit, reliability, and timeliness of payments. Personal data related to

credit applications as communicated by participants may be retained in a credit information system as

long as it is necessary in order to deal with the applications and - in any event - for no longer than

one hundred and eighty days as of the date of submission of the applications.

There are no specific rules on data erasure. According to Section 16 of the PDPC, once the data

processing has been terminated the data must be either destroyed or assigned to another data

controller provided that they are intended to be processed under terms that are compatible with the

purposes for which the data have been collected.


Omission or incomplete information: Breach of the provisions referred to Section 13 of the PDPC

for omission or incomplete information are punished by a fine between 6000 and 36 000 Euros (the

payment may be increased up to three times, should the fine be considered ineffective, provided

the economic status of the offender) (Section 161 PDPC.)

Transfer of data when the processing has been terminated and the transfer is not compatible with

the purposes for which the data have been collected is punished by a fine between 10 000 and 60

000 Euros (Section 162 paragraph 1 of PDPC.)

Failure to provide information or to produce documents to the DPA is punished by a fine between

10 000 and 60 000 Euros (Section 164 PDPC.)



113

The processing of personal data in breach of the minimum security measures provided by Section

33 and/or the provisions laid down in Section 167 of the PDPC (Unlawful Data Processing) is

punished with a fine between 10 000 Euros and 120 000 Euros (Section 162 paragraph 2 bis PDPC).

As well, any breach of the data subject‟s right to object in accordance with the mechanisms set

forth in Section 130 paragraph 3 bis PDPC and the respective regulations shall be punished with

the same fine (162 paragraph 2 quater PDPC).

Should any of the above mentioned violations be less serious, in consideration of the social and

business features of the activities at issue, the upper and lower thresholds may be reduced by two-

fifths.

Should one or more of the above mentioned provisions be violated repeatedly, on different occasions,

in connection with especially important and/or large databases, an administrative sanction shall be

applied as consisting in payment of a fine ranging from 50 000 and 300 000 Euro. In such a case,

reduction of the applicable fine will not be allowed.

With specific regard to more serious cases, in particular if the prejudicial effects produced on one or

more data subjects are more substantial or if the violation concerns several data subjects, the upper

and lower thresholds of the applicable fines shall be doubled.

Finally, the fines referred above may be increased up to four times if they may prove ineffective on

account of the offender‟s economic status.

Should the DPA apply a fine, it may also publish the injunctive order, in whole or in part, in one or

more daily newspapers.(Section 165 PDPC)

Besides the financial penalties that the DPA can apply, a breach of the PDPC also involves the

possibility of a criminal offence – prosecuted by the competent judicial authority - for:

Unlawful processing of data: any person who, with a view to gain for himself or another or with

intent to cause harm to another processes personal data without the data subject‟s consent shall

be punished, if harm is caused by imprisonment for between six and eighteen months or, if the

offence consists in data communication or dissemination by imprisonment for between six and

twenty-four months, unless the offence is more serious or by imprisonment between one and

three years in case of judiciary or sensitive data (Section 167 PDPC.)

Omission or incomplete notification to the DPA: for failure to submit timely the notification

required under Sections 37 and 38 of the PDPC, or who provides incomplete information in breach

of his/her duties, shall be punished by a fine consisting in a payment of between 10.000 and

60.000 euro as well as by the additional sanction of publication of the relevant injunction/order,

in whole or in part, in one or more daily newspapers (Section 163 PDPC.)


In principle, unsolicited commercial communications are allowed only with the data subject‟s

consent. Therefore, with the sole exceptions mentioned above and until when the opt out list will be

set up, processing of data without the data subject‟s consent represents both an administrative illicit

and a criminal offence and is punished according to the criteria indicated above.

In any case, the data subject must always be adequately informed of the possibility not to receive

further commercial communications either initially or in connection with subsequent communications

(Section 130, paragraph. 4 of the PDPC).



114



N/A


The data subject has always the right to access and request the rectification of his/her data. The

rights referred to in Section 7 of the PDPC may be exercised by making a request to the data

controller or processor without formalities, also by the agency of a person in charge of the processing.

A suitable response shall be provided to said request without delay. Any requests of access and/or

rectification is free of charge.

The data subject may grant, in writing, a power of attorney to natural persons, associations or

organisations in order to exercise the rights set forth in Section 7 of the PDPC. The rights indicated in

Section 7 which concern deceased persons can be exercised by subjects who have a personal interest

related thereto or by subjects acting on behalf of the deceased or for family-related reasons

deserving to be protected.

An individual may also file a circumstantial claim pursuant to Section 142 of the PDPC, in order to

point out an infringement of the relevant provisions on the processing of personal data. This claim

must contains, with as many details as possible, the facts and circumstances on which the complaint

is grounded, the allegedly infringed provisions and the remedies as well as to the identification data

concerning the data controller, data processor, if available, and claimant. The claim shall be

undersigned by the data subjects or by associations representing them and shall be lodged with the

DPA without any specific formalities being required.



115

The Netherlands


Personal Data Protection Act (Wet bescherming persoonsgegevens), 1 September 2001;

Telecommunication Act (Telecommunicatiewet), 19 October 1998,

Article 11.7 Telecommunication Act (version of 1 October 2009).


The DPA has amended its policy as of 2008. The DPA has considerably reduced its assistance with

enquiries and has shifted towards strict enforcement.


If the controller has a marketing list, it is assumed that the controller already processes personal

data, or is intending to. Before the controller uses the list for direct marketing purposes, the

controller has to notify the data processing to the DPA (article 27 Personal Data Protection Act).

Exempt from this notification requirement are the data processing conditions, by general

administrative regulation, in article 11 or article 13 or article 42 Vrijstellingsbesluit Wbp (7 May

2001).

Organisations can also appoint their own internal supervisor, the Data Protection Officer, who is

(publicly) registered with the DPA. The marketing list must be notified to the Data Protection Officer,

instead of the DPA.

On the website of the Dutch DPA (College Bescherming Persoonsgegevens, www.cbpweb.nl) a public

register of the data processing activities by Controllers and a public register of Data Protection

Officers are available (also in English).


Registering a marketing list is not a lengthy process for the Controller. Any change in the contact data

of the Controller (for example address, residence) needs to be notified within a week after the prior

notification. Structural changes related to the purposes of the data processing have to be notified to

the DPA or the Data Protection Officer of the Controller. Changes are to be kept on file by the

Controller (or its data protection officer) for a minimum of three years.

SECTION II – Legal Overview - Netherlands

Time

0 - 1 week (after the prior notification) Any change in the name or address of the Controller

1-3 weeks

4-6 weeks Expected time duration for a market list to be

published in the public register by the DPA

Within 1 year (after the

prior notification)

Structural changes related to:

-the purposes of the data processing;

-the categories of data subjects and personal data;

-the receivers to whom the date are disclosed;

the transfer of data to countries outside the European

Union; and

-security measures to protect personal data.


http://www.cbpweb.nl/

116

Registration costs

There are no costs involved.



purposes

The legal ground for processing (non-sensitive) personal data for marketing purposes is based on the

„legitimate interests of the controller or third party to whom the data are disclosed‟. The consent of

the data subject (opt-in) is often not necessary. As a rule it is sufficient to give the data subject the

opportunity to opt-out if (non-sensitive) personal data are processed for marketing purposes.


The consent of the data subject (opt-in) is often not necessary. As a rule, it is sufficient to give the

data subject the opportunity to opt-out, if (non-sensitive) personal data are processed for marketing

purposes.

Consent or opt-in is defined as: „any freely given, specific and informed expression of will by which

the data subject agrees to personal data relating to him being processed‟. (Article 1 section in

Personal Data Protection Act1)

For sensitive data, as defined in article 16 Personal Data Protection Act, the explicit consent of the

data subject is required. Implied consent is not sufficient. To give expressed consent the data subject

must indicate his wishes orally, or in writing, or by his/her behaviour.


Consent is needed for: SMS, MMS, EMAIL, Fax, Automatic Calling Machines, Voice Mail

Consent is not needed for: Telephone and Mail


Sensitive data cannot be processed (article 16 Personal Data Protection Act), except as otherwise

provided in the articles 17–23 Personal Data Protection Act. Note that the processing of sensitive

personal data must fully comply with all the requirements for legitimate personal data processing

under the Wbp. The processing of sensitive personal data is allowed where the processing is carried

out with the explicit consent of the data subject. Written opt-in can be considered as explicit consent

of the data subject. Explicit consent may also be indicated orally or by behaviour.

In particular circumstances the data subject‟s confirmation of its consent to the processing of the

sensitive data may be necessary, as the Controller may have to prove the express consent. It is not

clear how this burden of proof is achieved in practice.



Other types of data considered „sensitive‟, are data concerning a person‟s criminal behaviour or

related data. Whether data are considered sensitive depends on the nature of the corporate culture.

1 Dutch original: (artikel 1 onderdeel i Wet bescherming persoonsgegevens): „elke vrije, specifieke en op informatie berustende wilsuiting waarmee de

betrokkene aanvaardt dat hem betreffende persoonsgegevens worden verwerkt‟.



117



The legal ground for the use of electronic messages for marketing purposes is based on the prior

consent of the subscriber (article 11.7 section 1 Telecommunications Act). The sender of the

electronic messages, like email, needs to prove the prior consent of the subscriber.

Prior consent can be proven by the use of double unticked boxes (□ Yes □ No). The sender must

provide sufficient information on the use of the email address for commercial purposes, just above

the frame where the subscriber actually can fill in his or her email address. These requirements for

(prior) consent are applicable online and offline.


“Anyone who obtained electronic contact data for electronic messages in the context of the sale of a

product or service, may use these data for the communication of commercial or charitable purposes

of its own similar products or services, provided that when the contact data were collected the

customer clearly and distinctly was given the opportunity to object, free of charge and in an easy

manner to such use of electronic contact details, and, in case the customer has not made use of this

opportunity, the customer is offered the possibility to object against further use of his electronic

contact data in every communication under the same conditions. Article 41 section 2 Personal Data

Protection Act is applicable in a similar manner.” Article 11.7 section 3 Telecommunication Act2.


As a result of the amendments of 1 October 2009 of the Telecommunication Act, the obligation to

obtain prior consent (opt-in) also applies to legal persons.

The new subsection 2 of Section 11.7 of the Telecommunications Act stipulates a number of

exceptions to the general obligation to obtain consent. According to this subsection, the (legal)

person that sends electronic messages (email, SMS, MMS) to legal persons and natural persons as part

of their professional and business practice, may assume that consent has been given under certain

circumstances. The first is that consent can be assumed where the legal persons have made it

generally known that they want to receive unsolicited marketing messages, they have given their

contact details where commercial messages can be send to, and, if desired, have indicated the types

of messages they want to receive. Making their contact information available will be put on par with

the giving of prior consent for receiving unsolicited commercial electronic messages. However, the

mere exchange of business cards cannot be considered as giving of consent, according to the

Supervisory Authority OPTA.

