Czech Data Protection Authority: newsletters without consent

One of the tasks of the Czech Data Protection Authority - Úřad pro ochranu osobních údajů (DPA) is to supervise over statutory compliance of dissemination of commercial communications by electronic means (such as newsletters). 

In this context, the Czech DPA recently addressed in its audit report from 2022 the topic of the compliance of direct marketing practices with both the GDPR and the other relevant Czech laws. 

A brief introduction is in order. Direct marketing is a viable tool for companies to promote their business and upsell their products or services to specific individuals. However, the lawfulness of this promotion practice is subject to GDPR and other relevant requirements under local laws. 

Specifically, the processing must be lawful in accordance with Article 6 paragraph 1 GDPR, must be based on adequate prior information and must be discontinued if the data subjects withdraw their consent (Art. 7 GDPR) and or object to the use of their personal data for such purposes (Article 21 GDPR). 

Moreover, in the Czech Republic, if a company engages in marketing via the use of electronic means, such as by e-mail or SMS/MMS messages, the relevant provisions of Act No. 480/2004 Sb., on certain services of the information society, must also be observed when sending such commercial communication. These stipulate that:

In all cases, commercial communication needs to be clearly marked as such, it must identify the sender or the company on whose behalf the communication is made and must be sent from a valid address, as to allow the recipient to object to the processing. 

Now, one of the questions under the scrutiny of the DPA was the identification of a maximum time frame for the transmission of commercial communication based on the “opt-out principle” following the “last transaction” between the data controller and the customer (meaning the last completed order, provision of good or services or the end of the contractual commitment in general). 

The data controller at issue was initially processing its customer data for three years after the end of the contractual relationship. The DPA found this processing to occur for longer than what would have been necessary for the purpose of direct marketing, but it welcomed the data controller´s corrective measure to reduce the period of processing for direct marketing purposes to six months. 

In its audit report, the DPA stated that a period of six months is considered acceptable and in line with common practices. Therefore, companies are advised to align the processing of customer data for the purposes of direct marketing by setting adequate time of processing. 

The best practice is to limit the processing to the maximum period of six months. After expiration of this time period, the data may no longer be processed for the purpose of direct marketing. 

However, the lawfulness of the process still requires the contact details to be lawfully obtained and that data subjects are duly informed on how they may object to the use of their personal data.