21 February 22 | Lisboa
Directive 2022/1

The National Data Protection Committee (CNPD) published Directive 2022/1 regarding direct marketing through electronic communications, specifically addressed to data controllers and processors.

This Directive sets out various guidelines at a time when the CNPD has received an increasing number of complaints concerning unsolicited direct marketing through electronic communications.

Firstly, the CNPD emphasizes that direct marketing through electronic communications may be carried out under the following conditions:

  1. If a customer relationship is already established and:
     i. The marketing concerns similar products or services to those already acquired by the customer, then no consent is necessary; however, the right to object must be guaranteed both at the moment of data collection and with each message sent.
     ii. The marketing concerns different products or services from those already acquired by the customer, then prior and express consent must be given.
  2. If there isn’t a prior customer relationship, the data subject must give prior and express consent.

Direct marketing campaigns must abide by the foundational principle which limits the scope of personal data processing in its triple dimension: legitimacy, loyalty and transparency.

In this regard, consent should not be considered valid when:

  1. The processing of data and the declaration of consent are explained in an ambiguous way and lack transparency, with consent collected through online contests which intend to obtain consent for data transmission to third parties or to develop direct marketing campaigns on behalf of third parties;
  2. It is requested for the processing of data by a third party and the entity which collects the data does not explicitly identify that third party and the context in which the processing of data will occur;
  3. It is demanded for website access or participation in certain activities, such as contests or viewing content, where that access or participation depends upon the subscription to and acceptance of personal data processing operations in bulk, whether or not necessary for that access or participation, in which direct marketing is included.

Accordingly, consent must be given through a positive and clear act which manifests a free, specific, informed and unambiguous will, in accordance with what is already established in the General Data Protection Regulation.

The various obligations of the data controller according to the principle of liability are also emphasized.

Entities must adopt technical and organisational measures tailored to data protection (privacy by design). Where these entities resort to processors or sub-processors, they must choose them carefully so as to ensure that the rights of data subjects are respected.

Additionally, the data controller cannot be exempted from liability by omission, as they must give precise and documented instructions to processors regarding all features of the data processing in question, as well as monitor their operation.

The Directive also reasserts that the data controller must exercise effective control over any subsequent subcontracting, knowing of and approving it beforehand. These relationships must be regulated by written contracts.

Finally, the controller must keep an updated list of people who explicitly manifested their consent to receiving these kinds of communications, as well as other customers who did not object to receiving them.

Consequently, the burden of proof concerning the data subject’s consent and the guarantee of the right to object lies with the data controller.