A sender is furthermore not obliged to gain prior approval if an electronic message is sent to a

subscriber based in a country outside of the European Economic Area (the European Union, Iceland,

Norway and Liechtenstein) and the sender has satisfied the applicable provisions in that country with

respect to sending unsolicited communications.

2Dutch original article 11.7 section 3 Telecommunication Act:

Een ieder die elektronische contactgegevens voor elektronische berichten heeft verkregen in het kader van de verkoop van zijn product of dienst mag

deze gegevens gebruiken voor het overbrengen van communicatie voor commerciële, ideële of charitatieve doeleinden met betrekking tot eigen

gelijksoortige producten of diensten, mits bij de verkrijging van de contactgegevens aan de klant duidelijk en uitdrukkelijk de gelegenheid is geboden

om kosteloos en op gemakkelijke wijze verzet aan te tekenen tegen het gebruik van die elektronische contactgegevens, en, indien de klant hiervan geen

gebruik heeft gemaakt, hem bij elke overgebrachte communicatie de mogelijkheid wordt geboden om onder dezelfde voorwaarden verzet aan te

tekenen tegen het verder gebruik van zijn elektronische contactgegevens. Artikel 41 lid 2 Wet bescherming persoonsgegevens is van overeenkomstige

toepassing.



118

Purposes

Article 7 of the Personal Data Protection Act stipulates that personal data shall be collected only for

specific, explicitly defined and legitimate purposes. A purpose that is too widely formulated almost

always generates data that cannot be used in practice; therefore, the purpose should be precise.

However, it is not advisable to be too precise, as the purpose could limit the use of the data too

much.

Generic terms

It is advisable to be specific when stipulated in the Personal Data Protection Act (the Wbp -for

example contains certain provisions related to direct marketing purposes). Otherwise, sector specific

self-regulation defines generic terms.



The data subject must be informed of his right to block personal data (opt-out), when personal data

are collected for marketing purposes (article 33/34 Personal Data Protection Act). However, there is

no recognized form of wording on this subject.



Both prospective and existing clients will need to be informed of the purpose of processing personal

data.

Opt-out

The data subject exercises opt-out by sending a note or email directly to the Controller or by using an

unsubscribe hyperlink. The Controller must flag the concerned contact data as not to be used for

direct marketing purposes.


Each time when the Controller informs the customer for commercial or charitable purposes, the data

subject needs to be informed of the right to opt-out.

Data Storage


A data confidentiality clause is stated in article 9 section 4 Personal Data Protection Act: the data

processing shall not take place when there is an obligation of confidentiality by virtue of function,

profession or legal provision.

Another confidentiality clause, in general, is stated in article 12 Personal Data Protection Act: anyone

acting under the authority of the Controller or the Processor, as well as the Processor itself, when

they have access to personal data, shall only process such data in accordance with the instructions of

the Controller, except when otherwise required by law (article 12 section 1 Personal Data Protection

Act).

These persons are required to treat the personal data as confidential, except when any legal provision

or the performance of their duties requires communication of such data (article 12 section 2 Personal

Data Protection Act).



119


There is a specific time limit on holding data. Article 10 section 1 Personal Data Protection Act states

that data may no longer be kept in a form that identifies a person, if the purposes for which the data

are processed are accomplished. Historical, statistical or scientific purposes are exempted (article 10

section 2 Personal Data Protection Act).

Penalties


The administrative infringements are categorized in „less serious and serious‟ infringements, with

regard to the duty to notify the data processing to the DPA (article 66 Personal Data Protection Act /

Policy rules DPA for fining):

Notification after the deadline;

An incorrect or incomplete notification;

Notification of changes after the deadline;

Not capturing the data in relation to a different processing of personal data.

Maximum administrative fine for less serious infringements is €1500,--;

Maximum administrative fine for serious infringements is €3000,--;

Maximum administrative fine for repeated offenses is €4500,--.

The DPA is also authorized to apply administrative measures of constraint, which can lead to halting

the processing of personal data (article 65 Personal Data Protection Act).


The Independent Post & Telecommunications Authority, OPTA, which is authorized to enforce article

11.7 Telecommunication Act, regards a breach of the rules on unsolicited electronic communication

for commercial or charitable purposes as „less serious infringements‟. The maximum administrative

fine is € 100.000,-- for „less serious infringements‟. The amount of the fine depends on the criteria:

the number of complaints;

repeated infringement;

several infringements;

the particular damage of the message according to end-users;

the damage, caused by the message, according to ISP‟s and hosting providers;

the damage of the message to end-users;

number of messages sent.

Maximum fine of € 450.000, -- („very serious infringement‟), if the obtained benefit or damage caused

justifies this.



There are no specific special rules concerning on-time collection of data on the internet. The Personal

Data Protection Act is equally applicable in the online and offline area.


Article 35 Personal Data Protection Act: request for access by the data subject, reaction by the

Controller within 4 weeks. Compensation of costs is possible: maximum of €0,23 for one page with a

maximum of €4,50 for one message. Article 36 Personal Data Protection Act: request for rectification

by the data subject, reaction by the Controller within 4 weeks.



120

Norway


Personal Data Act, 14. April 2000 nr 31

Marketing Control Act, 9. January 2009 nr 2

Norway is a member of the European Economic Area (EEA) and its Data Protection laws are recognised

by the EU.



Obligations in relation to marketing lists with the Data Protection Authority (Datatilsynet)

The processing of personal data in relation to marketing lists must as a main rule be notified with the

DPA.

To the extent that the processing involves sensitive personal data, a licence will, in principle, be

required.

Expected time duration for notification and application for a licence to the DPA

Notification: The DPA does not provide companies with permission; they only use the notification in

their role as supervisors. For licences the time varies. Normally it is approximately 8 weeks.

Registration costs

There are no registration costs



purposes

The person have given his/her consent

To fulfill a contract to which the data subject is a party (§ 8 a)

The interest of the controller overrides the interest of the data subject (§ 8f)


Valid consent is obtained when a freely given, specific and informed declaration is made by a data

subject, in which they agree to the processing of their personal data .

Implied consent

Implied consent (i.e. if a consumer provides details – address, phone number or email) is generally not

acceptable.

SECTION II – Legal Overview - Norway


121


* Consumers may opt out of marketing by telephone or addressed mail by registering their names,

addresses and telephone numbers in the Central Marketing Exclusion Register. Marketing lists must be

compared against the Central Marketing Exclusion Register before a consumer is contacted for the

first time, and subsequently on a monthly basis.

** It is prohibited in the course of trade to telephone marketing to consumers on Saturdays, Sundays or

public holidays, or on weekdays before 09:00 or after 21:00.


The required form of consent for sensitive and non-sensitive data is the same.



Data on whether a data subject has been suspected of, charged with, indicted for ,or convicted of a

criminal act.


Common legal ground for the use of electronic messages for marketing

Prior consent, opt–in, is required.


There is no soft opt-in in Norway.

Rules on electronic communication for B-to-B marketing

Not in general – but if the marketing is to a specific person in a company, you will need that person‟s

consent before approaching them.

Purposes

When giving the purposes for processing personal data, it is necessary to be precise.

Category Yes No N/A

SMS MMS Email Telephone *

**Fax Mail Other, please specify:

Addressed mail*



122

Generic terms

Generic terms are acceptable. For example, „fax direct marketing‟ is sufficient.



There are no required or a recognised form of wording for collecting data in Norway.



If the purposes are clearly stated and consent has been given, it is not necessary to detail the

purposes each time an existing client is approached. Only prospective clients need to be informed of

the purposes for processing.

Opt-out


Yes, if you use electronic media such as email, SMS or MMS.

Data Storage


This is a data confidentiality clause in Norway.

Time limits on storage of data

Data may not be stored for longer than is necessary in order to fulfill the purpose of the processing of

personal data.



There are no national model clauses governing the rules of data transfer between companies. The EU

standard model clauses are accepted.

Transfer of data to non-EU countries

Procedure for transferring data to non-EU countries

There has to be a model clause in place or an agreement between the parties. Alternatively, the data

subject must consent.

Security of Data

Security of data

“The controller and the processor shall by means of planned, systematic measures ensure

satisfactory data security with regards to confidentiality, integrity and accessibility in connection

with the processing of personal data”


There are no costs associated with the security of data to the DPA.



123


There are several rules that must be fulfilled.

Penalties


Fines

order to change or cease unlawful processing

imprisonment

compensation


Fines

order to change or cease unlawful processing

imprisonment

compensation


None.


You may only have access to the information that you need in your job –“need to have” and not “nice

to have” information.

Data subjects are entitled to have access to, information about, and rectification of their own data.


There are no industry codes of practice as there is a duty to clean list against the state operated

“central marketing exclusion register” as mentioned in the Data Protection Act.

For more information please contact:

Brønnøysundregistrene

Tel. + 47 75 00 75 00


www.brreg.no



124

Poland


the Act of August 29, 1997, on the Protection of Personal Data (hereinafter called the PDPA);

the E-Commerce Act of July 18, 2002, on providing services by electronic means (hereinafter

called the e-Commerce Act); deals with processing of personal data in respect of e-commerce

(art.16-22);


The Polish DPA‟s (Inspector General for Personal Data Protection, “Generalny Inspektor Ochrony

Danych Osobowych”, or “GIODO”) policy is to answer all questions concerning clarification of

regulatory issues or processing of personal data. On the other hand, if GIODO fails to answer a

question, there is no legal means to force it to do so.


Marketing lists (marketing data files) shall be in general registered with the DPA. The only exception

applies to marketing data files consisting of so-called business contact data (B2B relationship) and the

lists consisting solely of generally accessible data such as data published on websites. Such files do

not have to be registered.

In case of non-sensitive data, the controller may start processing personal data after submitting a

marketing data file for registration.

In case of sensitive data, controller may start processing personal data after registration of the data

file.


4 – 6 weeks.

Registration costs

There are no administrative fees to be paid.

The fee for the certificate of registration of the data file amounts to PLN 17 (approx. EUR 3.50).



purposes

The possible legal grounds are the prior consent of the data subject, obtained by an opt-in (otherwise

the consent may be invalid) or under a provision of PDPA allowing the data controller to process the

data for marketing purposes, provided the data subject does not object to it (opt-out), cf. art. 23

item 4 point 1 of DPDA.

However, it should be stressed that the latter possibility is limited only to processing of personal data

in the context of marketing by a controller of his own products or services. Opt-out may never be

used in the case of the processing of personal data in an e-commerce context.


