Direct Marketing and GDPR

Direct marketing is a very useful commercial tool and is perfectly allowed under GDPR provided certain aspects are taken into account.

What is considered direct marketing?

Any communication, solicited or unsolicited, aimed at the promotion or sale of services, products as well as brands or ideas, which is addressed directly to one or more natural persons in a private or professional context and which involves the processing of personal data.

Practical advice

When it comes to direct marketing, the GDPR rules are not the only rules that apply. A number of other rules apply as well, some at EU level and some at national level. We have summarised below the basic rules you should follow to avoid challenges:

  1. You can’t just bombard (spam) people with marketing messages. Make sure your message is relevant to the addressee. Ideally you want to state why you are contacting the person and mention how you obtained their address (e.g. “because you entered your email address at our booth at the book fair in February 2020”).
  2. Make sure to identify yourself as the sender of the message and provide contact details.
  3. Make sure you clearly state that the addressee can unsubscribe from further communications and provide an easy way to do so, e.g. via a web link.
  4. Make sure your message clearly references your privacy policy so people can inform themselves about how you safeguard their privacy and what their rights are (e.g. the right to object to your communication). Your direct marketing activities should be documented in your GDPR register.
  5. If your marketing is done over the phone, you must absolutely respect the exclusion list (do-not-call list) of the respective country.

B2B vs B2C

When addressing a company’s sales or legal department you might use a sales@ or legal@ email address. Although such email addresses are not personal in nature and as a result do not fall under the GDPR, most countries have adopted additional rules around direct marketing that also cover messages sent to businesses.

In summary, there isn’t really much difference between addressing private individuals, members of staff at a company address or companies in general. In fact, I’m sure you agree that you would want your communications to be privacy-mindful in any and all cases.

So the rules outlined above very much apply: target your messages so they are perceived to be relevant, identify yourself, clearly allow people to object to your message and opt out of receiving further messages, reference your privacy policy and respect exclusion lists. At the time of writing, Germany and Switzerland have the strictest direct marketing rules, which often insist on a 2-step opt-in before you can communicate with the addressee.

If you want to learn more about the details of GDPR when it comes to direct marketing, continue to the sections below.

The details – What does the GDPR oblige me to do?

For your direct marketing – as for any other activity you undertake with personal data – you must:

  1. accurately determine the processing purpose
  2. have a valid legal basis to pursue those purposes
  3. be transparent to data subjects about what you do with their personal data
  4. ensure that data subjects can effectively exercise their rights
  5. be able to demonstrate at all times what you have done to comply with the GDPR
  6. implement appropriate security measures

As a subscriber to , you can fulfil your obligations (1 to 5) by adding the correct process to your customer file and (6) by following our standard approaches to data & system security.

What is a valid legal basis for direct marketing?

Direct Marketing under the GDPR: Consent and Legitimate interests

Direct marketing usually relies on one of two legal grounds: ‘consent’ or ‘legitimate interests’.

Legitimate interest

Make sure that your interests are indeed legitimate, that the processing is necessary to serve the interest you are pursuing, and that the balancing of interests weighs in your favour. In doing so, you should pay particular attention to two things with regard to the reasonable expectations of the data subjects:

A. If you rely on a legitimate interest, the data subject must be able to object. The data subjects’ right to object must be brought to their attention from the first contact. If they object, you must absolutely stop processing their data for direct marketing purposes.

B. If you have obtained the personal data from the data subject yourself, you must have a robust privacy statement and refer to it in your marketing message. As a subscriber to , you can quickly draw up and download such a privacy statement.

If you have obtained the personal data through another route (e.g. from a third party), additional obligations apply. If you want to do marketing in this way, it is best to contact a specialist.

Consent

If you base your marketing on the consent of the data subjects, you should pay particular attention to the following:

  1. The consent is given in an informed manner. In other words, the data subject has had access to clear, accessible and complete information about what they consent to.
  2. The consent is freely given, i.e. not under any pressure. In an employer-employee relationship, for example, it is usually assumed that the consent of the employee cannot be regarded as freely given.
  3. The consent is specific to a certain type of processing that is clearly communicated to the data subject.
  4. The consent is unambiguous.
  5. The person can withdraw their consent at any time (similar to the right to object under legitimate interest).
  6. You can prove that you have received a valid consent.