The GDPR, i.e. the Regulation on the Protection of Personal Data, strengthens our rights as consumers, newsletter recipients and customers of online stores to access and view their data. We may also request the complete deletion of our data or transfer it to another administrator. On entrepreneurs (regardless of the scale of activity), the GDPR imposes several obligations related to data processing (saving, copying, and storing them in digital form).
The most important thing is consent
The consent must be free and granted to a specific entity. The declaration of consent must be formulated simply and have: a specific purpose (e.g. sending offers, information materials), place of data processing, and a specified period for which the consent is granted. We must indicate the data administrator and information about the possibility of changing them and withdrawing consent.
GDPR in practice - you will not send an offer without the consent
To send an email with an offer to a person or company, we must have confirmation (consent) that we would like to receive such information. Even if we found her/his address on the company website.
Self-built databases are legal, but ... we can't send them messages with offers, because we still don't have permission to do so. Nevertheless, we are obliged to inform the people we have added to the database that we have done it, and to provide information about the rules for processing their data. Such e-mail is a legal obligation.
We cannot include advertising information in its content, as this would be a violation of the law. The interpretation that I found in the materials from August 2020 says that a purely informational e-mail asking for consent to the offer also constitutes a violation of the law.
The solution is the registration form on the website with the double opt-in option. This is an additional confirmation that the person who signs up is the actual user of the address and is sure of his consent. In the form, the customer must check the box with the consent to mailing himself, have information about the administrator's data, data processing rules, and a link to the page with full rules for their processing.
For each consent given (e.g. during a face-to-face meeting), it is best to record information about who and when gave consent and what its content was, what information was received by the consenting person before giving consent, what information was provided about how to withdraw consent and whether consent was withdrawn (and when). Important - we must also obtain marketing consent from clients with whom we already cooperate.
Compliance with these rules allows you to prove that the recipients of your messages have consented to the processing of data and receiving marketing materials. With a large database, verbal assurances by the recipient may be impractical.
Solution for trade fairs or at the point of sale? A special notebook with a ready-made form, a place to attach a business card, and a signature.
Text published in Szkółkarstwo 3/2021