Consent may be expressed by any declaration by which the data subject unequivocally expresses his

or her agreement to personal data relating to him or her being processed. The consent cannot be

implied or presumed on the basis of the declaration of will on another issue (e.g. a contract with a

controller). Written consent is only required in limited cases (e.g. for processing of sensitive data).

SECTION II – Legal Overview – Poland


125

Implied consent

Implied consent is not acceptable under PDPA.


* in communications regarding marketing of the controller‟s own goods or services

** in case of other types of marketing communication


The consent must be expressed in writing. Verbal or non-durable explicit (express) consent is not

sufficient. This requirement is regarded to be a serious hindrance for telemarketing and Internet

industries in Poland.



Apart from the above, personal data revealing ethnic origin, philosophical beliefs, as well as the

processing of data concerning, genetic code, addictions and data relating to convictions, decisions on

the penalty, fines and other decisions issued in court or administrative proceedings shall be

considered sensitive data. The exhaustive list of sensitive data is provided for in art.27 of PDPA.



Only explicit consent shall be acceptable.


There is no soft opt-in possibility.

Opt-in is required for all electronic communication for B-to-B marketing purposes.

Purposes

When giving purposes for processing personal data, it is necessary to be precise.

Category Yes No N/A

SMS MMS Email

Telephone *Fax Mail **Automatic calling

machines



126

Generic terms

Generic terms are acceptable



There are no required or recognized form of wording for collecting data, however, it is advisable to

use the same wording as are used in PDPA.



The purposes for processing personal data shall be given only to prospective clients. The obligation of

notification has to be fulfilled by a controller only once. The data subject has a right to obtain

information as to the purpose, scope, and the means of processing of the data contained in the

system once for six months.

Opt- out

PDPA does not provide for any specific requirements as to exercise of opt-out. Thus, a controller has

to accept a data subject‟s objection raised in any form. Opt out does not have to be offered each

time when approaching the customer.

Data Storage


There is a data confidentiality clause in Poland.


There are no time limits on holding data, however a general preservation principle applies. According

to this, personal data shall not be kept in a form that permits identification of the data subject longer

than it is necessary for the purposes for which they are processed.

“Passive” holding of data is regarded as falling within the scope of “processing of personal data”.



None. The contract in writing is required for appointing the data processor.

Transfer of Personal Data to a Third Country

The transfer of personal data to a third country may take place only, if the country of destination

ensures at least the same level of personal data protection in its territory as that in force in Poland.

The standard EU clauses are used in Poland.

Penalties


In case of any breach of the provisions on personal data protection, GIODO ex officio, or upon a

request of a person concerned, will make an administrative decision, which requires the restoration

of the proper legal state, and in particular:

to remedy the negligence,



127

to complete, update, correct, disclose, or not to disclose personal data,

to apply additional measures protecting the personal data, which has been collected,

to suspend the transfer of personal data to a third country,

to safeguard the data or to transfer them to other subjects,

to erase the personal data.

No administrative fines can be imposed by GIODO.

Penalties for breaching the rules on unsolicited Emails and other means of electronic

communication:

In case of sending unsolicited communications by email or other means of electronic communication,

a fine up to PLN 5,000 (approx. EUR 1,250) may be imposed by a court.



No. General rules are applicable.


The data subject has a right to control the processing of his or her personal data contained in the

databases, and in particular he or she has the right to demand the data to be completed, updated,

rectified, temporarily or permanently suspended, or erased, in case they are not complete, outdated,

untrue or collected in the violation of the act, or in case they are no longer required for the purpose

for which they were collected.


Poland has Codes of Practice & Preference Services (Robinson Lists). They can be found at the Polish

Direct Marketing website www.smb.pl. The DPA has been consulted on the direct marketing code.



http://www.smb.pl/

128

Romania


-Law no. 677/12.12.2001

-Law no. 506/2004

-Law no. 682/21.12.2001

-Law no. 102/03.05.2005

-Law no. 365/2002

-Decision no. 95/2008

-Decision no. 11/2009


The National Authority on the Supervision of Personal Data Processing (the DPA) will assist with

enquiries.


When starting to collect personal data to be included in a marketing list in Romania, you are required

to notify the DPA. If existing marketing lists are transferred from the initial holder to another entity,

such transfers have to be reflected in the initial holder‟s and the receiving entity‟s, respective

notifications.


6 – 8 weeks

Registration costs

Currently there are no registration costs applicable for filing notifications concerning marketing

processing (and marketing lists) with the DPA.



purposes

The common legal ground for the processing of personal data for marketing purposes is that there has

to be a legitimate interest from the direct marketer.


In the cases where consent is needed, it has to be explicit and unequivocal.

Implied consent

Implicit consent is acceptable in Romania, but it is not recommended in situations where the law

requires opt-in.


Consent is required for SMS, MMS, EMAIL, FAX, and Voice Mail

Consent is not required for Telephone and Mail

SECTION II – Legal Overview – Romania


129


When processing sensitive data, the consent has to be explicit and unequivocal. The DPA has

sometimes expressed the view that processing sensitive data for marketing purposes is excessive and,

thus, not justified.



Categories of sensitive data include ethnic origin, philosophical beliefs or similar nature, personal

numeric code, ID card/passport series and number, genetic and biometric data, data on criminal

offences, criminal convictions/security measures, disciplinary sanctions, administrative sanctions,

criminal record.



Explicit consent of the recipient is required.


There is no soft opt-in for electronic communications in Romania.

Opt-in is required for all electronic communication for B-to-B marketing purposes (it is not

required for direct mail).

Purposes

It is not necessary to be precise when giving the purposes for processing personal data, as long as it is

clearly indicated that the data shall be used for future marketing purposes.

Generic terms

Generic terms are acceptable.



There is a required or a recognized form of wording for collecting data in Romania (included in DPA

guidelines available on its official website:

http://www.dataprotection.ro/?page=ghid_notificare&lang=ro). It is as follows:

Romanian:

For collection via participation tickets or similar means:

“............................................................. (se indică identitatea operatorului sau a

reprezentantului, precum şi, dacă este cazul, pe cea a împuternicitului) prelucrează datele cu

caracter personal furnizate de dumneavoastră prin acest document.............(se precizează

categoriile de date, dacă acestea nu sunt colectate direct de la persoanele vizate) în scopul

............(se precizează scopul). Datele vor fi dezvăluite ..................................(se precizează

destinatarii cărora le vor fi dezvăluite datele). Pe viitor, aceste date/datele .............. (se

precizează concret datele) ne permit să vă ţinem la curent cu activitatea noastră.



http://www.dataprotection.ro/?page=ghid_notificare&lang=ro

130

În cazul în care nu doriţi aceasta, bifaţi NU

Conform Legii nr. 677/2001, beneficiaţi de dreptul de acces, de intervenţie asupra datelor, dreptul

de a nu fi supus unei decizii individuale. Aveţi dreptul să vă opuneţi prelucrării datelor personale

care vă privesc şi să solicitaţi ştergerea datelor. Pentru exercitarea acestor drepturi, vă puteţi

adresa cu o cerere scrisă, datată şi semnată la .................................................(se precizează

serviciul, organismul sau persoana responsabilă). De asemenea, vă este recunoscut dreptul de a vă

adresa justiţiei.

Datele dumneavoastră vor fi transferate în ............... (precizaţi statele), în

vederea....................(se precizează scopul transferului datelor în străinătate).“

For collection of data online: “Conform cerinţelor Legii nr. 677/2001 pentru protecţia persoanelor cu

privire la prelucrarea datelor cu caracter personal şi libera circulaţie a acestor date, modificată şi

completată şi ale Legii nr. 506/2004 privind prelucrarea datelor cu caracter personal şi protecţia

vieţii private în sectorul comunicaţiilor electronice (se precizează şi acest act normativ, după

caz)..............................................(se precizează denumirea operatorului sau a

reprezentantului, precum şi, dacă este cazul, pe cea a împuternicitului) are obligaţia de a administra

în condiţii de siguranţă şi numai pentru scopurile specificate, datele personale pe care ni le furnizaţi

despre dumneavoastră, un membru al familiei dumneavoastră ori o altă persoană. Scopul colectării

datelor este:.............................. (se indică scopul prelucrării).

Sunteţi/nu sunteţi obligat(ă) să furnizaţi datele, acestea fiind necesare................................(se

precizează scopul). Refuzul dvs. determină.................. (se precizează consecinţele refuzului).

Informaţiile înregistrate sunt destinate utilizării de către operator şi sunt comunicate numai

următorilor destinatari:................. (se precizează destinatarii).

Doriţi să primiţi informaţii despre produsele, serviciile, evenimentele etc. oferite de.................(se

precizează denumirea operatorului sau a reprezentantului, precum şi, dacă este cazul, pe cea a

împuternicitului)?

DA NU

Conform Legii nr. 677/2001, beneficiaţi de dreptul de acces, de intervenţie asupra datelor, dreptul

de a nu fi supus unei decizii individuale şi dreptul de a vă adresa justiţiei. Totodată, aveţi dreptul să

vă opuneţi prelucrării datelor personale care vă privesc şi să solicitaţi ştergerea datelor*. Pentru

exercitarea acestor drepturi, vă puteţi adresa cu o cerere scrisă, datată şi semnată la

.................................................(se precizează serviciul, organismul sau persoana

responsabilă). De asemenea, vă este recunoscut dreptul de a vă adresa justiţiei. Datele

dumneavoastră vor fi transferate în ............... (precizaţi statele), în vederea....................(se

precizează scopul transferului datelor în străinătate)."

Dacă unele din datele despre dumneavoastră sunt incorecte, vă rugăm să ne informaţi cât mai curând

posibil.”

English:

For collection via participation tickets or similar means:

“............................................................. (the identity of the data controller or its

representative and, if the case, of the data processor shall be inserted) processes the personal data

made available by you through this document.............( the categories of data and whether the data

is collected directly from data subjects shall be indicated herein) for the following purpose

............(the purpose shall be inserted). The data shall be disclosed to

..................................(the recipients of the data shall be mentioned herein). In the future,

these data / the following categories of data.............. (the categories of data shall be mentioned)

will allow us to maintain you informed on our activity.



131

If you do not wish to receive such information, please select NO

According to Law no. 677/2001, you have the right to access and intervene on the data, the right not

to be subjected to automated individual decisions. You have the right to object to the processing of

your personal data and to request the deletion thereof. For exercising these rights, you may send a

written, dated and signed request at ................................................. (the office, body or

person responsible for receiving these requests to be inserted). Moreover, you are entitled to address

the competent court of justice. Your personal data shall be transferred to ............... (countries of

destination to be inserted) in order to .................... (the purpose of the transfer to be inserted).”

