Do not attempt to outsmart GDPR.

When your customers do not want to receive marketing materials : trying to outsmart them may come at a cost.

Customers can exercise their right to object to receiving commercial communications, meaning you cannot or no longer send them any commercial or marketing materials.

A Spanish bank tried to work around such an objection by sending a formal standard looking letter with the usual bank branding but the envelope also contained a commercial communication, promoting and informing about the bank’s services.

Don’t try to outsmart GDPR, an example of a complaint with the Spanish DPA

The client in question did not appreciate this action and lodged a complaint with the Spanish DPA.

The bank alleged that it was not a commercial communication but a mere standard envelope like the banners and signs that they display at their offices, that include information about the bank’s services, and that the letter inside was just information sent to the client regarding the services that they had contracted. The bank also stated that it was not a direct marketing action, as it did not include any profiling or made use of individual preferences, but was general information sent to their clients. They alleged that they were relying on a legitimate interest for this.
The bank also alleged that they had not processed their client’s data for marketing purposes, since the processing was done to send the letter, and the envelope containing the commercial message was just accidental to it, but the data was not processed for that purpose.

The Spanish DPA determined that the actions performed by the bank were nevertheless commercial communications with a marketing purpose, and that the bank did not have a legal basis for doing so, as the bank could not rely on a legitimate interest since the client had exercised their right to object, in accordance to Article 21 GDPR.

The Spanish DPA concluded that there had been a violation of Article 6(1)(f) and fined the bank €50,000, compelling it to implement the necessary measures to prevent the sending of commercial communications to clients that have objected to them.

Check our GDPRWise Web App – GDPR Compliance tool.


Is your web page GDPR compliant?

Wondering if the privacy policy on your web page is GDPR compliant? You can perform a quick and free GDPR compliance test of your privacy policy, simply paste in the link to your privacy policy web page here in our GDPR privacy policy checker, and find out the result.