News 3 November 2022 approx. 5 min read

How do you properly solicit consents to send newsletters?

Author: Zuzanna Bokina-Kielbasa, Attorney-at-law (radca prawny), Managing Associate

Let’s clarify: a newsletter constitutes the sending of commercial communications, and sending commercial communications by email involves the processing of website users’ personal data, most commonly their first name, surname and email address. However, this processing is not subject solely to the provisions of the General Data Protection Regulation (GDPR). Additional requirements in this regard are also set out in the Act on the Provision of Electronic Services and the Telecommunications Law.

Pursuant to Article 10(1)-(2) of the Act on the Provision of Electronic Services:

It is prohibited to send unsolicited commercial information addressed to a specific recipient who is a natural person by means of electronic communication, in particular by email.

Commercial information is deemed to have been requested if the recipient has consented to receiving such information, in particular by providing an email address identifying them for that purpose.

However, pursuant to Article 172(1) of the Telecommunications Law:

It is prohibited to use telecommunications terminal equipment and automatic calling systems for direct marketing purposes, unless the subscriber or end-user has given their prior consent.

Therefore, in order to be able to send offers or other commercial information to subscribers, one must take into account not only the GDPR but also the above regulations.

As a general rule, the legal basis for processing the personal data of newsletter subscribers is consent. **Consent cannot be implied; it must be voluntary and explicit, and the person giving consent must be aware of what they are agreeing to.** Information addressed to users should be worded as clearly and simply as possible. Consent that is incomprehensible or ambiguous will be invalid.

Furthermore, as part of fulfilling the information obligation under the GDPR, our user must be informed of who will be the controller of their personal data, the scope of the data being processed, the purpose and legal basis for processing, the duration of processing, and the rights the user has regarding the processing of their personal data – here, the right to withdraw consent at any time plays a key role. However, the information obligation may be fulfilled in the privacy policy on the website in question, which also covers other information regarding the controller’s processing of website users’ personal data. In that case, if we do not wish to include such a lengthy information obligation beneath the newsletter subscription checkbox, we may place a link to the privacy policy there with an appropriate note.

The recitals of the GDPR indicate that the processing of personal data for direct marketing purposes may be considered an activity carried out in the legitimate interests of the controller, so this is, in fact, a sufficient basis for processing data for the aforementioned purpose. However, firstly, we are talking here only about the GDPR! One must also take into account, for example, the provisions of the Act on the Provision of Electronic Services. Secondly, relying on this ground requires the controller to carry out a thorough analysis to ensure that this is indeed the appropriate basis. In this case, a so-called balancing test can be carried out, which involves weighing up the interests of the data controller against those of the data subjects. The result of the test will indicate whose interests prevail in the given case and whether the legitimate interest ground can be relied upon.

Single opt-in or double opt-in methods

To build a mailing list, we can use the single opt-in or double opt-in method. The first method involves a person wishing to subscribe to the newsletter providing their email address and other specified details, after which they are immediately added to the list. The second method – double opt-in – involves an additional verification step, i.e. after subscribing to the newsletter, the user receives an activation link; clicking this link adds them to the mailing list. If the link is not activated, the subscription to the newsletter does not go through. Admittedly, this method means that some users do not activate their subscription, but it does prevent us from processing data belonging to someone other than the person who filled in the form. With the single opt-in method, it may happen that the person filling in the form enters someone else’s details. The double opt-in method also allows us to demonstrate and provide additional confirmation that the subscriber has consented to receiving commercial communications.
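The double opt-in flow described above, as an added sketch (not code from the article or from the firm): an address joins the list only after its activation link is used, and the stored record is the confirmation evidence. The function names, the in-memory stores, the 48-hour link lifetime and the consent-wording identifier are assumptions made for the illustration.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 48 * 3600            # assumed lifetime of the activation link
CONSENT_WORDING = "newsletter-v1"  # hypothetical id of the checkbox text shown

pending = {}      # sha256(token) -> request awaiting confirmation
subscribers = {}  # email -> evidence that consent was confirmed

def token_digest(token):
    # Only the digest is stored, so a leaked table holds no usable links.
    return hashlib.sha256(token.encode()).hexdigest()

def request_subscription(email, now=None):
    """Form submitted: record a pending request, do NOT add to the list."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable, sent only to that address
    pending[token_digest(token)] = {
        "email": email.strip().lower(),
        "requested_at": now,
    }
    return token  # embedded in the activation link in the e-mail

def confirm_subscription(token, now=None):
    """Activation link clicked: single use, rejected once expired."""
    now = time.time() if now is None else now
    req = pending.pop(token_digest(token), None)  # pop makes the link one-shot
    if req is None or now - req["requested_at"] > TTL_SECONDS:
        return None
    evidence = {
        "requested_at": req["requested_at"],
        "confirmed_at": now,
        "consent_wording": CONSENT_WORDING,
    }
    subscribers[req["email"]] = evidence
    return evidence

def purge_unconfirmed(now=None):
    """Drop requests never activated, so third-party addresses are not kept."""
    now = time.time() if now is None else now
    stale = [k for k, r in pending.items()
             if now - r["requested_at"] > TTL_SECONDS]
    for k in stale:
        del pending[k]
    return len(stale)
```

With single opt-in, `request_subscription` would write straight to `subscribers`, which is exactly the case where someone else's address can end up on the list.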

Business partners

A separate issue from the above is the transfer of users’ personal data to business partners. Here too, information regarding the possibility of transferring data to partners must be clear, specific and include details of the partners to whom the data may be transferred. A general statement that the data controller may transfer a website user’s personal data to its business partners would not be correct. The user then does not know to whom their data will be transferred and cannot be certain that their data will not be passed on to further partners. They are, in a sense, deprived of the ability to exercise their rights regarding their own personal data and to control its processing.

If we wish to transfer the personal data of users that we have obtained to our partners, we must identify those partners. They may already be listed in the checkbox under the newsletter subscription form, or they may also be identified, for example, in the privacy policy, to which a link will be provided next to the subscription option.
