Processing of Personal Data for Marketing Purposes in Denmark – What’s New?
In June 2023, the Danish Data Protection Agency published its guidelines describing the GDPR rules that are particularly relevant when organisations process personal data for direct marketing purposes. Eric Husum and Susanne Stougaard of Bech-Bruun discuss this development.
Egil Husum
Susanne Stougaard
The guidelines include, among other things, a new interpretation in relation to the use of legitimate interest as legal basis, advertising via social media, the limits of profiling and the use of “double consent”.
A prerequisite for using marketing tools in connection with emails, direct messages on social media and specific advertising is that the requirements in the GDPR are complied with, given that marketing tools often involve processing of personal data.
Organisations often use a wide range of marketing tools such as newsletters, profiling tools, pixels, cookies, ads, and social plugins, and must therefore consider whether the rules in the Danish Marketing Practices Act, the Danish Consumer Contracts Act, the Executive Order on Cookies, etc, must be complied with as a supplement to the GDPR.
The Danish Data Protection Agency's new guidelines on direct marketing focus on the fundamental rules of the GDPR that must be in place in order to process personal data for direct marketing purposes. This includes requirements for mapping processing activities, documenting lawfulness, data minimisation, erasure, compliance with the duty to provide information and special requirements for processing personal data about children for marketing purposes.
Furthermore, the guidelines contain new interpretations and assessments of several direct marketing activities that are widely used by many organisations. Below, we have selected and described the most important new interpretative contributions.
Legitimate interests as a legal basis
The Danish Data Protection Agency emphasises that the data controller must always be able to document and demonstrate the legality of legitimate interests (the balancing of interests rule) as a basis for processing personal data for direct marketing purposes. In practice, this means (especially for more intrusive processing) that the data controller must prepare a written assessment involving:
- the strength or intensity of the legitimate interest;
- the consequences of the data controller’s processing of the data for the data subjects;
- what data subjects can reasonably expect in the situation;
- the category of data subjects, for example child, elderly person or other vulnerable person;
- the category of the personal data;
- the way in which the information is processed; and
- whether additional privacy-enhancing measures have been implemented, for example, pseudonymisation.
Thus, data controllers must prepare an “LIA” (legitimate interest assessment) prior to the processing. The Danish Data Protection Agency also states in the guidelines that a "contract" (GDPR Article 6(1)(b)) cannot generally be used as a basis for processing personal data for direct marketing purposes.
Profiling with or without consent
“Through several examples, the Danish Data Protection Agency provides a benchmark for when consent is required and when to apply the balancing of interests rule.”
Consent is required in the following situations:
- when profiling is based on information about product purchases, times of purchase and the customer's movement pattern in the store’s premises;
- when using beacons for the purpose of sending offers and building profiles; and
- when tracking and profiling of natural persons across websites for the purpose of targeted marketing implies real-time use – eg, for personalised ads, etc.
However, consent may not be required when it comes to profiling based on information about name, address, telephone number, email address and purchase history for marketing purposes, which according to the Danish Data Protection Agency, may be based on the balancing of interests rule, provided that the data subjects have been clearly informed about the processing and have been given the opportunity to object.
“Double consent”
In several cases, the data controller will be required by other regulation to obtain consent as part of direct marketing. This includes consent to place cookies and pixels, etc (see the Executive Order on Cookies), to send marketing via, eg, email (see the Danish Marketing Practices Act), and to call consumers for marketing purposes (see the Danish Consumer Contracts Act).
The Danish Data Protection Agency emphasises that when it is necessary to obtain consent under these laws, the legal basis for the processing of personal data for direct marketing purposes will, as a general rule, also be consent.
Conversely, if the data controller does not need consent under other legislation, the data controller can use the balancing of interests rule.
Advertising via social media
In the guidelines, the Danish Data Protection Agency describes the situation where an organisation provides a customer's email address to a social media platform with the purpose of matching the organisation's list of email addresses with the email addresses held by the social media platform. In this way, the organisation can target marketing of similar products to customers on the social media platform via advertisements. The Danish Data Protection Agency assesses that the processing can be based on the balancing of interests rule, provided that the data controller has informed the customer that the email address will be used for this purpose and provided that the customer has been given the opportunity to object.
The procedure is very similar to lookalike audience and custom audience (via, for example, Facebook and Google), and the Danish Data Protection Agency, thus, opens up the possibility to use these services without consent to some extent. However, the Danish Data Protection Agency does not address the problems that may arise if there is a joint data responsibility with the social media platform.