Fed Ma Report

FEDMA Pan European Email
Marketing Benchmark Report
Sponsored by
2010 - first edtion

2
This report is published by FIMAC –

FEDMA‟s Interactive Marketing Council
Federation of European Direct and Interactive Marketing
439, Avenue de Tervuren, B-1150 Brussels
Tel: +32 2 779 42 69
Fax: +32 2 779 42 69
E-mail: info@fedma.org
Web: www.fedma.org
Copyright © FEDMA 2010
All rights reserved. No part of this publication may be reproduced, stored in a retrieval
system, or transmitted by any means, electronic, mechanical, photocopying, recording
or otherwise, without the prior permission of FEDMA.
Further copies of this report can be purchased from FEDMA at the above address, priced at
€1.200, or €349 for FEDMA members.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
3
Table of contents
Section I:
A. Introductions/welcome by:
1. About Nick Martin; About Field Fisher Waterhouse LLP P. 5

2. Alastair Tempest - Understanding how to engage through email marketing P. 6
B. Executive Summary P. 8
C. Sponsors:
Alterian, Opt4, Mardev, Telefaction, Fokus Integrated, PAR P.12
D. Survey - Clients:
D1. Geographical distribution of respondents P. 15

D2. Use of promotional emails as part of marketing mix P. 16
D3. Represented industries/segments P. 17
D4. Number of employees (in company, in marketing department and working with email marketing) P. 18
D5. Number of years the company is using email marketing P. 19
D6. Target groups P. 20
D7. Handling of email campaigns P. 21
D8. Campaign frequency (How often are email campaigns sent) P. 22
D9. The use of transactional emails P. 25
D10. Main motivation for the use of email marketing P. 26
D11. Expenditure prediction for the next 12 months P. 27
D12. Expectations for the next 12 months (deliverability rates, unqiue open rates, P. 28
click through rates, opt-out rates, volumes)
D13. Strategic importance of email marketing P. 30
D14. The allocation of marketing budgets to email marketing P. 30
D15. Compliance with legislation P. 32
E. Campaign metrics:
E1. Regular newsletter P. 33

E2. Sales/product service campaigns P. 34
E3. Customer/Product surveys P. 35
E4. Win-back campaigns P. 36
F. Survey - Email Service Providers:
F1. Geographical distribution of respondents P. 37

F2. Average delivery rates P. 38
F3. Average hard bounce rates P. 39
F4. Average opt-out rates P. 40
F5. Average unique click through rates P. 41
F6. Average unique open rates P. 42
F7. Volume prediction for the next 12 months P. 43
F8. Volumes for April, May and June 2009 P. 44
F9. Days of the week with largest volume of emails P. 45
F10. Days of the week with lowest volume of emails P. 47
G. ESPs and DMAs P. 49
4
Table of contents
Section II:
2010 Legal Overview – Email Marketing in Europe P. 57
Introduction by Alastair Tempest, FEDMA P. 58
Data Protection and Regulations in:
Austria P. 60 Italy P. 107

Belgium P. 66 The Netherlands P. 115
Bulgaria P. 71 Norway P. 120
Denmark P. 74 Poland P. 124
Estonia P. 78 Romania P. 128
Finland P. 83 Slovenia P. 133
France P. 87 Spain P. 140
Germany P. 90 Sweden P. 145
Greece P. 93 Switzerland P. 148
Hungary P. 96 United Kingdom P. 151
Ireland P. 100 United States P. 156
Up to date guidelines for professional marketers, including detailed information on:
Current Data Protection Laws and Regulations

Registration of marketing lists with the National Data Commission (cost, duration)
Common legal ground for the use of electronic messages for marketing purposes
Rules on electronic communication for B-to-B marketing purposes
Collection of data (opt-in, opt-out, soft opt-in)
Notification when Collecting Data
Time limits on holding data
Purposes for processing personal data (main guidelines)
Wording of notice when collecting data
Penalties for breaching the rules on unsolicited Email messages
Online Collection & Processing of Data
Additional rules for on-time collection of data on the internet
Access and rectification of data
Codes of Practice & Preference Services (Robinson Lists)
About FEDMA P. 160
5
About Nick Martin
With 25 years spent in marketing information services, Nick's career has

spanned market research; insourced /outsourced customer and
campaign management solutions; information products; demand
generation programmes and online marketing.
Nick spent many years at Reed Business Information (RBI), leading their
global B2B marketing services operation Mardev. Latterly he was
European Vice President and UK Managing Director at Acxiom.
He first launched a B2B email marketing service in 2000, online B2B lead
generation in 2006, before developing Acxiom's integrated
consumer demand generation solution across Europe.
Now independent, he is currently working on ventures in collaborative

outsourced solutions and online consumer engagement.
Find him on Twitter: http://twitter.com/n1ckma , Linkedin and on his blog

http://marketingpages.typepad.com/
About Field Fisher Waterhouse LLP
With thanks to Eduardo Ustaran and Michelle Levin of Field Fisher Waterhouse LLP.
Field Fisher Waterhouse LLP is a full-service European law firm with offices in London, Manchester,
Brussels, Hamburg and Paris.
Field Fisher Waterhouse LLP's market leading Privacy and Information Law Group comprises a
dedicated team of lawyers supported by an international network covering over 40 jurisdictions with
specialist knowledge across all areas of privacy and data protection law. Its work embraces all aspects
of privacy-related law, including working with regulators across the world and contributing to the
policy-making process
Eduardo Ustaran is the head of the Privacy and Information Law Group and an internationally
recognised expert in privacy and data protection law. Eduardo advises international clients, including
FTSE 100 companies and leading Internet businesses, on the adoption of global privacy strategies.
Named by Revolution magazine as one of the 40 most influential people in the growth of the digital
sector in the UK, Eduardo is co-author of E-Privacy and Online Data Protection and of the Law
Society‟s Data Protection Handbook.
Michelle Levin is a solicitor in the Privacy and Information Law Group. Michelle's practice focuses
privacy and security issues in relation to the Internet and e-commerce, marketing activities and
information sharing.
www.ffw.com
6
Introduction
Alastair Tempest, Director General,
Welcome to this, the first pan-European email benchmark survey.

The idea for doing this study dates back a few years to a discussion with Michel Lambert of
Procter and Gamble, who said that there was a major gap in his research on European
marketing practices and wondered if we could help fill that. We knew of the UK DMA‟s
quarterly survey on email, and therefore approach them for help. The Email Marketing
Council of the UK DMA most generously offered us their template and the use of their data to
add to this report. FEDMA‟s own new media council, FIMAC, took up the challenge, and Nick
Martin, courageously, agreed to provide the expert insight into the interpretation of the
data.
Thanks to the national direct marketing associations (DMAs), and other sources that we had at our disposal we were
able to send at the survey to a wide range of ESPs and clients across Europe – and, indeed, far beyond.
Email marketing has not had a very easy beginning. Unlike most marketing channels, it was immediately seized upon
by unscrupulous operators, and naive amateurs who created an era of spam, which lost the trust and confidence of
consumers, and greatly irritated regulators. Email marketing was almost strangled at birth by the activities of
spammers, sending out millions of unsolicited, untargeted and unwelcomed messages, which not only clogged up
consumers‟ mail boxes, but also played havoc with the ISPs‟ systems. Since email remains a cheap marketing
medium there is a temptation to forget two of direct marketing‟s cardinal rules – always target your
communications and never over-do a good thing! Consumers who have opted in can become frustrated by too many
irrelevant messages and then opt out – when that happens the customer / potential customer is lost forever. Over-
mailing also can cause problems with ISPs and trigger other systems which block bona fide senders as well as
spammers. In 2002, the European regulators applied opt-in (consent) laws for electronic communications, and over
time there have been some successful prosecutions of spammers. But by far the most important development have
been technical solutions (firewalls, spam filters, etc). Spam volumes have continued to rise over time and are now
variously estimated to be about 40 billion messages a year, 95% of total email traffic. The European Network and
Information Security Agency (Enisa), Microsoft and Symantec all come to about the same estimate. Symantec points
out that the percentage change from 2006 to 2009 has been 39% (from 56% to 95%), which is horrific. Effective
filtering has reduced the numbers of spam actually delivered. However, in another concerning development, while
the amateur spammer is now less active, professional and highly organized criminal spam operators have appeared
with their “bots”, viruses, spyware, etc, to plague both the consumer and business. FEDMA recognized the need to
be actively engaged in the fight against spam early on, and became one of the first business organisations in the
London Action Plan (LAP) – a unique, global cooperation between the regulators, enforcement bodies and business.
However, despite the problems created by spam, email marketing has not only survived but flourished on the basis
of opt-in (consent) from the consumer (and now in some countries, also applied to business to business emailing, as
the reader will see in the section on legal requirements at the end of this report).
Email marketers are tackling the problem of getting their messages accepted both by ISPs, and also by the individual
firewalls and spam filters on personal computers. This is not easy and there are a number of national initiatives to
try to solve the problems, such as the German ISPs‟ (ECO) system, which recognizes specific ESPs (email service
providers) and provides a strict code of best practice. FEDMA does not believe that the spam issue has stopped
damaging bona fide marketing messages – far from it, spammers use sophisticated and state-of-the-art software to
avoid being blocked – however, properly done email marketing is now much better recognised and accepted.
Email is a fast, effective, and efficient medium for getting marketing messages, and supporting information (such
as regular email information sheets – “ezines” – and other supporting information alerts, customer relations info,
etc) to the recipient. Email may even be helped by its ephemeral nature – it can be easily stored in the email
mailbox of the receiver, and equally easily deleted. Interested – but not now – leave it in the inbox; not interested –
delete with a click.
7
Introduction Contd
As direct marketing has rapidly evolved over the last decade into multi-channel, convergence (relationship)
marketing, all means of communication are finding their place. Email is particularly powerful in both a “passive”
and “active” context – it is used to send information to the consumer (which can of course include active links to
websites, etc); and it is used by the consumer to send messages to the marketer. As our survey shows, email has
moved from being used by marketers simply as an acquisition tool, and is now recognized as a very effective method
for demand generation, combining push and pull, as part of integrated programme in web marketing. Email within
these parameters has proved to be the key to success for many campaigns.
As the legal section of this report shows the regulations in place within the European Union vary enormously. Opt in
is universally required in the EU, however, how that is applied is not at all consistent, with a number of the 27 EU
Member States simply ignoring part of the EU directives. This makes the email marketers‟ job difficult and raises
questions in cross border email marketing campaigns. FEDMA is constantly being approached by marketers for advice
on these issues.
FEDMA intends in the future also to produce benchmark studies for Europe on mobile marketing and multi-channel.
We expect that we will find considerable convergence between all these major marketing communications channels.
Each provides specific benefits, within the general marketing strategies of marketers. Direct mail, for example, can
help drive permission (consent) for email; SMS through short messages provides links which the consumer can either
activate to eventually receive, or send, emails to the marketer, etc. The website and the telephone also play key
roles in this convergence or integrated marketing. The new generation of mobile phones has brought email to the
handset of consumers as well as business.
As marketers, we need always to be careful to nurture the trust and confidence of our customers. Email (as spam
has shown) can become very intrusive if used unwisely. Excessive use of an opted-in email list will rapidly lead to
loss of consent. Recipients will simply exercise their right to opt out, and once that happens the contact is most
likely to be lost forever. Codes of conduct (and best practices, suggested in reports such as this one) are useful
guidance to prevent the over-use of, or even misuse of, email lists. But the most important thing an email marketer
has is the common sense to avoid over-using its email lists.
Creativity is another issue which many experts have written about. The creativity to create great email copy is
completely different from the skills needed to write a great direct mail letter! Experience is providing excellent
case studies and training courses to help the marketer / agency new to email to find its way through the pitfalls and
achieve excellent results. But training is important.
This report would never have been prepared had it not been for the work of a number of people.
We are extremely grateful to the UK DMA Email Marketing Council for allowing us to use their well-established
template and results; to Nick Martin who has carefully analysed the data and provided the commentary; to Michael
Leander Nielsen of Fokus Integrated and to all the FIMAC Council of FEDMA for their invaluable assistance. Eduardo
Ustavan of Field Fisher Waterhouse and his colleagues provided essential legal input to the Legal Section. And of
course, we are greatly indebted to the national direct marketing associations; and to all those ESPs and marketers
who took the time to fill in the questionnaire. We do hope that you will continue to answer our annual
questionnaire from now on!
The report would not have been possible without the generous support of Alterian and Opt4, and to Mardev which
sponsored its publication.
Finally, the FEDMA staff, Jorgen Andreassen, Razvan Antemir, Lena Jaggi, Salima Hassan and our intern Victory Budd
have been invaluable in bringing this baby to term!
If you see any errors, or have suggestions please let us know so that we can improve the study in the future.
Alastair Tempest, April 2010
8
Executive Summary
The first pan-European Email Marketing Benchmark Survey
FEDMA has published the first pan-European Email Marketing Benchmark Survey. This is sampled from
clients directly and Email Service Providers (ESP), comprised of 464 end users and 75 email service
providers (ESPs), with respondents operating across 16 European countries. There is broad
representation from across sectors and size of organisations.
The Survey published by FEDMA contains 31 charts. In addition there is a 102 page report on the legal
situation in 22 countries.
Email marketing benchmark survey overview
At the survey shows, over the last decade email marketing has grown from being a discrete
marketing activity, delivering exceptional rates of return, to a connected part of an organisation‟s
overall marketing mix.
Today it is rare for an organisation not to employ email marketing as a prime channel, whether for
acquisition, list building, lead generation, nurturing, customer management, up and cross sell,
retention marketing or win-back programmes.
Inevitably as its use has become embedded as an essential part of any customer communication or
engagement strategy, and email volumes have rocketed, its effectiveness for acquisition marketing
in particular has moderated. Notwithstanding it is proving a phenomenally successful marketing
channel in the hands of responsible practitioners, and the vast majority of organisations now use
email as a key communication channel.
Years practised
Yet the average length of time that respondents to the benchmark report have been deploying email
marketing is just over 5 years, ranging from 3 1/2 to just under 7 years. So for many practitioners it
is a relatively new medium.
The insight challenge

Is this a determinant factor behind the extent to which end user practitioners are able to measure or
report results? Whilst everyone polled knew what volume of email had been sent, and most knew
what their open rates were, a quarter of end user respondents were unable to report hard bounce
and opt out rates, and almost a third could not say what the conversion to sale was from their sales
and product/ service information campaigns.
A quarter of email marketing practitioners still do not personalise, which also suggests that among
that group, limited segmentation and targeted list selection takes place. This will need to change if
email marketing is to justify continuing increased levels of investment based on performance due to
rising market activity levels.
With 56.7% of end users undertaking email marketing entirely in-house, there is a parallel need to
apply more rigorous analysis; and as marketing departments find themselves increasingly stretched
in an increasingly challenging world, they may well need to reconsider outsourcing key aspects of
their email marketing operations.
Executive Summary - FEDMA Pan European Email Marketing Benchmark Report First edition 2010
9
Executive Summary
Email marketing growth prospects
Email marketing activity levels are set to continue to grow, and campaigns are likely to proliferate.
72.3% of respondents plan on sending out more marketing emails, and practically no one expects to
do less. Yet opt out rates as a proportion of total volumes are expected to hold steady. This assumes
at least as much or better targeting in spite of the higher volumes.
A number of factors are driving these growth trends:

• Newsletter activity is generally undertaken monthly, reflecting a one size fits all approach. With
a likely future trend towards greater targeting will come dynamic content ordering and other
data driven personalisation reflecting transactional history, preferences and demographics, and
a 1 to 1 approach to customer management via email.
• Email marketing is gaining a greater share of the marketing wallet along with other forms of
digital media, at the expense of traditional advertising and offline media, due to immediacy of
results (notwithstanding the considerable scope for improving performance measurement).
• Driving sales is the main motivation for using email marketing, along with lead generation and
driving web traffic. A lot of that activity is in support of new customer acquisition. Whilst that
will continue, expect the biggest growth over the next year to come in customer management
cross and up sell programmes.
• Email marketing‟s expanding role within integrated marketing campaigns, lead generation, social
media and customer management programmes shows that it is ripe for further growth as more
sophisticated consumer engagement rule sets are defined and applied that reflect buyer and
customer behaviour; and permit practitioners to act upon it quickly.
Key growth factors/ inhibitors

Continued growth may well be anticipated and planned for by the majority of respondents, but it
should not be assumed at any cost. The future growth – and health – of email marketing will depend
on some key factors:
• Better targeting and the use of properly permissioned and managed customer information
databases; the relevancy of campaigns and careful application of local/ EU laws.
• Careful stewardship of customer information databases, and developing email marketing use
further into the consumer/ buyer engagement process. The impetus to increase volume and
activity can only be successfully achieved where it remains engaging.
• Delivery to inbox, which will be increasingly seen as a barrier to overcome, especially in B2C.
Deliverability and IPR

Whilst Deliverability rates are expected to improve or remain the same, this raises a key question of
how deliverability is measured. Most practitioners will determine deliverability as delivery to
Internet or to mail server as the primary measure, but delivery to inbox or Inbox Placement Rate
1
(IPR) is being seen as an increasingly key metric.
1 I am indebted to Richard Gibson of Return Path for his advice and knowledge on IPR issues.
10
Executive Summary
IPR is tied in with reputation. If reputation is poor, acquired through issues like indiscriminate use or
poor targeting, large groups of consumers belonging to the same ISP domain, for example, such as
GMail or Hotmail will not receive bulk email from that source into their inbox. It is estimated as a
much as 7% of email marketing campaigns go missing, which historically has not been accounted for.
Strategic vs tactical
End users overwhelmingly believe email marketing to be strategically important, but that belief is
yet to translate into a strategic approach around execution. Poor visibility of conversions to sale and
conversions to action, and the lack of testing around aspects such as creative templates and
frequency suggests there is much more critical measurement and insight needed.
ESPs support this view, characterising end users as much more focused on tactical vs strategic use of
email marketing, according to the DMA UK benchmark survey Q3 2009. That survey also highlights
just 38% of email marketing driven by some data, and only 16% whose content is driven entirely by
data.
Compliance
Just 7% of end users polled lacked confidence in their compliance with legislation, with B2B
organisations twice as concerned by this issue compared with B2C organisations. Nonetheless there is
some evidence that in certain countries tougher regulation significantly holds back companies from
undertaking acquisition marketing based on concerns of strict legal compliance.
A full 102 page report on the legal requirements in 22 countries completes the Email Benchmark
Survey. This shows the considerable legal differences that exist between the European national laws,
despite the supposed “harmonization” of national regulations by the European Union. In particular,
there are wide differences in the local interpretation of the concept of “soft opt-in” for email
marketing. This principle in the EU directive is supposed to allow a marketer to email a customer,
whose email address has been given “in the process of sale”, without having to get any further opt in
(the customer always has the right at any time to opt out). But the national variations on this
principle vary greatly which make it impossible for an email marketer which is established in many
EU states to follow the same legal procedures.
Email marketing uses

Newsletter and related customer management activity is likely to be a key growth area over the next
12 months, with the growing recognition that email marketing is especially well suited to these
applications. This is reflected in the difference in click through rates between newsletter and sales
or product/service information campaigns, which average 17% higher.
Nearly three-quarters of end users deploy email marketing for sales or related campaign activity.
Open rates typically range 10%-25%. Unsurprisingly, sales and product/ service information
campaigns generate conversion to sales 4x better than newsletters or customer surveys.
53% of respondents do not use email marketing for customer or product (development) surveys.
Where they do, they experience excellent results.
The majority of companies do not use email marketing for win-back campaigns following the loss of
customers. The minority of respondents who do use email for win back, have experienced excellent
results, with conversion to sale or action of between 2% and 5%.
11
Executive Summary
Nor do they systematically use transactional emails for cross and up selling.
In both cases here are clearly opportunities missed, which once again suggests that email marketing
is deployed typically as a series of standalone activities, in some cases integrated with online, but
generally not implemented as an end-to-end programme or integrated with other customer channels.
ESP reported Average delivery rates

