====== Spam - GDPR ======

===== How does the GDPR affect email? =====

The GDPR requires organizations to protect personal data in all its forms. It also changes the rules of consent and strengthens people's privacy rights.

  * Any organization (companies, charities, even micro-enterprises) that handles the personal information of EU citizens or residents is subject to the GDPR.
  * That includes organizations not in the EU that offer goods or services to people there. If a company collects, stores, or uses the data of people in the EU, then the GDPR applies to it.
  * That means they may have an obligation to change the way they operate in some fundamental ways.

----

===== Email marketing and spam =====

The GDPR [[https://gdpr.eu/article-5-how-to-process-personal-data/|Article 5]] principles relate to **lawfulness, fairness, and transparency.** This means someone's data can only be used if it is allowed under one of six legal justifications, it must be fair to the data subject, and it must be based on transparent and unambiguous communication with the data subject.

GDPR [[https://gdpr.eu/article-6-how-to-process-personal-data-legally/|Article 6]] covers the six **lawful bases** that allow the **processing, collecting, storing and using of someone's data**.

  - Consent must be **freely given, specific, informed and unambiguous.**
  - Requests for consent must be **clearly distinguishable from other matters** and presented in **clear and plain language.**
  - Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. Companies cannot simply change the legal basis of the processing to one of the other justifications.
  - Children under 13 can only give consent with permission from their parent.
  - Organizations need to keep documentary evidence of consent.
  - Another lawful basis is having a **legitimate interest** in processing someone's data.

The [[https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32002L0058&from=EN|ePrivacy Directive, specifically Article 13]], presents organizations with another way to use someone's data for marketing purposes, which stems from the contractual basis of the GDPR.

  * According to Article 13, part 2, an organization **may use these electronic contact details for direct marketing of its __own__ similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner.**
  * Essentially this means that an organization can lawfully send you marketing emails about the service it provides you, as long as it informs you that you can opt out at any time.

==== What this means for email ====

  * GDPR does not ban email marketing.
  * GDPR does clarify the terms of consent, requiring organizations to ask for an affirmative opt-in before they may send communications.
  * Companies must also make it easy for people to change their mind and opt out.
  * If a marketing email does not present the option to unsubscribe, is sent to someone who never signed up for it, or does not advertise a service related to one the receiver uses, it is violating the GDPR.

----

===== References =====

  * https://gdpr.eu/email-encryption/
  * https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32002L0058&from=EN