Clang is GDPR-PROOF!

Written by Femke van Zelst / 28 May 2018 / Legislation / Technique

As of 25 May, the Dutch Data Protection Act (Wbp) has been replaced by the GDPR (General Data Protection Regulation). This new legislation is enforced throughout the European Union and has two important consequences: strengthening and expanding privacy rights, and increasing the responsibilities of organisations. The ESP plays an important role in this, and as an email marketer, you’ll want to know: is Clang ready for the GDPR? The answer is: YES! In this blog, you will read how Clang is ready for the GDPR.

Processing data

Email marketing is a type of direct marketing. Article 6 of the GDPR says the following about direct marketing:

“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

This means that the GDPR dictates that processing personal data for email marketing goals is allowed based on a legitimate interest. Legitimate interest is when there is a relevant and appropriate relation between the organisation and the persons whose data is being processed. This relation will be present, for instance, between an organisation and its clients. As long as the marketing interest is not outweighed by the privacy interest of the data subject, the processing of personal data is allowed. The way you process personal data must be included in the privacy statement.

Rights and obligations

The GDPR comes with a number of new rights and obligations. As soon as a data subject wants to make use of one of these rights, you are to comply with their request as soon as possible. A few rights and obligations are explained below, along with how you can fulfil them using Clang.

Transparency

Transparency is an important obligation within the GDPR. For instance, your privacy statement has to be transparent about your email marketing activities, and you have to be transparent about all the measures you have taken to be GDPR-compliant.

Obligation to provide proof of valid consent

From 25 May onwards, you are only allowed to send out commercial mailings to contacts who have given permission. If you already have permission, you do not need to ask for it again. As a business, you have to be able to prove you have obtained valid consent for the collection of personal data. Your database has to clearly state what the privacy status of each record is, when this was obtained, how this was obtained, and what exactly the data subject gave permission for.

Status

Using a client option field in Clang, you can record all the necessary information regarding the documentation of consent. By recording a version number of the privacy statement in this field, you can easily inform clients of the changes when altering your privacy statement.

When

When creating a record, Clang automatically records the date (created at). When consent is not obtained at the moment of recording, you can record the date of consent in a client option field you create for that purpose.

How

When the recording of consent takes place in Clang, this information can also be recorded in a client option field. Think for instance of: date of confirmation double opt-in (the consent used for this is recorded in the history overview) or date of last transaction.

For what

In case of explicit consent, the data subject agrees to receiving commercial emails from your company. Of course, it has to be made clear to the data subject what they are agreeing to. So it’s a good idea to include a version number with the opt-in (the text in the statement the data subject is agreeing to) and to record it in a client option field. This allows you to select on it and, in case of an alteration in the conditions, to easily inform the people concerned. Below are two examples of opt-ins:

“Yes, I would like to receive communications by email about {company X} information, products, services and offers relevant to me.”

“Yes, I would like to be kept up to date on {company X} and would like to receive the monthly newsletter with offers and information.”

Right to erasure

When a data subject wants to have their data removed, they can call on the right to erasure. As a business, you are required to acknowledge this right and remove all recorded data. In a preference centre, for instance, the data subject can adjust or remove their data. Clang provides various options for the erasure of data, for instance through the ‘RemoveCustomer’ object in the Campaign Designer. By implementing the RemoveCustomer object in your campaign, the records of contacts who no longer wish to receive your mailings are automatically removed from Clang.

Figure 1: Example of a good preference centre

Right to be forgotten

A data subject has the right to know if their personal data is being processed, and if this is the case, they have the right to information about this data. The data subject has a right to information on, among other things:

  1. the goals of the processing;

  2. the categories of personal data involved;

  3. the storage period;

  4. with whom the personal data can be shared;

  5. the fact that the data subject can register a complaint.

This means you are required to clearly inform the data subject about what you are doing with their personal data. You can best incorporate this into your privacy statement. It is also possible to show pop-ups with an explanation for each request for consent.

Right to object

The right to object to processing means that the data subject has the right to ask an organisation to stop using their personal data. Organisations are always required to respect this objection. So make sure you always incorporate an opt-out process into your commercial emails.

Right of access

A data subject has the right to know if their personal data is processed by the controller. When the data subject invokes the right to access, the organisation is required to provide a copy of the personal data that is processed. An overview of the data subject’s data you have recorded in a client (option) field and campaign field can easily be created using exports.

Right of rectification

If a data subject wishes to alter their personal data, they can invoke the right of rectification. This can for instance be done through a preference centre. On this page, the data subject can see for which moments of contact and/or types of communication they can sign up, and have signed up. This page can be expanded to a profile overview page, where you give the data subject insight into the data they provided. You can present the data subject with the option of altering and removing their data here. Do you need help creating a preference centre? Feel free to contact a Project Manager.

Don’t throw out your database!

Requiring an opt-in for sending commercial emails was already arranged in the 1998 Dutch Telecommunications Act (Tw). This law does not change. Everything else, such as processing data, is part of the GDPR. The GDPR directly influences the Telecommunications Act, because this law refers to the Dutch Data Protection Act for its definition of obtaining consent, and the Data Protection Act has been replaced by the GDPR. The most important difference is that the data subject’s consent has to henceforth be ‘unambiguous’. The consent has to be a voluntary, active deed and cannot be derived from agreeing to general terms and conditions.

The GDPR requires proof. When you have obtained the data subject’s consent, you have to be able to prove it. The rules for the opt-in and opt-out remain unchanged in other ways. As long as your opt-ins have been obtained in compliance with the current legislation, you do not need to re-request your opt-ins, and definitely don’t throw them away! Below is a brief overview of what requirements your opt-ins have to meet:

  • The email opt-in must be a clear and concise consent message.

  • The opt-in must be separate from other conditions and cannot be a condition for the supply of goods or services. This means the ‘upon accepting the terms and conditions you will automatically be registered for our newsletter’ is forbidden.

  • It is forbidden to automatically check the opt-in checkbox. This is called ‘Privacy by default’.

  • You are required to have segmented opt-ins when you use the data in more than one way, i.e.: when you use the same data for various purposes. This is called ‘purpose limitation’.

  • Your database needs to track the opt-in, so you can show you received permission from the data subject.

  • Recipients reserve the right to withdraw their opt-in. You have to make clear to the recipient how they can unregister. This can be included in a ‘Privacy Statement’.

Recently, we built the GDPR campaign for various clients, including Robeco, Zicht Adviseurs, and Technische Unie. Do you need help building a GDPR campaign, or would you rather have us handle everything? Our email specialists are there for you! For more information, contact your Project Manager.

Would you like to know more about the GDPR? Read our blog Everything an email marketer needs to know about the GDPR.