Average delivery rates of end user client organisations using ESP platforms are reported in the region
of 85-99.6%. These effectively are acceptance rates, that is a calculation based on number of emails
delivered to the Internet less the bounces.
As highlighted earlier in the report, it does not take into account missing emails that go to spam
folders or do not make it into the inbox (and where no bounce codes are received back from ISPs).
ESP reported Hard bounce rates

If hard bounce rates are a primary measure of list quality, there is scope for improvement in email
data quality, with 15% of all campaigns seeing hard bounce rates of more than 7%, and a further 20%
experiencing hard bounces of between 3%-7%.
Compared to end user respondents, results favour those campaigns conducted exclusively via ESP
platforms.
ESP reported Click through rates

Click through rates, indicating how effectively the email is engaging with the buyer or consumer,
predominantly (61%) fall within the broad range of 4-20%. Within that broad range, the tightest
distribution reported by ESPs falls into the 4-8% range. This broadly correlates with the click through
rates reported by end users.
ESP reported Open rates

Open rates reported were across a very wide range, and reflect the varying performances of
individual campaigns. There is no discernable country pattern within ESPs. This goes to show that
that campaign design, the ability to engage the consumer/ buyer and cut through the inbox clutter,
is paramount.
Practitioners would do well to test more rigorously each element of an email campaign, beyond the
generally adopted focus on subject lines, sender name, time of day and week, and spam filter
scoring.
Volume predictions for 2010-04-07

Email marketing is poised for strong growth this year, at the expense of traditional offline channels.
19% of the respondent ESP base expect their clients to increase volume of email marketing between
a quarter and a half year on year, a continuation of the shift from offline to digital channels.
Nick Martin
& FEDMA
April 2010
12
Sponsors
FEDMA would like to thank the following sponsors for their kind support:
Main sponsors:
Alterian (LSE: ALN) empowers organizations to create relevant, effective and
engaging experiences with their audience that help build value and reinforce
commitment to their brand, through the use of the Alterian Integrated
Marketing Platform. Alterian drives the transformation of marketing and
communications, making it practical and cost-effective for companies to
orchestrate multichannel engagement with the individual.
The Alterian platform combines campaign management, web content
management, email and social media monitoring tools to help marketers be
more insightful, engaging and accountable than ever before, by sending the
best, most relevant message at the right time – regardless of channel. One of
the key differentiators of the Alterian offering is that the various elements are
integrated. The marketer can move seamlessly between organizing their
resources, undertaking analytics, planning a campaign and overseeing the
approvals necessary to drive things to timely completion.
Alterian‟s unprecedented integration of analytics, content and execution

through industry leading tools, such as the Dynamic Messenger email platform,
SM2 Social Media Monitoring platform and the award winning Content
Management solutions, enables companies to build integrated communication
strategies which create a true picture of the individual.
Marketers can now orchestrate multichannel engagement with the individual as
opposed to mass marketing. This will impact businesses profitability through
integrating data from online and offline sources in order to truly engage with
the individual at every step of their customer lifecycle. Offering individuals
what is relevant to them and engaging in conversations with them generates
influence, advocacy and revenue.
Alterian is changing the rules of the game through technology – allowing

marketers to listen to the conversations their customers, prospects or
influencers are having, and engaging in conversations with them to add value.
Alterian's advanced marketing software is being used as the 'intel inside for
marketing' by many of the world's leading Agencies, Marketing Services
Providers and Systems Integrators, allowing them to deliver cutting edge
marketing solutions to many of the world‟s largest brands.
Alterian works with marketing services partners, system integrators and

agencies who recognize the need to plan and deliver coordinated customer
engagement services in partnership with their clients. For more information
about Alterian, products within the Alterian Integrated Marketing Platform or
Alterian‟s Partner Network, visit www.alterian.com or the Alterian blog at
www.engagingtimes.com.
13
Sponsors
Main sponsors:
Opt-4 is an international permission marketing and privacy consultancy

that helps organisations to comply with the Data Protection and the
Electronic Communications regulations, providing recommendations to
minimise risks whilst maximising customer trust and interaction with
brands.
www.opt-4.co.uk
Mardev, the direct marketing division of Reed Business Information, helps

you to source leads and generate qualified prospects through integrated
direct marketing campaigns.
Our mission is to solve our client‟s prospecting, lead generation and business
development needs. We achieve this through a range of highly responsive
B2B contacts, an unrivalled online community of B2B decision makers, brand
leverage and our quality marketing services.
With a lists portfolio of more than 300 databases made up of business and
professional contacts from around the world we can improve the accuracy
of your business targeting.
But we appreciate that successful business targeting involves much more

than just lists. Our range of innovative services has been developed to add
value to the process of acquiring and retaining new customers.
>> database enhancement

>> predicitive modeling
>> data audit
>> lead generation
>> demand generation
We offer a complete solution, from finding your very best prospects,

improving the accuracy and profile of your customer database, and
qualifying response through lead generation. Our unique business audiences
and targeting solutions ensure that you get the high quality response you
need to build healthy profits in the future.
www.mardev.com
14
Sponsors
Other sponsors:
PAR is developer of direct marketing information since 1956. PAR is a database

owner and an expert at collecting and handling large volumes of information,
such as addresses, telephone numbers and market information. Depending on
your needs, we deliver the pieces of the information puzzle that are useful to you
– addresses, information handling services or long-term CRM solutions.Tell us who
you want to reach and we‟ll make sure that you really hit your target – in
Sweden, Scandinavia and Europe.
www.par.se
Fokus Integrated is specialized in helping B2B and B2C marketers improve

customer acqusition, retention and loyalty through cleverly designed and
highly cost effective automated marketing programs. More experienced than
most, our principals each brings 15-20 years of “hardcore” direct marketing
expertise to the table. Add to that an average of 10 years of interactive
marketing experience and you have one of Europe‟s most experienced experts
in the marketing automation space. To you that means an unparalleled focus
on implementing engaging, automated and integrated direct/interactive
marketing programs that are specifically designed to meet your critical
marketing objectives - now and in the future.
www.fokusintegrated.com
TeleFaction helps your organisation increase loyalty and increase sales fast and
efficiently. When it comes to increasing customer loyalty and reducing customer
defections, everyone with high contact intensity with customers and subjects
may benefit from TeleFaction‟s Return on Behavior® concept.
www.telefaction.com
15
SECTION I – Survey
The results: Client Survey

In this first section we review the benchmarking survey results of 464 end user e-marketing
practitioners, drawn from across Europe, with the highest completed samples from the following
countries:
Germany
Austria
United Kingdom
Sweden
Switzerland
Belgium
Denmark
Netherlands
Slovenia
Norway
Finland
Ireland
Italy
France
Hungary
Spain
For the quantitative benchmark questions, respondents were asked to either a) report the results of last
3 email campaigns individually, or b) the average of the last 3 email campaigns sent out.
16
Use of promotional emails as part of marketing mix
1.0 Does your organization use promotional emails as part of your marketing mix?
No; 5,8%
Yes; 94,2%
Copyright © by FEDMA
Over the last decade email marketing has grown from being a discrete marketing activity, delivering
exceptional rates of return, to a connected part of an organisation‟s overall marketing mix.
Today it is rare for an organisation not to employ email marketing as a prime channel, whether for
acquisition, list building, lead generation, nurturing, customer management, up and cross sell,
retention marketing and win-back programmes.
Inevitably, as its use has become embedded as an essential part of any customer communication or
engagement strategy, and email volumes have rocketed, its effectiveness for acquisition marketing has
moderated. Notwithstanding it is proving a phenomenally successful marketing channel in the hands of
responsible practitioners.
The vast majority of organisations use email as a key communication channel. That trend is set to
continue. According to the Email Marketing Industry Census from Econsultancy (in association with
Adestra); email now accounts for 17% of brands‟ digital marketing budget, up from 14% at the start of
2009.
17
Represented industries/segments
1.1 Which industry do you belong to?
14,0%
12,0%
10,0%
8,0%
6,0%
4,0%
2,0%
0,0%
FMCG (Fast Moving Consumer …
Other - small medium sized…

Other - small medium sized…
Energy / Utilities
Education / Training
Airline
IT software
Realestate
Other- large business B2C

Non-Profit / Trade Association
Insurance
Wholesale / Distribution
IT hardware
Other- large business B2B

Entertainment
Government
Business Services / Consulting
Manufacturing
Travel / Transportation
Hospitality (hotel, restaurant)
Retail (not e-commerce)

Banking / Financial Services
Telecommunications
Consumer Electronics
Media / Publishing
Medincal/Dental/Healthcare
Internet business, pureplay
The benchmark survey is sampled from end user practitioners directly and ESPs. Although all industries
were represented, there is a slight respondent bias towards B2B organisations, with 56.2% of companies
marketing solely to other businesses, with 28% marketing to both businesses and consumers, and the
remaining 15.8% representing consumer-only brands or offerings.
The most represented sectors are business services/ consulting and hi tech organisations (both 12%),
Media/ publishing (11%), IT small & medium sized B2B firms (9%) other large B2B organisations (7.5%),
manufacturing (5.5%) and wholesale/ distribution (4.75%).
Other sectors with less than 5% are financial services, telecommunications, ecommerce and internet
pure-plays, utilities, retail, travel, entertainment, health, education and not for profit.
18
Number of employees
1.2 How many employees do you have at your company?
>10000 6,8%
5000-9999 3,5%
3000-4999 2,5%
2000-2999 1,3%
1000-1999 4,3%
500-999 5,5%
200-499 12,6%
100-199 5,0%
50-99 11,6%
30-49 4,5%
20-29 13,4%
15-19 3,3%
10-14 7,6%
5-9 5,3%
1-4 12,8%
Sampling by company size is very evenly distributed when comparing to the business population of the
major economies in Europe by size, with 24% of responses from organisations of more than 500
employees. A further 29% of responses were from companies of 50-500 employees. 47% of respondents
belonged to companies employing less than 50 people.
19
Number of employees and Number of years the company

is using email marketing
1.3 What are the number of employees in your marketing department?
20+ employees; 1 employee; 24,7%

14,0%
10-19 employees;
9,7%
5-9 employees;
13,7%
2-4 employees;
37,9%
Can you estimate how many employees in your marketing department work with email marketing?
European Average: 4,4
Approximately how many years has your organization practiced email marketing?
Almost two thirds of respondent organisations employ less than 4 people in their marketing
department, with 23.7% employing more than 10 marketing personnel.
Whilst email marketing has enjoyed a decade of rapid growth, the average time that organisations have
adopted email as a marketing channel is just under 5 years.
Variation ranges between a mean average of 3.5 years for Norway, Italy, Spain, Hungary, Finland and
Slovenia, to 6.9 years in France.
20
Target groups
1.4 Which of the following groups are you primarily marketing to?
Both businesses and

consumers; 28,0%
Only businesses;
56,2%
Only consumers; Copyright © by FEDMA

15,8%
21
Handling of email campaigns

1.5 How do you handle your email marketing efforts from start to
finish, from a production perspective?
40,9% Everything done in house

We outsource everything
56,7% Mix of internal and outsourcing
2,3%
Given the pressure on resources that many marketing teams are under (62.6% of marketing departments
are staffed with 4 or less people), it is notable that 56.7% of all companies still undertake their email
marketing entirely in-house.
Only 2.3% outsource everything, suggesting activities such as campaign definition and key parts of the
operational process are still managed in-house. 40.9% say they manage a mix of outsourced and in house
activities.
B2C brands are more likely to outsource all marketing efforts, although that still accounts for only 6% of
respondents, with most (55%) preferring to do everything in-house. B2B brands on the other hand have
not as yet considered outsourcing email marketing in its entirety, with 62% doing it all in-house.
With greater sensitivity in the practise of direct to consumer email marketing and the need for
correspondingly more support and expertise, perhaps these differences are not altogether surprising.
A few trends are likely to change that over the next couple of years, given the number of ESPs that
operate a Software as a Service (SaaS) model:
-The need for greater (ie more sophisticated) targeting and personalisation.
-Increased data mining and profiling activity, as segmentation by online personas and behaviour becomes
more widespread.
-Tighter definition and management of permissions.
-Greater use of campaign rules.
-Integrated use of email with online advertising, social media and other interactive channels.
In other words, marketing is becoming a more complicated discipline, customers need to be engaged
with and across many more channels than ever before, and are far less predictable in their purchasing
and/ or engagement patterns. It is therefore increasingly difficult to cover the ground through a
stretched, in-house resource, and increasingly unlikely that the necessary skills exist within an in-house
team to do everything.
22
Campaign frequency
1.6 Do you send email newsletters and if so, how often do you send them?
Don‟t send email newsletters 10,9%
Every six months 3,6%
Quarterly 21,3%
Monthly 30,6%
Every two weeks 12,5%
Weekly 16,1%
Daily 4,9%
Of the 79 respondents who sent newsletters via email, 70% on average were used in context of B2B
activity, 10% were a mix of B2C and B2B, whilst 20% related to B2C activity.
The most popular campaign frequency for sending email newsletters out is monthly. In Italy and
Slovakia the average frequency increases to weekly, whilst Sweden, Norway and Spain the average falls
to quarterly sends.
There appears to be no correlation between other factors, such as bounce or opt out rates, and the
frequency with which newsletters are sent.
Infrequent newsletters suggests a one size fits all approach to newsletter content, whereas the scope
for dynamic content ordering, for example, to reflect different customer segments and recent
behaviour arguably increases with frequency.
More frequent newsletters certainly demand closer integration with an up to date customer
information database to reflect recent transactional history or other pertinent factors.
23
Campaign frequency
1.7 Does your newsletter registration form say how often they will be sent
and if so, what frequency do you say?
We don‟t state how often newsletters will be

53,8%
sent
Quarterly 10,5%
Monthly 18,4%
Weekly 9,1%
Daily 2,9%
The majority of respondents do not inform newsletter subscribers of the frequency with which they will
receive them.
Whilst on the face of it this appears to be a general omission, in practise the more targeted and
„triggered‟ email newsletter content is based on a predetermined range of behaviours, the less
predictable frequency becomes. In this context, notifying customers of newsletter frequency in
advance may become restrictive.
24
Campaign frequency
1.8 Do you send email campaigns with promotional content, such as sales
offers, and if so, how often do you send them?
Don‟t send promotional email campaigns 21,7%
Quarterly 18,1%
Monthly 23,8%
Weekly 13,6%
Daily 3,4%
21.7% of all companies do not use email for promotional content such as sales offers, whilst 41.9% send
promotional emails monthly or quarterly. 17% of companies send out promotional emails weekly or
daily, the balance of 11% sending them out every two weeks.
There are differences in the most practised frequency of promotional contact by email depending on
the country:
Weekly – Slovenia (43%), Hungary (50%), Ireland (25%) and Sweden 23.1%
Monthly – Norway (41.7%), Switzerland (27%), Finland (33%), UK (31.6%), France (50%), Denmark
(31.8%)and Germany (29.2%), Austria (27.5%)
Quarterly – Netherlands (28.6%), Belgium (32.1%) and Austria (27.5%)
In Ireland, 25% of companies only send promotional emails every 6 months.
Those countries most likely not to send promotional content by email are Finland, Spain (33.3%), Italy
(28.6%) and Germany (29%). Privacy regulation, and an organisation‟s interpretation of it, is likely to
determine corporate policy towards unsolicited commercial email (UCE) in many cases. It is surely no
coincidence that those countries with the most restrictive and/or punitive data protection laws are
those where email marketing is least used as a sales channel (see legal report in this survey from page
57).
25
The use of transactional emails
1.9 If you use transactional emails, such as order confirmations, are they an
integrated part of your cross- and up selling process, for example do they
include sales offers?
Don‟t use Yes; 27,0%

transactional
emails; 40,5%
No; 32,5%
Where transactional emails are generated as part of an order confirmation process, just under half do
not use them for cross and up sell strategies - what traditional direct mail order companies would have
described as „free rides‟.
Notable exceptions to the average results are Italy, where 43% of companies do use transactional
emails to cross an up sell together with Norway (41.7%), and Austria (37%).
26
Main motivation for the use of email marketing

2.0 What purposes are most important for your email marketing efforts? Please
prioritize the purposes listed below giving 1 for the most important, 2 for the second
most important and so on.
Ranked 1 2 3 4 5
Drive web traffic 15.7% 22.7% 27.3% 16.3% 18.0%
Direct sales 32.9% 22.2% 10.5% 12.0% 22.4%
Lead generation 29.1% 22.4% 20.6% 18.2% 9.7%
Brand awareness 15.7% 21.9% 22.2% 26.5% 13.7%

Support other marketing
communications 9.5% 12.7% 19.6% 24.8% 33.4%
When it comes to marketing and sales application areas for email marketing, driving sales is the
overwhelming priority, either directly (as direct sales) or indirectly (as lead generation).
In the case of lead (or demand) generation, email will most often work as part of an integrated
campaign that encompasses primarily online affiliate marketing, the use of lead generation networks,
and paid for search.
Relatively little attention tends to be paid to the continuation of email marketing in order to nuture
unconverted interest from lead generation and inbound sales channels over a longer period of time. This
is an area of considerable future development that should yield excellent returns, but requires careful
planning.
For most countries the second priority is to drive web traffic or lead generation. It should be noted that
whilst the two activities can be applied to different purposes, at least some of the responses that
identify driving web traffic will likely relate to lead generation activities as well, i.e. activity that is
designed to lead to consumer engagement with the goal of increasing sales or building an opted in
prospect base.
Brand awareness is considered the next most important use in Belgium, France and Spain.
In those countries where direct sales is not the most important motivation for using email marketing
(Austria, Norway and Finland), it is considered the second most important use.
Only in Italy, Spain, Slovakia and Ireland do companies not consider the use of email for lead generation
in their top 2 priorities.
27
Expenditure prediction for the next 12 months

2.1 We are trying to get a prediction of marketing spend for
your email marketing in 2010. Do you think it will increase or
decrease for your organization over the next 12 months?
Decrease; 3,0%
Neither
increase nor
decrease;
30,8% Increase; 66,2%
Spend on email is forecast to grow over the course of 2010, with 2/3rds of respondents expecting to
grow their investment in email marketing. Tellingly, only 3% would expect to decrease their spend in
this time period.
This clear trend is reflected in Ipsos Mori‟s poll for the Chartered Institute of Marketing report The
Shape of Digital to Come? Senior marketing practitioners in Q4 2009 were polled to ask how their spend
would vary year on year across different marketing activities. Email (1.6%) and online (2.5%) were
expected to be the biggest winners in attracting additional marketing investment, at the expense of
offline advertising (-3%), sponsorship (-2.3%), direct mail, and internal marketing (-1.6% each).
Geographical markets will vary according to their relative maturity.
Continued growth will depend upon a number of factors:
The first is ongoing effectiveness of email as a push marketing medium, which depends principally upon
targeting/ use of properly permissioned and managed customer information databases; the relevancy of
campaigns and careful application of local/ EU laws.
If greater spend is driven by higher volumes in conjunction with looser qualification of who receives
what and how often, then it follows that more people will receive less relevant unsolicited commercial
email (UCE), and Return on investment (ROI) will drop.
Secondly, successful growth can only come through careful stewardship of customer information
databases, and developing its use further into the consumer/ buyer engagement process.
For example, its expanding role within integrated marketing campaigns, lead generation, social media
and customer management programmes. These are ripe for expansion as more sophisticated consumer
engagement rule sets are defined and applied that reflect buyer and customer behaviour; and permit
practitioners to act upon the information quickly.
Thirdly ,delivery to inbox will be increasingly seen as a barrier to overcome, especially in B2C.
28
Expectations for the next 12 months

