Two recent decisions of the Italian Data Protection Authority, against Comparafacile (web doc. no. 9921112) and Tiscali (web doc. no. 9920942), offer the cue to resume the systematic analysis of consent as a legal basis for data processing, in general, and for processing for marketing purposes, in particular.
More specifically, today we will focus in detail on the profile of the duration of “marketing consent.”
The consent of the data subject is, in principle, the legal basis underlying the processing of personal data for marketing and commercial profiling purposes. The other legal basis that can be used for processing for marketing purposes, that of legitimate interest, has residual application in this area.
Consent must be prior to the processing of the data and, consequently, to the promoting company’s commercial contact with the data subject.
Consent may be collected by direct or indirect means:
- Consent is obtained directly when the data controller has direct contact with the data subject and collects his or her specific consent from him or her, after issuing appropriate privacy notice that specifies the purposes of the processing.
- Consent is obtained indirectly when the principal of a promotional campaign (data controller) acquires from a provider (list provider) a list of master data relating to individuals who, having been adequately informed, have expressed their consent to be contacted by third parties (identified by category or by name) for their own commercial purposes.
When the acquisition of master data is indirect, it is the responsibility of the acquiring organization to verify that, with regard to the list of contact data, the legal requirements have been properly met; that is:
- providing the data subject with an adequate privacy notice
- collection of a valid consent for the communication of data to identified third parties and for the processing of data by them, for their own marketing purposes.
If the identification of the third party is by product category, the purchaser must provide its own individual privacy notice in accordance with Article 14 of the GDPR, within one month or at the first marketing contact.