Direct Marketing and GDPR

Direct marketing is a very useful commercial tool and is perfectly allowed under GDPR provided certain aspects are taken into account.

What is considered direct marketing?

Any communication, solicited or unsolicited, aimed at the promotion or sale of services, products as well as brands or ideas, which is addressed directly to one or more natural persons in a private or professional context and which involves the processing of personal data.

Our practical advice comes first, followed by more detail.

Direct Marketing and GDPR – Practical advice

  1. You can’t just bombard (spam) people with marketing messages. If your marketing is done over the phone, you must absolutely respect the exclusion list of the respective country.
  2. You must have a good privacy statement and you must also refer to that policy in your marketing message for people to consult.
  3. Make sure you mention how you got the address of the addressee, e.g. "because you entered your email address at our booth at the book fair in February 2020".
  4. Make sure that addressees can easily object to the message or withdraw their previously given consent; and that you can provide proof of their consent if requested.
  5. Make sure your direct marketing activities are well documented in your GDPR register.

The details – What does the GDPR oblige me to do?

For your direct marketing – as for any other activity you undertake with personal data – you must:

  • accurately determine the processing purpose
  • have a valid legal basis to pursue those goals
  • be transparent to data subjects about what you do with their personal data
  • ensure that data subjects can effectively exercise their rights
  • be able to demonstrate at all times what you have done to comply with the GDPR
  • provide appropriate security measures

As a subscriber to you can fulfill your obligations (1 to 5) by adding the correct process to your customer file and (6) by following our standard approaches to data & system security.

What is a valid legal basis for direct marketing?

Direct Marketing under the GDPR: Consent and Legitimate interests

Direct marketing usually involves the legal grounds ‘consent’ and ‘legitimate interests’.

Legitimate interest

Make sure that your interests are indeed justified. Make sure that the processing is necessary to serve the interest that you are pursuing and that the balancing of the interests weighs in your favor. In doing so, you should pay particular attention to two things with regard to the reasonable expectations of those involved:

A. If you rely on a legitimate interest, the data subject must be able to object. The right of objection of the data subjects must be brought to their attention from the first contact. If they object, you must absolutely stop processing their data for direct marketing purposes.

B. If you have obtained the personal data from the data subject yourself, you must have a robust privacy statement and make reference to it in your marketing message. As a subscriber to, you can quickly draw up and download such a privacy statement.

If you have obtained the personal data through another route, there are additional obligations. If you want to do marketing in this way, it is best to contact a specialist.


Consent

If you base your marketing on the consent of the data subjects, you should pay particular attention to:

  1. Consent is given in an informed manner. In other words, the data subject has had access to clear, accessible and complete information about what they consent to.
  2. The consent is freely given, so not under any pressure. In an employer-employee relationship, for example, it is usually assumed that the consent of the employee cannot be regarded as freely given.
  3. The consent is specific to a certain type of processing that is clearly communicated to the data subject.
  4. The consent is unambiguous.
  5. The person can withdraw their consent at any time (similar to objection under legitimate interest).
  6. You can prove that you have received a valid consent.