Magazine: GDPR’s influence on marketing processes

Date: 2018. 05. 09. 07:48

As of 25 May 2018 companies must change their data management procedures in accordance with the new rules of the General Data Protection Regulation (GDPR) of the European Union. The new regulation is much stricter than the rules already in effect in Hungary. What is more, if the rules are broken, in the future the authorities will impose bigger fines than they do now. This means that companies will have to pay closer attention to managing personal data.

Dr. László Szűcs
co-owner
PwC Legal

Before analysing the actual effect of GDPR on marketing processes, let’s clarify two concepts: 1. personal data – any information that can be used to identify a person directly or indirectly (e.g. name, e-mail address, information on the given person’s habits, etc.); 2. data management – this process lasts from registering data to deleting them, and basically includes each personal data-related operation, together with the systematisation and transfer of such data.

An important element in the efficiency of marketing processes is how companies get their product/service message through to consumers. If this marketing message is sent directly to consumers, certain data protection issues might arise. It must also be made clear what qualifies as marketing communication, because marketing messages that appear in a consumer’s news feed in social media are also considered to be direct communication. It is important to note that data can only be managed in order to reach a clearly defined goal.

Dr. Péter Mezei
lawyer
PwC Legal

When talking about the legal basis for data management, it must be mentioned that according to the GDPR, when data management is done in connection with implementing direct marketing, it can be based on legitimate interest for which the target person’s consent isn’t required. This is a change in regulation, as the advertising law that is currently in effect in Hungary stipulates: direct marketing methods can only be used to get a message through to consumers if the target person has given their consent in advance. If data management is based on consent, the data manger must prove that the given person has given their consent. In practice this means that if the consumer agrees to receive direct marketing messages in a telephone conversation, they need to listen to detailed information on how their personal data will be managed and declare that they have understood everything and agree to their data being managed.

It often happens that new objectives become part of a marketing strategy. If the purpose of data use also changes, the target persons need to give their consent again, and they must listen to detailed information once more before they say yes to the new terms. Objectives can’t be interpreted extendedly: this means that if a retailer does direct marketing and at the same time examines the shopping habits of customers, these two things don’t qualify as data management with the same marketing purpose.

If the data manager transmits legitimately managed personal data to any third party, the data manager must inform the person concerned (the consumer whose data is managed) about how and why data is passed on. In practice this can be a very complex task, but one thing must always be guaranteed: the person concerned must always know which data managers work with their personal data, why and for how long they are doing it – this includes data storing information as well.

The new regulation refers to data management operations carried out after 25 May 2018. This means data managing companies must contact consumers again and – in accordance with what is contained in the GDPR – they must inform them about the conditions of data management as required by the GDPR. If consumer consent is needed for certain marketing operations, it must be obtained again. In Hungary it is very likely that the National Authority for Data Protection and the Freedom of Information (NAIH) will make sure that the GDPR rules are applied in real life. Fines can be imposed up to EUR 20 million (at the moment the biggest fine is HUF 20 million). //