In this blog post, we will comment on the impact this new legislation will have in Sweden from a digital marketing perspective. The goal of GDPR is to harmonise data protection legislation across the European Union. The regulation nevertheless leaves room for certain national derogations, and for that reason we comment on the legislation from a Swedish perspective only. It should also be mentioned that the Swedish supplementary law is still in draft form, so it may change before May 25th, 2018.
On April 27th, 2016, the European Parliament and the Council adopted Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC. The regulation is known as the General Data Protection Regulation (GDPR). GDPR applies directly as law in Sweden from May 25th, 2018. On the same day, the Swedish Personal Data Act (1998:204), “PUL”, which is currently in force, will be repealed.
Like PUL, the goal of GDPR is to safeguard personal privacy and to protect individuals against intrusive and excessive processing of their personal data. In that respect there are no major changes in GDPR compared to PUL. However, GDPR brings several clarifications of the rules, clearer responsibility for those who handle personal data, and significant penalties for those who breach them.
GDPR contains the same basic rules as PUL regarding the processing of personal data: processing is only allowed if it is lawful and takes place for a specified, explicit purpose. Furthermore, the processing must be fair and transparent towards the data subject, who has an extended right to receive information about the processing both when the data is collected and afterwards. The processing is lawful only if it rests on one of the legal bases set out in Article 6 of the GDPR.
The legal bases largely correspond to the provisions of Section 10 of PUL, but some of them are defined more clearly in GDPR. For example, the new rules set higher requirements for what constitutes valid consent from the data subject. There are also more, and to some extent stricter, requirements on how the processing is carried out.
It is also stated that the processing must not be excessive, meaning that only the data needed to achieve the purpose may be processed (data minimisation). Furthermore, the data may only be processed for a limited period of time (storage limitation). As a general rule, the data subject must be informed in advance of how long the processing will continue; if it is not possible to state a defined period, the data subject must instead be informed of the criteria that determine how long the data will be processed. Examples of such criteria are that customer data is stored for as long as the data subject is a customer of the company, that employee data is processed for the duration of the employment, or that billing information is processed until the final payment has been made.
BUT HEY, WHAT ABOUT ADVERTISING?
The Article 29 Working Party (the EU's advisory body on data protection, made up of the national supervisory authorities) has stated that direct marketing, profiling and similar uses of personal data to track behaviour are allowed, but that consent must be obtained from the data subject. This is not new compared to PUL; what is new are the stricter requirements for that consent to be considered valid (more on this below).
The personal data controller must also ensure that no more data is processed than necessary, that the data is not kept for longer than is justified, and that it is not used for any purpose other than those specified. It is also important that the data subject is informed of the right to object to the processing at any time.
WHAT IS A VALID CONSENT?
According to GDPR, consent can only be given in relation to a predetermined purpose. This means that if personal data is to be processed for several purposes, several separate consents may need to be obtained. It is further stated that consent must be “freely given, specific, informed and unambiguous”, which requires the personal data controller to provide complete information about the intended processing in a clear manner. When obtaining consent, you must therefore explain not only what processing you intend to perform now, but also what processing may be carried out in the future.
Today it is common to use somewhat sweeping wording to indicate the purposes for which the data may be used, such as: “Your personal information will be used for newsletters, marketing of new products and the like.” Such wording will not be acceptable when the new rules come into force, because it does not give the data subject a clear idea of what the data will actually be used for, which means that the data subject cannot give informed consent to the processing.
It is also stated that it must be as easy to withdraw consent as it was to give it. The data subject must therefore be given clear information on how to withdraw consent, and as soon as it has been withdrawn, the processing of the personal data must stop, unless the personal data controller can demonstrate a legitimate ground for continuing the processing. Such grounds would, however, never cover continued processing for marketing or profiling purposes.
MORE ABOUT DIGITAL MARKETING
Contrary to what has been reported to some extent in the media, the new rules do not mean that the use of personal data for marketing and profiling purposes will be prohibited. Instead, clearer (and stricter) requirements are imposed on when and how such use is allowed. What must be made clear to the data subject:
WHAT ABOUT GOOGLE ANALYTICS?
Google Analytics and similar technologies will still be allowed under the new rules if the user consents to such use. If you do not already have consent for this use, you will need to obtain it before any tracking via Google Analytics or similar technologies takes place. Under GDPR, the personal data controller can be held liable for unlawful processing, which means that if you do not clearly inform your users about how their personal data is handled, you will not be able to use that data for marketing purposes.