Data Protection: 10 industry myths

Almost 2 years after Regulation (EU) 2016/679 (“GDPR”) became applicable and Legislative Decree 101/2018 was introduced, some false myths continue to circulate in the digital marketing field, potentially misleading companies that need to make choices.

Let’s debunk some of these “false myths” together by carefully reading the regulation, as well as the measures and guidelines of the Italian Data Protection Authority and the European Data Protection Board.

Today we’ll discuss the first 5 false myths; don’t miss the next blog post covering the other five!


Data processed for profiling and marketing purposes must be deleted after 12 and 24 months respectively

Among colleagues in our industry, there is a deeply rooted conviction that personal data processed for profiling and marketing purposes must be peremptorily erased 12 and 24 months after their registration, respectively. This conviction has its roots in the Italian Data Protection Authority’s “Loyalty Cards Measure” of 2005: a measure that is still considered current, aimed at regulating certain aspects (including data retention times) of processing in the context of “loyalty” cards, or cards that create a lasting relationship with customers for purchases and service provision.

However, the above measure does not appear to lend itself to application by analogy. Yet many companies have understood these terms as mandatory for any processing carried out for marketing and profiling purposes, even outside the scope of “loyalty programs”. This is probably because, over time, the Data Protection Authority has de facto applied the data retention principles set out for loyalty cards to all marketing and profiling activities carried out on clients and prospects within a CRM (see the FCA case).

However, careful reading of these measures reveals that:

  • even in the case of “loyalty programs”, the above-mentioned 12 and 24 months can be extended for particular categories of goods, such as luxury goods, large-scale organised distribution, etc.;
  • as of 25 May 2018, under the principle of accountability, it is up to the Data Controller to autonomously evaluate the retention times of data processed for marketing and profiling purposes, carrying out a data protection impact assessment where necessary. That assessment may of course take the above measures into account, while still respecting the privacy principles (accountability, data minimisation, storage limitation, relevance and non-excessiveness).

Prior consent is always required to send a Newsletter

How many of you believe that sending Newsletters requires mandatory prior consent?

Actually, this is not always true: it depends on the content of the Newsletter and on how it is offered to users. For example, a Newsletter with purely editorial/informative content could be offered to the user as a service. In this case, the data processing necessary to send the Newsletter could have a legal basis other than consent (for example, Art. 6(1)(b) GDPR). However, if the Newsletter is in fact a “direct email” with promotional content, the Data Protection Authority has stated on various occasions that prior consent is mandatory.

Should I request privacy consent

Many times we hear about “privacy consent”, or are faced with forms that generically ask us to give a generic “privacy consent”.

In reality, the expression “privacy consent” has no meaning and appears, in and of itself, incompatible with the specificity of consent required by the GDPR. Likewise, the privacy policy must be read by the user (towards whom the Data Controller has an obligation to provide information), but this does not imply the collection of a generic consent concerning its content. In other words, accepting the privacy policy by ticking a specific check-box does not constitute valid consent to the processing of your data for any of the marketing and/or profiling purposes set out in the policy. It is therefore necessary to pay the utmost attention to drafting a clear and complete privacy policy, taking care to specifically and transparently request any consent needed to legitimise one or more processing purposes.

The GDPR allows me to do direct marketing based on legitimate interest

Many industry stakeholders have found, in the text of the GDPR, the (unhoped-for) possibility of processing personal data for direct marketing purposes on the basis of legitimate interest, i.e. without the prior consent of the data subject. The provision leading to this interpretation is found in particular in recital 47 of the GDPR, according to which «(…) the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest».

In fact, given that recital 47 of the GDPR is merely programmatic in nature, and therefore guides the interpreter without containing any regulatory requirements, the truly decisive aspect is that, in marketing, the GDPR must be considered a general law which, as such, must be read in the light of the applicable special national law, namely the e-Privacy Directive, transposed in Italy by Article 130 of the Privacy Code. From the analysis of this provision (which, as we’ve said, prevails as a special law), it clearly emerges that in Italy automated direct marketing (i.e. carried out for example by e-mail, SMS or fax) must necessarily be based on the prior consent of the contractor or user under Art. 7 GDPR. The only exceptions to this rule are “soft spam” and “social spam”, within the limits set by the applicable legislation.

I can always send an email to request consent

Be careful with consent-gathering initiatives via e-mail. In the course of your experience, you may well have been tempted by the possibility of sending an e-mail to your database to request consent to processing for marketing purposes; after all, it would just be a “harmless” communication that promotes nothing and merely attempts to acquire consent.

However, sending such a communication is itself, indirectly, processing for marketing purposes, and could therefore be unlawful without prior consent. The Data Protection Authority has addressed this point in its Guidelines on promotional activities and the fight against spam, specifying that processing carried out for promotional purposes by automated tools or similar is subject to Article 130, paragraphs 1 and 2, of the Privacy Code, according to which the use of such tools for marketing purposes is permitted only with the prior consent of the contractor or user (so-called opt-in).
And what do you think? Have you come across other myths in our industry?

To talk about it together, write to us at your experience could become the subject of further study for the benefit of everyone in the industry.

* This Article does not constitute legal advice in any way.