Remain the Don`t
Increase Decrease
same measure
Our deliverability rates will (Number

of failed emails divided by number 40.8% 40.3% 13.5% 5.6%
of emails sent):
Our unqiue open rates will (Unique

number of opens divided by number 48.3% 33.6% 10.5% 8.2%
of emails delivered):
Our click through rates will (Number

of individuals who have clicked
56.0% 29.0% 8.2% 6.8%
divided by the number of emails
delivered):
Our opt-out rates will (Number of

individuals who have opt-out divided 18.1% 49.3% 22.9% 9.6%
by the number of emails delivered):
Our volumes for email marketing

72.3% 21.8% 4.5% 1.7%
will:
Deliverability rates are expected to improve or remain the same. A small percentage do not measure,
presumably those undertaking email marketing in-house using generic transmission. Just 13.5% believe
deliverability will worsen.
This raises a key question of how deliverability is measured. Most practitioners will determine
deliverability as delivery to Internet or to mail server as the primary measure, but delivery to inbox is an
increasingly key metric. This is because reputation, the measure of trust that an ISP places on the
sender, determines whether the majority of emails transmitted in a campaign are blocked.
Increasingly important, in particular in B2C, is the issue of deliverability to inbox. If reputation is poor,
acquired through issues like indiscriminate use or poor targeting, large groups of consumers belonging to
the same ISP domain, for example such GMail or Hotmail, will not receive the email into their inbox.
B2B deliverability is also an issue, albeit a different cause, due to corporate systems like Postini,
Symantec and Messagelabs.
Companies like Return Path and Pivotal Veracity use seeds or panels to measure the difference between
deliverability to Internet/ server vs inbox. Research from Return Path suggests that approximately an
additional 10% of European email volume does not make it into the intended inbox (source: The Global
Email Deliverability Benchmark Report, 2H 2009).
The same report indicates deliverability to inbox to be less of an issue in Germany (with one or two ISP
exceptions) and more of an issue in the UK and France (11%). Non delivery to inbox is accounted for by a
third being placed directly into spam folders, and two thirds going missing.
29
Expectations for the next 12 months

This often tends to be caused by certain domains rejecting the majority of a campaign, and can be
identified by looking at ESP reports that break down open rates and click through by domain name. If
Google believes your IP range has a poor reputation, you will see Gmail customers will show an
exceptionally low or non existent open and click though rate compared to other domains within the
same campaign. If ISPs migrate from identifying sender by IP range to identifying the sender by their
domain name, as some commentators believe may have already started to happen, this issue could
become even more significant.
Respondents clearly believe that their use of the email medium is improving, based on the
overwhelming majority of 56% who believe their click through rates will increase. Just 8% of
respondents expect their click through rates to decrease.
Volumes are expected to rise across the board, with 72.3% of respondents planning on sending out more
marketing emails, whilst practically no one expects to do less. Yet opt out rates as a proportion of total
volume are expected to hold steady. This assumes at least as much or better targeting in spite of the
higher volumes, which either suggests:
a) email marketing taking a greater channel share of a company‟s overall marketing plan, at the
expense of direct mail and telemarketing, or
b) Further targeting leading to a proliferation of campaigns of volumes that are more segmented than
current ones.
One thing is certain: for the expected performance improvements to occur against a backdrop of higher
volume, targeting and relevance at least will need to be maintained.
30
Strategic importance of email marketing and the

allocation of marketing budgets to email marketing
2.3 How strategically important do you consider your email
marketing to be to meet your marketing objectives?
Very unimportant 1,1%
Somewhat unimportant 1,7%
Neutral 9,1%
Somewhat important 41,4%
Very important 46,7%

How much of the marketing budget within your company covers email marketing?
Not surprisingly given the growth forecasts, most respondents see email marketing as strategically
important in meeting marketing objectives, with 46.% characterising it as very important, whilst 41.4%
see it as somewhat important.
Analysis by country shows that whilst the majority see it as very important overall, companies in
Switzerland, Norway, Germany and Austria generally see it as somewhat important.
Where email is primarily used to support direct sales and lead generation programmes, its importance
will be seen as correspondingly higher.
Even where lead generation programmes are online, the added targeting of email by consumer or buyer
profile means that conversion to action is generally higher from the email push when compared to the
online pull. As a result email is an important component of most online lead generation programmes,
which are generally priced on performance.
The temptation to increase email volumes in support of lead generation at the expense of targeting
should be resisted, since this is likely to be a principal cause of reputation damage. However this is not
currently problematic based on the reported statistics. If opt-out rates are a primary measure of
relevancy, 18% of respondents reported average opt out rates of 1.5%-3%, but most (76%) were less than
1%.
31
Strategic importance of email marketing and the

allocation of marketing budgets to email marketing
Are users reconsidering how email marketing is used, in the context of how strategically important it is
considered? The relatively high proportion of practitioners who do not measure beyond the basics is
concerning: 26% of end users were not able to say what their average opt out rates were, whilst 57%
experienced rates of less than 1%.
Between a third and half of end user respondents were not able to measure conversion to sale, for
example - the rate depends on the email marketing use, with newsletters worst and acquisition best.
This echoes the Email Marketing Industry Census 2010 by Econsultancy in association with Adestra which
shows similar lack of insight.
When asked the same question about their clients, ESPs beg to differ, characterising end users as much
more focused on tactical use vs strategic use of email marketing, according to the DMA UK benchmark
survey Q3 2009. That survey also highlights just 38% of email marketing driven by some data, and only
16% whose content is driven entirely by data.
In other words, when end users overwhelmingly talk about the strategic importance of email marketing,
that belief is yet to translate into rigorous action, and there is a quite some way to go.
32
Compliance with legislation
2.4 How confident are you that all of your email marketing activities are in
compliance with legislation in your country and in any other country you are
marketing to?
Not confident at
all; 6,9%
Rather confident;
35,7%
Very confident;
57,4%
Hungary stands out as being only „rather confident‟ across the majority of organisations
about compliance with legislation domestically and to other marketed countries. The
majority of countries are very confident, whilst 6.9% of respondents have no confidence in
their compliance with legislation.
There is a marked difference in confidence between B2C and B2B organisations, with those
engaged in B2B only email marketing twice as likely to lack confidence in their compliance
with legislation (9.8%) compared with B2C only organisations (5.4%).
This may suggest that regulation around B2B marketing is perceived as less clear-cut, such
as for example the definition of „natural persons‟ in the case of sole traders and small
partnerships that render them subject to the same rules as apply to consumers. In this case
B2B organisations may face difficulty in identifying incorporated versus non incorporated
entities.
For the details on the legal aspects see Section II – Legal Overview.
33
Regular newsletter
2.5 Do you use regular newsletters as part of your communication?
No; 23,2%
Yes; 76,8%
Email is used for the distribution of regular newsletters by 76.8% of client (end user) respondents. The
majority of campaign open rates range from 15-37% in the UK; 10-35% in Germany and Austria; 24-46% in
Belgium.
The low completion levels of individual campaign performance for regular newsletters suggest that
organisations are less likely to measure newsletter performance to the same extent as other email
marketing purposes, such as acquisition.
Yet newsletter and related customer management activity is likely to be a main growth area over the
next 12 months, with the growing recognition that email marketing is especially well suited to these
applications. This is reflected in the difference in click through rates between newsletter which average
17% higher than sales or product/service information campaigns.
This is an area of customer engagement where companies would do well to increase their focus, since
added targeting by transactional and behavioural history, that drives dynamic segmentation, content
ordering and personalisation, is likely to generate an additional payback for a little extra time invested.
Regular newsletters are an obvious opportunity to generate cross and up sell revenues.
One in 4 organisations do not currently appear to measure opt out and hard bounce rates to keep
current their customer database and preferences, or at least do not have ready access to that data.
34
Sales/product service campaigns
2.6 Do you use sales/product-service info campaigns as part of your

communication?
No; 27,2%
Yes; 72,8%
72.8% deploy email marketing for sales or related campaign activity. Open rates typically range 10-20%
in the UK; 10-23% in Germany; 10-26% in Austria; 10-26% Switzerland.
Average click through rates vary tremendously by country for this type of campaign activity, and need to
be viewed cautiously as smaller countries report results from a low respondent base. Notwithstanding
the differences are marked, with Finland reporting less than 1%, and Austria averaging 21%. This figure
reflects a spread of 13%-28%, and is typical of the distribution of answers.
Also at the low end of reported rates is Norway, with 2%, yet Sweden averages 6%, whilst Denmark sees
average rates of 11%.
UK, Germany, Ireland, Switzerland and Slovenia average 6-8%.
Spain, Belgium, Hungary, Denmark average 13-17%.
Unsurprisingly, sales and product/ service information campaigns generate conversion to sales four times
better than newsletters or customer surveys, with 12.5% of respondents claiming rates of between 2%-
2.25%.
35
Customer/Product surveys
2.7 Do you use Customer/product surveys as part of your communication?
Yes; 47,0%
No; 53,0%
53% of respondents do not use email marketing for customer or product (development) surveys.
Those that do average open rates of 36% (UK); 25% (Italy); 18% (Switzerland); 33% Denmark.
In countries where responses were isolated and therefore difficult to draw statistical conclusions from
with great confidence, nevertheless open rates ranged from the 20% to 40% range, with fewer
outlying results below 15% or higher than 50%.
These healthy open rates, whilst not necessary conclusive in their own right, are allied to high click
through rates that start at circa 7% and can top 25%+. It goes to show that customers appreciate being
asked for feedback, and represents a useful plank to a strong customer engagement strategy.
36
Win-back campaigns
2.8 Do you use Win-back lost customers as part of your communication?
Yes; 23,8%
No; 76,2%
The majority of companies do not use email marketing for win-back campaigns following the loss of
customers.
Click through rates are comparatively high, with 25% of all win-back campaigns achieving rates of
between 10%-12%. This is two times the results reported for sales and product/ service information
campaigns, and 60% better than newsletter click through rates.
The minority of respondents who do use email for win back, have experienced excellent results, with
conversion to sale or action of between 2% and 5%.
Ranges are Denmark and Netherlands (4%), Austria (3%), UK (2.5%), Germany and Switzerland (2%),
France and Slovenia (2.25%).
37
The results: ESP Survey
Next we turn to the results of the benchmarking survey undertaken among Email Service Providers
(ESP).
Each ESP may undertake hundreds of campaigns per month, representing a significant number of end
user firms who outsource their email marketing or use a Software platform as a Service (SaaS) that they
use to define, create, send and measure themselves.
A total of 75 ESPs were surveyed across Europe.
Austria
Belgium
Denmark
France
Germany
Greece
Hungary
Ireland
Italy
Netherlands
Norway
Poland
Romania
Spain
Sweden
Switzerland
United Kingdom
Average delivery rates:
38
Average delivery rates
2.9 Average delivery rates
Replied
0-10%
(31%)
Replied
85-100%
(66%)
Replied
10-85%
(3%)
Average delivery rates of end user client organisations using ESP platforms are reported in the region
of 85-99.6%. These effectively are acceptance rates, that is a calculation based on number of emails
delivered to the Internet less, the bounces.
As highlighted earlier in the report, it does not take into account missing emails that go to spam folders
or do not make it into the inbox (and where no bounce codes are received back from ISPs).
These are early days in terms of discussing delivery rates in terms of inbox placement rates (IPR) and
therefore would be extremely difficult to assess in a current benchmark survey. We anticipate being
able to benchmark and track these trends in future, as practitioners become more aware and adopt
seeding, panels or pixel tracking solutions, or via benchmark statistics from deliverability software/
service providers.
The highest frequency mean of distribution is 95-96%.
Variations by country fall within the wider range, but appear to be much more dependent on the
campaign (influenced by variables such as content and targeting) than on the national differences.
39
Average hard bounce rates

3.0 Average hard bounce rates
Replied
Replied 50-60% Replied
10-35% (6%) 0-0.50%
(6%) (14%)
Replied
7-10% Replied
(8%) 0.50-1%
(11%)
Replied
3-7%
(19%)
Replied
1-2%
Replied 2-3% (30%)
(6%)
If hard bounce rates are a primary measure of list quality, there is scope for improvement in email data
quality, with 15% of all campaigns seeing hard bounce rates of more than 7%, and a further 20%
experiencing hard bounces of between 3%-7%.
This finding is echoed in Econsultancy‟s Email Marketing Industry Census 2010. The report highlights
quality of databases as the biggest barrier to effective email marketing. This is cited as a problem by
61% of marketers, up from 44% in 2009.
Compared to end user respondents, results favour those campaigns conducted exclusively via ESP
platforms.
ESPs report that 59% of campaigns experience hard bounce rates of less than 2%, compared with 50%
among end user respondents.
Furthermore the difference in hard bounce rates between different campaign types does not appear to
be material, suggesting there is work to be done on maintaining the quality of customer information
databases as well as selecting email cold lists.
There is little difference in hard bounce rates between countries, with France, Germany, Spain and
Italy all reporting hard bounce rates of less than 2%, whilst Sweden, Norway, Belgium, UK, Romania
averaging 4-6%.
40
Average opt-out rates
3.1 Average opt-out rates
Replied
2.1-3%
Replied (6%) Replied
1.50-2%
0-0.11%
(12%)
(21%)
Replied
1.1-1.50%
(6%) Replied
0.12-0.25%
(12%)
Replied
0.50-1% Replied
(28%) Copyright © by FEDMA 0.26-0.50%
(15%)
Opt-out rates are a primary measure of relevancy. 18% of respondents reported average opt out rates
of 1.5%-3%, but most (76%) were less than 1%.
26% of end users were not able to say what their average opt out rates were, whilst 57% experienced
rates of less than 1%.
These ESP results are considerably better than the end user ones (of the end user sample 57% of
respondents did not outsource, either in part or whole).
This may suggest that practitioners are better able to manage, pre-screen (and filter out or correct)
their customer information data using tools provided by the ESP SaaS platforms than email marketers
which use in-house programme or processes.
41
Average unique click through rates
3.2 Average Unique Click Through Rates
Replied Replied
21-50% 0-2%
(9%) (12%) Replied
2.1-3%
(6%)
Replied
10.1-20% Replied
(24%) 3.1-4%
(12%)
Replied
4.1-10%
(37%)
Click through rates, indicating how effectively the email is engaging with the buyer or consumer,
predominantly (61%) fall within the broad range of 4-20%. Within that broad range, the tightest
distribution reported by ESPs falls into the 4-8% range.
This broadly correlates with the click through rates reported by end users, and also correlates with the
latest benchmarking results for Q3 2009 from the UK DMA, which shows average click through rates of
5.7% for acquisition marketing and 7.9% for retention (customer) marketing.
It is important to recognise that these numbers are global averages, with individual campaigns capable
of achieving click through rates of 30-50% when associated with customer marketing, retention
campaigns and surveys. Once again these variations are far more material than country differences,
which demonstrate the value of defining the correct audience for each proposition, and crafting the
communication to optimise results.
Results from the UK DMA‟s email benchmarking research shows click through rates are 40%+ higher for
retention (customer) campaigns compared with acquisition campaigns.
42
Average unique open rates

3.3 Average Unique Open Rates
Replied
60.1-90%
Replied (3%) Replied
40.1-60% 5-15%
(8%) (19%)
Replied
30.1-40% Replied
(17%) 15.1-20%
(8%)
Replied Replied
25.1-30% Copyright © by FEDMA 20.1%-25%
(19%) (26%)
Open rates reported were across a very wide range, and reflect the varying performances of individual
campaigns. There is no discernable country pattern within ESPs.
This goes to show that that campaign design, the ability to engage the consumer/ buyer and cut
through the inbox clutter, is paramount.
Practitioners would do well to test more rigorously each element of an email campaign, beyond the
generally adopted focus on subject lines, sender name, time of day and week, and spam filter scoring,
as illustrated in the Email Marketing Industry Census 2010 by Econsultancy.
The same report indicates that between 33% and 58% of client practitioners are not testing creative
templates, frequency, landing pages, and multivariate campaign strategies. This points to the need for
greater segmentation, and carefully planned user experience to support better engagement within the
email and online. As highlighted in the DMA UK benchmark survey Q3 2009, end users favour email
marketing for tactical campaigns (circa 65%) versus strategic campaigns (circa 35%), and this
inevitably influences the amount of time spent planning, segmenting and bespoking offers and analysis.
End users across Europe directly report lower average open rates compared with client campaigns
reported by ESPs, with 19% unable to report this statistic. Whilst 46% of ESPs‟ client campaigns see
open rates in the 20%-30% band, that falls to 24% reported by end users for acquisition related sales
campaigns, and rises to 42% for customer product survey campaigns.
Comparing the proportion of open rates between 30-40%, the end user results dissect the ESP reported
rate of 17%, between sales campaigns (12%) customer product survey campaigns (22.5%), providing
interesting insight into the possible make-up of the ESP average values.
43
Volume prediction for the next 12 months

3.4 Volume prediction for the next 12 months
Replied
75.1-100% Replied
(3%) 100.1-150%
(3%)
Replied
50.1-75%
(8%)
Replied Replied
25.1-50% 0-15%
(19%) (50%)
Replied
15.1-25% Copyright © by FEDMA
(17%)
Email marketing is poised for strong growth this year, at the expense of traditional offline channels.
19% of the respondent ESP base expect their clients to increase volume of email marketing between a
quarter and a half year on year, a continuation of the shift from offline to digital channels.
In Ipsos Mori‟s poll for the Chartered Institute of Marketing report,The Shape of Digital to Come?, the
question was asked which activities delivered the best return on investment. Top of the charts comes
CRM by some margin, followed by online advertising (12%) and email marketing (11%). Those activities
considered to deliver the worst return were direct mail, sponsorship, and internal marketing, mirroring
the evident shift in spend.
Econsultancy‟s email marketing census 2010 also predicts a net increase in email marketing over the
course of the year, with the greater proportion coming from retention marketing, where 71% expect to
ramp up their activities in this area, and only 1% expect to reduce activity on email campaigns to their
customer base. This reflects a growing recognition that email marketing is the perfect medium for
customer management and development, and a key component within integrated multi-channel
consumer engagement.
44
Volumes for April 2009
3.5 Volumes April 2009
Replied Replied
1.000.000.001- 500.001-1.500.000
2.000.000.000 (9%)
(3%)
Replied
100.000.001-
1.000.000.000 Replied
(29%) 1.500.001-
10.000.000
(30%)
Replied
10.000.001-
100.000.000
(29%)
The next 3 charts show activity by total volumes for April – May 2009 within the ESP sample base, and
will form the basis of year on year tracking as part of the benchmarking methodology once
comparative 2010 data is collected.
45
Volumes for May 2009
3.6 Volumes May 2009

Replied
1.000.000.001-
Replied 100.001-
2.000.000.000
500.000
3% Replied 500.001-
3%
1.500.000
6%
Replied
100.000.001-
1.000.000.000 Replied
26% 1.500.001-
10.000.000
27%
Replied
10.000.001-
100.000.000
35%
46
Volumes for June 2009
3.7 Volumes June 2009

Replied
Replied 100.000-
1.000.000.001- 500.000
2.000.000.000 (6%)
(3%)
Replied
100.000.001-
1.000.000.000
(27%) Replied
500.001-
10.000.000
(37%)
Replied
10.000.001-
100.000.000
(27%)
47
Days of the week with largest volume of emails

