GDPR & PKE: Marketing Rules for Webinar Attendees (Full Transcript)

[00:00:05] Speaker 1: Hello, welcome to the next ClickMeeting event. In order to determine whether we have any technical problems, we would like you to write in the chat which city you are from. We have Opole, Gdańsk, Kołob, Garwolin, so we can be heard well, I am very happy. Today's topic is a bit unusual when it comes to webinars, however, it is extremely important, i.e. all legal regulations that we can use to use the data of our event participants. However, before we move on to the webinar itself, I would like to ask you to devote literally minutes to fill out the survey. I'll turn it on for you in a moment. Please feel free to answer the questions asked in it. Okay, we can see that you are voting. I take this opportunity while you are filling out this survey, I would just like to inform you that we will be doing a charity webinar again this year, in December, before Christmas. It will probably be December 12, but we will inform you about it. It will probably be a fundraiser for the Pankrac Foundation, but we will inform you about it. The topic is quite interesting, however, I will allow myself to wait with this little secret until we are ready to promote our event. Okay, going back to our survey, I see you are filling it out, so please feel free to fill it out. In the meantime, I will introduce our lawyer, Mr. Adam Detmer, who will take over the webinar now and I hope he will also answer many of your intriguing questions. Okay, Adam, we're turning off the survey. And we will be able to give you a vote. Please, go ahead.

