Processing of Personal Data for Marketing Purposes in Denmark – What’s New?

The guidelines include, among other things, a new interpretation in relation to the use of legitimate interest as legal basis, advertising via social media, the limits of profiling and the use of “double consent”.

A prerequisite for using marketing tools in connection with emails, direct messages on social media and specific advertising is that the requirements in the GDPR are complied with, given that marketing tools often involve processing of personal data.

Organisations often use a wide range of marketing tools such as newsletters, profiling tools, pixels, cookies, ads, and social plugins, and must therefore consider whether the rules in the Danish Marketing Practices Act, the Danish Consumer Contracts Act, the Executive Order on Cookies, etc, must be complied with as a supplement to the GDPR.

The Danish Data Protection Agency's new guidelines on direct marketing focus on the fundamental rules of the GDPR that must be in place in order to process personal data for direct marketing purposes. This includes requirements for mapping processing activities, documenting lawfulness, data minimisation, erasure, compliance with the duty to provide information and special requirements for processing personal data about children for marketing purposes.

Furthermore, the guidelines contain new interpretations and assessments of several direct marketing activities that are widely used by many organisations. Below, we have selected and described the most important new interpretative contributions.

The Danish Data Protection Agency emphasises that the data controller must always be able to document and demonstrate the legality of legitimate interests (the balancing of interests rule) as a basis for processing personal data for direct marketing purposes. In practice, this means (especially for more intrusive processing) that the data controller must prepare a written assessment involving:

Thus, data controllers must prepare an “LIA” (legitimate interest assessment) prior to the processing. The Danish Data Protection Agency also states in the guidelines that a "contract" (GDPR Article 6(1)(b)) cannot generally be used as a basis for processing personal data for direct marketing purposes.

Consent is required in the following situations:

However, consent may not be required when it comes to profiling based on information about name, address, telephone number, email address and purchase history for marketing purposes, which according to the Danish Data Protection Agency, may be based on the balancing of interests rule, provided that the data subjects have been clearly informed about the processing and have been given the opportunity to object.

In several cases, the data controller will (by other regulation) be required to obtain consent as part of direct marketing. This includes the placement of cookies and pixels, etc, (see the Executive Order on Cookies), to send marketing via – eg, email (see the Danish Marketing Practices Act), and to be able to call consumers for marketing purposes (see the Danish Consumer Contracts Act).

The Danish Data Protection Agency emphasises that when it is necessary to obtain consent under these laws, the legal basis for the processing of personal data for direct marketing purposes will, as a general rule, also be consent.

Conversely, if the data controller does not need consent under other legislation, the data controller can use the balancing of interests rule.

In the guidelines, the Danish Data Protection Agency describes the situation where an organisation provides a customer's email address to a social media platform with the purpose of matching the organisation's list of email addresses with the email addresses held by the social media platform. In this way, the organisation can target marketing of similar products to customers on the social media platform via advertisements. The Danish Data Protection Agency assesses that the processing can be based on the balancing of interests rule, provided that the data controller has informed the customer that the email address will be used for this purpose and provided that the customer has been given the opportunity to object.

The procedure is very similar to lookalike audience and custom audience (via, for example, Facebook and Google), and the Danish Data Protection Agency, thus, opens up the possibility to use these services without consent to some extent. However, the Danish Data Protection Agency does not address the problems that may arise if there is a joint data responsibility with the social media platform.