3.8 Please indicate for Q2 2009, if any, which day of the week
your clients send the largest volume of emails?
Sunday 3%
Saturday 0%
Friday 18%
Thursday 26%
Wednesday 13%
Tuesday 26%
Monday 13%
Days of week with largest volume of emails cited by ESPs for sending out email marketing campaigns
are Tuesday and Thursday (26% each). Whilst overall email activity over weekends is extremely low,
there are some marked differences by country:
Saturday and Monday are the least selected to execute an email marketing campaign, which, whilst
indicating a universal experience of low responsiveness on those days, also suggests an opportunity to
re-test given a) increased email volumes, and b) the growing challenge of „cut through‟ in an
increasingly media-cluttered landscape.
48
Days of the week with lowest volume of emails
3.9 Please indicate for Q2 2009, if any, which day of the week your clients
send the lowest volume of emails?
Sunday 35%
Saturday 11%
Friday 24%
Thursday 0%
Wednesday
3%
Tuesday 0%
Monday 27%
The diapositive of most activity by volume for email campaign execution, shows Sunday and Monday
as the least popular days by volume (62%) as cited by ESPs, with Friday running a close third (24%).
49
Email Service Providers
Email marketing service providers (ESPs) who contributed

to this report
Alterian´s Integrated Marketing Platform empowers organizations to
create relevant, effective and engaging experiences with their audiences
that build value, generate revenue and reinforce brand.
Web:www.alterian.com
As a software independent consultancy, 22 Times offers independent

advice and execution, fully tailored to your situation and needs. We help
from the start of an emailing to the finish and beyond, constantly
improving your results.
Web: www.22times.com
Addemar - On-Demand Marketing Intelligence & Campaign Management

Software
Aggregation / Analysis & Rapporting / Automatisation

Communicating at the right moment, with the right target group, through
the right channel and with the right message. Seems simple and it is: with
the help of Addemar.
Addemar develops intelligent, do-it-yourself webbased marketing

solutions: both personalised one-to-one dialogues based on behavioral
segmentation and former marketing campaigns as well as data
aggregation. More info? Surf to www.addemar.com or mail to
sales@addemar.com.
Adestra is an industry leading, UK based international email service

provider (ESP). We combine the best email technology and marketing
expertise to deliver results for our clients.
Our platform MessageFocus… Developed entirely by Adestra staff, you can

manage your entire email marketing program using Message Focus, from
data segmentation, to full and complete reporting.
The Adestra difference can be summed up in two ways - our approach and
our people. Underpinning this is our technology which is cutting edge,
user-friendly and is relied upon by well over 3,500 marketers to support
their email marketing programs. Our approach to email marketing is
focused on working with leading publishers, who deploy our technology
and use it to achieve their goals and targets.
We have the largest support team of any UK based ESP and unlike most
other companies we actively recruit email marketers to work alongside
you. This collaborative approach ensures that Adestra work with you as a
partnership to evolve and deliver your email marketing objectives.
Web: www.adestra.com
50
AGNITAS AG offers e-marketing solutions for direct and dialog marketing in the
form of services, software and consultation.
Successful email marketing campaigns can be developed, implemented and

evaluated with the AGNITAS E-Marketing Manager email marketing platform. E-
Marketing Manager services can be used as full service, ASP or license
solutions. The AGNITAS AG product portfolio was supplemented by the free
OpenEMM email marketing software in mid-2006. OpenEMM was derived from
E-Marketing Manager and further developed with the aid of the open source
community. AGNITAS, founded in 1999, counts among its customers such well-
known companies as Daimler, IBM, Siemens and Tomorrow Focus.
Web: www.agnitas.de
Apsis makes good email marketing easier. We supply Apsis Newsletter Pro, a
user friendly, powerful and flexible solution used by over 5 000 customers to
create, personalize, deliver and analyze email marketing. We take pride in
our solution, our commited support and in our email marketings handbooks
containing research and email marketing knowledge.
Web: www.apsis.com
Web: www.bring.no/dialogue
BusinessFinder is the leading provider of B2B email marketing services in Italy; its
database is made by 600.000 opt-in e-mail addresses of Italian companies
selectable by geographical area, industry, legal status and size (employees and
turnover).
Web: www.businessfinder.it
Concep is the digital agency for B2B. If your business is serious about digital we
need to talk. Concep understands your market, understands digital
communications, but above all understands that it‟s about people. We go the extra
mile to really understand your business and its requirements. Concep‟s clients
value our people and our personality, not just our technology. Our expert
knowledge of digital channels and unrivalled sector knowledge allows us to cut
through the confusion and provide your business with insight that will increase
profit, build client loyalty and push your marketing to work harder.
Web: www.concepglobal.com
Communicator Corp is a leading global Enterprise Email Management company,

providing technology based solutions, strategy and expertise.
From email marketing to transactional receipts and service messaging, we
deliver our clients proven cost savings and increased revenue for all their digital
communications.
Our intuitive email platform, Communicator®, enables clients to send
sophisticated, targeted and relevant communications.
Our services range includes integration, data analysis and enhancement, fully
managed campaigns, delivery solutions and support through to email design and
creation.
At Communicator Corp, we work with our clients every day to ensure delivery
beyond expectation.
Communicator Corp provides exceptional service, expertise and industry defining
technology to a broad range of clients across diverse sectors.
Web: www.communicatorcorp.com
51
ContactLab is the leading Italian provider of solutions relating to e-mail

and digital direct marketing. The company offers a mix of technology
and consultancy, from "turnkey" products to customized solutions for
management of international campaigns.
Web: www.contactlab.com
dotMailer makes powerful email marketing easy - whether you‟re

brand new to email marketing or a seasoned hand.
Web: www.dotmailer.co.uk
eCircle is one of Europe‟s largest digital direct marketing companies,

owning the most comprehensive permission marketing database for email
campaigns and lead generation as well as a state-of-art technology
solution for digital direct marketing. Since 1999 eCircle has stood for
innovative and efficient online marketing for customer acquisition and
retention. Leading organisations including Argos, HBOS and Samsung trust
our consistent customer care, our long-term experience and not least our
highly motivated and committed employees. The company has more
than 160 employees, with headquarters in Munich and additional offices
in London, Paris and Milan.
Web: www.ecircle.com/en
EmailGarage unifies great email campaign management features with

customer intelligence. EmailGarage helps you create, plan and send
email campaigns. Webservices, project management and consulting are
available on demand.
Web: www.emailgarage.com
E-Village is the multi-awarded and leading Dutch email marketing

soft-ware developer. Our passion is to deliver the cutting edge of email
marketing technology, taking the personalized online marketing
experience to the next level. The recently introduced Clang represents
the new generation of Event Driven Marketing software. Clang is a
powerful mix of CRM, Campaign Management and Email Marketing put
into one application. Clang takes online campaign personalization and
engagement to a new level. Clang simply increases R.O.I. Clang is
already available to professional marketers and organizations wishing to
extract greater value and profitability from customer relationships such
as Albelli, Bakker.co.uk, BP, Brantano, General Motors Mexico,
MySecurityCenter and The Phone House.
Web: www.createaclang.com
52
Quattro Internet Solutions (Ltd) t/a GraphicMail has been in

operation since 2004. Based in Jersey, the email marketing company
has a client volume of 13'000 end users, resellers and private label
partners. GraphicMail is currently represented in 14 countries and is
available in 6 different languages.
Web: www.graphicmail.de
GetResponse has been an innovation leader since 1998, providing easy-

to-use, feature-rich email marketing services − from video recording,
social media, and iPhone applications to world-class support.
Web: www.getresponse.com
Httpool Online Advertising is one of the leading, international full-

service online advertising providers, with global reach and focus on
emerging markets. Httpool is an optimal partner for international clients
addressing emerging markets, local advertisers seeking a one-stop
solution, large publishers struggling to monetize their international
traffic, and local publishers trying to increase their revenue potential.
Web: www.httpool.com
Kern develops integrated systems for document processing and

packaging for medium and large companies. As one of the leading
suppliers, Kern develops innovative solutions, so that you are always one
step ahead of the continuously changing market. With the software
solution mailFactory, mailroom processes can be monitored and
optimized.
Together, Kern establishes your requirements and works out an

individually solution for your company - and this all over the world.
Web: www.kern.ch
MailDirect is one of Sweden‟s leading services for directed digital

mailings. We offer a dynamic price model which ensures that companies
of all sizes have the possibility to take part of the benefits of our
software service. We also provide our customers with free support and
education.
Web: www.maildirect.us and www.maildirect.se
53
Our job is to identify sales problems and bring relevant solutions to them by
using our capability to integrate direct & digital communication channels.
Web: www.mediapost-hitmail.ro
Netoptions is one of Scandinavia's leading suppliers of tools for digital

marketing and communication by e-mail, social media, mobile phone and the
Internet.
The company has developed the BizWizard eMarketing Suite, which is the ideal
solution for companies wanting to work with permission-based marketing and
communication.
The BizWizard system provides users with a common work platform offering
rich functionality, so that they can work without external tools to produce,
distribute, measure and follow up newsletters, product information,
campaigns, events, invitations, training courses and surveys. BizWizard
eMarketing Suite is a Web-based system which can be used entirely
independently or integrated with the company's other information systems
(CRM, ERP, CMS, etc.). This system is based on Microsoft .NET, IIS and SQL
Server, and is offered as a service via the Netoptions Hosting Center or as
packaged software for installation in the company's own operating
environment.
www.netoptions.se
optivo is a professional email marketing provider, including sms and fax. The
company's product portfolio encompasses the permission-based distribution of
electronic mailing and email newsletters via an efficient and secure platform
(optivo® broadmail), consulting and strategic advice as well as professional
services and tailor-made customer solutions.
More than 500 customers from all sectors rely on optivo, including renowned
companies such as Tchibo, Henkel, Jack Wolfskin, Accor Hotels,
ArabellaStarwood, Europcar, Germanwings, German Railways, Siemens, Sixt,
Bosch and HypoVereinsbank. optivo is actively committed to promoting high
standards of quality and transparency in the field of email marketing through
its memberships of the German Direct Marketing Association (DDV), the Federal
Association of the Digital Economy (BVDW) and the Association of the German
Internet Economy (eco).
Moreover, optivo is participating at the world's leading white list programme

Sender Score Certified. The company is also a member of the Certified Senders
Alliance - the first German white list project. Both programmes increase
customer‟s delivery rate significantly.
Web: www.optivo.net
54
rabbit eMarketing is an independent advertizing agency with currently

35 employees in Frankfurt, Germany, specialized in electronic customer
dialog, focusing on full-service e-mail marketing. In German-speaking
Europe, rabbit eMarketing is among the leading e-mail marketing
providers, and offers professional e-mail marketing campaigns, IT
integration, strategic and operational services as well as consulting in
the selection of e-mail marketing software.
Since 2009 rabbit has been offering also the development of

applications for the iPhone and social networks. Among rabbit
eMarketing‟s clients, there are medium-sized businesses and public
institutions as well as multinational corporations, e.g. the Hotel Adlon
Kempinski Berlin, DocMorris, Dresdner Bank, Electrolux, Epson, Hanse
Merkur, Hottinger Baldwin Messtechnik, Novell, Osram, Siemens
Medical, T-Systems, Telekom Training, VDMA, WWF, and World Vision.
Web: www.rabbit-emarketing.de
Relation & Brand is a leading provider of both boxed and tailored e-mail
marketing solutions with state of the art measuring functionality helping
companies to build strong and profitable relationships.
Web: http://www.relationbrand.com
Reputy is Europe‟s first Delivery Service Provider. We optimize

commercial and transactional email deliverability. Through Reputy‟s
Managed Deliverability Service, businesses realize enhanced Trust, Click
Through and Turnover.”
Web: www.reputy-europe.com
Schober is the leading provider in Europe for data and services for
interactive marketing. We have a consolidated invoicing of 130 million
Euros and more than 400 employees present in 15 countries, providing
information and marketing services to more than 25,000 customers each
year. Schober is the owner and developer company of the eCRM solution,
Xprofiler, eMailing technology solution used by more than 350 current
successful mailers in Europe.
Web: www.schober.es
55
White Image is a leading provider of loyalty and email marketing

solutions, dedicated to develop a highly specialized and strong
software platform, able to face the biggest challenges of the online
environment. Focused on creating insightful and innovative tools that
can provide its clients with highly effective feedback, White Image is
committed to deliverability and to highest standards in email
marketing.
Web: www.whiteimage.net
Winholistic: any action should always be based on facts rather than

beliefs and feelings. And interventions that do not provide the desired
result must be eliminated and the ones that does should be optimized.
Finally attention must be pointed towards learning and innovation from
the performance, as it must be the drivers of future continuous
improvement.
That is what we mean, when we say we are working with Holistic

Customer Life Cycle Management.
Web: www.winholistic.dk
56
DMAs who contributed to this report
Austria Greece Portugal
Dialog Marketing Verband Österreich (DMVÖ) Hellenic Association of Communications Agencies (HACA) Associação Portuguesa de Marketing Directo, Relacional e
Heumühlgasse 11 7, Ypereidou Street Interactivo (AMD)
1040 Vienna 105 58 Athens Estrada de Queluz 91
AUSTRIA GREECE 2794-100 Carnaxide
Tel: +43 1 911 43 00 Tel: +30 210 3246 215 PORTUGAL
Fax: +43 1 911 2972 Fax: +30 210 3246 880 Tel: +351 21 436 67 27
E-mail: office@dmvoe.at E-mail: edee@edee.gr Fax: +351 21 436 78 45
Website: www.dmvoe.at Website: http://www.edee.gr/ E-mail: amdportugal@amd.pt
Website: www.amd.pt
Belgium Hungary Romania

Belgian Direct Marketing Association (BDMA) Direkt Marketing Szövetség (DMSZ) Asociatia Romana de Marketing Direct (ARMAD)
Noordkustlaan 1 Tuzér u. 39 ntrarera Ghioceilor Nr. 11
1702 Groot-Bijgaarden H-1134, Budapest Sat Petresti, Com. Corbeanca Jud. IIfov
BELGIUM HUNGARY SECTOR 3
Tel: +32 2 477 1797 Tel.: +36-1-413-6397 031911 BUCURESTI
Fax: +32 2 479 0679 Fax: +36-1-342-0536 ROMANIA
E-mail: info@bdma.be E-mail: info@dmsz.hu Tel: +40 723339983
Website: www.bdma.be Website: www.dmsz.hu Fax: +40 318164263
E-mail: armad@armad.ro
Website: www.armad.ro
Croatia Ireland Slovenia

CRODMA Irish Direct Marketing Association (IDMA) Zdruzenje za Direktni Marketing Slovenije (ZDM)
C/O Kompass Info Doo 8 Upper Fitzwilliam Street Tabor 5a
Langov trg 4 Dublin 2 1380 Cerknica
HR -10000 Zagreb Tel: +353 1 661 0470 SLOVENIA
Tel: +385 1 489 3300 Fax: +353 1 830 8914 Tel: +386 1 7090 777
Fax: +385 1 489 3310 E-mail: info@idma.ie Fax: +386 1 7090 779
Website: www.kompass.hr Website: www.idma.ie E-mail: info@zdms.org
Website: www.zdms.org
Czech Republic Italy Spain

Asociace Direct Marketingu a Zásilkového Obchodu (ADMAZ) AIDIM-Associazione Italiana per il Direct Federación Española de la Economía Digital (FECEMD)
Senovázné náměstí 23 Via M. Gioia, 70 Avenida Diagonal, 437, 5ª 1ª
110 00 Praha 1 20125 Milano 08036 Barcelona
CZECH REPUBLIC ITALY SPAIN
Tel: +39 02 2901 4157
Tel: +420 222 241 386 Tel: +34 93 240 40 70
Fax: +39 02 2901 3172
Fax: +420 222 241 387 E-mail: info@aidim.org Fax: +34 93 201 29 88
E-mail: info@admaz.cz Website:www.aidim.org E-mail: fecemd@fecemd.org
Website: www.admaz.cz Website: www.fecemd.org
Denmark Latvia Sweden

Danish Direct Marketing Club Latvian Direct Marketing Association Swedish Direct Marketing Association (SWEDMA)
Nordre Fasanvej 113-115 International Airport "Riga" 30/6 David Bagares Gata 3
2000 Frederiksberg 1044 Riga 111 38 Stockholm
DENMARK Latvia SWEDEN
Tel: +45 38 11 87 87 Tel: +37167509060 Tel: +46 8 534 802 60
Fax: +45 38 11 87 47 Fax: +371 67509065 Fax: +46 8 534 802 61
Email: ft@direction-marketing.com Email: fanija.sitca@mailmaster.lv E-mail: direkt@swedma.se
Web: www.dmklubben.dk Website: http://www.ltma.lv/ Website: www.swedma.se
Finland Netherlands Switzerland

Finnish Direct Marketing Association (ASML) Dutch Dialogue Marketing Association (DDMA) Schweizer Direktmarketing Verband
Bulevardi 44 W.G. Plein 507/508 Postfach 616
00,120 Helsinki 1054 SJ Amsterdam 8501 Frauenfeld
FINLAND Postbus 12408 Switzerland
Tel.+358 207 699 811 1100 AK AMSTERDAM Tel: + 41 52 721 61 62
Fax +358 9 6121039 THE NETHERLANDS Fax: +41 52 721 61 63
Email: info@asml.fi Tel: +31 (0)20 – 452 84 13 E-mail: info@sdv-asmd.ch
Website: www.ssml.fi Fax: + 31 (0)20 - 452 83 95 Website: www.sdv-asmd.ch
E-mail: info@ddma.nl
Website: www.ddma.nl
France Norway Turkey

Union Française du Marketing Direct (UFMD) Norsk Direkte Markedsføring Forening (NORDMA) Turkish Direct Marketing Association
60 rue La Boétie Postal Address: PO Box 150, Oppsal. 0619 0slo Vefa Bayiri Sokak
75008 Paris Visiting Address: Olaf Helset vei 6, Growth Center - Skullerud Sisik Han N°: 22 Kat: 5
FRANCE Tel. +47 22 62 70 17 Gayrettepe
Tel: +33 1 42 56 38 86 Fax: +47 22 62 70 11 34394 Istanbul
Fax: +33 1 45 63 91 95 E-mail: post@nordma.no Turkey
Website: www.ufmd.org Website: www.nordma.no Tel: + 90 212 212 8537
Fax: +90 212 212 8538
E-mail: ayca.aytac@dpid.org.tr
Website: www.dpid.org.tr
Germany Poland United Kingdom

Deutsche Dialogmarketing Verband (DDV) Stowarzyszenie Marketingu Bezposredniego (SMB) The Direct Marketing Association (DMA UK)
Hasengartenstraße 14 Stowarzyszenie marketingu Bezpośredniego DMA House
65189 Wiesbaden ul. Wybieg 21 (wejście od ul. Słonecznej) 70 Margaret Street
GERMANY 00-788 Warsaw London W1W 8SS
Tel: +49 611 97 79 30 Tel. +48 22 / 849 35 00 UNITED KINGDOM
Fax: +49 611 97 79 3 99 Fax +48 22 / 848 89 41 Tel: +44 20 7291 3300
E-mail: info@ddv.de E-mail: info@smb.pl Fax: +44 20 7323 4426
Website: www.ddv.de Website: www.smb.pl E-mail: info@dma.org.uk
Website: www.dma.org.uk
57
SECTION II – Legal Overview
Section II – Legal Overview – Email Marketing in Europe

Data Protection and Regulations in:
Austria P. 60 Italy P. 107

Belgium P. 66 The Netherlands P. 115
Bulgaria P. 71 Norway P. 120
Denmark P. 74 Poland P. 124
Estonia P. 78 Romania P. 128
Finland P. 83 Slovenia P. 133
France P. 87 Spain P. 140
Germany P. 90 Sweden P. 145
Greece P. 93 Switzerland P. 148
Hungary P. 96 United Kingdom P. 151
Ireland P. 100 United States P. 156
Up to date guidelines for professional marketers, including detailed information on:
Current Data Protection Laws and Regulations

