What good is it to have the best product if no one knows about it? Marketing, as the process by which a product or service is introduced and promoted to potential customers, is indeed one of the core tools for any business.

What good is it to introduce and promote your product to people who are NOT interested? Or to gain thousands of customers and then, because of inadequate security, have them suing you? Data protection laws, such as data protection by design and by default, are also another core tool for any business.



That being said, this article aims to address some situations that marketers may face when trying to get new clients while also complying with current EU data protection laws. The idea is to provide practical insights into where to look and how to solve them.

1. Purpose Limitation

If you are collecting people’s names and email addresses (building your email list) by promising “free” access to products and/or services, you should keep the following in mind:

  • The use of the term “free” may be misleading, since you are asking for personal data in exchange for access to a product or service, and that data will later be used for marketing purposes. You are not actually giving anything away (for free).


  • At the moment the personal data is collected, you have to specify the purpose of the collection, that is, what you are requesting that email for (e.g., to offer your products and services). Whatever the purpose of the collection, it has to be defined, clear, lawful, recorded and specified in your Privacy Policy.


  • Ensure that the personal data obtained is only processed in a manner compatible with the purpose stated at the moment of collection. For example, if you ask for an email address to market your products, you can use it only for that. You are not allowed to use it for another goal, such as selling third-party products or services. This is really important to keep in mind for marketers doing affiliate marketing.

2. Solicited vs. Unsolicited Marketing

No legal basis is required under the law to provide marketing material to a person who has specifically requested it. Naturally, the personal data must be handled in accordance with the GDPR.

On the other hand, when it comes to unsolicited marketing (marketing material that the person has not specifically requested, e.g., “cold” emails addressed to natural persons), the ePrivacy Directive applies and consent is required (freely given, specific, informed and given by a clear affirmative action).

Organisations cannot rely on implied consent (e.g., silence, pre-ticked boxes or inactivity). An active opt-in, such as clicking an icon or sending an email, is required to guarantee the person’s free choice to consent or not. Additionally, an opt-out option has to be provided to the individual at the time his or her details are collected and in each subsequent marketing email.

If the individual becomes your client, direct marketing might be a legitimate interest under the terms of the GDPR; however, it is not a sine qua non. Hence, if you want to use this as a legal basis, you need to show that your processing passes the necessity and balancing tests.

3. Use of Social Networks: “Facebook Fan Page”

If you are using a Facebook Fan Page, note that on 5 June 2018 the European Court of Justice ruled that companies using Facebook Fan Pages are considered joint controllers, and hence liable for Facebook’s processing of visitors’ personal data.

In other words, an organisation with a Facebook Fan Page is jointly liable for the personal data processing activities of Facebook (which is not exactly the most reliable company when it comes to processing personal data) and, as such, it can be subject to regulatory and legal actions independently and at its own risk.

Thus, it would be wise to avoid using Fan Pages, or recommending their use so avidly. The same careful assessment should be done for other products and for the use of other social networks.

It goes without saying that I agree that social media is a powerful tool to generate more business; the advice is to evaluate the platform and assess which product gives you what you need without undermining lawfulness and fairness.

4. ePrivacy Directive

It is true that the principal EU legal instrument on data protection is the GDPR. However, the specific rules at EU level for the processing of personal data and the protection of privacy in the electronic communications sector are set by the ePrivacy Directive; hence, familiarising yourself with this regulation and applying it is a must.

The ePrivacy Directive covers important matters such as the legal basis for the collection of personal data for sending some marketing and advertising by electronic means, rules around consent for cookies and other tracking technologies, caller identification, call blocking, location data, public directories, etc. This doesn’t mean that the GDPR is irrelevant: it applies to all matters concerning privacy and data protection. The two pieces of legislation work together, strengthening and complementing each other.

Therefore, when preparing content about marketing and data protection, or deciding to attend a training, course or presentation in the field, check that the material covers the relevant provisions of the ePrivacy Directive and the proposed amendments to turn it into an EU Regulation (as the GDPR currently is). Otherwise, there is a high chance that the material is, or will shortly become, irrelevant.

5. Other Laws, Regulations, and Codes

When defining your marketing strategies, you should consider the national data protection acts, which have implemented the GDPR into national law; the ePrivacy Directive and its proposed amendments; and other laws, regulations, and codes that may apply to your marketing and advertising activities, such as consumer protection laws, advertising standards or gaming laws. For instance, in the United Kingdom, we can mention the Consumer Protection from Unfair Trading Regulations, which affect advertising to consumers, and the Direct Marketing Code of Practice published by the Direct Marketing Association (DMA), which is mandatory for all DMA members.

You don’t need to market illegally to get clients. Knowing how to apply the law can help you acquire data directly and voluntarily from the customer, which is the cleanest data that can be used and, of course, translates into higher conversions. Best of luck!

Jessica Lam

Lawyer and Entrepreneur.