For collection of data online: “Pursuant to the requirements of the Law No. 677/2001 on the

protection of individuals with regard to the processing of personal data and the free movement of

such data, as amended and completed, and of the Law No. 506/2004 on the processing of personal

data and the protection of personal life in the electronic communication field (such piece of law is

also specified, as the case may be)………………………………………..(it is specified the name of the data

controller or of the representative thereof and, if the case, the name of the data processor) has the

obligation to administrate in safe conditions and only for the specified purposes the personal data

belonging to you, to a member of your family or to any other person which are provided to us. The

purpose of data collecting is:………………………………(the purpose of the processing is specified).

You are/ you are not compelled to provide the data, which is necessary……………………….(the purpose is

specified). Your refusal triggers …………………….(the consequences of the refusal are specified).

The registered information are destined for the use of the data controller and are communicated

only to the following recipients:…………………………… (the recipients are specified).

Do you want to receive information on the products, services, events, etc. offered by ……………………(it

is specified the name of the data controller or of the representative thereof and, if the case, the

name of the data processor)?

YES NO

According to Law no. 677/2001, you have the right to access and intervene on the data, the right not

to be subjected to automated individual decisions and the right to address the competent court of

law. Moreover, you have the right to object to the processing of your personal data and to request

the deletion thereof. For exercising these rights, you may send a written, dated and signed request

at .................................................(the office, body or person responsible for receiving these

requests to be inserted). Moreover, you are entitled to address the competent court of justice. Your

personal data shall be transferred to ............... (countries of destination to be inserted) in order to

....................(the purpose of the transfer to be inserted)."

If some of your data are incorrect, please indicate this as soon as possible.”



Legally only to prospects.

Opt-out

Opt-out is exercised by written request. The possibility to opt-out should be mentioned in each

marketing message.



132

Data Storage


There are data confidentiality clauses in Romania.


There are no time limits on holding data, but such should be held only as long as necessary for

fulfilling the processing purposes.

Penalties


Fines, suspension or ceasing of the processing, partial or total destruction of the database, legal or

criminal action.


Fines will be imposed.



The consumers have the right to access and rectify the data by sending a written request.


There are codes of Practice in Romania. These can be found on the website of the Romanian DMA,

www.armad.ro. These codes are also agreed by the DPA.



http://www.armad.ro/

133

Slovenia


ZVOP-1 (Personal Data Protection Act)

ZEKom (Electronic Communications Act)

ZEPT (Electronic Commerce Market Act)

ZVPot (Consumer Protection Act - official consolidated text)

ZASP (Copyright and Related Rights Act)


The DPA is willing to answer questions and provide information regarding these matters.


Companies that keep and process personal data must transmit information about personal data

processing to the DPA except for those companies that use lists of less than 50 people and that do not

process sensitive data.


1-3 weeks

Registration costs

The registration itself is cost free. However, gathering the required data and creating the required

internal guidelines on processing personal data generates internal costs.



purposes

1) Individual‟s consent is the most common legal ground for the processing of personal data for

marketing purposes

2) Marketing databases can also be compiled from publicly available sources (Article 71 of ZVOP-1),

but should not be used for marketing purposes unless addressees consent (opt-in principle). The

processor then has to comply with the demands of the data protection act (ZVOP-1) – including

the requirement to submit information to the DPA and enact internal rules for the processing of

personal data.


Personal consent is a voluntary statement of an individual‟s free will that his personal data can be

processed for a specific purpose and is based upon information the data processor is obliged to

provide. Personal consent can be written, verbal, or in another appropriate form.

Written consent is required for sensitive personal data.

As a rule, written consent is usually acquired because verbal consent is harder to prove. An electronic

form that is not verified with a safe electronic signature counts is of equivalent evidentiary

significance as verbal consent.

Implied consent

Implied consent is not acceptable.

SECTION II – Legal Overview – Slovenia


134

Consent by the data subject is required for SMS, email, MMS, fax, telephone, but not mail.

No consent is necessary for the collection of data from publicly available sources according to the

Data Protection Act, but this does not apply to electronic communications. Consent is necessary when

using this data to address consumers according to the Electronic Communications Act (ZEKom) ,

Consumer Protection Act (ZVPot) and Electronic Commerce Market Act (ZEPT ).

The use of automated calling systems for making calls to the subscribers‟ telephone numbers without

human intervention (e.g. automatic calling machines), facsimile machines or electronic mail for the

purposes of direct marketing may only be allowed if the addresses have given their prior consent (opt-

in).

Irrespective of this, natural persons or legal entities that obtain electronic mail addresses from the

customers of their products or services may use such addresses for direct marketing of their similar

products or services, but they shall be obliged to give their customers the possibility, at any time,

free of charge and by using simple means, of preventing such use of their electronic address (soft opt-

in)


In the private sector processing of sensitive data is only allowed if an individual gave his explicit

(express) written consent.



Categories of Sensitive data also include national or nationalistic origin, philosophical beliefs, criminal

and minor offense records and biometric characteristics if they can identify an individual. The

provisions of the Slovenian Data Protection Act are very similar to the EU Data Protection Directive.



ZEKom (which sets the rules for electronic communications for both businesses and consumers)

defines the (soft) opt-in principle. See below.

ZVPOT (which sets the rules for automatic means of communication with consumers, physical persons,

at the receiving end) defines the opt-in principle (prior consent of the consumer).


Natural persons or legal entities that obtain electronic mail addresses from the customers of their

products or services may use such addresses for direct marketing of their similar products or services,

but they shall be obliged to give their customers the possibility at any time, free of charge and by

using simple means, of preventing such use of their electronic address (soft opt-in)


The same opt-in rules apply to B-to-B and to B-to-C with the same two exceptions as defined in the

ZEPT (Electronic Commerce Market Act).

Purposes

When providing the purposes for processing data, the purposes must be precise. Generic terms are

acceptable.



135



There is no required or recognized form of wording for collecting data. However, we recommend

something on the following lines:

Spodaj podpisani ___________, dovoljujem, da podjetje __________________ moje zgoraj navedene

osebne podatke obdeluje v svojih zbirkah ter jih uporablja za sledeče namene:

statistične obdelave, segmentacijo kupcev, obdelave preteklega nakupnega

obnašanja, izpolnjevanje pogodbenih obveznosti, obveščanje kupcev o morebitnih

napakah na izdelkih, pošiljanje ponudb, reklamnega gradiva, revij in vabil na

dogodke ter za telefonsko, pisno in elektronsko anketiranje.

Moje osebne podatke lahko __________________obdeluje za dobo _____ let oziroma do preklica moje

pisne privolitve.

Seznanjen sem, da bo __________________ v primeru preklica moje pisne privolitve moje osebne

podatke še naprej uporabljala, vendar le za izpolnjevanje pogodbenih obveznosti in

uveljavljanje pravic iz pogodbenega razmerja.

In English:

I, the undersigned _________ agree that company ___________ may collect my personal data in their

databases for market segmenting, statistical needs, past purchase statistics (add

appropriate) and marketing and surveying activities.

My data can be used for ____ years or until my written cancellation.

I understand that the company ______ will use just contractual data after my cancellation.



The purposes must be given the first time a client is approached. If the relationship is an on-going

one, it is only necessary to provide the purposes once. Should the scope of the processing expand,

consent is to be obtained once again.

Opt-out

When the vendor receives an email, or other request, to remove data, , he should delete the sender‟s

personal data from his lists and databases.

Mail receivers can buy stickers and attach them to their mailboxes, which means that they do not

want to receive unaddressed printed advertisements anymore.


Yes, it is necessary to offer an opt-out mechanism each time when approaching the customer.

Data Storage


There is a Data Protection clause.



136


There are time limits on holding data. If the legal basis for the processing of data is by statute,

personal data can only be held for the period defined by the legislation and then deleted.

If the legal basis for the processing of data is a contract, then there is a prescriptive deadline in

which all claims from the contract expire.

If the legal basis for the processing of data is consent, the proportionality principle applies (data is

held until they are needed for the purpose for which it was collected. The purpose has to be

communicated.)

Penalties


ZVOP-1 defines the following penalties:

Article 91

(1) A fine of between 4170€ and 12510€ shall be imposed for a minor offence on a

legal person or sole trader:

1. if he processes personal data without having the statutory grounds or personal consent of the

individual to so do;

2. if he entrusts an individual task relating to the processing of personal data to another person

without concluding a contract;

3. if he processes sensitive personal data or does not protect them;

4. if he automatically processes personal data;

5. if he collects personal data for purposes that are not defined and lawful, or if he continues to

process them;

6. if he supplies personal data to a data recipient;

7. if he does not inform the individual of the processing of personal data;

8. if he uses the same linking code;

9. if he does not delete, destroy, block or make anonymous personal data after the purpose for

which they were processed has been achieved;

10. if he fails to ensure that the filing system catalogue contains data provided by statute;

11. if he fails to supply data for the needs of the Register of Filing Systems.

(2) A fine of between 830€ and 1250€ can be imposed for a minor offence (see above) on a company‟s

controller or a sole trader.

(3) A fine of between 830€ and 1250€ can be imposed for a minor offence on the responsible person of

a state body or body of self-governing local community who offends against any element of the first

paragraph of this Article.

(4) A fine of between 200€ and 830€ can be imposed for a minor offence on an individual who offends

against any element of the first paragraph of this Article.



137

Violation of the provisions on contractual processing

Article 92

A fine of between 4170€ and 12510€ can be imposed for a minor offence on a legal person or sole

trader, if he oversteps the authorisation contained in the contract from the second paragraph of

Article 11 or does not return personal data in accordance with the third paragraph of Article 11.

A fine of between 830€ and 1250€ can be imposed for a minor offence from the previous

paragraph on a company‟s controller.

A fine of between 830€ and 1250€ can be imposed for a minor offence on the responsible person

of a state body or body of self-governing local community who offends against the first paragraph

of this Article.

A fine of between 200€ and 830€ can be imposed for a minor offence on an individual who

commits the act from the first paragraph of this Article.

Violation of the provisions on security of personal data

Article 93


trader, if he processes personal data and fails to ensure the security of the personal data (Articles

24 and 25).


paragraph on the company‟s controller or the sole trader.

A fine of between 830€ and 1250€ can be imposed for a minor offence on the responsible person

of a state body or body of self-governing local community who offends against the first paragraph

of this Article.

A fine of between 200€ and 830€ can be imposed for a minor offence on an individual who

commits the act from the first paragraph of this Article.

Violation of the provisions on direct marketing

Article 94


trader, if he processes personal data for the purposes of direct marketing and does not act in

accordance with Articles 72 or 73.


paragraph on the company‟s controller or a sole trader.

