GNP Guia Naghi & Partners The Legal 500 – The Clients Guide to Law Firms
23855
post-template-default,single,single-post,postid-23855,single-format-standard,theme-stockholm,qode-social-login-1.1.3,qode-restaurant-1.1.1,stockholm-core-1.1,woocommerce-no-js,select-theme-ver-5.1.8,ajax_fade,page_not_loaded,side_area_over_content,wpb-js-composer js-comp-ver-6.0.5,vc_responsive
23 October 2024 In Cold Calls, Consent, GDPR

Roxana Barica – Cold calls

  1. UNDERSTANDING “PERSONAL DATA”

The definition of personal data explicitly refers to natural persons, and information related to legal entities is generally not covered or protected by the General Data Protection Regulation (GDPR). However, certain data protection rules may still indirectly apply to information related to businesses or legal entities in specific circumstances where such information can lead to the identification of a natural person.

For example, there is a distinction if the email address of a potential client is: contact@potentialclient.rooffice@potentialclient.com, or sales@potentialclient.com, for which GDPR rules will not apply as these are considered identification data of the legal entity. Conversely, if the processed email address is firstname.lastname@potentialclient.ro, GDPR rules will apply. Similarly, a phone number that may lead to the identification of a natural person will also entail the application of GDPR.

  • RELEVANT LEGISLATION

Beyond the GDPR, it’s important to note that the concept of unsolicited commercial communications, as regulated by Article 12 of Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector (“Law 504/2004”), also applies to legal entities receiving such communications.

The law states:

“(1) The making of commercial communications using automatic calling and communication systems that do not require human operator intervention [Note: We emphasize this point because, although not confirmed by the Romanian Supervisory Authority, industry consensus indicates that the only communication method excluded by this Article is a call with a human operator], by fax, electronic mail, or any other method using public electronic communications services, is prohibited unless the subscriber or user has given prior express consent to receive such communications.”

“(4) The provisions of paragraphs (1) and (3) shall apply accordingly to legal entity subscribers.”

The same legislation defines electronic mail as “the service that consists of transmitting messages in text, voice, sound, or image format through a public electronic communications network, which can be stored in the network or in the recipient’s terminal equipment until received by the recipient.”

Additionally, we reference:

  • RELEVANT PRACTICES FROM OTHER EUROPEAN COUNTRIES

  • Poland: According to a court decision, telemarketers must obtain consent from potential clients before making any marketing calls. This consent cannot be solicited during the initial marketing call. Telemarketers are required to make at least two calls: the first to request consent for future marketing communications (without any marketing content) and a second call for the actual marketing, provided consent is granted. 
  • France: Email marketing is permissible, but individuals must be informed in advance. Natural persons must give their prior consent, while professionals must be given the opportunity to opt-out.
  • Belgium: Each marketing email must clearly identify the sender and provide a simple way for recipients to unsubscribe from future communications. This requirement is mandated by both the GDPR and the Royal Decree of April 4, 2003.

  • BRIEF CONCLUSIONS

While prospecting clients by contacting representatives of legal entities using publicly available contact details is a common practice, it’s important to consider the nuances from a personal data perspective:

  • Applicable Law: According to Law 504/2004, any processing of contact details, except for calls with a human operator, may be considered an infringement if there is no opt-out option. Since the most commonly processed data includes email addresses with individuals’ names, these should be treated as personal data, making GDPR applicable.

  • Legal Basis for Processing: Data controllers must ensure they have a legal basis for processing personal data, such as obtaining the potential client’s consent or relying on legitimate interests. If processing is based on legitimate interests, a Legitimate Interests Assessment (LIA) is necessary to determine if the data controller’s interests outweigh the rights and freedoms of individuals. Additionally, the right to object must be clearly mentioned in any marketing communication, and individuals’ objections must be respected and documented. The right to object should be as accessible as the initial contact method, whether by phone, email, or direct message, without redirecting individuals to other channels that require additional steps.

  • Transparency: When contacting representatives of potential corporate clients, it’s crucial to clearly and simply inform them who you are, how you obtained their contact details, the purpose of the contact, and request their consent for future communications (if the legal basis is consent) or offer them the right to object (if the legal basis is legitimate interest). Article 14 of the GDPR should be observed, and a contact address should be provided for more information.

  • The Concept of “Publicly Available Data”: Although it’s common to use publicly available data (like job emails) for direct marketing, it’s specifically required that the person contacted for marketing purposes represents the business in a relevant area. For example, data protection inquiries should go to dpo@company.com, and sales offers to sales@company.com. The purposes for which an individual makes their email public, such as on LinkedIn for job recruitment or conference invitations, should be respected and not used for unrelated direct marketing.

Tags:
No Comments

Post a Comment