[00:02:19] Speaker 2: Thank you. Good morning. As Kuba mentioned, my name is Adam Detmer. I am a legal advisor and a Data Protection Inspector and I will try to bring the topic of conducting direct marketing related to a reasonable case. All right. From registration to reporting, that's what we called today's webinar. It is quite a complex and interesting topic, because I would like to make it the starting point of our meeting and also point out that during these specific moments, any relation or registration, any contact with a client or a potential client, the law imposes certain obligations on us, but it also gives us a chance to carry out activities and develop the business. In fact, to begin understanding the topic of data processing, in the context of marketing, it is worth to start from the roles. The roles that the regulations on data processing impose on us, i.e. the person in charge of data processing. Because the two main actors in the process of data processing are the administrator and the processing entity, possibly further processing entities, but the administrator plays a key role, and all the obligations related to data processing, the processing entity only fulfills its orders. And we have article 6. The basics of data processing. To become an administrator, to have the role of an administrator in the data processing process, we must have one of the basics of data processing indicated in the first article. I will not discuss them all. Today we will focus mainly on the letter A, i.e. on the consent of the person whose data will be processed, and only a brief introduction to the subject of protection, because we very often talk about the law of personal data protection, about regulations on personal data protection, but we would like to answer the question, what is actually the subject of protection in RODO, i.e. in this basic regulation that currently regulates the processing of personal data in the entire European Union. And quite intuitively, the answer may come to us that we protect the data with the subject of protection. Personal data. And here many administrators, many entities, already make a basic mistake, because it is not true, despite the fact that all these names and titles indicate it. The subject of protection is the right of individuals, only related to the processing of personal data. If we approach the subject of data protection in our enterprises, in our companies in this way, then they will be able to reach the right conclusions without doing any major analysis, whether we can process data, and how we can process it, focusing on the subject of protection. The right of individuals. So what really, how our actions could cause inconvenience or frustration of a person, in connection with the processing of personal data. Because it should be admitted that the email address itself, or the IP address, does not represent any significant value for each of us. It just is. But already receiving spam, linking our IP address, i.e. partially, the possibility of reaching us as people, in connection with our purchases, choices, or more sensitive data, could already lead to such frustration, to something that is unpleasant. This is what RODO protects against, this is what special laws protect against, and here is the meaning of the whole system of these regulations. Processing. Processing personal data as such can mean, in fact, everything. That is, it is necessary to avoid opinions, in which storing is not processing, in which keeping data on a disk is not processing. Processing can mean, in fact, every relationship of an object with data. So you don't need to send these data, profile, you don't need to process these data in any particular way. It is enough to have them. And this is very important. And here, attention, processing is also removing or destroying. You also need to have a basis and possibility for this, because sometimes, for example, regulations force us to process data, for example, tax regulations, or regulations within the scope of the law of work, and such an illegal removal of, for example, employee data or tax data will also be a violation not only of specific regulations, those that are tax or within the scope of the law of work, but also a violation of personal data protection. And regarding marketing itself, we have an interesting issue, because direct marketing, here I will try to discuss its definition, the main regulation, i.e. RODO, the electronic communication law, which, attention, replaced the telecommunication law, the law on the provision of services by electronic means, there is also a regulation. I will try to put it all together and present it as closely as possible. I will not always provide sources for my theses, I will not always give specific examples from the statements, because the time frames of this meeting do not allow it, but you have to believe me that I did not take it all out of nowhere. We have the motive 47 RODO, which says that the basic processing can be a legally justified interest, i.e. on this first slide, I showed this article 6, paragraph 1, it is specifically the letter F, a legally justified interest of the administrator, i.e. the administrator processes the data, assuming that he has a legally justified interest in it, there he also performs the so-called balance test, in which he shows that this interest is superior, it stands higher than this negligence, this interest of a person whose data is processed. But according to this motive 47, direct marketing is included in this legally justified interest of the administrator, i.e. the European legislator considers that the interest of every entrepreneur, and this is legally justified, is to provide marketing services, which it offers, products that it sells, and it seems to be quite sensible, and on this basis, theoretically, we could support direct marketing. And here, too, there is such a basic mistake, but also such a trap, because there is RODO, and if we limited ourselves to RODO, we conduct marketing without any consent, based on a legally justified interest, and the topic closes. And this is the case in many cases. Based on RODO itself, we will actually go nowhere, because you have to remember that together with RODO, in Poland, more than 100 bills were renewed at the very beginning. And each of these special bills has its own detailed decisions regarding data processing, and, for example, it is the electronic communication law, which replaced the telecommunications law, Article 398. What does it say? It says that it is forbidden to use, or, in short, we cannot send direct marketing. We cannot send it, because let's make it clear, processing data for marketing purposes and sending messages, these are two different things now, because it should be recognized, in accordance with this PKR regulation, that sending is forbidden. However, RODO tells us that processing data for direct marketing is in a legally justified interest of the administrator, that