A fine of between 200€ and 830€ can be imposed for a minor offence on an individual who offends

against the requirements (the first paragraph of this Article).

Penalties for breaching the rules on unsolicited E-mail messages

E-mail - ZEKom:

A fine of between 50000€ to 400000€ shall be imposed on a medium-sized or large company, as

defined by the Companies Act, if it uses:

a customer‟s e-mail address for direct marketing after the customer has declared that he does not

want to receive it,

electronic communications for direct marketing without subscriber‟s consent

a false identity or false address for direct marketing by use of electronic communications

A fine between 2000€ and 20000€ shall be imposed on other legal entities (not being medium-sized or

large companies), entrepreneurs or individuals performing such activities.



138

A fine between 500€ and 10000€ shall be imposed on the responsible person of legal entity or

entrepreneur for committing one of the above mentioned minor offences.

E-mail - ZVPot:

A fine of between 3000€ and 40000€ shall be imposed on a legal person, entrepreneur or individual:

1. for advertising goods or services in a manner which is against the law, indecent or misleading, or

for not advertising goods or services in the Slovene language (Articles 12, 12a and 12b);

2. for advertising goods or services through a means of comparative advertising which is contrary to

provisions of Article 12c;

3. for advertising messages which are part of or present a service of an information society and are

not in accordance with Article 15a;

4. for using an automatic calling machine without the mediation of an individual, facsimile

transmission machine or electronic mail without prior consent from the consumer, to whom a

message was addressed (first paragraph of Article 45a);

5. for sending messages to consumers with the intention of concluding a contract to supply goods or

services, regardless of a consumer's declaration that he/she no longer wishes to receive such mail

(third paragraph of Article 45a);

ZEPT

A fine of between 10000€ and 50000€ for a minor offence on a service provider which is considered a

mid-sized or large if it sends commercial messages contrary to Article 6 (without consent of the

receiver).

A fine of between 2000€ and 2000€ for a minor offence on a service provider, performing activity as

legal person (but no meeting the criteria of a mid-sized or large company), entrepreneur or

individual.

A fine between 1000€ and 4000€ shall be imposed for a minor offence on a responsible person of legal

person or entrepreneur.

When commercial messages are sent contrary to the provisions of ZEPT and are considered unsolicited

messages pursuant to ZVPOT, the provision of ZEPT apply.



There are no additional rules for on-time collection of data on the internet.


(1) Data controller shall on request of the individual be obliged:

1. to enable consultation of the filing system catalogue;

2. to certify whether data relating to him are being processed or not, and to enable him to consult

personal data contained in the filing system which relates to him, and to transcribe or copy them;

3. to supply him with an extract of personal data contained in the filing system which relate to him;

4. to provide a list of data recipients to whom personal data were supplied, when, on what basis and

for what purpose;

5. to provide information on the sources on which records contained about the individual in a filing

system are based, and on the method of processing.

6. to provide information on the purpose of processing and the type of personal data being

processed, and all necessary explanations in this connection;

7. to explain technical and logical-technical procedures of decision-making, if the controller is

performing automated decision-making through the processing of personal data of an individual.



139

Right to supplement, correct, block, erase and to object

1. On the request of an individual to whom personal data relate, the data controller must

supplement, correct, block or erase personal data which the individual proves as being

incomplete, inaccurate or not up to date, or that they were collected or processed contrary to

statute.

2. On the request of the individual the data controller must inform all data recipients and data

processors to whom the controller has supplied the personal data of the individual, before the

measures from the previous paragraph have been carried out, of their supplementation,

correction, blocking or erasure pursuant to the previous paragraph. Exceptionally the data

controller shall not need to do this if it would incur large costs, disproportionate efforts or would

require a large amount of time.

3. Individuals whose personal data are processed shall have the right through objection at any time

to demand the cessation of their processing. The data controller shall grant the objection if the

individual demonstrates that the conditions for processing have not been fulfilled. In this case the

personal data of the individual may no longer be processed.

4. The DPA shall rule on any request resulting from the previous paragraph within two months of

receiving the request. The lodging of a request will stop the processing of personal data of that

individual.

5. The costs of all actions of the data controller shall be borne by the data controller.

Procedure of supplementing, correction, blocking, deletion and objection

1. The request or objection shall be lodged in writing or orally in an annotation with the data

controller.

2. The data controller shall be obliged to perform the supplementing, correction, blocking or

deletion of personal data within 15 days of the date of receipt of the request, and to inform the

person who lodged the request, or within the same interval to inform him of the reasons why he

will not do so. The controller must decide on an objection within the same deadline.

3. If the data controller fails to act, the request shall be deemed to have been refused.

4. If the data controller concludes on his own that the personal data are incomplete, inaccurate or

not up to date, he should supplement or correct them and inform the individual, unless otherwise

provided by statute.

5. Costs relating to the supplementing, correction and erasure of personal data, and of the

notification and decision on the objection, shall be borne by the data controller.



140

Spain


Ley Orgánica 15/1999, de Protección de Datos de Carácter Personal. (Commonly known as LOPD)

Real Decreto 1720/2007, de 21 de diciembre, por el que se aprueba el Reglamento de desarrollo

de la Ley Orgánica 15/1999, de 13 de diciembre, de Protección de Datos de Carácter Personal

(Commonly know as RDLOPD)

Ley de Servicios de la Sociedad de la Información y del Comercio Electrónico. (Commonly known

as LSSI)

Ley 32/2003, de 3 de Noviembre, General de Telecomunicaciones (Commonly known as LGTel).

Articles 33 to 38 regulate the privacy of communications and the protection of personal data,

public rights and obligations related to networks and electronic communication services.

Extent of the Spanish Data Protection Authority‟s (“Spanish DPA”) Assistance with Enquiries

The Spanish DPA will assist with enquiries but the answers to those enquiries are not binding for the

Spanish DPA. There are examples of decisions of the DPA in contradiction with previous enquiries.


Not only Marketing files but every file containing personal data processed by the data controller has

to be registered.


If the data controller has not received any express notification from the DPA to a request within one

month the file will be considered registered.

There are no registration costs.



purposes

The protection of the Fundamental Right to privacy, as stated in the Spanish Constitution and

developed by the LOPD (Ley Orgánica 15/1999, de Protección de Datos de Carácter Personal) and the

RD LOPD (Real Decreto 1720/2007, por el que se aprueba el Reglamento de desarrollo de la Ley

Orgánica 15/1999).

The LOPD is based on the following principles:

Quality of the data processed, which should be adequate, relevant and not excessive in relation

to the purposes for which they were obtained.

Data subjects‟ right to be informed before collection or at the time of collection of their

personal data. The data subjects must be informed explicitly, precisely and unequivocally of the

following:

a) The existence of a file or personal data processing operation, the purpose of collecting

the data, and the recipients of the information.

b) The obligatory or voluntary nature of the reply to the questions put to them.

c) The consequences of obtaining the data or of refusing to provide them.

d) The possibility of exercising rights of access, rectification, erasure and objection.

e) The identity and address of the controller or of his representative, if any.

SECTION II – Legal Overview – Spain


141

Consent of the data subject. Processing of personal data shall require the unambiguous consent of

the data subject, unless established otherwise by law.

Data security and the duty of secrecy. The controller or, where applicable, the processor shall

adopt the technical and organisational measures necessary to ensure the security of the personal

data. The data controller and any person involved in any stage of the processing personal data

shall be subject to professional secrecy.

The specific regulation of data sharing and access to data on behalf of third parties.

Additional requirements for the processing of sensitive data.

Article 30 LOPD and Articles 46 to 51 RD LOPD specifically regulate files processed for the purpose of

advertising and market research. Article 30 states that the files processed for this purpose must be

collected whether from sources accessible to the public or provided by the data subjects themselves

or with their consent. When the personal data are collected from public sources, the data controller

will have to include in each communication to the data subject information about the origin of the

data and the identity of the data controller, as well as the rights available to the data subject. Data

subjects have the right to oppose to the processing of their personal data for this purposes.

Public sources are precisely identified in Article 28 LOPD and Article 7 RD LOPD as:

Personal data included in the promotional census;

Lists of persons belonging to professional groups;

Data contained in guides to electronic communications services available to the public;

Data obtained from official journals and gazettes;

The media.

No other sources are accepted as public sources.

Please note that the RD LOPD expands the regulation of the processing of personal data for the

purposes of advertising and market research introducing relevant provisions regulating:

the role of organizations (data controllers or data processors) that carry out advertising

campaigns;

the implications of depuration of data controllers‟ databases;

the conservation of personal data of opt-outs;

the creation of a Robison list for electronic communications;

the exercise of the rights of access, rectification, cancelation and opposition by data subjects;


As a general rule, the data subject‟s consent is required for the processing of personal data. . There

are some exceptions to this general rule. Consent is not needed when personal data are collected

from public sources as long as the data controller has a legitimate interest to process the data and

the fundamental rights of the data subjects are not violated.

Express consent is required for the processing of sensitive data.

Express consent is also needed for sending commercial emails or other commercial electronic

communications unless to a person with whom the sender has a commercial relationship and the

requirements established in Article 21.2 LSSI apply.

Implied consent

Implied consent is generally acceptable in Spain. Apart from the type of consent needed, the data

controller must always provide data subjects with information related to the purposes for which

personal data is processed.



142

Consent may also be obtained by sending, in a way that will allow the data controller to track

whether the communication has bounced back, a communication to the data subject with the

information required in Article 5 LOPD providing the consumer with 30 days to object to the

processing. This request of consent can only be sent to the data subject once a year.

Consent by data subject is required when using all means of communication media for marketing

purposes.


Express consent.


health, and trade union memberships Personal data related to beliefs and criminal or administrative

offences.



The addressee must have given their consent to the sender before sending them email or any other

electronic communication system. As stated in the Preliminary Recitals of the LSSI (mentioned in

above), and Articles 19 to 22 related to commercial electronic communications, these

communications should be identified as commercial.

The principles governing commercial electronic communications regulation are the consent of the

addressee and the right to revoke the consent at any time by letting the sender know.

There is one exception to this principle, which was introduced by the LGTel. Consent will not be

required when the sender and the addressee have a previous contractual relationship, the data have

been collected in a lawful way and the commercial electronic communications send to them relate to

products or services which are similar to those originally purchased by the addressee.

Article 38 of the LGTel establishes the rights which correspond to electronic communication services

subscribers. This regulation, in relation to marketing issues, prohibits the use of traffic data for

commercial use without the informed consent of the subscriber. Automatic calls or fax messages for

Direct Marketing purposes without informed consent are also banned.


Soft opt-in is allowed by the Spanish DPA under conditions. Express consent is not required when

there is prior contractual relationship between the sender and addressee . The requirements that

must be met for this exception to apply are described above.


