Establishing communication with customers for the purpose of marketing initiatives

Regardless of whether a company has a contract with the customer, it is in any event necessary to obtain separate consent from the customer to receive advertising. Consent must be clearly expressed. In order to ensure that consent is given clearly and thoughtfully by the customer, the company must ensure that the customer is aware of what personal data may be used and to what extent, for what purpose, and it is important to make clear the customer’s ability to withdraw consent at any time. Ensuring such information will not only ensure compliance with the requirements of the applicable regulation, but will also contribute to the customer's trust in the company.

Recent examples include the decision taken by the French supervisory authority on 14 November 2024 to impose a fine of EUR 50 million on Orange. The case was based on the fact that a telecommunications operator providing electronic messaging services to its customers displayed e-mails containing advertisements in users' electronic mailboxes among the customer's e-mails. This case vividly illustrates the consequences and their possible extent in the event of non-consent.

In cases of processing of personal data, the most important thing is respect for the data subject's rights, which in this case implies not only obtaining explicit consent but also respecting the data subject's wish to withdraw previous consent. In 2020, a case was identified in Hungary where an airline did not properly comply with a data subject's request to erase his personal data in relation to the use of his email address for marketing purposes. In this case, the data subject requested the deletion of his email address in order to no longer receive marketing messages from the company. The company replied that it had received the request but requested an additional eight weeks to comply with it. The data subject did not consent to this extension and insisted on the deletion of the data. After some time, the data subject received a message about the deletion of the data, but continued to receive messages despite this claim, which resulted in the finding of a breach of the GDPR. Based on the circumstances of this case, it can be concluded that the company must not only listen to the requests made by the data subject, but also provide an effective mechanism for their enforcement. The company must take into account that such rights exist for the subject and that they must be duly respected.

In this context, the issue of attracting new customers can also be mentioned. On 4 December 2024, a decision was taken in relation to the company KASPR. KASPR allows its clients to retrieve from its database, for a fee, the professional contact details of people whose profiles they visit on LinkedIn. As a result, the company's clients can contact those persons to make various offers, including for marketing purposes. In the present case, a number of complaints were received from individuals who received various types of offers from the company's clients, which also led to the finding of a breach of the GDPR. The issue of attracting new customers requires a well thought out procedure where the requirements of the legal framework are addressed from the very first steps taken by the company - approaching potential customers.

Despite the fact that this topic has not appeared on the agenda of the Supreme Court in Latvia recently, it is likely that this trend will change, as both the data subjects themselves and the supervisory authority are increasingly beginning to pay more attention to marketing activities which involve processing of personal data.​