is, we collect data for marketing purposes, because we collect each data for a specific purpose. Here we have a marketing goal. Let's say we collect a mailing list. Processing them, that is, for example, what I said, processing and also storing, can be considered legal without permission. PKR prohibits us from using this data, which would lead to sending e-mails, telecommunications, SMS, everything that happens remotely, and this is an important understanding. In the second paragraph, we have information about the consent, which must also meet the conditions to break this ban, but the first paragraph indicates that we have the ending here, unless he has previously expressed his consent. We have the element that previously, that is, before sending such communication, and the consent we are talking about must meet, among other requirements, that is, it must be similar to the consent from RODO. What else can I say? However, this is very important. The consent must be in advance. There were such interpretations, which can still work somewhere, that you can contact in order to obtain consent. This is a rather controversial topic. I know that it is also quite common and used on the market, because somehow this marketing should be conducted, so please do not approach it in such a way that I am now saying that nothing can be done. I am trying to present the perspective of the regulations, regulations and doctrines, while the entire RODO and the entire processing of personal data after entering the life of the regulation was based on the analysis of the risk. We do not have such strict, very often and directly indicated, guidelines in the regulations. We estimate the risk, we estimate what we can do, having a certain appetite for risk, a certain profit that a given action can bring us. I can say that, as a rule, consent is in advance. If we do not have consent, we do not contact. However, each administrator makes these decisions individually. They may consider that the risk of injury to a person by sending a query to them, for example, about the possibility of contact, is so small that it is appropriate. I will not answer this question directly. The fourth provision, which I have left, is still important here. PKF provides us with one more obligation. It considers that sending such marketing without consent is an act of unfair competition, which means that by conducting such marketing improperly, without consent, or with inappropriate consents, we are not only subject to an administrative penalty, in the sense of RODO, we are subject to the procedure from the Office of Electronic Communications, i.e. UK, and the fourth provision is introduced by the Office of Competition Protection and Consumers. So we have three regimes in one action, which further increases the seriousness of the situation. Now, moving on to direct marketing, as an activity itself. Here I have put a definition. It is quite long. PKF has really balanced us. We had such a dualism before PKF came into being. Commercial information, direct marketing, it was not entirely clear what it meant, what was indicated that commercial information was something broader. Now PKF refers directly to the definition from the Law on the Enforcement of Electronic Services. Here you can see what it means. I would focus on the key concepts. Marketing and commercial character. It is difficult to escape the fact that most of the information that is in the interest of an entrepreneur sent to a client or a potential client will have a marketing or commercial character, because in fact its purpose is to achieve some sales, product sales, services, encourage this person to cooperate. It is really difficult to escape this. From the new guidelines that have appeared, for example, I could mention the satisfaction survey. Such a satisfaction survey is the subject of many disputes. Many administrators decide to send without consent, it is an action in the interest of the administrator, we already have a relationship with the client, it is related to a service that has actually been proven in the past. There have been penalties for this, so such a satisfaction survey can also be recognized by the regulator for information about a marketing or commercial character. Communication at a distance, we do not have to develop it in any particular way. The traditional post office does not fall within the scope, so you can do it by mail. However, all modern tools for communication at a distance unfortunately already include this. If we have already decided that marketing is understood as the transmission of any commercial or marketing information, it can only be carried out on the basis of prior consent. Let's talk about this consent now. The consent in reference to the first slide that I showed is the basis of processing and must have certain features. It must be voluntary. This is probably quite understandable. It is also worth noting quite clearly that it is voluntary, that is, this consent is not forced. We have a little star here, we can put it here. Pay your okay, pay your consent, i.e. this mechanism is based on a contract, a contract with a user, which says that the payment for the service is his consent, i.e. his consent for marketing activities in relation to him is the payment for the service. Here we also have several different approaches. Again, it will not be a clear and pure answer whether it is possible or not. It is a commonly used market tool. As for the principle, you can do this. The only observation that sometimes appears, which I have to mention, is the provision of a different type of payment, i.e. we can pay either with marketing consent or, for example, pay in advance for a given service. It is a rather restrictive approach, but it appears. We must be aware that when you conduct a risk analysis of your processes, you have to take this into account somewhere. So you can rely on such a claim. I am not a fan of this approach and I believe that the content of such a contract where the user pays with his consent is as acceptable as possible. Specificity. Awareness. The user is to receive content that is understandable to him, which he is able to read correctly. It is very fluid, but as I say, everything is based on the risk, on the opinion of the administrator. He has to create it in such a way that he will be able to prove later, according to the principles of accountability, that he fulfilled this obligation. Uniqueness of expression. Here, a classic example comes to mind. We do not mark consent by default. The consent marked by default is not uniquely expressed. The statement of will is so complex, because the expression of consent is made in such a way as not to reject something. It cannot be considered effective. There must be this movement. Even if it is a button, mark everything where we have required and voluntary consent. However, it requires some action by the user, so the consent cannot be marked by default. And what does the