Article 38.3 LGTel regulates the rights of subscribers in electronic communication services and,

includes in the scope of protection companies or professionals subscribers to these services.

This regulation prohibits the use of traffic data for commercial use without the informed consent of

the subscriber, and also requires that automatic calls or fax messages for Direct Marketing purposes

must have informed consent.

Purposes

Data controllers must be precise when they provide information about the purpose of processing

personal data.



143

Generic terms

Article 46 RD LOPD states that data subjects must be provided with information about the specific

sectors from which the data subject may receive information.



There is no official statement that data controllers must use, however, certain information must

always be provided to the individual. This information is listed above.

This statement must also include reference to any transfer of data to a third party that is not a data

processor. Consent of the individual is required to transfer personal data to a third party.

In relation to direct marketing and market research files it is vital to note that data controllers have

the obligation to be precise when informing data subjects about the specific and concrete sectors in

relation to which the data subject may receive information.

When, in the context of entering into a contract with the data subject, the data controller requests

the data subject‟s consent for the processing of their personal data for a purpose other than the

contract, data subjects must be given the opportunity to object to this processing or data transfer of

their personal data.



Data subjects do not need to be given information about the processing of their personal data more

than once unless any circumstance related to the processing has varied. When the data subject‟s data

has been obtained from a public source, data subjects must be provided the following information in

every commercial communication that is sent to them: origin of their data; identify of the data

controller, their rights and how to exercise them.

Opt-out

Every electronic communication must offer the data subject the possibility to opt out from receiving

marketing communications, this must be easy and free of charge.


Yes.

Data Storage


None


Access control registries and CCTV recordings can only be held for 1 month.

A principle of the Spanish legislation is that personal data may be collected for processing, and

undergo such processing, only if it is adequate, relevant and not excessive in relation to the scope

and the specified, explicit and legitimate purposes for which they were obtained. Personal data must

be erased when it has ceased to be necessary or relevant for the purpose for which they were

obtained or recorded.



144

Data controllers must observe the terms of storage of personal data required by law .

Cancellation (opt out) must lead to the personal data being blocked and maintained solely at the

disposal of the public administrations, judges and courts, for the purpose of determining any liability

arising from the processing, and for the duration of such liability. On expiry of this liability, the data

must be deleted.

Penalties

National penalties which the DPA can apply

For infringements of data protection regulation (LOPD and RD LOPD) economic fines and the blocking of

the file in order to restore the rights of the data subjects.

These are the amounts of the fines set out by LOPD:

1. Minor infringements shall be punished by a fine of 601,01 € up to 60.101,21 €

2. Serious infringements shall be punished by a fine of 60.101,21 € up to 300.506,05 €

3. Very serious infringements shall be punished by a fine of 300.506,05 € up to 601.012,10 €

Infringements of electronic communications and e-commerce regulation (LSSI) are the following:

1. Very serious infringements shall be punished by a fine of 150.001 € up to 600.000 € (two or more

very serious infringements within 3 years can result in the company being barred from carrying out

any activity in Spain for a maximum of 2 years)

2. Serious infringements shall be punished by a fine of 30.001 € up to 150.000 €

3. Minor infringements shall be punished by a fine of up to 30.000 €

LGTel establishes a complex fine calculation based on criteria such as the type of infringement or the

profit obtained from the infringement for serious and very serious infringements. In the event that these

criteria cannot be applied, the maximum fine for very serious infringements goes up to 2 million €, and

for serious infringements up to 500.000 €. The maximum fine for minor infringements is 30.000 €.


Penalties established by LOPD, LSSI and LGTel (note: under certain circumstances, a data controller or a

data subject can have multiple fines imposed upon them from these three laws for the same actions).



Collection of data with cookies is regulated in LSSI.

This regulation establishes that services providers using data storage devices (cookies) shall inform the

user, in a clear way, about their use and purpose, offering them the possibility of rejecting the

processing of these data by means of a simple and free procedure.


Both rights must be free of charge for the data subject giving them enough information of how to

exercise these rights.

Access: the data controller has 1 month to honour the request of the data subject.

Rectification and Cancellation: the data controller has 10 days to honour the request of the data

subject.



145

Sweden


The Swedish Personal Data Act 1998;

The Marketing Practices Act 2008 (MPA);

The Credit Information Act 1973.

Swedish marketing law is mainly regulated by the MPA, which is based on Directive 2005/29/EC. A

public authority, the Consumers Ombudsman, has the primary responsibility for ensuring compliance

with the MPA. The MPA contains general provisions stating that marketing practices shall be consistent

with generally accepted marketing practices and that marketing practices which contravene this

standard shall be deemed unfair if they noticeably affect or are likely to affect the recipient‟s ability

to take a well-founded commercial decision. These general provisions are supplemented by explicit

provisions and a more detailed system of sanctions. The MPA is both aimed at consumer protection

and to protect commercial and industrial actions.

The legislative technique used in the MPA is based on a combination of having a general clause

requiring all commercial marketing to be fair and compatible with good marketing practice and a

number of detailed legal provisions. These provisions address specific types of marketing practices,

which are to be regarded as unlawful.

The detailed legal provisions concern aggressive marketing practices, misleading marketing practices,

comparative advertising, unsolicited advertising and warranty information. The misleading practices

are specified in provisions regarding

Identification in advertisements;

Misleading claims or other presentations;

Purchase offers;

Misleading copies;

Discount;

Liquidation sales;

In addition, sections 1-23 of Annex I to the Unfair Commercial Practices (UCP) Directive 2005/29/EC,

detail various misleading marketing practices which will always be deemed to be unfair. If a trader is

found to be using unfair marketing practices it may be subject to a prohibition or information in

conjunction with a conditional fine and could also be sued for damages. The advertiser can also be

ordered to pay a fine to the State, a so-called market disruption fee.



Registration of Marketing Lists with the DPA

There is no requirement to register marketing lists with the Data Commission. Processing shall

however be notified but the notification procedure contains several exceptions.

Purposes

The data subject has to be provided with the purpose for the collection of data.

SECTION II – Legal Overview – Sweden


146

Wording for Collecting Data and consent to marketing activities

There is no particular wording required for collecting data. However generally, an the data subject

must be made aware of the purposes for data processing, including that the data are to be used for

direct marketing purposes. From a personal data perspective, implied (opt-out) consent is generally

sufficient for direct marketing purposes. However, under the MPA the data subject must give prior

explicit consent (opt-in) to his data being used for direct marketing through electronic communication

means, such as SMS, telefax and e-mail, but certain exemptions are made, such as marketing of the

traders own products.


Data that reveals any of the following is considered sensitive data:

Religious or philosophical belief;

Membership of a Trade Union;

Race or ethnic origin;

Political opinions;

Sexual Interests;

Health issues;

The government may issue regulations concerning exemptions from the prohibition on processing

sensitive personal data if this is necessary having regard to an important public interest. The rules for

processing of sensitive personal data apply in addition to the fundamental and general requirements

that must be satisfied in the processing of personal data.

Data Storage

Under the Swedish Personal Data Act, personal data should not be kept for a longer period than

necessary. As regards processing of personal data for historical, statistical or scientific purposes

certain rules apply. If personal data that are processed for such purposes are also processed later, this

is not considered incompatible with the original purpose for which the data were gathered. It is also

permitted, for such purposes, to save personal data for a longer period. Personal data can only be

stored during a time when there is a purpose for the information:

The time limit for maintaining registrations on dormant customers is three years;

The three year limit can be extended if an active customer contact is established.

The advertiser must get rid of the information if he hasn‟t received any response. When destroying

the information, it should be done so there is no way to recreate the information. It is not enough

merely to write the information in cipher.


No specific data confidentiality clause exists.

Penalties

Breaches regarding processing of personal data may render fines, imprisonment and/or damages.


Presently, the European Commission has started an action at the European Court of Justice (ECJ)

against Sweden for not applying the EU Directive adequately.



147


The controller is liable, upon request by the data subject, to correct, block, restrict or erase as soon

as practicable personal data which has not been processed in accordance with the Personal Data Act

or regulations issued under the Act. If a disagreement arises between the controller and the

registered person about whether data should be corrected or not, the data subject can report the

matter to the DIB.

National DPA‟s Contact Details

Datainspektionen

Box 8114

SE-104 20 Stockholm

Sweden

Office Address:

Drottninggatan 29

5th Floor

Stockholm

Sweden

Tel: (+46) 8 657 61 00

Fax: (+46) 8 652 86 52


Web: http://www.datainspektionen.se/in_english/contact_us.shtml

Industry Codes of Practice

For information, contact SWEDMA:

David Bagares Gata 3

P.O. Box 3276

103 65 Stockholm

Sweden

Tel. + 46 8 534 802 60


Website: www.swedma.se




http://www.datainspektionen.se/in_english/contact_us.shtml

148

Switzerland


Swiss Federal Act on Data Protection (“DPA”), 19 June 1992 (Status as per January 2008)

Ordinance on the Data Protection Act, 14 June 1993 (Status as per 1 January 2008)

Ordinance on the Certification Procedure, 28 September 2007 (Status as per 1 January 2008)

Art. 28 of the Swiss Civil Code dealing with the protection of personality rights.

The Act regulates the processing of data of private individuals and legal entities undertaken by both

private individuals and Federal Authorities. It does not apply to:

personal data that are processed by a private individual exclusively for personal use and that are

not disclosed to a third party;

deliberations of the Federal Parliament and Parliamentary Committees;

pending civil, penal, or international legal assistance proceedings, or public or administrative law

proceedings, with the exception of administrative proceedings of the first instance;

public registers relating to private law matters;

personal data processed by the International Committee of the Red Cross.

The DPA maintains a register of data files that is accessible online. Anyone may consult that register.

Federal authorities must declare all of their data files to the DPA for registration purposes.

Private individuals must register their data files (i)_ if they regularly process sensitive personal data

or personality profiles or (ii) if they regularly disclose personal data to third parties.

However, the controller of data files is not required to declare his files to the DPA under certain

conditions (Art. 11a § 5 lit. a to f DPA and Article 4 of the Ordinance).

Purposes

Personal data may only be processed for the purposes for which it was collected, which are evident

from the circumstances of the collection, or which are provided for by the law.

Wording for Collecting Data (art. 4 DPA)

Personal data must be processed lawfully, and the processing must be proportionate and carried out

in good faith. The collection of personal data and in particular the purpose of its processing must be

evident to the data subject (principle of transparency).

If the consent of the data subject is required for the processing of personal data, such consent is only

valid only if it is given voluntarily on the provision of adequate information. Additionally, in relation

to sensitive personal data and personality profiles, the consent must be given expressly.