Registration of marketing lists with the National Data Commission (cost, duration)
Collection of data (opt-in, opt-out, soft opt-in)
Notification when Collecting Data
Purposes for processing personal data (main guidelines)
Wording of notice when collecting data
Edited by Field Fisher Waterhouse LLP in collaboration with Legis (Austria), Noblex Ltd (Bulgaria),
Plesner Svane Grønborg (Denmark), Luiga Mody Hääl Borenius (Estonia), HH Partners (Finland),
Avramopoulos & Partners (Greece), Bogsch & Partners (Hungary), Beauchamps Solicitors (Ireland),
La Scala & Associati (Italy), Kennedy Van der Laan (The Netherlands), Thommessen Krefting Greve
& Lund (Norway), Laszczuk & Wspólnicy (Poland), Nestor Nestor Diculescu Kingston Petersen
(Romania) Colja, Rojs & partnerji (Slovenia) Fylgia (Sweden), Python & Peter (Switzerland) and
Minnesota Privacy Consultants (United States).
58
SECTION II – Introduction
SECTION II – THE LEGAL INS AND OUTS OF E-MAIL MARKETING IN EUROPE
This section is designed as a detailed guide to the data protection regulations which impact on email
marketing in Europe today. We have prepared, with the invaluable help from Field Fisher Waterhouse, an
overview of the relevant laws in 22 countries – 19 from the European Union, two from the European
Economic Area (Switzerland and Norway), and also the USA. In the future we hope to be able to complete a
report on all 27 European Union countries.
Inevitably any section covering regulations is legalistic – and I am afraid this section cannot dodge the legal
issues and texts, however, also inevitably, if you want to avoid legal problems, or embarrassing and costly
complaints, you need to study these pages.
The key question we receive constantly form members is – “how on earth can I do a cross-border email
campaign covering a number of European countries when the national laws are so different?”
At present the good news is that you should, in theory, only have to apply one national law – that of your
“controller of the data”. In other words, if you have a central database (say you create one for the
campaign), and there is one controller (a data privacy officer, or a subsidiary company, etc), so long as the
data are correctly collected at national level, and the data security is correctly done, then the central (EU
based) controller can use those data under his/her own national law to send out an email (some applies
most other DM campaigns across Europe).
This makes doing a centrally organized EU-wide email campaign more simple. Some countries may not
agree (for example, Spain may prove a challenge), in which case at national level it may be advisable to
approach and discuss the issues with the national Data Protection Authorities (DPAs).
To help strengthen your case there is always the FEDMA code, which was negotiated with the national
DPAs, and the annex to that code which is now being finalized, and also there are many national codes
negotiated between the local direct marketing associations (DMAs) and the DPAs. Examples, France, UK,
Italy, the Netherlands, Belgium, Sweden, etc. These are referred to in this section.
It likely that the European Union will revise its present Data Protection regulations (the 1995 Directive)
over the coming year. This will be an opportunity for business to explain the difficulties they face when
trying to meet the demands of all the national regulatory differences to the European Institutions (the
Commission, Parliament and Council).
This report clearly shows the practical differences between the national laws. In addition, FEDMA will be
collecting evidence and case studies to help us make the case to the regulators. Please let us have your
experiences and your help to ensure better, not tougher, regulations will result from this present review.
In particular, our sector must protect the right to use only one regulation (that of the data controller) when
emails are sent out in a cross-frontier campaign. If we fail to protect that principle, and all national
regulations are applied, it will become extremely difficult to undertake any cross-border campaigns.
National laws, unfortunately, fail dismally to be comparable, despite the ideal of a “Single European
Market”, and FEDMA has noted a worrying trend towards increasing regulation with little regard for the
EU‟s central principles of compatibility and harmonization. The latest major change has been the new
German Data Protection Law of August 2009 which has introduced more restrictions.
Some of these are still unclear at the time of writing: we have attempted to give an interpretation of the
new law which should be of help to the marketer, but the German regional (Land) DPAs and courts may
change the way in which the new law is applied.
59
SECTION II – Introduction Contd
Fortunately not all EU Member States have such a regional structure as Germany, however, changes in
national regulations have in most cases been more, rather than less, strict. A notable exception is Latvia,
where the national law has been brought more into line with the 1995 EU Directive. Previously it had been
far more restrictive than the Directive.
Any report on the national regulations of 23 countries can only expect a limited shelf life: regulations – and
particularly their interpretation by the local data protection authorities – change regularly. If you have
information on new rules or interpretational regulations please share with us. FEDMA wants to keep its
information up to date, and members are always most welcome to ask questions, and get updates. This is
an important membership service which we provide. However, as data protection regulations become
increasingly complex and variable across frontiers, and marketers use a far great mix of media and
techniques - from email to SMS; from viral marketing to online behavioral advertising – it becomes
necessary to be very sure of the detailed ins and outs of data protection in multiple countries.
Law firms, such as Field Fisher Waterhouse, are essential advisors on these complexities across the EU, the
EEA, and in the main markets outside Europe from the USA to Russia, Australia to China. FEDMA strongly
advises its members to be safe rather than sorry when dealing with complex data protection issues – and in
particular with some of the stricter countries, such as Spain, or the new law in Germany. As this section
shows many of the national data protection authorities now have the ability to impose fines and / or to
seize databases, etc. Making a mistake when applying data protection rules can be an expensive error.
Finally, we would like to stress that the information we have provided here is in good faith, but neither
FEDMA, nor Field Fisher Waterhouse can guarantee its accuracy for liability purposes. As we point out, the
interpretation of national regulations continually evolves. In particular the DPAs produce new
interpretations of the relevant laws on a regular basis. The material in this report is therefore a guide to
assist the email marketer; not a firm recipe.
Alastair Tempest
April 2010
60
SECTION II – Legal Overview - Austria
Austria
Major Current Data Protection Laws
The Federal Act concerning the Protection of Personal Data (Datenschutzgesetz 2000) implements
Directive 95/46/EC and provides a fundamental right to data protection regulating all processing of
personal data, including collection, storing, committing and transmission of data.
The Telecommunication Act (Telekommunikationsgesetz 2003) implements Directive 2002/58/EC and
regulates (among other things) data processing in the electronic communication sector.
Section 151 of the Trade Act (Gewerbeordnung) contains specific data protection provisions for direct
marketing businesses and list brokers.
Registration of marketing lists with the Data Commission (DPA)

In general, every controller has to file a notification with the data processing register
(Datenverarbeitungsregister) before commencing a data processing activity (a data application).
Notification is not required in the case where the data application corresponds to a so called standard
application (Standardanwendung). Processing data for the controller‟s own customer support and
marketing purposes are examples of the standard applications. Therefore, a person can operate a
marketing list without notifying the authority if the list meets the requirements of a standard
application. The rule is defined in an ordinance (Verordnung) of the Federal Chancellor.
Expected time duration for registering marketing lists with the DPA
The notification process in Austria is quite simple. The Data Protection Authority provides forms on its
website. These can be found at: http://www.dsk.gv.at.
The process takes several months. However, in most cases the data application may be run as soon as
the notification is filed, unless the application contains sensitive data.
Registration costs
The authority does not charge fees for notification.
Non Sensitive/Sensitive Information
Common legal grounds for the processing of (non-sensitive) personal data for marketing purposes
carried in all media
 Overriding legitimate interests of the controller, such as execution of a contractual obligation to
the data subject
 Consent by the data subject
 For (licensed) direct marketing businesses and list brokers only: explicit statutory authorisation
(sec. 151 Trade Act)
How the data subject exercises „consent‟

The Data Protection Act requires “informed consent”. In order to obtain valid consent the controller
has to inform the data subject of:
 the types of data being processed;
 the purposes of the processing;
 in the event of a data transfer:
• the type of data to be transferred;
• the purpose of the transfer; and
• the (specific) recipients of the transfer and
 the right to withdraw its consent at any time.
61
Generally no specific form of consent is required. If the data are non-sensitive then implied consent is
sufficient. The data subject can revoke his or her consent at any time.
Implied consent
The Datenschutzgesetz 2000 does not require a specific wording for collecting data. Generally,
consent, including implied consent, must be informed consent –see above.
A tick box is not required by law. However, providing a check box linked to, or placed next to, the
statement of consent helps the controller to prove that the data subject approved of the data
processing.
Sensitive Data: Required form of consent for the processing of sensitive data
Sensitive data may only be processed under very strict conditions; the most important is to have prior,
expressed consent from the data subject. The consent does not have to be in writing but written
consent is recommended for purposes of proof.
Types of data considered “sensitive”

Sensitive data is defined (in section 4 no. 2 of the Datenschutzgesetz) as data relating to natural
persons concerning their racial or ethnic origin, political opinion, trade-union membership, religious
or philosophical beliefs, and data concerning health or sex life.
Information on (alleged) criminal behaviour and criminal convictions relating to the data subject, as
well as information on the data subject‟s credit history (if processed for the purpose of providing such
information to third parties) are by definition not sensitive data, but are subject to specific
restrictions.
Electronic Communication and the Opt-in
Common legal ground for the use of electronic messages for marketing
Direct marketing is regulated in the Telecommunication Act (Telekommunikationsgesetz 2003), in
sections 5a – 5h, and 28a of the Consumer Protection Act (Konsumentenschutzgesetz) and the Federal
Act concerning the Protection of Personal Data (Datenschutzgesetz 2000).
Telemarketing in terms of unsolicited marketing by phone, email, SMS or MMS is regulated in the
Telecommunication Act (Telekommunikationsgesetz 2003). Section 107 paragraph 1, generally forbids
phone calls and communications by fax for marketing purposes without the prior consent of the
addressee. Furthermore, section 107 paragraph 2 forbids sending electronic mail (including SMS)
without the prior consent of the addressee if:
 the message is sent for Direct Marketing purposes, or
 the message is addressed to more than 50 addressees.
Electronic mail for direct-marketing purposes is illegal if the identity of the sender is concealed or if
there is no address displayed in the mail to which the addressee can send his request for removal
from the mailing list.
Definition: soft opt-in for electronic communications

“Soft opt-in” is referred to in section 107 paragraph 3 of the Telekommunikationsgesetz. Prior
consent in terms of paragraph 2 is not necessary if:
 the sender has received the contact information of the addressee in connection with a sale or a
service to his customers;
62
 the direct marketing message relates to the sender‟s own (similar) products and the addressee
was given the opportunity (from the date of acquiring the data onwards) to refuse such a use of
his electronic contact information, easily and without any cost;
 the address is not registered in the so-called “§ 7 ECG-Liste”, (i.e. a Robinson list for electronic
mail).

Since March 2006 the above stated rules apply to both B2C and B2B. There is no difference any more.
Purposes
Provided that the controller gives the data subject a very detailed list of purposes, the data subject‟s
(implied) consent will cover all such purposes.
Generic terms
Generic terms describing purposes and destination of data transmission may be insufficient –
especially in respect of consumers. However, “direct marketing” and “market research” may be
sufficient for the purpose of data processing. Wording like “transmission to all linked companies of
the X-group” was considered too vague by the courts.
Notifying when Collecting Data
Wording for collecting data

There is no required or recognised form of wording for collecting data in Austria.
When collecting data the controller must inform the data subject of:
the purpose of the processing
the name and address of the controller
and provide such additional information as required from time to time for fair data processing, in
particular, if the data subject has a right to object against the processing; if it is not clear to the data
subject whether or not he/she is obliged to provide certain data; or if data are processed in a data
pool where the data are equally accessible to multiple controllers (Joint Information System /
Informationsverbundsystem).
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
The purposes for processing should be provided each time data are collected or used for
alternative/additional purposes. It is irrelevant whether or not the data subject is an existing client.
Opt-out
There is no specific form or wording for opting-out. Data subjects can revoke their consent at any
time in any form, thus making further data processing illegal. Data subjects also have the right to
rectification and/or erasure of his/her data. In regards to addressed mail, email and SMS the
addressee can opt-out by registering with a Robinson list (see below).
Do you have to offer the opt-out each time when approaching the customer?
When using email and SMS for marketing purposes, you have to give the addressee the opportunity to
refuse the use of his electronic contact information in every single message.
63
Data Storage
Data confidentiality clause

(Section 15 of the Datenschutzgesetz) imposes a general obligation on controllers, processors and
their respective employees to keep data accessible to them in their professional capacity
confidential. Additional confidentiality requirements apply to certain professions.

Data may only be kept in a form which permits identification of data subjects for as long as this is
necessary for the purpose for which the data was collected. No specific period is stated by law.
(Section 6 paragraph 1 of the Datenschutzgesetz)
As far as standard applications are concerned, the ordinance of the Federal Chancellor limits the
storage period to a specific time.
Every controller has to erase or make anonymous data he has stored as soon as the data (or its link to
a specific person) are not necessary for the purpose for which the data were collected.
When the controller uses a standard application, he may only store data for the time stated in the
Ordinance of the Federal Chancellor. If the controller holds the data for a longer period, he exceeds
the requirements of a standard application and therefore must notify the application to the DPA.
Security of data
Section 14 of the Data Protection Act provides several measures to ensure data security, which have
to be taken by the Data Controller or Processor.
Among them are:
 The use of data must be tied to valid orders of the authorised organisational units or operatives;
 Every operative must be instructed about his duties according to the Datenschutzgesetz and the
internal data protection regulations, including data security regulations;
 The right of access to the premises, data and programmes of the data Controller or Processor has
to be regulated;
 The right to operate the data processing equipment has to be laid down and every device has to
be secured against unauthorised operation by taking precautions with the systems and
programmes used.
Costs associated with security of data

The Data Protection Act states: “These measures must, taking into account the technological state of
the art and the cost incurred in their execution, safeguard a level of data protection appropriate with
regard to the risks arising from the use and the type of data to be protected.”
Protection for database owners

The owner of a database, who has made a substantial investment, whether qualitatively and/or
quantitatively, in either the obtaining, verification or presentation of the contents, has the right to
prevent extraction and/or re-utilization of the whole or of a substantial part, evaluated qualitatively
and/or quantitatively, of the contents of that database. Databases are protected under the Copyright
Act (Urheberrechtsgesetz)
64
Penalties
National penalties the DPA can apply

Technically the DPA has now power to issue penalties. If it becomes aware of a criminal or
administrative offense regarding the unlawful use of data it has to notify the respective criminal
prosecution or administrative penal authorities, as the case may be. Unlawful use of data for the
purpose of monetary gain or with the intent to cause harm is a criminal offense punishable by
imprisonment of up to one year.
The Datenschutzgesetz defines certain violations as administrative offense punishable with a fine of
up to EUR 25.000,00 or 10.000,00, as the case may be.
Penalties for breaching the rules on unsolicited for Email message:

Administrative penalty up to EUR 37.000,00.

All “traffic data” must be erased or made anonymous when they are no longer needed for the purpose
of the transmission of a communication. (Section 99 of the Telekommunikationsgesetz)
Log files may only be stored for as long as they are necessary for the purposes of subscriber billing and
interconnection payments. Log files may be stored for some marketing purposes to the extent and for
the duration necessary for such services or marketing, provided the subscriber has given his/her
consent.

Every data subject is given the right to information about, rectification and erasure of his/her data.
The data subject may demand information about processing of his/her data in writing and on
production of proof of his/her identity. The controller has to give such information in writing within
eight weeks, or explain why he is not able to provide such information.
Every controller has to rectify or erase data as soon as he becomes aware of any inaccuracies in the
data or inadmissibility of processing. If a data subject requests the deletion or rectification of his/her
data, the controller must act on this request within eight weeks.

A Robinson list concerning electronic mail is operated by the Rundfunk- und Telekom Regulierungs-
GmbH. For more information, please visit:
http://www.rtr.at/web.nsf/deutsch/Telekommunikation_Konsumentenservice_E-Commerce-Gesetz
A list concerning mailings by post is operated by the Fachverband Werbung und Marktkommunikation
der Bundessparte "Gewerbe, Handwerk, Dienstleistung" der Wirtschaftskammer Österreich. For more
information, please visit: http://www.fachverbandwerbung.at/de-service-robinsonliste.shtml
The above-mentioned Robinson lists do not concern collecting of addresses, but the sending of
unsolicited mail. The DPA is not the competent authority in the field of unsolicited mail.
65
Consumer Protection Legislation
The term “inbound telemarketing” does not exist in Austrian law. When a consumer calls a company
to get information about a product or to order a product on a hot-line or via a call-centre, this
situation would be regulated by the Consumer Protection Act (Konsumentenschutzgesetz).
Call monitoring for quality control/training

There are no specific rules for monitoring calls of call centre agencies. However, the general
provisions of labour law, data protection and unfair competition law apply.
Internet
National laws specifically on eCommerce

In implementing the Directive 2000/31/EC, Austria established the Federal Act concerning certain
legal aspects of electronic business and legal relations (E-Commerce Gesetz), which became effective
on January 1st 2002.
The E-Commerce Act (E-Commerce-Gesetz) regulates the accreditation of service providers in

electronic business and legal relations, their duty to supply information, the conclusion of contracts,
the responsibilities of the service providers, the country-of-origin principle and the cooperation with
other
member states.
Service provides are defined as every individual or legal person or other construct with legal capacity
who/which provides an information society service.
66
SECTION II – Legal Overview - Belgium
Belgium
« Loi relative à la protection de la vie privée à l'égard des traitements de données à caractère
personnel / Wet tot bescerming van de persoonlijke levensfeer ten opzichte van de verwerking van
persoonsgegevens » (Data Protection Act) dated 8 December 1992, as amended especially by the law
of 26 February 2003.

When acquiring or starting a marketing list in Belgium, you are required to notify the “Commission de
la protection de la vie privée / Commissie voor de bescherming van de persoonlijke levenssfeer”).
There is however an exception where there is no need for such a notification: If (i) the marketing list
will only be used for client management (i.e. not for direct marketing), (ii) the data collected are not
sensitive data, (iii) the data have been obtained directly from the data subject and (iv) there will not
be any transfer of those data to another person or company.
Under Belgian law, only processing of personal data for marketing purposes needs to be registered
with the DPA. The marketing list as such does not need to be registered. The notification process
approximately takes 4-6 weeks.
Registration costs
The costs for such a notification amount to 25 Euros if it is done by Internet, but increase to 125 Euros
if the notification is submitted on a paper form. The cost to modify notifications is 20 Euros.
Common legal grounds for the processing of (non-sensitive) personal data for marketing
purposes
Article 5 of the Data Protection Act states the legal grounds that allow for the processing of personal
data in general. As far as marketing is concerned, in order to process personal data an opt-in is
generally required, and in some instances mandatory (see below). Therefore, the DPA is of the
opinion that obtaining the data subjects consent is best practice.
However, the DPA recognises that processing of personal data for marketing purposes may in some
cases be justified if the processing is necessary for the performance of a contract to which the data
subject is party (existing clients) or in order to take steps at the request of the data subject prior to
entering into a contract (prospects), provided that no express consent is required by law.
In certain (more exceptional) cases, the processing could even be justified based on the fact that the
processing is necessary for the purposes of the legitimate interests pursued by the controller or by the
third party to whom the data are disclosed, provided the interests or fundamental rights and
freedoms of the data subject are not infringed.
67
The data subject, whose data are collected and processed, has to give his/her unambiguous consent
(i.e. freely given, specific and informed). (Article 5.a of the Data Protection Act)
Consent can be given by checking an opt-in tick box.
Implied consent
In principle, the consent has to be unambiguous (i.e. freely given, specific and informed). Implied
consent may be acceptable in certain circumstances, but it may lead to uncertainty, especially if the
existence of the data subject‟s consent is the only legal ground for the processing of his personal
data.
In certain cases, soft opt-in, which is a form of implied consent, can be expressly considered to be a
valid consent.
Consent by data subject is required when using the following communication media:
Subject to the soft opt-in and opt-out exceptions set out below, express consent (opt-in) shall be
mandatory by virtue of the law for the following categories: SMS, MMS, EMAIL, Telephone, Fax, Mail
and Chat
In principle, it is prohibited to process sensitive data. However, there are some exceptions, the most
important one being the written consent of the data subject (unless prohibited by law). (Articles 6 §
2, a-e, 7 § 2 a-k and 8 § 2 a-e of the Data Protection Act)
Types of data considered “sensitive”, apart from race, religion, politics, sexual interests,
health, and trade union memberships
 Personal data relating to litigation that have been submitted to courts or administrative judicial
bodies, relating to allegations, charges, or convictions in matters of criminal offences,
administrative sanctions or security measures.
 Biometric data may be sensitive if they can be considered as health related data (e.g. DNA).
The Act of 11 March 2003 on the information society, together with the Royal Decree of 4 April 2003
regulate marketing by electronic communication. These transpose parts of the EU Directive
2000/31/CE and specifically apply to e-commerce.

