Processing of Personal Data on the Basis of So-Called Legitimate Interest (for the Purposes of Sending Commercial Communications)

2020/04/13

Regulation (EU) 2016/679 of the European Parliament and of the Council, referred to as the GDPR (hereinafter “the Regulation”), and the Czech Act on Certain Information Society Services permit, in certain cases, the sending of commercial communications without the prior express consent of the addressee. We examined in detail the issues related to the processing of personal data (for the purposes of sending commercial communications) based on consent in legal circular 1/2018. This legal circular addresses the processing of personal data for the purposes of sending commercial communications on the basis of so-called legitimate interest (pursuant to Article 6(1)(f) of the Regulation).

Article 6(1)(f) of the Regulation specifically provides that processing (of personal data) is lawful where “it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.” The legal basis for such processing is therefore the legitimate interest of the controller concerned or of a third party. Recital 47 of the Regulation adds to this provision that “such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing… The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

In the case of processing personal data on the basis of legitimate interest, a legitimate interests assessment should be carried out by the controller, including the so-called balancing test, where the legitimate interests of both parties are compared. According to an informal statement by the Office for Personal Data Protection (Úřad pro ochranu osobních údajů), this legitimate interests assessment should be in favour of the trader in those cases where all requirements laid down by the Act on Certain Information Society Services are observed by the trader.

In this context, it is possible in particular to mention the requirements given in Section 7(3) of the Act on Certain Information Society Services, namely that the addressee of the commercial communication must be a previous customer of the trader, that the commercial communications sent must concern similar products or services (which the customer previously purchased), and that “the customer has a clear and distinct possibility in a simple manner, free of charge… to refuse consent to such use of his electronic contact also when each individual message is sent, if he did not originally refuse such use.” This last-mentioned requirement merits increased attention, as it constitutes implementation of Directive 2002/58/EC of the European Parliament and of the Council (hereinafter “the Directive”), which contains a more precise specification of the aforementioned obligation than the national regulation; nevertheless, the interpretation of the Czech national regulation should correspond to the wording of the Directive. The Directive provides that customers must be “given the opportunity in a clear and distinct manner to object, free of charge and in an easy way, to such use of electronic contact details at the time when they are collected…” This consequently means an obligation to add a check-box for the customer’s possible opt-out already at the time of collection of his contact details.

Section 7(4) of the Act on Certain Information Society Services then adds that “the sending of electronic mail for the purpose of disseminating commercial communications is prohibited if (a) it is not clearly and distinctly designated as a commercial communication, (b) it conceals or disguises the identity of the sender on whose behalf the communication is made, or (c) it is sent without a valid address to which the addressee could directly and effectively send information that he does not wish to continue receiving commercial information from the sender.”

If the trader decides to process personal data on the basis of legitimate interest, it must fulfil the GDPR requirements for processing on that legal basis, while also complying with the rules laid down by the Act on Certain Information Society Services.

Josef Aujezdský, advocate

Law Office Mašek, Kočí, Aujezdský www.e-Advokacie.cz – on-line legal advisory

This text was originally prepared by the law office Mašek, Kočí, Aujezdský in cooperation with the Association for Electronic Commerce (APEK) as legal circular No. 06/2018 intended for members of this association.

This text was translated from Czech to English using an AI translator.