Correctness of the data (art. 5 DPA)

Anyone who processes personal data must make certain that it is correct. Duty to provide information

when collecting sensitive personal data and personality profile (art. 7a DPA)

Sensitive personal data includes data relating to the subjects:

religious, ideological, political or trade union-related views or activities,

health, the intimate sphere or the racial origin,

social security measures,

administrative or criminal proceedings and sanctions.

SECTION II – Legal Overview – Switzerland


149

A personality profile is a collection of data that permits an assessment of essential characteristics of a

private individual.

The controller of a data file is obliged to inform the data subject of the collection of sensitive

personal data or personality profiles; this duty to provide information also applies if the data are

obtained from third parties.

If the data are not obtained from the data subject, the required information must be provided at the

latest when the storage of the data begins, or if the data is not stored, when it is first disclosure to

third parties.

Data Storage (art. 7 DPA and art. 8 to 12 of the Ordinance regarding the DPA)

The DPA does not provide specific provisions regarding data storage. It contains however provisions as

to data security. According to these provisions, personal data must be protected against unauthorised

processing through adequate technical and organisational measures. Moreover, for security purposes,

sensitive personal data and personality profiles should be protected and are to be kept under

restricted access.

Articles 8 to 12 of the Ordinance regarding the DPA address the technical measures to be taken in this

regard.


There is no data confidentiality clause as such however the following rules apply (Article 8 of the Data

Protection Act):

Anyone may ask a file controller if data stored concerning him are being processed;

The file controller must provide information on:

a) all data relating to the individual that are contained in the file;

b) the purpose and if necessary the legal basis for the processing, the categories of processed

data, the individuals involved in processing the file, and the individuals designated to receive the

file;

In the event that the file controller has the personal data processed by a third party, the data

controller shall remain responsible for providing any information that is requested. The third

party shall be obliged to provide information in the event that it does not disclose the name of

the data controller or in the event that the controller is not resident in Switzerland;

The information should, as a general rule, be provided free of charge and submitted in writing in

printed form. The Federal Council regulates exceptions.

No one may waive the right to information in advance.

Data Processing by third parties (art. 10 A DPA)

The processing of personal data may be carried out by a third parties by agreement, or by law, if:

the data are processed only in accordance with the instructions of the data controller; and

it is not prohibited by a statutory or contractual duty of confidentiality.

The instructing party must in particular ensure that the third party guarantees data security. The

third parties may claim the same justification as the instructing party.

Cross-border disclosure (art. 6 DPA)

Personal data may not be transferred abroad if the privacy of the data subjects would be seriously

endangered, in particular due to the absence of legislation that guarantees adequate protection.



150

In the absence of legislation that guarantees adequate protection, personal data may be disclosed

abroad only under restrictive conditions as mentioned under (Article 6 (2) a to g DPA). The explicit

consent of the data subject may be an alternative to disclose the data. The consent must be given for

each case separately and the person must know which data are concerned by the transfer.

It is not possible to give a "general consent" regarding the transmission of personal sensitive data to a

foreign recipient.

Certification Procedure (art. 11 DPA and Ordinance about the Certification Procedure)

According to the new regulation, private individuals or Federal Authorities can submit their

operational processes and organizational structures relevant for data protection in order to obtain a

"Data Protection Certificate". The definition of "certification" according to Swiss law is not the same

as that in other European countries.

Security of Data

Personal data must be protected against unauthorised processing by appropriate organisational and

technical means. The Federal Council may enact more detailed provisions on the minimum data

security measures (see also above: Data Storage).

Penalties

Private persons violating their obligations with respect to information, notification and granting

access to information are punishable by fine. Unauthorised access to sensitive data is punishable by

fine, i.e. the data subject enjoys all usual remedies available under normal civil procedure (i.e.

injunctions, right to restitution, or right to claim damages). Private individuals who unlawfully

disclose personal data are liable to a fine (see art. 35 DPA).


No information available.

Access and Rectification of Data (art. 29 DPA)

Whoever processes personal data must ensure that the information is correct. Any persons affected

can request the rectification of inaccurate data.

The Commissioner shall investigate cases in more details on his own initiative or at the request of

third parties under various conditions.

On the basis of his investigation, the Commissioner may recommend that the method of processing be

changed or abandoned. If a recommendation made by the Commissioner is not complied with or is

rejected, he may refer the matter to the Federal Administrative Court for a decision. He has the right

to appeal against this decision.

Industry Codes of Practice

The Swiss Code of Best Practice for Corporate Governance contains the principles for corporate

governance in Switzerland and gives recommendations to the Swiss public companies. Unlisted

companies can also use the code. As it was issued by “economiesuisse” (the Swiss Business

Federation), it is considered to be a self regulation tool for all business (industry, financial sector,

other services).

Consumer Protection Regulation

The Office of Consumer Affairs ensures that the collective interests of consumers are upheld.

It promotes consumer protection and the proper functioning of the market. For more information (in

French, Italian, German and English): http://www.ch.ch/urn:ch:en:ch:ch.02.13.02.10:01



http://www.ch.ch/urn:ch:en:ch:ch.02.13.02.10:01

151

United Kingdom


Data Protection Act 1998

Privacy and Electronic Communications (EC Directive) Regulations 2003


The DPA does help with enquiries.


If you are a data controller in the UK (i.e. Responsible for compiling and maintaining a marketing list),

the general rule is that you are required to notify. However, you may be exempt from the

requirement to register, but it is still good practice to do so, if you are:

only using your own customer list for the marketing of your own goods and services to them; and

you otherwise only process personal information for staff administration purposes (including

payroll) and for accounts and record keeping purposes

Please see:

www.ico.gov.uk/what_we_cover/data_protection/notification/do_i_need_to_notify.aspx

If you are a data processor (i.e. only compiling and maintaining a marketing list on behalf of a client),

then you do not need to notify, but it is good practice to do so.


3 weeks

Registration costs

From October 2009 a new two tiered fee system for registration with the Information Commissioners

Office (DPA) was introduced, based on the organisation‟s size and turnover.

Data contollers will have to pay a registration fee of £35 per year unless they are exempt or if they

meet the following criteria:

a turnover of £25.9M and 250 or more members of staff; or

if they are a public authority with 250 or more members of staff

In which case they will have to pay £500 per year.



purposes

1) Balance of interests necessary for the purposes and legitimate interests pursued by marketer or

third parties to whom the data are disclosed, except where the marketing is unwanted in any

particular case because the recipient has registered with the preference services (Robinsons Lists)

2) Consent of the individual

SECTION II – Legal Overview – UK


http://www.ico.gov.uk/what_we_cover/data_protection/notification/do_i_need_to_notify.aspx

152


Consent is required for email, SMS and fax marketing to individuals. The UK uses the definition of

consent in the Data Protection Directive. Consent is defined as any freely given, specific, informed

action by which the consumer signifies agreement. Consent can be obtained by an opt-in tick box or

by the consumer providing their contact details providing they are told the consequences before they

provide those details.

Implied consent

Implied consent is acceptable for the marketers own marketing, but remember that consumers can

withdraw implied consent at any time. Implied consent is acceptable for email and SMS if using the

„soft opt-in‟ facility. Implied consent is also acceptable, other than for email and SMS, for passing

contact details to third parties. Organisations in the UK often use two tick opt-out boxes:

1. for own marketing

2. for third party marketing

Implied consent can also be obtained by providing consumers with a valid contact address they can

use to opt-out, but if this method is used, any request has to be acknowledged within 21 days.


Consent is required for SMS, MMS, EMAIL, FAX

Consent is not required for Telephone (although the Preference Service needs to be checked first)

and Mail (provided the address was not registered in the Preference Service)


Explicit consent is required to process sensitive data.



No other category.



Consumers have to opt-in to any marketing communications by email, SMS and MMS, however see the

soft opt-in option below.


A soft opt-in is available when the direct marketer has obtained the personal data during negotiations

for the sale of goods or services and the communication will be about similar products or services to

those purchased. Every communication must provide an easy opt-out mechanism and the trader‟s

identity must not be concealed.


The rules requiring an opt-in for email marketing do not apply to emails sent to organisations, even if

there is a named individual. The identity of the sender must be clear and the email must provide a

valid address to which opt-out requests can be sent.. However, the British Code of Advertising, Sales

Promotion and Direct Marketing (the CAP code) recommends that explicit consent should be obtained

for marketing consumer products to named employees of corporate subscribers.



153

Purposes

There is no requirement to be precise when providing the purpose for processing information.

Although the DPA has produced best practice guidance which states that organisations should provide

as much as much detail as possible as to the purposes of processing. Failure to comply with best

practice guidelines can result in an organisation being held to be in breach of the Data Protection Act.

Generic terms

Generic terms are acceptable, however, see the above, not on the DPA‟s best practice guidelines.



There is no requirement or recognized form of wording.



Only on the initial collection of the data

Opt-out

Normally opt-out is exercised through a tick box on a response or data collection form or in the case

of email and SMS a return unsubscribe facility. Opt-out can also be exercised through a valid contact

address.

By means of two tick opt-out boxes:

for own marketing

for third party marketing

Implied consent can also be obtained by providing consumers with a valid contact address they can

use to opt-out, but if this method is used, any request has to be acknowledged within 21 days.


Yes- if you are using the soft opt-in exemption for email or SMS.

No – for other channels although it is good practice.

Data Storage


There is no model data confidentiality clause in the UK.


There is no specific limit for holding data, but data should not be kept longer than is necessary. Direct

Marketers should therefore draw up their own retention policies, bearing in mind retention periods

under company and tax legislation and ensure that data are destroyed at the appropriate time.



There are no model clauses to govern the rules. Data can be transferred between companies provided

there is a contract in writing in place which meets the requirements of Schedule 1 Part II paras 9 – 12

(see section „Security of Data‟ below). The UK DMA has an example contract.



154

Transfer of data to non-EU countries

Procedure for transferring data to non-EU countries

The Information Commissioners Office (ICO) has produced guidance but does not require notification

of individual transfers nor does it wish to see individual contracts. However, when you initially notify

the ICO, you must state whether you transfer data to such countries.

Security of data

In order to comply with the security principle in the Data Protection Act 1998, where processing of

personal data is carried out by a data processor on behalf of a data controller, the data controller

must:

a) choose a data processor providing sufficient guarantees in respect of the technical and

organisational security measures governing the processing to be carried out, and

b) take reasonable steps to ensure compliance with those measures.


Data Processors may have to incur costs to keep up with technological developments.


Database owners have protection under copyright legislation (sui generic right) in respect of their

databases, specifically the Copyright and Rights in Databases Regulations 1997. These rights were

seriously limited by the William Hill v British Horseracing Board case.