The Act of 11 March 2003 imposes an opt-in system in Belgium, but the Royal Decree of 4 April 2003
provides for two exceptions:
The first one concerns direct marketing sent electronically to a person whose data have been
obtained at the occasion of a previous sale if: - (i) at the time of collection it had been mentioned
that the person could refuse such use; (ii) the marketing message concerns the same kind of product
or service as the one the person had previously bought, and (iii) the marketing message is sent by the
entity that was involved in the previous sale (soft opt-in for existing clients).
68
The second exception concerns emails sent to impersonal email addresses belonging to legal entities,
for example info@befirm.be (but not firstname.surname@befirm.be). But these should still be opt-out
for impersonal email addresses of legal entities.

As far as B-to-B is concerned, the same opt-in rules apply as in case of B-to-C. The two exceptions set
out above also apply to the same extent.
Purposes
If the personal data are obtained directly from the data subject, the data subject must be informed
of the purpose of the processing no later than at the moment at which the data are obtained.
If the personal data are not obtained from the data subject, the data subject must be informed of the
purpose of the processing at the time the personal data are recorded, or, if a transfer to a third party
is envisaged, no later than the moment at which the data are first disclosed.
Generic terms
Generic terms are not acceptable in the following instances:
 When notifying a declaration to the DPA, the controller has to select the most appropriate
purpose from a list of purposes proposed by the DPA (e.g. direct marketing, trade of commercial
information); and
 When the data are effectively collected. When a data subject is asked whether she/he agrees to
give personal data, this person needs to know exactly the reason why these data are being
collected. The data cannot be used for another purpose other than the one mentioned.

There is no required or recognized form of wording for collecting data. However, the DPA has given an
example information clause for collecting data:
In French:
“Vos données sont reprises dans le fichier [d‟adresses] de [nom du responsable de traitement] pour
[finalité du traitement]. Vos données seront communiquées par [nom du responsable de traitement]
à [catégories de destinataires] à des fins de [finalité du traitement].
Vous diposez à tout moment d‟un droit d‟accès et de rectification de vos données et du droit de vous
opposer, gratuitement, à leur traitement et à leur communication”
In Dutch :
“Uw gegevens worden opgenomen in het [addressen]bestand van [naam van de verantwoordelijke van
de verwerking] met het oog op [doeleinde van de verwerking]. Uw gegevens worden door [naam van
de verantwoordelijke van de verwerking] meegedeeld aan [categorie van ontvangers] met het oog op
[doeleinde van de verwerking].).
69
U beschikt te allen tijde over een recht op toegang en op verbetering van uw gegevens en u heeft het
recht om u kosteloos te verzetten tegen de verwerking en de doorgifte van die gegevens”.
(“Marketing direct et Protection des données” / “Direct marketing en bescherming van

persoonsgegevens” , www.privacycommission.be).
This example clause mentions the purpose of the data processing, the name of the controller, the
identity of the people who will have access to the data and the rights of the data subject.
The purposes have to be given when collecting personal data from both existing and prospective
clients.
Opt-out
The data subject may choose to opt-out, free of charge, at any time, without any justification.
The controller must inform the data subject of this right each time an electronic marketing message is
sent and must offer the data subject the possibility to exercise this right electronically (i.e. either by
clicking on a link or via an email address for this purpose).
Data Storage

Article 16 of the Privacy Act obliges the data controller to take the necessary security measures to
guarantee the integrity of the personal data processed.

Personal data must not be kept longer than is necessary for the purposes for which the data are
collected or for which they are further processed. (Article 4, § 1, 5° of the Data Protection Act)

The DPA may investigate complaints but has no enforcement powers. It can however issue an opinion
and inform the Public Prosecutor of an infringement. The criminal courts can impose ffines, which
may vary between 550 EUR and 550.000 EUR.

All the above mentioned principles apply to the on-line collection of data on the Internet and have to
be adapted to this media. For example, the fact that the consent has to be unambiguous implies that
a pre-ticked box on a web page is not sufficient.

The data subject has a free of charge right of access and rectification to his/her data. He/She only
needs to send a written and signed request and a copy of his/her identity card, to the person who is
responsible for this data processing.
70
There is a “Code de déontologie” (professional Code of Ethics) that is published by the Belgian Direct
Marketing Association (BDMA) and that is available on its website (www.bdma.be). This code was
drawn up together with the DPA.
The DPA also published a recommendation on direct marketing and the protection of personal data,
which contains guidelines on the matter ( “Recommandation 04/2009 du 14 octobre 2009 concernant
le marketing direct et la protection des données à caractère personnel /Aanbeveling 04/2009 van 14
oktober 2009 betreffende direct marketing en bescherming van persoonsgegevens”).
Internet

The Act of 11 March 2003 on the information society and the Royal Decree of 4 April 2003, both
transposing part of the EU Directive 2000/31/CE, specifically apply to e-commerce.
Rules to apply for the use of new media such as Bluetooth or other mobile messaging
The above mentioned regulations apply to the use of new media.
Rules on the use of viral advertising

Strictly speaking, some aspects of viral advertising are contrary to the Data Protection Act and the
regulations on direct marketing (Act of 11 March 2003 and the Royal Decree of 4 April 2003),
specifically member get member/friend get friend campaigns. According to the DPA, these are only
compliant with the requirements of electronic marketing where the friend‟s prior consent is obtained.
Moreover, there is a general requirement that, upon receipt of the (viral) advertising message, it
should be clear to the recipient that the message has an advertising purpose. The (viral) advertising
message should mention the word “publicité / reclame” [advertisement] as well as the identity and
address of the sender.
71
SECTION II – Legal Overview - Bulgaria
Bulgaria
Promulgated State Gazette No. 1/4.01.2002, effective 1.01.2002, supplemented,
SG No. 70/10.08.2004, effective 1.01.2005, SG No. 93/19.10.2004, No. 43/20.05.2005, effective
1.09.2005, amended and supplemented, SG No. 103/23.12.2005, amended, SG No. 30/11.04.2006,
effective 12.07.2006, amended and supplemented, SG No. 91/10.11.2006, supplemented, SG
57/13.07.2007, effective 13.07.2007, emended, SG No.42/05.06.2009
Extent of DPA‟s Assistance with Enquiries

The DPA will assist with enquiries.
Registration of marketing lists with the Data Commission

Each entity that operates and/or maintains databases containing personal data is obliged to make a
registration with the Commission for Protection of Personal Data (DPA). The registration must be
made before the operation/maintaining of the database commences.
2 months
Registration costs
Registration as an administrator is free.
purposes
There must be a legitimate interest from the direct marketer.
How „consent‟ is exercised by the data subject

The data subject‟s consent is implied when he/she voluntarily provides his/her personal data. When
this is not the case, the failure to opt-out is regarded as consent. Where consent is needed, it has to
be explicit and unequivocal.
Implied consent
Implied consent is acceptable in Bulgaria. A tick box is not a compulsory element.
Consent by data subject is required when using the following communication media: SMS, MMS,
EMAIL, Telephone, Fax, Mail
There must be explicit consent from the physical person.
Data about the ethic origin, philosophical conviction and genetic make-up of the data subject.
72
Sending unwanted commercial communications to consumers without their prior consent is forbidden.
Electronic messages are regulated by the Electronic Commerce Law and by the Electronic
Communications Act. These two Laws transpose the provisions of Directive 2000/31/EC and of
Directive 2002/21/EC..

There is no soft opt-in for electronic communications in Bulgaria.
There are no rules on electronic communication for B-to-B marketing purposes.
Purposes
When giving the purposes for processing personal data generic terms are acceptable.

There is no requirement for a recognised form of wording for collecting data in Bulgaria.
Legally, the purposes for processing personal data only need to be given to prospective clients
Opt-out
The laws provide the right for the consumer to object to the processing of his/her personal data for
the purposes of direct marketing. It is not necessary to offer opt-out each time when approaching a
customer.
Data Storage

There are data confidentiality clauses in Bulgaria.

There are no time limits on holding data. Every data administrator has to specify the terms for holding
collected data when registering with the DPA.
National penalties which the national DPA can apply

The DPA can issue fees and the penalty rates are between 250 and 50 000 EUR. In cases of repeated
violations the sanctions are double that of the original penalty. The law provides the possibility for
the DPA to suspend, upon prior notification, the processing of personal data where such processing
violates the provisions on the protection of personal data, but the DPA can not order the destruction
of the database etc.
73
Penalties for breaching the rules on unsolicited electronic communications for Email are between
2500 - 5000 Euros.

Any person whose personal data is processed has the right to file a request in writing for access to
and/or rectification of the data related to him.
The processor has to reply within a definite period and no response is considered a refusal for
access/rectification. Access may be denied if there is an adequate reason, and access by third parties
is restricted.

There are no industry codes of practice in place.

The Regulations under the E-Commerce Law govern this area.
74
SECTION II – Legal Overview - Denmark
Denmark
Persondataloven (Personal Data Act)

The mere holding of a marketing list does not require that person to register with the DPA.
There is no expected time duration for registering marketing lists with the DPA.
purposes
Personal data may be processed only if:
1. the data subject has given his explicit consent; or

2. processing is necessary for the performance of a contract to which the data subject is a party, or
in order to take steps at the request of the data subject prior to entering into a contract; or
3. processing is necessary for compliance with a legal obligation to which the controller is subject;
or
4. processing is necessary in order to protect the vital interests of the data subject; or
5. processing is necessary for the performance of a task carried out in the public interest; or
6. processing is necessary for the performance of a task carried out in the exercise of an official
authority vested in the controller or a third party to whom the data are disclosed; or
7. processing is necessary for the purposes of the legitimate interests pursued by the controller or by
the third party to whom the data are disclosed, and these interests are not overridden by the
interests of the data subject. (Sections 6(1)(1) or 6(1)(7) of the Personal Data Act. Section 6(1))

The data subject's consent shall mean any freely given specific and informed indication of his wishes
by which the data subject signifies his agreement to personal data relating to him being processed.
Implied consent
Implied consent is as a general rule is not acceptable in Denmark. In certain cases, the disclosure of
non-sensitive data may be deemed to be implied consent to the processing for which the data was
disclosed.
Consent by data subject is required when using the following communication media: SMS, MMS,
Email, Telephone (except if the call concerns the sale of insurances, books or newspapers/magazines
in which case consent is not required. The Robinson list must, however, still be observed), FAX, Mail
(normally consent is not required for Mail, unless the data subject has signed up to the Robinson list,
in which case consent is required).
The consent must be explicit and informed.
75
Under the Personal Data Act, in addition to the above, there is a special category called "semi-
sensitive data", which covers data about criminal offences, serious social problems and other purely
private matters. In practice, “semi-sensitive data” are subject to the same limitations/conditions as
sensitive data.
Consent, cf. Section 6(1) of the Danish Marketing Practices Act.

A trader that has received a customer‟s electronic contact details in connection with the sale of
products or services may market his own similar products or services to that customer by electronic
mail, provided that the customer has been given the option, free of charge and in an easy manner, of
declining this both when providing his contact details to the trader and in the event of subsequent
communications.
Opt-in is required for electronic communication for B-to-B marketing purposes is required for:
Automated Calling Machines, SMS, MMS, EMAIL, Telephone, FAX, Mail
Purposes
It is necessary to be precise when providing the purposes for processing personal data.
Generic terms
It is necessary to be precise to a certain extent.

There are no required or a recognized form of wording for collecting data in Denmark.
The purposes only have to be stated once.
Opt-out
The opportunity to opt-out must be easy and free of charge.
Yes, if the customer is approached by email. For communications by ordinary mail to consumers, the
opt-out must be stated in the first letter to the customer.
76
Data Storage

There is a data confidentiality clause in Denmark.

There are no exact time limits on holding data, but the data may not be kept in a form which makes it
possible to identify the data subject for a longer period than is necessary for the purposes for which
the data are processed.
Transfers of data between companies
Model clauses to govern the rules

There are no model clauses governing the rules of data transfer between companies.
Transfer of data from one company to another for marketing purposes requires active or passive
consent, depending on the categories of data being transferred.
Penalties

Fines, imprisonment, orders or prohibitions.

Fines and damages/compensation claims

None

The following Sections of the PDA apply:
31. – (1) Where a person submits a request to that effect, the controller shall inform him whether or
not data relating to him are being processed. Where such data are being processed, communication
to him shall take place in an intelligible form about:
1. the data that are being processed;

2. the purposes of the processing;
3. the categories of recipients of the data; and
4. any available information as to the source of such data.
(2) The controller shall reply to requests as referred to in subsection (1) without delay. If the
request has not been replied to within 4 weeks from receipt of the request, the controller shall
inform the person in question of the grounds for this and of the time at which the decision can be
expected to be available.
77
33. A data subject who has received a communication in accordance with section 31 (1) shall not be
entitled to a new communication until 6 months after the last communication, unless he can prove
that he has a specific interest to that effect.
34. – (1) Communication in accordance with section 31 (1) shall be in writing, if requested. In cases
where the interests of the data subject speak in favour thereof, the communication may, however,
be given in the form of oral information about the contents of the data. (2) The Minister of Justice
may lay down rules for payment of a fee for communications, which are given in writing by private
companies, etc.

There are codes of practice in Denmark, and it is possible to obtain these by contacting the individual
industries' organisations.
The Robinson list is operated by the Det Centrale Personregister (CPR register). For more information
please visit: www.cpr.dk
78
SECTION II – Legal Overview - Estonia
Estonia
Major Data Protection Laws
 The Constitution – basic principles
 Personal Data Protection Act came, into force 01/01/2008
 Public Information Act, came into force 01/01/2001
 Information Society Services Act, came into force 01/05/2004

The mere holding of a marketing list does not require that person to register such list with the
Estonian Data Protection Inspectorate (DPA).
The processor of personal data is only required to register the processing of personal data with the
DPA in cases where the marketing list, or creation, involves the processing of sensitive personal data,
and the processor has not appointed (and informed the DPA) a person responsible for the protection
of personal data.
Expected time duration for registering marketing lists with the DPA:
Marketing lists do not have to be registered.
The registration of processing of sensitive personal data with the DPA (as referred to above) takes up
to 20 working days; but the DPA may extend this period by up to 10 working days. A registration
application shall be submitted to the DPA at least one month before processing of sensitive personal
data commences.
Registration costs
There are no specific fees for the registration of the processing of sensitive personal data.
purposes
As a general rule - processing of personal data is permitted only with the consent of the data subject,
unless otherwise provided by law.
The law provides that processing of personal data without the consent of a data subject is permitted,
if the personal data are to be processed:
1) on the basis of law;
2) for performance of a task prescribed by an international agreement or directly applicable
legislation of the EU Council or the European Commission;
3) in individual cases for the protection of the life, health or freedom of the data subject if
obtaining the consent of the data subject is impossible;
4) for performance of a contract entered into with the data subject or for ensuring the performance
of such contract, unless the data to be processed are sensitive personal data.

The declaration of intention of a data subject whereby the person grants the consent for processing of
his or her personal data (hereinafter “consent”) is valid only if it is based on the free will of the data
subject.
79
In order to obtain valid consent the data subject shall be clearly informed of:
 the data to which the permission relates,
 the purpose of the processing,
 the persons to whom the data may be transferred,
 the conditions for communicating the data to third persons, and
 the rights of the data subject concerning further processing of his or her personal data.
Silence or inactivity shall not be deemed a declaration of intention to grant the consent.
Before obtaining a data subject's consent for the processing of personal data, the processor of
personal data shall notify the data subject of the name, address and other contact details of the
processor of the personal data. If the personal data is to be processed by the chief processor and
authorised processor then the name of the chief processor and authorised processor or their
representatives, and the address and other contact details of the chief processor or authorised
processor shall be communicated and made available.
For processing sensitive personal data, the data subject must be informed that the data to be
processed are sensitive personal data, and the data subject's consent has be obtained in a format
which can be reproduced in writing.
A data subject has the right to prohibit, at all times, the processing of data concerning him or her for
the purposes of marketing research or direct marketing, and communication of data to third persons
who intend to use such data for market research or direct marketing.
In the case of a dispute it shall be presumed that the data subject has not granted consent for the
processing of his or her personal data. The onus is on the processor to provide proof of the consent of
a data subject.
Implied consent
The law says that silence or inactivity does not mean that consent has been given. Consent shall be
given in a format which can be reproduced in writing, unless this is not possible due to a specific
manner of data processing (the last exception does not apply to sensitive personal data).
Consent by data subject is required when using the following communication media
As a general rule under Personal Data Protection Act - any kind of data processing requires the
consent of the data subject.
In the case that the use of data involves sending commercial communications to natural persons (not
processing), then the Information Society Services Act provides the following rule - the service
providers may transmit digital commercial communications to natural persons through a public data
communication network only with the prior consent of the addressee. The term “public data
communication network” is not currently defined in the law, therefore we suggest that it is
interpreted widely to cover not just e-mail, but also telephone, SMS; MMS; and fax.
Thus, consent is required for SMS, MMS, EMAIL, Telephone, FAX but not for Mail.
80
For processing sensitive personal data, the person must be informed that the data to be processed is
sensitive personal data and the data subject's consent shall be obtained in a format which can be
reproduced in writing.
Besides those above the following si also considered to be sensitive data:

data concerning genetic information, philosophical beliefs, ethnic origin, biometric data
(particularly fingerprints, palm prints, eye iris images and genetic data), information concerning the
commission of an offence or falling victim to an offence before a public court hearing, making of a
decision in the matter of the offence or termination of the court proceeding.
Information Society Services Act provides that a "Commercial communication" is any form of
communication designed to promote, directly or indirectly, the goods, services or image of a service
provider.
A commercial communication shall comply with the following conditions:
1) the commercial communication shall be clearly identifiable as such;

2) the person on whose behalf the commercial communication is made shall be clearly identifiable;
3) promotional offers, such as discounts, premiums and gifts, promotional competitions and games,
shall be clearly identifiable as such;
4) the conditions for participation in the promotional offers and commercial lotteries shall be
presented clearly.
Service providers are permitted to transmit digital commercial communications to consumers (natural
persons) through a public data communication network only under the following conditions:
1) with the prior consent of the addressee,

2) if the addressee is informed, in a clear and unambiguous manner, of how to cancel the
commercial communications in the future;
3) if the addressee is guaranteed the actual opportunity to exercise the right to refuse the receipt of
the commercial communication through the public data communication network.
The service provider must record the consent, or refusal of an addressee. The obligation to prove the
consent rests with the service provider.
Rules on electronic communication for B-to-B marketing purposes, specified by subject

Currently the law only regulates, and the above-referred restrictions only apply to, transmission of
the digital commercial communications to natural persons; not to legal entities.
Purposes
The consent of the data subject shall clearly determine the purpose of the processing of the data.
81
Generic terms
See section on “How consent is exercised by the data subject”. Provided those requirements are
fulfilled, there are no restrictions on the use of generic terms.