element have to include? I have indicated here the most cut-off consent that would meet the minimum requirements. But as you can see here, we have to indicate the subject, i.e. as an administrator, we have to introduce ourselves. For whom is this consent? For what purpose? Because this purpose is always the basis. And the channel of contact. Here again, I must point out that according to the regulations, completely correctly, each channel of contact should be a separate consent, a separate checkbox. So we give the possibility of expressing consent by e-mail, by phone, by phone as a conversation and by phone as a text message. So purely theoretically, it would be worth considering these channels of contact as separate checkboxes. However, again, UX-wise, it is certainly very difficult. Market-wise, it is also not widely used. However, it must be taken into account that the channels of contact were taken collectively and the person physically did not have a real possibility of making a choice. And what else is very important? Consent is such a basis that is very popular and widely used, because if you don't know what to apply, what basis, we take consent. And this is very often a mistake, this is such a feature that can show that consent does not make sense for many processes, because let's take the example of such an agreement that we have, for example, an agreement for such a webinar, because this is also a type of agreement. We have a service, we testify to the service of conducting such a webinar, we have an agreement. And if you apply consent to any other agreement, or apply consent to the experience of some service in some workplace, then please imagine a situation in which this agreement comes into being, the parties began to testify to each other, let's say this agreement is for a year, and one party withdraws the consent. At this point, the other party cannot process its data. There is no name, address, this is a completely absurd situation, so let's remember that consent is not always a good basis. Consent is a good basis for marketing, but it is not always good, at least due to the possibility of withdrawal. And here's another note, this justified interest that we talked about on the basis of the motive of the 47th RODO, this is not consent, justified interest is not liable for withdrawal of consent, but is liable for objection. For example, if a company can report against such processing, and it is also not subject to negotiations, then the processing ceases to be legal. Of course, it should not be opposed, and it is also important that withdrawal of consent does not mean that the processing before this withdrawal was not legal, because there were also such questions. And when we have this consent, we also have an information obligation under Article 13 of the RODO. The entire information obligation is a very broad topic, because according to this article, the subject of data must be informed very broadly about its rights, about the identity of the administrator, about the goals, about the methods. This range is very broad, which is why the use of the information obligation and this extended version in the form of, most often, a policy of privacy, was adopted. This is data from a physical person. We have a form, we collect, for example, an e-mail, we collect consent, it is necessary to inform the person about the identity of the administrator. Here we have an example, the administrator of your personal data is, they will be processed on purpose, on the basis of, and so on. This abbreviated administrator's obligation is the most common hitch, that is, the administrator is, the data is collected on purpose, it is necessary to provide the website with an active link, but it should be remembered, because not fulfilling this obligation itself is a violation. Marketing without consent. Because here, let's go back to various options, the so-called soft opt-in, cold mailing, or spam. Here we have information about the decision of the President of the Office of Personal Data Protection, that customer satisfaction can only be achieved with marketing consent. This is what I mentioned. It's hard to run away from it so as not to think about it at all, I just leave it for you to have it in mind. There are such decisions, there are such positions, we have to take it into account in these risk analyses. As for cold mailing itself, obtaining these clients or potential clients by sending messages even then without consent, but for the purpose of obtaining, you can mitigate the risk of conducting such actions. First of all, you can run away from the responsibility of RODO, because as I mentioned, RODO talks about the situations in which personal data is processed. Then we talk, for example, about name boxes, where we have the name and surname of the company, for example. When we contact the general box, contact, offer, marketing, secretary, then the responsibility from RODO is deactualized because we don't have personal data here, we don't get to a specific person, only to some general email address and this is one of the elements and this is one of the elements. The second element is based on the principle of minimization, on the protection object, i.e. the rights of physical persons. If we use such a mailing, it is worth remembering about giving up excessive aggressiveness and violence. So we run this mailing, for example, the first message, so that it is soft, so that it poses a certain question, an invitation, and not immediately such a spammed character, so that the person who receives it has the impression that he has a choice, that he was asked something and did not receive such a typical email that bears the character of spam. Here, too, it should be remembered about regulations regarding unfair competition from PKR, because this responsibility qualifies. Returning to consent as payment, because I would also like to mention it, it is worth putting it in the checkbox in which we indicate that the user expresses consent to send commercial and marketing information. It is also worth indicating the channel of this communication and how this contractual relationship takes place, i.e. that this consent for marketing and trading is in exchange for participation in this webinar, so that it is clear for the user. Moving on, in the context of running webinars, let's remember that the organizer always, according to the regulations, has to have one of the basics. Returning to the first slides, he must have one of the basics and it is also worth remembering in the context of contact forms or notes for certain events. The informational duty must be fulfilled, and when it comes to participation in the webinar, this is what I indicated, it is not based on consent, it is a contract. Consent may be marketing, but the possibility of withdrawing this consent at any time actually disqualifies our consent as a basis. And I got to the end quite quickly, so maybe we'll move on to the question session now.

