Consent of the party concerned

The basic rule of the GDPR is that the user must give his express, active consent for his personal data to be stored and processed.

Therefore, pre-ticked boxes (opt-out) are no longer allowed as a way of signing users up for a newsletter or commercial announcements.


Example


You collect data from your users, including their e-mail address, and use that address to send a monthly mailing with an overview of the services and promotional offers.


Not in line with the GDPR


When creating the customer account, this was indicated in extremely fine print somewhere at the bottom of the website and the “I agree” box was already ticked proactively. This is clearly not an active operation on the part of the customer, and the processing of personal data is therefore not lawful.


In line with the GDPR


When creating the customer account, this was indicated in block letters and boldface on the website together with a disclaimer “I agree to this processing” which the customer must tick in order to activate the mailing. This clearly requires an active operation from the customer and is therefore fully in line with the GDPR.


Exceptions


Do you always need the customer’s consent? The answer is no. There are fortunately several logical exceptions.


Contractual obligation


The most important exception is perhaps that consent is not needed when the processing is required to perform an agreement with the customer.

When a customer purchases services from you, a contractual cooperation comes into being. You provide the service and the customer pays you for it. So if you process the customer’s data to draw up and send the invoice, you do so to perform the contract you have concluded with the customer. You do not need the customer’s consent to do so.


Legal obligation


Another exception is the legal obligation that makes the processing necessary.

Example: You collect a large amount of data about your employees, which you keep in a file and then submit to your social secretariat, which uses that data to draw up the pay slips and to pay your employees. Furthermore, the social secretariats have to provide copies of the payroll documents to the government. Inland revenue is fully aware of your salary. In this example, a legal obligation is clearly at issue, which is equivalent to the consent of the person concerned.

Finally, there are a few other exceptions:


Registration data


At megalotto.be, we have a very clear case that falls under this category, namely requests for the registration data of private registrants. We have for years provided no contact data of private registrants (other than the e-mail address). This does not mean that these data are under lock and key for eternity.