There is no required or recognized form of wording for collecting data in Estonia. However, the DPA
has published on their web-site certain examples that could be used in particular cases.
The purposes for processing should be stated each time data are collected or data are used for
alternate/additional purposes. It does not matter whether the data subject is an existing client or
not.
Opt-out
The consent of the data subject may be withdrawn by the data subject at any time. The law requires
that while asking for the consent of the data subject, the controller shall clearly state, among other
things, the rights of the data subject concerning further processing of his or her personal data and
his/her possibility to withdraw the consent at any time. (Personal Data Protection Act)
Information Society Services Act provides additional rules for transmission of digital commercial
communications to natural persons through a public data communication network. It states that when
sending commercial communications through the public data communication network the addressees
must be informed, in a clear and unambiguous manner, of the right (and how to exercise this right) to
cancel the commercial communications and there sender must provide the opportunity to exercise
this right.
In case of general data processing, when covered by wider consent of the data subject, there is no
such need, as the right of the data subject to withdraw the consent was offered when the consent
was obtained.
In case of sending commercial communications to natural person through a public data communication
network, then the Act provides the additional rule, described above, which specifically requires that
the opt-out must be offered.
Data Storage

There is a personal data confidentiality clause in Estonia. The law provides that a processor of
personal data is required to take organisational, physical and information technology security
measures to protect the personal data against unauthorised processing.

The data shall only be kept for a period of time during which they are necessary. The law provides
that a processor of personal data is required to immediately delete, or close, personal data which are
no longer necessary for achieving the purposes for which the data were collected, unless otherwise
provided by law.
82
Penalties

The DPA may impose fines for the violation of personal data processing requirements. For natural
person the fine is up to EEK 18,000 (approx. EUR 1,150); for legal entity up to EEK 500,000 (approx.
EUR 31,900).
Criminal sanctions (monetary penalty or imprisonment) may also apply to unlawful disclosures of
sensitive personal data.

A natural person may be fined up to EEK 18,000 (approx. EUR 1,150). For a legal entity this maximum
increases to EEK 50,000 (approx. EUR 3,190).
There are no additional rules for on-time collection of data on the internet

At the request of a data subject, a processor of personal data must communicate the following to the
data subject:
1) the personal data concerning the data subject;
2) the purposes of processing of personal data;
3) the categories and source of personal data;
4) third persons or categories to whom transmission of the personal data is permitted;
5) third persons to whom the personal data of the data subject has been transmitted;
6) the name of the processor of the personal data or their representative and the address and other
contact details of the processor of the personal data.
The processor of personal data is required to provide a data subject with information and the
requested personal data, or state the reasons for refusal to provide data or information, within five
working days after the date of receipt of the corresponding request.
The rights of a data subject to receive information and personal data concerning him or her upon the
processing of the personal data shall be restricted only if this may:
1. damage rights and freedoms of other persons;
2. endanger the protection of the confidentiality of the filiation of a child;
3. hinder the prevention of a criminal offence or apprehension of a criminal offender;
4. complicate a criminal proceeding.
A data subject has also the right to demand the correction of his/her inaccurate personal data from
the processor.
The processor must immediately perform the correction and notify the data subject that that has
been done. Reasons for denial shall be provided to the data subject.

A Direct Marketing Association exists in Estonia but there was no information available on codes of
practice or preference lists.
83
SECTION II – Legal Overview - Finland
Finland
Major Data Protection Laws
The Personal Data Act requires that the purpose of processing personal data; the regular sources of
personal data; and the regular recipients of the personal data shall be defined before personal data,
which are intended to be recorded, are collected. Personal data must not be used or otherwise
processed in a manner incompatible with these purposes. The controller has to describe the personal
data files for which it (he/she) is responsible.
The Data Protection Ombudsman (DPA) has right of access to personal data that are being processed
and also has the right to inspect personal files. The Personal Data Act contains provisions on the
processing of personal data for special purposes such as research, statistics, official plans and reports,
direct marketing and other personalized mailing.
The Personal Data Act, PDA

The Personal Data Act (523/1999) based on Directive 95/46/EC came into force on 01/06/1999 and it
repealed the Personal Data File Act (471/1987). The provisions of the Act apply to the processing of
personal data. Translations (Swedish and English) can be found in the web pages of the office of the
Data Protection Ombudsman.
Act on Privacy in E-Communications

Act (516/2004) based on E-communications Directive 2002/58/EC came into force September
01/09/2004 and repealed previous Act (565/1999). Translation will be available on the DPA‟s website.
Act on Data Protection Working Life
The Act on Protection of Privacy in Working Life (759/2004) came into force from the beginning of the
October 2004. The Act incorporates the main data protection issues relating to working life by
creating procedures for the needs of working life in particular email usage and supervision of it;
camera surveillance at the workplace and tests. The Act supplements the Personal Data Act. A
translation is available on the DPA‟s website. Further material in English related to Act is available in
the web pages of the Ministry of Employment and the Economy
http://www.tem.fi/index.phtml?l=en&s=2313
Registration of Marketing Lists with the DPA

Registration with the DPA is essential for marketing lists. The Act states that the controller shall
notify the DPA of automated data processing by sending a description of the file to that authority.
All direct marketing and other personalized mailing files stored in a relevant system (an ADP system)
must be notified. The duty to notify the DPA does not apply to the files concerning data subjects who
are a client or member of, or in the service of, the controller or, if the data has been entered into
the register with the consent of the data subject. There is a light notification procedure, the model
form is available at the DPA‟s website.
Non-Sensitive Data
Opt-in is just one ground for collecting/processing non-sensitive data. General processing purposes
like relevant connection and collection of payment, etc. are mentioned in the PDA (Article 8).
Opt-in is generally required for email, SMS, MMS and other so-called automatic systems such as
communications via fax where the marketing is targeted to consumers.
84
However, there is an exception for e-mail, text, voice, sound or image messages where the service
provider or product seller obtains the consumer‟s contact information in the context of the sale of a
product or service. In such cases that marketer may use this contact information for direct marketing
of its own similar products or services and for those products in the same product group. This
exception only applies if the marketer provides the consumer with the opportunity to opt-out, easily
and at no charge, from future marketing at the time when the data are collected, and in any
subsequent e-mail, text, voice, sound or image message.
Purposes
Basic purposes in common terms should be given.
Wording for Collecting Data

There is no specific wording for collecting data, various forms and ways are used. A data subject has
the right to prohibit the controller from processing personal data for purposes of direct advertising,
distance selling and other direct marketing. The right is exercisable by contacting the controller and
asking for the processing to cease. With the exception of e-marketing, opt-out does not have to be
offered each time a customer is approached though generally, access to an opt-out mechanism must
be continually available and that possibility must have been informed to the customer.
Robinson Lists/Preference Service Lists

The Finnish DMA (FDMA) keeps mailing and telephone preference services. Member companies of
FDMA shall ensure that the requests of the consumers are observed.
Please contact the Finish Direct Marketing Association for more information:
Finnish Direct Marketing Association

Bulevardi 44
00120 Helsinki
Finland
Tel. + 358 20 699811
E-mail: info@asml.fi
Special Requirements for Sensitive Data

The processing of sensitive data is, in general, prohibited. A personal identity number may be
processed with the consent of the data subject or where the Act allows such processing. Personal data
are deemed to be sensitive, if they relate to:
 Religion, Trade Union Members, Race, Politics, Sexual Interests, Health, Criminal act, punishment
or other criminal sanction, Social welfare of a person or the benefits, support or other social
welfare assistance received by the person.
Data Storage
There are no specific limits on the retention periods for data. It depends on the defined purposes of
processing and the duration of the relationship with the customer, which may vary in different sectors
of business.
Data Confidentiality Clause

Anyone who has gained knowledge of the characteristics, personal circumstances or economic
situation of another person while carrying out data processing shall not disclose the data to a third
person (PDA, Article 33).
85
Penalties
The DPA may impose a conditional fine to enforce his right of access to a data file and to enforce his
decision on the data subject‟s right of access and right to have erroneous data corrected. At the
request of the DPA, the Data Protection Board may prohibit processing of personal data which is
contrary to the provisions of this Act or the rules and regulations issued on the basis of this Act. The
Board may enforce its decision with a conditional fine. In addition, certain breaches of the data
protection legislation are subject to penal sanctions.
On-Time Collection of Data on the Internet

There are no special rules with regard to on-time collection of data on the internet. With respect to
cookies, special rules exist in the Act on Protection of Privacy in Electronic Communications.
Access and Rectification of Data

See articles below:
Section 28 – Realisation of the right of access

1. Anyone who wishes to have access to the data on himself/herself, as referred to in section
26, shall make a request to this effect to the controller by a personally signed or otherwise
comparably verified document or by appearing personally in the premises of the controller.
2. The controller shall without undue delay give the data subject an opportunity to inspect
the data referred to in section 26 or, upon request, provide a hard copy of the data. The
data shall be given in an intelligible form. If the controller refuses to provide access to the
data, a written certificate to this effect will be issued. The certificate shall also mention the
reasons for the refusal. A failure by the controller to give a written response to the data
subject within three months of the request is deemed equivalent to a refusal to provide
access to the data. In this event, the data subject may bring the matter to the attention of
the Data Protection Ombudsman.
3. Anyone who wishes to have access to data on himself/herself in the files of the health
care authorities and institutions, physicians and dentists or other health care professions and
relating to their state of health or illness, shall make a request to this effect to a physician
or another health care professional, who shall obtain the data with the consent of the data
subject and provide him/her with access to the entries in the file. The provisions in
paragraph 2 apply to the procedure in the realisation and refusal of the right of access.
Section 29 – Rectification
1. The controller shall, on its own initiative or at the request of the data subject, without
undue delay rectify, erase or supplement personal data contained in its personal data file
and erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing.
The controller shall also prevent the dissemination of such data, if this could compromise the
protection of the privacy of the data subject or his/her rights.
2. If the controller refuses the request of a data subject to rectify of an error, a written
certificate to this effect shall be issued. The certificate shall also mention the reasons for
the refusal. In this event, the data subject may bring the matter to the attention of the Data
Protection Ombudsman.
3. The controller shall notify the rectification to the recipients to whom the data have been
disclosed and to the source of the erroneous personal data. However, there is no duty of
notification if this is impossible or unreasonably difficult.
86
Section 30 - Right to prohibit processing.
A data subject has the right to prohibit the controller to process personal data for purposes
of direct advertising, distance selling, other direct marketing, market research, opinion
polls, public registers or genealogical research.
B2B Sales Promotion

One rule on B2B sales promotion exists in the Unfair Competition Act, section 3. A benefit that
depends on a lottery or that is otherwise based on chance may not be promised if the benefit is
conditional on a sale, purchase or ordering of a product or otherwise requires consideration. However,
this rule shall not apply to prize competitions organised in newspapers and periodicals as customary
entertainment.
If discounts, additional benefits or other specific benefits are offered in the marketing, or if the
marketing involves lottery, prize contests for the public, or games, the conditions for receiving the
benefits or for participating in the lottery, contest or game shall be stated in a clear and
comprehensible manner and be easily accessible (461/2002).
Other Regulation
Public authorities have to follow rules regarding the Swedish and Sami languages.
Other Information
The Finnish Direct Marketing Association (FDMA) approved, in June 2000, the Code of Practice for the
use of personal data in B to C marketing. The Code is based on the Personal Data Act. The Act states
that the controllers of the personal data files or their representatives may draft Sectoral codes of
practice for the application of the Act and the promotion of good processing practice. The Data
Protection Ombudsman has stated that the Code of Practice is in conformity with the Act and other
provisions relating to the processing of personal data.
FDMA, with three other organisations, published in December 2002 the Code of e-Commerce, which
also contains guidelines regarding on-line marketing and data protection issues. FDMA has also
published two Codes on Telemarketing in March 2004, updated in 2008 and complemented with a
separate supplement in 2009. FDMA has issued further guidelines on mobile marketing in 2008, which
also address data protection issues.
87
SECTION II – Legal Overview - France
France
The Data Protection Act No. 78-17 of 6 January 1978 (La Loi relative à l‟Informatique, aux fichiers et
aux libertés) is the cornerstone of data protection in France. It was amended by a bill implementing
the European Directive No. 95/46/EC of 24 October 1995 into French law. This bill was published on 6
August 2004. A draft Bill is presently before the Senate and time of writing (February 2010), which
will make new changes to the data privacy rules for e-communications following the recent adoption
of the EU Telecoms Package.
Registration of Marketing Lists with the Data Commission

The creation of most databases and the use of a computer to process information must be notified to
the French Supervisory Authority, the Commission Nationale Informatique et Libertés (CNIL). For
certain files, for example those resulting from the combination, or which require the collection of
sensitive data, registration consists of a request for authorisation to be approved by the CNIL. For
others, the notification simply consists of declaring the database, which the CNIL acknowledges.
In some cases, exemptions are granted and no notification is required. In other cases, only a
simplified notification must be provided. A controller must therefore check whether his processing of
personal data needs to be notified to the CNIL and, if this is the case, which of the above categories
his processing falls. When a company contracts with a French data processor, the contract must
contain clauses addressing the data protection obligations. Since the of 6 August 2004, any company
having appointed a personal data protection officer (“correspondant Informatique et Libertés (CIL)”)
is exempt from the declaration formalities, except where data are transferred outside of the EU.
According to this Act, the CNIL keeps a record of all databases registered. Any member of the public
can consult this record, which contains the major characteristics of the registration.
Principles (Fair processing, subject information, purposes)

Collecting data, to compile mailing lists for instance, is allowed by the Data Protection Act provided
that such collection is not unfair, fraudulent or illegal, and provided that the person in charge of the
processing (“controller”) informs the person whose data are collected and processed (“data subject”)
of the identity of the controller and, where applicable, of his representative; the purposes of the
processing; the recipients or categories of recipients of the data; of his rights to object to the
collection and to access, modify, update, delete his data.
In addition, in most cases, the data subject must consent to the collection and processing of his data.
Failure to comply with these principles will lead to penal sanctions.
Collecting sensitive data without the data subject‟s consent is usually prohibited. This involves data
referring directly or indirectly to racial or ethnic origin, political opinions, philosophical or religious
beliefs or trade-union membership or data concerning health or sex life (sensitive data). However,
derogations are possible. In all cases involving the processing of sensitive data, authorisation from the
CNIL is required.
88
Opt-In, Opt-out
Specific provisions apply to the electronic sending of direct marketing information. Direct marketing
by phone, fax or automatic calling machine is today governed by two distinct bodies of law, the
Consumer Code and the Posts and Telecommunications Code.
The law on the Confidence in Digital Economy, adopted by the Parliament on 21 June 2004, provides
the following (Law No. 2004-575 Article 22-I4):
-“Sending direct marketing by automated calling system, fax machines or electronic mails by
using, in any form whatsoever, the contact information of an individual who has not express
his prior consent to the receipt of direct marketing materials via this mean is strictly
prohibited”.
Another interesting point of the Confidence in Digital Economy Bill is that it defines “consent”: “For
purposes of this Article, „consent‟ shall mean any freely given specific and informed indication of his
wishes by which the data subject signifies his agreement to personal data relating to him used for
direct marketing purposes.” (Article 22.5)
Direct marketing sent by those means must obtain the prior consent of the data subjects. The new
law thus adopts an "opt-in" approach for the internet user to receive advertising messages.
Exemptions are nevertheless provided for emailing. Companies may send advertising messages to their
clients for "similar products and services" to those previously purchased by these clients on the
condition that:
“the recipient is expressly and unambiguously offered the possibility, at no cost, except
those related to the transmission of the refusal, to object in a simple manner to the use of
his contact information when the latter are collected and every time a direct marketing
electronic mail is sent to him”.
Data Storage
For computerised data storage, the law states that data shall be stored for a period no longer than is
necessary for the purposes for which they are obtained and processed.

No information available.
Security of Data
The data controller must ensure the security of the collected and processed data by, in particular,
protecting the network from unauthorised access and by protecting the data. Where data are
disclosed to third parties, the data controller must complete a very detailed document concerning the
IT environment which will be attached to its CNIL declaration.
Penalties
Penalties may be imposed either by the CNIL (French Data Protection Authority) or by the criminal
courts. The penalty imposed by the CNIL must be proportional to the severity of the breaches
committed and the profits obtained from the breach. In case of a first breach, the penalty may not
exceed 150,000 Euros. In the event of a second breach within five years from the date on which the
preceding penalty was imposed, it may not exceed 300,000 Euros.
89
The processing of personal data without complying with the French Data Protection Act, is punishable
by five years‟ imprisonment and a fine of up to 300,000 Euros, for individuals, and up to 1,500,000
Euros for legal entities.
Where the criminal courts and the CNIL pursue actions against a controller for a breach on the same
or related facts, the criminal courts have the power to order that the fine they impose is reduced by
an amount equivalent to the CNIL penalty .

There is no specific rule concerning on-time collection of data on the Internet.

A data subject, on providing proof of identity, has the right, at any time, to access and ask the data
controller to rectify his personal data. The data subject may request to receive a copy of the personal
data. The data controller may require payment of a sum of money for the delivery of the copy and
this may not exceed the cost of the copy.
National DPA‟s Contact Details

Commission Nationale de l'Informatique et des Libertés (CNIL)
8, rue Vivienne; CS 30223; 75083 Paris cedex 02
Tel : 01 53 73 22 22; Fax : 01 53 73 22 00

Forbidden Forms of Selling

The practice known as “forced sending” consisting of sending goods or services to persons who have
not asked for them and expecting that due to their negligence or indifference they will make a
purchase they did not desire, is prohibited by: Article R. 635-2 of the Penal Code, and Article L.122-3
of the Consumer Code.
Under the Penal Code it is prohibited to “(i) send to someone any good, (ii) without
permission, (iii) where the goods are accompanied by a letter indicating that the goods may
be accepted on the payment of a fixed price or returned to the sender, even if there is no
cost to return the goods.” This action may be punished by a fine of up to 1,500 Euros.
Under the Consumer Code it is prohibited to demand money for any good or service from a consumer,
without prior order from the consumer. In such circumstances, the consumer will not be obliged to
pay the money and the vendor must reimburse any money paid by the consumer.
The practice known as “pyramid selling” is prohibited. This consists, in particular, of offering the
public goods in the hope that they may obtain goods free of charge or cheaper than their real value
and making the sales subject to the placing of forms or tickets with third parties or the collection of
memberships or registrations, or of proposing to persons that they collect memberships or register on
a list in the hope of financial gain resulting from a geometric progression of the number of people
recruited or registered. (Article L.122-6 of the Consumer Code)
The Consumer Code also prohibits, in its article L.121-35, the sale or offer for sale of goods or any
provision, or offer to provide services made to consumers and giving entitlement, free of charge,
immediately or at the end of a fixed period, to a bonus consisting of products, goods or services, if
these are identical to those forming the subject of the sale or the service provision.
90
SECTION II – Legal Overview - Germany
Germany
 Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), Version of 14.8.2009
 Telemedia Service Act (Telemediendienstegesetz, TMG) Version of 14.8.2009
 Telecommunication Act (Telekommunikationsgesetz, TKG) Version of 14.8.2009

In general no registration is required; however, where transfers of data are central to the main
business of a company e.g. address trading and credit agencies, the company will have to notify the
relevant Data Protection Authority (DPA).
Furthermore, every company with more than 9 people permanently dealing with automated
processing of personal data, or any company with more than 20 employees, is obliged to register with
the DPA unless it appoints a Data Protection Officer (DPO).
3 – 6 weeks, if necessary
Registration costs
There are no registration costs when registering with the DPA.
purposes
 Balance of Interest Clause, Sect. 28 SS. 1 No. 2 BDSG.
 Consent of the data subject is necessary to create a detailed profile for marketing purposes

According to the BDSG (Federal Data Protection Act), consent must generally be in writing unless the
circumstances allow for a different form (i.e. with call centers). In addition, consent can be given
electronically according to a special provision in the TMG (Telemedia Services Act).
The following conditions are required:
 An unambiguous and deliberate act by the user;
 The consent is recorded;
 The text of the consent is accessible to the user at any time, and
 The controller has informed the data subject about his right to revoke consent at any time in the
future.
Implied consent
Implied consent is acceptable in Germany. However, this is on the precondition that the controller
has clearly informed the data subject about the further use of the contact details presented.
Consent by data subject is required when using SMS, EMAIL, MMS, Telephone (for B2B assumed
consent), Fax.
91
Required form of consent for the processing of sensitive data
In Germany, it is required to have consent in writing.
This definition is slightly modified in Sect. 3 SS. 9 BDSG as it includes race and ethnic origin, and
religion or philosophical beliefs.
There must be consent from the recipient of the electronic messages.
Definition: soft opt-in for email communications

For email communications, a soft opt-in is sufficient as defined in Sect. 7 SS. 3 Unfair Competition
Act (UWG) as follows:
 A company has received the email address in the context of the sale of a product or a service,
 The company uses the email for direct marketing of its own similar products or services,
 The customer has not objected the use of the email address, and
 The customer has clearly and distinctly been informed about the opportunity to opt out the use of
the email address upon collection and upon each use of the email address.