Penalties


The DPA has the power to issue an enforcement notice, in which it can order the controller to take

specific steps to rectify a breach. It can also carry out an assessment of how an organisation processes

personal data either in response to a complaint or on its own initiative. It can also issue an

information notice requiring the production of specified information. From the 6 April 2010 the DPA

will have the power to fine organisations for serious breaches of the Act. The maximum fine will be

£500,000, depending on, amongst other things, the seriousness of the breach, and the ability of the

organisation to pay the fine.

If an organisation fails to comply with an enforcement notice, court action can be taken and a fine of

£5,000 (7,500 Euros) in the Magistrates Court or an unlimited fine in the Crown Court. The DPA can

also apply for a warrant for powers of entry and inspection in the case of suspected breaches of the

Data Protection Act 1998.

There is also a criminal offence under section 55(1) Data Protection Act 1998 for unlawfully obtaining

or disclosing personal data without the consent of the data controller.

Penalties for breaching the rules on unsolicited Email

The DPA has the same powers of enforcement as under the Data Protection Act 1998 to deal with

breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

individual has the right to request the data controller to correct this.



155



There are no special rules but the Privacy and Electronic Communications (EC Directive) Regulations

must be complied with in respect of marketing by email.


Individuals have the right to ask data controllers for a copy of all the personal information they hold

on them. The request must be in writing and a maximum fee of £10 (15 Euros) can be charged. Data

controllers have a maximum of 40 days to provide the information. If there are any inaccuracies in the

information, the individual has the right to request the data controller to correct this.


The UK DMA have a Code of Practice which is mandatory for all members. The Mail Preference Service

(MPS) is a self-regulatory scheme run by the UK DMA. Use of it is required under the DMA Code of

Practice and the British Code of Advertising, Sales Promotion and Direct Marketing (the CAP code).

The Telephone Preference Service (TPS); Corporate Telephone Preference Service (CTPS); and the Fax

Preference Service (FPS) are run by the UK DMA on behalf of OFCOM (Office of Communications). Use

of the registers is a legal requirement under the Privacy and Electronic Communications (EC Directive)

Regulations 2003.

The UK DMA Code of Practice is not formally agreed with the DPA, but the DPA wrote the forward for

the Code, welcoming its introduction.

The UK DMA runs the Email Preference Service. Use of it is a requirement under the UK DMA Code of

Practice if you are emailing to recipients outside Europe. All the above can be found on the DMA

website at www.dma.org.uk.



http://www.dma.org.uk/

156

United States of America


Fair Credit Reporting Act (FCRA, 1970)/Fair and Accurate Credit Transactions Act (FACTA, 2003) –

credit-report privacy

Privacy Act (1974) – government privacy

Video Privacy Protection Act (VPPA, 1988) – video-rental privacy

Health Insurance Portability and Accountability Act (HIPAA, 1996) / Health Information

Technology for Economic and Clinical Health Act (HITECH, 2009) – healthcare privacy

Drivers Privacy Protection Act (DPPA, 1994) – driver‟s license privacy within government

Telemarketing & Consumer Fraud and Abuse Prevention Act (1994) / Telemarketing Sales Rule

(2003) – telemarketing privacy

Children‟s Online Privacy Protection Act (COPPA, 1998) – children‟s privacy

Gramm-Leach-Billy Act (GLBA, 1999) – financial privacy

Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN SPAM, 2003) – e-mail

marketing privacy

State-level data-breach notification laws (ex: California SB 1386)

State-level Social Security Number privacy and security laws

State-level information-security laws (ex: Massachusetts 201 CMR 17)

State-level healthcare privacy laws

State-level government privacy laws (ex: Minnesota Data Practices Act)

In the US, there is no data-protection regime in the European sense of a federal data-protection

commissioner (DPA) overseeing the enforcement of a national data-protection law governing all

personal data. That said, an array of US federal and state regulations govern the protection of many

types of personal information in a similar manner to European data-protection laws. The laws

variously provide the data subject access and correction rights. There also exist:

Limitations on transfers to third parties;

Limits on the purposes for which information can be used;

Rights to be notified of data breaches;

In some cases, individual rights of action.

The varying privacy laws that exist in different sectors and states should be reviewed before doing

business with the US. Generally, one should begin this review with the „business sector‟ the

organization is involved in, then proceed to consider the states it is located in or does business in. For

example, the Fair Credit Reporting Act is extremely complex and has been amended several times but

effectively regulates collecting personal data for sale.

Another example is that of the Health Insurance Portability and Accountability Act (HIPPA) which is

also very complex and it imposes the data protection regime on medical providers. To market in this

area, a signature is required from the data subject.

US laws in data protection are supplemented by self-regulatory regimes, such as those administered

by the Direct Marketing Association, TRUSTe, and Better Business Bureau, and industry-led initiatives

such as the Payment Card Industry Data Security Standard. In addition, the US Department of

Commerce administers, and the Federal Trade Commission enforces, the EU-US Safe Harbor

Agreement, a programme wherein US companies can voluntarily conform their processing of EU

personal data to European data-protection principles.

SECTION II – Legal Overview – USA


157


N/A



purposes

The United States, neither at the federal or state level, distinguishes between sensitive or non-

sensitive data in the European sense. Where its laws impose restrictions on using data for direct

marketing, they do so from the perspective of the category of data subject (children, for example),

the business sector in question (healthcare, for example), or the mode of communications used (e-

mail, for example). At a fundamental level, the Constitution of the United States of America has

established the legal grounds for processing personal data for marketing purposes, as US courts tend

to see this type of communications as within the freedom of speech. Under the self-regulatory model

of the US Direct Marketing Association, customers and prospects should be clearly informed of their

right to tell the member company to suppress the processing or transfer of their details.


In general, consumers exercise an opt-out approach to consent, either by clicking on an “unsubscribe”

link on an e-mail, checking an “opt-out” box on an online profile, posting an opt-out form, or calling a

call center. Patients sign authorization forms to provide consent for the processing of their

protected-health information. Parents give consent for data collection from and marketing to their

children by, for example, providing a verifiable credit-card number. In the self-regulatory model of

the US Direct Marketing Association, data subjects should be clearly told if their details might be

transferred and be provided with an easily exercisable way to opt-out of the direct marketing process.

Implied consent

Implied consent is acceptable in the US and is done by inactivity and failure to object.

Please note that affirmative consent is required for marketing through certain media. See below.


Consent is required for SMS and FAX

Consent is not required Email, Telephone and Mail

There is no information on the sending of MMS messages.


Express consent is required under some federal and states laws, particularly regarding health and

children‟s information.


Health information, which would include sexual interests if the information was obtained in the

context of seeking medical advice or care. Financial information is also considered “sensitive” and is

subject to many regulations on the Federal and State level as to disclosures on gathering and to whom

the data may be disclosed.



158



The Constitution of the United States of America, modified in case of SMS by Congress, which requires

opt-in in the case of transmission of commercial messages where the recipient pays the cost of

receiving the message (e.g. SMS, Fax).


“Soft” opt-in is referred to in the US as a “pre-existing business relationship”. A business relationship

is defined as a purchase or enquiry within defined periods of time.

Rules on electronic communication for B-to-B marketing purposes, specified by subject:

Purposes

When giving the purposes for processing personal data, it is required to be precise when the

information is sensitive. However, it is generally not necessary to be as precise for non-sensitive

information.

Generic terms

Generic terms are acceptable for non-sensitive information.



There are a required and recognized wording for collecting data, and where required, best practices

generally produce common forms of wording in different industries, particularly in the financial and

healthcare sectors.



Generally, only to prospects, although in the sensitive area (financial/medical) most organisations

also disclose to existing clients.

Category Opt–in Opt-out

Automated calling machines

Fax Email SMS MMS



159

Opt-out

Can be oral through a phone call; letter, or electronic through an e-mail or Web site.


For commercial e-mails.

Data Storage


Data confidentiality is a major, ongoing focus of enforcement in the US. In practice, required

notifications of data breaches can result in class-action lawsuits, investigations by state attorneys

general, the Federal Trade Commission, and – depending on the sector of the company involved – by

state insurance commissioners, federal financial regulators, and the US Department of Health and

Human Services. In this regard, the Payment Card Industry Data Security Standard and the Gramm-

Leach-Bliley Safeguards Rule have become de facto national standards of „reasonable security‟ and

confidentiality.


Sectoral and state laws and standards dictate an array of different time limits for holding personal

data, particularly employee records, financial records, and credit-card information.

Penalties

National penalties

The Federal Trade Commission can apply to fines in excess of $1 million.


Civil penalties and civil damages.



None


A legally-enforceable right to access and correct data is embodied in the Federal statute regarding

credit-information, the Fair Credit Reporting Act, which governs the collection of financially-related

information, its use, its theft or loss, and a consumer‟s right to correct information if credit is denied.

Consumers may also block the disclosure of their data on demand.


Codes and Practice and Preference Services can be found at the USA DMA. www.the-dma.org



http://www.the-dma.org/



FEDMA, the Federation of European Direct and Interactive Marketing, represents the sector in all its

forms at European level. FEDMA's objectives are to protect and promote the direct and interactive

marketing sector by creating, through representation, self-regulation and information, acceptance

of, and confidence in, direct and interactive marketing within a healthy commercial and

legislative environment in which the sector can profitably operate and develop. Representing the

interests of over 18,000 companies, FEDMA is the single voice dedicated to building the business

of cross-border direct and interactive marketing, through its vast network of businesses within and

beyond Europe. All our members enjoy a wide range of services.

FEDMA's Mission Statement

Today, direct marketing strategies (via mail, email, telephone, mobile, Internet and direct response)

are an essential tool for companies to approach, inform and retain customers, as well as providing

customer relationship services.

The development of sophisticated databases, telemarketing and e-marketing has made direct

marketing increasingly popular as a marketing strategy and has encouraged strong investment.

FEDMA‟s task is dedicated to building the business of cross-border direct marketing, by promotion,

protection, information and best practices.

FEDMA's mission is to:

Protect the European direct and interactive marketing industry and the interests of our members.

FEDMA aims to encourage the European institutions to ensure a healthy commercial and legislative

environment within which the industry may prosper.

Promote the European direct and interactive marketing industry towards governments, media,

businesses, consumers; to encourage the growth and profitability of our members and support the

further development of direct marketing as a marketing strategy .

Inform members, governments, media, businesses, and consumers about the European direct and

interactive marketing industry, and encourage education and training for the sector.

Contact Details

Federation of European Direct Marketing

439, Avenue de Tervuren, B-1150 Brussels

Tel: +32 2 779 42 69

Fax: +32 2 779 42 69


Web: www.fedma.org

160

About FEDMA


http://www.fedma.org/index.php?id=359757




161


Fed Ma Report

Documents

Transcript of Fed Ma Report