[00:28:03] Speaker 1: Okay, I will read the questions from our participants. Okay, what should the regulation say to be able to send information about the next webinars in case participants sign up for one event at the beginning of the year?

[00:28:24] Speaker 2: Here we are actually talking about consent. Here the user must express consent to send him such information. We can compare it, I think, for example, to recruitment processes. When we recruit an employee, he sends us his CV, expressing in some way his will to participate in such a recruitment, and if we would like, for example, to use his data for future recruitments, we need such consent from him. So again, we really see that this whole system is based on the perspective of a person's physical recruitment. We expect our data to be processed precisely for this purpose. And if the administrator would like to do something more, i.e. invite us to another recruitment, because, for example, this one did not work out, he must ask us for consent, because we could not expect it. Okay, great.

[00:29:12] Speaker 1: Here is a very interesting question about data processing in the pet business. Can we use animal data without the consent of the guardian in marketing activities?

[00:29:29] Speaker 2: I did not expect it. I have never received such a question. In general, the right to protect personal data concerns people. We have to accept it. However, I can not imagine that the animal would read the e-mail. So, de facto, a party to the agreement in terms of animal services is a human being. So even if we write to him in connection with the services from which he uses for the sake of his animal, there will be no distinction.

[00:30:03] Speaker 1: The party is not an animal. Okay, thank you. Next question.

[00:30:12] Speaker 2: This is a very good question, because we have a distinction. In Polish law, we distinguish so-called personal companies, i.e. our needs, as well as economic companies, which are the most common, and capital companies. When it comes to one-person activities, it is still a physical person. We do not create a legal person here, so every one-person economic activity will be a physical person, so it is fully protected within the scope of the gender. In the context of capital companies, the risk is much lower, which is basically not the case. However, there is a question that is also debatable. We also have name boxes there. And the question is whether the names and surnames in these name boxes will not be subject to the Personal Data Protection Regulation? I would assume that this is a certain risk. And the question is, what else from PKE? Because it prohibits sending. We distinguish, right? It is processing for marketing purposes and it is not excluded from this obligation. And I would also like to say that there is often an argument that they are visible in publicly available registers, i.e. in CIDG. This publicization does not deprive of protection in any way. When we collect this data, we have to fulfill an information obligation that we are now processing this data.

[00:31:42] Speaker 1: The source of their acquisition does not matter. Okay. The answer is simple. There is no answer. I was talking about risk analysis.

[00:31:50] Speaker 2: I was talking about the fact that the entire system of Personal Data Protection Regulations is designed in such a way that we do not have simple answers here. This is always an assessment. And it is worth looking at the perspective I was talking about. The subject of protection are the rights of a person. We are all these physical people, we are all in this place. How many emails a day, weekly or monthly am I able to survive? Okay.

[00:32:22] Speaker 1: What about the information to the municipalities and other offices?

[00:32:28] Speaker 2: Public institutions will not be subject to this protection. You can contact.

[00:32:35] Speaker 1: We got to the end of the questions. Thank you very much, Adam, for a great webinar. And I would like to remind you that our webinar was recorded. You will receive a certificate of participation right after our webinar, but until the end of today's webinar you will also receive an email with a recording. Thank you very much and we encourage you to follow the information about our webinars, especially about the Christmas and charity webinars. Thank you very much and goodbye. Have a nice day.