Road to the GDPR: the registration process

21, March 2018

This blog is part of our GDPR health check “Road to the GDPR.” In part one of the test, we cover the registration process. If you have not completed the test yet, you should do so first and then come back to read the background information in this blog.


As the name implies, the registration process is a process that every subscriber goes through on your website. During the registration process for e.g. a newsletter or an event, your subscribers enter their email address, name and/or other personal information. In light of the GDPR, it is important to first explain what personal information is, what it means to “process personal information” and what your role as an email marketer is under the GDPR (in the context of the registration process). Next, we will explain when you may collect personal information from people to send them commercial content and what the rules are for existing clients. Finally, we will give you advice on how to set up the registration process on your website.

What is personal information under the GDPR?

Personal information is all information about an identified or identifiable natural person. Think of e.g. a name or a picture, but also an email address, IP address or cookie ID. Pseudonymised information, e.g. a hashed IP address, is also considered personal information, because it is still possible to identify the person in question (even though you may have to e.g. combine multiple databases from various parties to do so). Besides regular personal information, there is also special personal information. This information concerns someone’s religion or beliefs, race, political orientation, health, sexual activity, membership of a professional organisation or criminal or objectionable activities. Processing this latter category of information is subject to additional regulations.

What is processing under the GDPR?

“Processing” is a broad term. It refers to any action pertaining to personal information, e.g. storing it, passing it on to another party or possibly having access to this information. In the context of (direct) email marketing, you are processing personal information as soon as you do anything at all with the data.

What is your role as a marketer under the GDPR?

The privacy legislation differentiates between different roles. Depending on your role, the GDPR imposes different requirements that you have to meet. Roles include the responsible party (the party that decides to process personal information for a given purpose and which defines this purpose and the means that will be used), the person involved (the natural person whose personal information is being processed) and the processor (the party tasked by the responsible party with “supporting” or executing the processing of personal information).

When you, as a marketer, decide to use Webpower (or a different ESP) to email your customers for a purpose you defined (e.g. your weekly newsletter), this makes you the responsible party, while Webpower is the processor (whom you will task with processing the personal information) and the person whose email address you give to Webpower to send emails to is the person involved. It is legally required to draw up written agreements between the responsible party and the processor, e.g. pertaining to what the processor can do with the information, how the processor will secure the data and how both parties will deal with possible data leaks and the rights of the persons involved. These points must be recorded in a so-called processor agreement.

When can you collect personal information from persons involved?

You will need a legitimate reason to do so. There are various reasons for you to process personal information, such as needing this information to execute an agreement, a legal obligation, permission and legitimate interest. Permission is a particularly important reason for (direct) marketing under the GDPR:

  • Permission: valid permission under the GDPR must be a “freely given, specific, informed and unequivocal expression of will.” This means that giving permission must be a clear, active action (e.g. checking a checkbox), that the person involved cannot be coerced in any way (e.g. by making a newsletter subscription a prerequisite for placing an order) and that your permission request must be sufficiently specific so that people know exactly what they are giving permission for and what they can expect from you (e.g. you sending them a newsletter with your latest offers via email once per week). Furthermore, you must provide sufficient information about what you will do with the personal information you collect (that is why you should always refer to your privacy policy when asking for permission).

Besides these requirements, another important aspect of “permission” is that the person involved can revoke the permission they have given at any time and that the process of revoking one’s permission should be just as easy as giving it. You must therefore include an opt-out option in every commercial message. Furthermore, you, being the person responsible, must be able to prove that you received permission.

How can I set up my registration process?

We recommend using a multi-stage registration process. By including steps such as registering, giving permission and confirming one’s permission and email address in your registration process, you can e.g. make sure that the email address someone enters is correct. This method also makes it easy to prove that you received valid permission. This blog (stage two of the Road to the GDPR) covers how best to draw up your registration text. The ins and outs of the burden of proof under the GDPR and how you can meet this requirement are covered in this blog (stage three of the Road to the GDPR).
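As an added illustration of the multi-stage process described above (this is example code, not code from the original post or from Webpower): a minimal double opt-in flow in which permission must be an active tick, the email address is proven by a confirmation link, every confirmed permission is logged together with the exact consent text and timestamps, and withdrawing is a single step. The consent text, form name and HMAC token scheme are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Constructed for this example: the consent text shown next to the checkbox,
# stored verbatim so the log shows exactly what the person agreed to.
CONSENT_TEXT_V1 = "Send me your weekly newsletter with the latest offers by email (see privacy policy)."
SECRET = secrets.token_bytes(32)  # server-side key for confirmation tokens (assumption)

PENDING = {}   # email -> registration waiting for the confirmation click
CONSENTS = []  # append-only log: the evidence that valid permission was received

def register(email, consent_ticked, form_name, now=None):
    """Stages 1-2: form submitted. Permission must be an active tick, never a default."""
    if not consent_ticked:
        raise ValueError("no permission given: an unticked or pre-ticked box is not valid consent")
    now = now or datetime.now(timezone.utc)
    nonce = secrets.token_hex(16)
    token = hmac.new(SECRET, f"{email}:{nonce}".encode(), hashlib.sha256).hexdigest()
    PENDING[email] = {"email": email, "form": form_name, "consent_text": CONSENT_TEXT_V1,
                      "registered_at": now.isoformat(), "token": token}
    return token  # goes into the confirmation link emailed to the address

def confirm(email, token, now=None):
    """Stage 3: link clicked. Proves the address is real and belongs to the person who ticked."""
    rec = PENDING.get(email)
    if rec is None or not hmac.compare_digest(rec["token"], token):
        return False  # unknown address or forged link: nothing is recorded as consent
    now = now or datetime.now(timezone.utc)
    rec = {k: v for k, v in rec.items() if k != "token"}
    CONSENTS.append({**rec, "confirmed_at": now.isoformat(), "withdrawn_at": None})
    del PENDING[email]
    return True

def withdraw(email, now=None):
    """Opt-out: one step, as easy as opting in. The record is closed, not deleted, so history stays provable."""
    now = now or datetime.now(timezone.utc)
    for rec in CONSENTS:
        if rec["email"] == email and rec["withdrawn_at"] is None:
            rec["withdrawn_at"] = now.isoformat()
            return True
    return False

def may_send(email):
    """Only confirmed and not-withdrawn permission allows a commercial email to go out."""
    return any(r["email"] == email and r["withdrawn_at"] is None for r in CONSENTS)
```

The entries in `CONSENTS` are what you would produce when asked to show how and for what permission was obtained.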

What about existing clients?

At the moment, the Netherlands makes an exception for sending commercial messages to existing clients. This has to do with the Telecommunication Act. You are therefore allowed to approach existing clients via email to promote products and services similar to what they already purchased from you, even if they did not give you explicit permission to do so. An important condition is that you must first inform your clients of your intention to send them these messages, how often you will do so and via which method and what the messages will be about. Furthermore, you must offer them an opt-out option (the right to object) before sending them any commercial messages. However, new privacy legislation (the e-Privacy Regulation) is being drawn up. This European legislation will complement the GDPR and contain specific rules pertaining to e.g. the use of cookies and the sending of commercial messages. The e-Privacy Regulation has not been finalised yet, so it is unclear what exactly will change and how.

Myth:

  • The exception that permits the sending of commercial emails to existing clients will definitely be abolished. At the moment, this does not appear to be the case, as long as you follow the stipulations of the Telecommunication Act for now. It is advisable to keep a close eye on the latest developments concerning the e-Privacy Regulation.

GDPR compliant with Webpower

Under the GDPR (which will enter into effect on May 25th, 2018), you will have to be able to demonstrate how permission was obtained and exactly what that permission pertains to. This applies to new registrants, but also applies retroactively to your existing database. Thankfully, Webpower has developed the GDPR Version Manager and the GDPR Easy Consent Manager, which will ensure that all of your email marketing from now on is fully GDPR-compliant.


It is important to us to handle the new privacy legislation correctly. The contents of this blog have therefore been verified by ICTRecht. We provide this information to you so you can gain a better understanding of what the GDPR can mean to marketers. The purpose of this blog article is to share knowledge and it should not be viewed as official legal advice. In reading this article, you safeguard Webpower, ICTRecht and the author against any legal implications. We recommend always consulting a legal adviser before implementing any GDPR-related measures in your organisation.