Consent is required for all electronic communications media. Telephone is considered to be assumed
consent.
Purposes
Purposes
When giving the purposes for processing personal data, it is necessary to be precise.
Generic terms
These terms are commonly used, but the DPA requires a more detailed description of a consent clause
especially when a data warehouse is established.

There are no required or a recognized form of wording for collecting data in Germany.
The purposes only have to be given when collecting personal data from prospective clients and not
from existing clients, however the existing clients will have to be informed of the opportunity to opt-
out within each email sent to him based on the soft opt-in.
92
Opt-out
There are no legal requirements on how opt-out is exercised. Normally controllers mention a certain
postal address or an email address for exercising an opt-out.
Yes.
Data Storage

There is a data confidentiality clause in Germany, specifically upon entering into a controller
processor agreement strict former rules need to be considered.

Time limits on holding data depend on the legal basis for processing personal data. If consent is the
legal basis, there is generally no time limit for storing personal data. If the balance of interest clause
is the legal basis, a controller may process personal data for direct marketing purposes only for a
limited time; generally, about 3 to 4 years after the contractual relationship has been terminated,
personal data have to be erased afterwards. In specific branches such as telecommunications,
retention times are significantly shorter.
Penalties

The DPA can apply several penalties, such as:
 Fines;
 Right to initiate a court trial (could lead to imprisonment for up to two years);
 Right to oblige controllers to undertake the necessary security measurements

Letter of abstention & declaration of discontinuance with a contractual penalty clause; contract
penalty in the case of a repeated violation; moreover fines can be issued (and have been issued) for
such breaches.

In Germany, there are additional rules for on-time collection of data. The Telemedia Act has special
regulations concerning information and communication services.
The main difference is the exclusion of the balance of interest clause. A controller needs consent
from the data subject for a further use of personal data incurring when using a Telemedia service – in
particular for direct marketing purposes.

The rule for access and rectification of data is that a data subject may at any time file a request to a
controller to retrieve and see their personal information stored in a database. The data subject is also
allowed to see the origin of the retrieved data (if stored by the controller), the purposes of
processing, and the categories of recipients. If any of the personal information is incorrect, a data
subject has the right to correct the mistakes.
93
SECTION II – Legal Overview - Greece
Greece
 Law 2472/97 - Protection of the individual and the elaboration of personal data
 Law 3471/06 - Protection of personal data and privacy in electronic communications
 Law 2774/1999 - Protection of personal data in the sector of telecommunications (the law was
replaced by Law 3471/06 on 29.07.2006).
 Law 3783/2009 – Identification of users and holders of telecommunications equipment and
services (this law was essentially a security and anti-terrorism measure)

Marketing lists are deemed to be personal data by the DPA and therefore processing and collection of
such data must be notified in accordance with the provisions of Law 2472/97.
Expected time duration for registering marketing lists with the Data Commission:
The notification is effective immediately upon submission, provided the processing and collection
does not involve sensitive data.
Registration costs
No costs to register marketing lists.
purposes
Consent from the Data Subject must be obtained.

Data subjects have to specifically consent.
Implied consent
Implied consent is not acceptable..
Consent by data subject is required when using SMS, MMS, Email, Telephone, Fax and Mail.
The collection and processing of sensitive data is generally prohibited. However, the collection and
processing of sensitive data, as well as the establishment and operation of the relevant file, will be
permitted by the DPA, when certain conditions are met including the specific explicit consent of the
Data Subject.

The definition of "Sensitive data" in Law 2472/1997 is broader than most European territories and
includes data referring to racial or ethnic origin, political opinions, religious or philosophical beliefs,
membership to a trade-union, health, social welfare and sexual life, criminal charges or convictions
as well as membership of societies dealing with these areas
94
There is no way to opt-in for all electronic messages, except e-commerce when the specific website
provides such a facility.
There is no soft opt-in for electronic communications. There are no rules on electronic
communication for B-to-B marketing purposes.
Purposes
Personal Data, in whatever medium, in order to be lawfully processed, must be: (a) collected fairly
and lawfully for specific, explicit and legitimate purposes, and fairly and lawfully processed in view of
such purposes, (b) adequate, relevant and not excessive in relation to the purposes for which they are
processed at any given time, (c) accurate and, where necessary, kept up to date, (d) kept in a form
which permits identification of Data Subjects for no longer than the period required, according to the
DPA, for the purposes for which such data were collected or processed.
Generic terms
Generic terms are not acceptable when giving purposes.

There is no required or recognised form of wording for collecting data.
If the purposes for processing personal data have altered and/or changed then existing and
prospective clients must be notified again.
Opt out and Robinson lists

Greek Law provides the following opt-out provision: Any person shall be entitled to declare to the DPA
that s/he does not wish data relating to him to be processed in order to promote the sale of goods or
long distance services. The DPA shall keep a register for the identification of such persons. The
Controllers of the relevant files must consult the said register prior to any processing, and clean their
lists of those names that are on the DPA‟s file.
The opt-out must be offered each time when approaching a customer.
Data Storage

Greek Law expressly states that the “processing of personal data shall be confidential and shall be
carried out solely and exclusively by persons acting under the authority of the Controller or the
Processor and upon his/her instructions”. Greek Law also implies obligations of confidentiality as the
processing and collection of personal data, in most instances, require the prior consent of the Data
Subject.
95
Greek Law expressly states that personal data should be kept “for no longer than the period
required, for the purposes for which such data were collected or processed. Once this period of time
is lapsed, the Authority may, by means of a reasoned decision, allow the maintenance of personal
data for historical, scientific or statistical purposes, provided that it considers that the rights of the
data subjects or even third parties are not violated in any given case”. Personal data collected by
CCTV however cannot be kept for longer than 15 days.
Penalties
National penalties which the national DPA can apply, including Penalties for breaching the rules
on unsolicited Email messages
Fines and penal responsibility for data managers.

None

Greek Law provides for the following rights of the Data Subject: (a) the right to information, (b) the
right to access, and (c) the right to object.
INFORMATION
The Controller must, during the stage of collection of Personal Data, inform the Data Subject in an
appropriate and express manner of the following data:
a) his/her identity and the identity of his/her representative, if any,

b) the purpose of the Data Processing,
c) the recipients or the categories of recipients of such data,
d) the Data Subject‟s right of access.
ACCESS
All persons are entitled to know whether Personal Data relating to them are being processed or have
been processed. The Controller must respond in writing to any enquiry.
OBJECT
The Data Subject shall be entitled to object at any time to the processing of data relating to him.
Such objections shall be addressed in writing to the Controller and must contain a request for a
specific action, such as correction, temporary non-use, locking, non-transfer or deletion. The
Controller must reply in writing within a deadline of fifteen days.
96
SECTION II – Legal Overview - Hungary
Hungary
 Act No LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interest
(Data Protection Act)
 Act CXIX of 1995 on the Use of the Name and Address Information for Research and Direct
Marketing (Direct Marketing Act)
 Act XLVII of 2008 on Unfair Commercial Practices against Consumer (UCP-Act)
 Act XLVIII of 2008 on the Essential Conditions of and Certain Limitations to Business Advertising
Activity (Advertising Act)
 Act CVIII of 2001 on on certain issues of electronic commerce services and information society
services (E-Commerce Act)
 Act C of 2003 on Electronic Communications

The DPA (the Data Protection Commissioner‟s Office) will assist with enquiries by phone, however,
formal (written) enquiries may take 6-12 months answered.
Registration of marketing lists with the DPA

It is required to notify marketing related data processing activities with the Registry of the DPA
before commencing such activity. Notably, the Direct Marketing Act only requires that the notification
is filed prior to the start of the processing activities, therefore it is not necessary to wait for the
formal decision of the DPA.
Registration (release of the DP registry number) might take 12-18 weeks following the filing of the
notification.
Registration costs
There are no registration costs/charges
purposes
Prior, express, specific, voluntary and informed consent of the individual to marketing
communications must be obtained. (The Advertising Act and the Data Protection Act.)

Consent from the data subject can be sought in any form , however, it is strongly recommended that
written consent is obtained or that the consent is recorded in writing as the obligation to prove that
the data subject expressly consented to such communications and that the consent complied with the
requirements of the law lies with the data controller.
Implied consent
In relation to recipients of communications who are also natural persons, implied consent is not valid
under the law, since the consent must be clear and express. However, implied consent is acceptable
in relation to legal entities (including legal entities without legal personality).
97
Consent by data subject is required when using SMS, MMS, Email, Telephone and Fax. For the
Direct Mail opt out is allowed for bulk mailings (over 500 items), but opt in is still required for
non-bulk mailings.
Sensitive data cannot be processed in relation to marketing activities.

„Sensitive data‟ has been defined by the Data Protection Act as any personal data relating to:
a) racial, or national or ethnic minority origin, political opinion or party affiliation, religious or
ideological belief , or membership in any interest representing organization;
b) state of health, pathological addictions, sexual life, or data on criminal issues.
As previously stated, prior, express, specific, voluntary and informed consent is required.
Definition: Soft opt-in for electronic communications

Under the E-Commerce Act so called “permission e-mails” are also prohibited unless expressly
consented to by the individual. There are two requirements to obtain opt-in consent in case of
electronic communications addressed to private individuals. However, provided that the contact
information of the individual has been obtained in connection with the sale of a product or service
(soft opt-in), an e-mail requesting the individual‟s permission can be sent to natural persons.
Accordingly, if the individual does not respond to such inquiry (the permission e-mail), further
communications and permission e-mails cannot be sent to such individuals.
Rules on electronic communication for B-to-B marketing purposes: If the mobile phone or email
address provided by a company to a person can be used also for private purposes, then consent from
the person is necessary. Without this consent their data cannot be used for marketing purposes.
Consent (Opt-in) is required for Automated Calling Machines (both natural and legal person); Fax
(Opt-out, in case of legal persons and persons without a legal personality); Email Opt-in (in case of all
natural person and Opt-out in case of legal persons (including persons without legal personality)); SMS
(Opt-in in case of natural persons and Opt-out in case of legal persons (including persons without
legal personality)); MMS (the same as for SMS, EMAIL).
The law does not recognize B2B communications in the electronic marketing context, since the opt-in
requirement generally applies to all kind of natural persons even if the individual subscribed to the
marketing e-mail in his capacity as a professional.
Purposes
The controller must precisely state the purposes for processing personal data, in clear language. The
Direct Marketing Act provides that the purposes shall be provided in written form to the recipients.
Generic terms
Generic terms are acceptable (e.g. direct marketing, market research, etc.)
98

The consent of the individual to marketing messages must include the name of the recipient, and, if
the message may only be communicated to persons over a certain age, the date and place of birth, as
well as any other personal data necessary for data processing.
The Direct Marketing Act also lays down requirements as to the information to be provided to data
subjects. This information must be provided in writing and shall include detailed information on the
source of data, the time, method, purpose as well as the duration of data processing and details as to
the identity of the data controller and any data processors. Furthermore, the notice shall state that
the data processing is voluntary and that the data subject may at any time request deletion of his/her
personal data.
All advertisements must be clearly identified as marketing material. The law requires the inclusion of
this information in the subject line of the message. If the marketing e-mail involves a promotion,
promotional game or prize draw, the conditions of rebates, gifts, prize draws or games shall be also
clearly disclosed. The conditions of participation in a prize draw or promotional game must be made
easily available to the recipients;
No, in the case of existing clients, the purposes do not have be stated in every communication,
provided that the client is clearly aware of the purpose of the message.
Opt-out
There must be the possibility to opt-out in each marketing message.
Yes. All marketing messages must clearly and conspicuously state the e-mail and postal address of the
sender where opt-out requests may be sent if the recipient does not wish to receive further marketing
messages. This information must be provided in every marketing message.
Penalties

The DPA may launch an investigation and may request the data controller ceases infringing activities.
If the data controller does not suspend illegal data processing, the DPA has no power to impose a fine,
but he may release an order to delete illegally processed data. The DPA may also inform the media
and release a press statement on the infringement.
Penalties for breaching the rules on unsolicited email

If the e-mail marketing information requirements are breached, the National Consumer Protection
Authority, the Competition Office or the National Finance Supervision Authority have jurisdiction
under the provisions of the UCP-Act. These Authorities may issue an order to cease and desist all
infringing behaviour, and/or may impose a fine.
On the part of the National Communication Authority the maximum fine is 500 000 HUF, however, the
authorities have the power to impose this repeatedly.
99
The addressee of unsolicited e-mails may file an action before the ordinary courts with respect to the
infringement of general personal rights. If the Court finds that the personal rights/privacy rights have
been infringed, it can issue a cease and desist order, require the organisation to give satisfaction,
impose a public fine (the amount of which is not limited); or the court may award immaterial and
material damages to the claimant.
Finally, regarding illegal data trafficking, it must be noted that the Hungarian Penal Code (Act IV of
1978) criminalises the misuse of personal data (up to one year imprisonment) if committed for
unlawful personal benefit or if it causes significant detriment to the data subject.

The general rules apply.

According to the general provisions of the Data Protection Act enquiries must be answered within 15
days in writing.

The Robinson list for individuals (on name and home address) is maintained by the Hungarian Central
Office for Administrative and Electronic Public Services. Furthermore, each organization engaged in
marketing activities shall maintain a list of persons who have indicated a wish not wish to receive
such communications.
Data Protection Code for privacy and cross-border direct marketing

Not used
100
SECTION II – Legal Overview - Ireland
Ireland
The Data Protection Act 1988 as amended by the Data Protection (Amendment) Act 2003 (referred to
as “DP Acts”)
Extent of Data Protection Commissioner‟s (DPA) Assistance with Enquiries

The Commissioner will assist with enquiries.

The mere holding of a marketing list does not require that person to register with the Office.
However, if the person‟s business consists wholly or mainly of direct marketing, then registration is
required.
If all information required is provided registration can be done within a week.
Registration costs
The cost of registration depends on the number of employees in an organisation.
purposes
Personal data may be processed for marketing purposes, where the following four conditions are met:
Condition 1. Compliance with the Data Protection Principles

Where personal data is retained for processing for any purpose, including marketing, the following
principles must be met:
 The data shall be accurate and complete and where necessary kept up to date;
 The data shall be kept only for one or more specified, explicit and legitimate purpose(s);
 The data shall not be processed in a manner incompatible with that purpose; or those purposes;
 The data shall be adequate, relevant and not excessive in relation to the purpose or purposes for
which they were collected;
 A copy of the data held must be given to the data subject on request;
• The data shall not be kept longer than is necessary for that purpose; and
• Appropriate security measures shall be taken against unauthorized access to the data.
Condition 2. Consent to the Processing

The data subject has given his or her consent to the processing for marketing purposes.
Condition 3. Fairness
The data must be obtained fairly and processed fairly. Where a data controller is obtaining data from
the data subject, processing of that data will only be considered fair where the data controller
ensures that the following information is readily available to the data subject:
 The identity of the data controller;
 The identity of the data controller‟s representative for the purposes of the DP Acts (if any);
101
 The purpose or purposes for which the data are intended to be processed;
 The persons or categories of persons to whom the data may be disclosed;
 Whether replies to questions asked are obligatory and the consequences of not providing replies
to those questions;
• the existence of the right of access to their personal data;
• the right to rectify their data if inaccurate or processed unfairly; and
 any other information which is necessary, having regarding to the specific circumstances in which
the data are to be processed, such as, information as to the recipients or categories of recipient
If the data controller does not obtain the data from the data subject, processing will only be fair
where all the above information is provided to the data subject and they must also be informed of the
identity of the original data controller from whom the information was obtained and the categories of
data concerned.
Condition 4: Compliance with Request that Processing for Direct Marketing Ceases
In respect of data held for direct marketing purposes, the DP Acts places a specific obligation on the
data controller to cease processing the data within specific timetables, if requested by the data
subject.

Depending on the circumstances, consent may be exercised on an opt-out or opt-in basis.
Implied consent
Implied consent is acceptable in Ireland but it can be withdrawn at any stage.
Consent by data subject is required when using SMS, MMS, Email, Fax and Mail, Telephone:
although first check the National Directory Database.
Consent for any processing is always required, unless consent does not need to be obtained, because
the processing falls within certain necessity grounds set out in the DP Acts
In respect of the nature of consent in respect of processing sensitive data, the Commissioner notes:
“When processing sensitive personal data, the level of consent must be explicit. This means
that a data subject must be aware of and understand the purposes for which his/her data are
being processed. Explicit consent need not require a data subject to sign a form in all cases.
Consent can be understood to be explicit where a person volunteers personal data after the
purposes in processing the data have been clearly explained. Thus a clear explanation on a
form, a web page, or the delivery of a script by properly trained telephone staff might be
sufficient to demonstrate consent has been explicitly given.”
Philosophical beliefs, ethnic origin, the commission or alleged commission of any offence by the data
subject or any proceedings for an offence committed or alleged to have been committed by the data
subject, the disposal of such proceedings or the sentence of any court in such proceedings.
102
Specific rules govern the use of email and mobile phone numbers for unsolicited direct marketing.
The Irish rules on email and SMS unsolicited direct marketing are based on the concept of a
“subscriber”. A subscriber can be a natural person or legal entity, but, either way, he or she or it,
will only be a “subscriber” if he/she/it are the party to a contract with the provider of the publicly
available electronic communications services.
So, an individual at home, presuming that they have signed the contract with the telephone company
for the telephone service, would be a subscriber in respect of their home telephone number. By way
of contrast, they would in all likelihood not be a subscriber with respect to their work telephone
number, as more than likely, that person‟s employer will be the party to the contract with the
telephone provider.
Unless certain conditions are met (sometimes referred to as the Soft Opt-In Condition – as set out
below), a marketer requires opt-in consent to send unsolicited emails or SMS messages for the purpose
of direct marketing to a subscriber who is a natural person.
Opt-out consent is only required if a marketer is sending unsolicited emails or SMS messages for the
purposes of direct marketing to a subscriber who is not a natural person.

An unsolicited SMS or email may be sent by any person (“the marketer”) without obtaining opt-in
consent from a natural person (“the consumer”) who is a subscriber where:
 The mobile phone number or email of the consumer was obtained by the marketer in accordance
with the DP Acts and specific regulations on email and SMS marketing;
 Explicit consent was given within the last 12 months;
 The consumer is of a customer of the marketer;
 The consumer‟s mobile phone number or email is obtained in the context of a sale of a product or
service;
 The consumer‟s mobile phone number or email are only used for direct marketing of the
marketer‟s own similar products or services; within the last 12 months;
 The consumer is clearly and distinctly given the opportunity to object, in an easy manner and
without charge, when the mobile phone or email address is collected;
 The consumer is clearly and distinctly given the opportunity to object, in an easy manner and
without charge on the occasion of each message, if the customer does not initially refuse the use
BtoB marketing requires the opt out for approaches by any media.
Purposes
The DPA has indicated that where the data controller is collecting the data, the purpose for
processing must be given at the time of collection. The DPA further notes that:
“If a data controller has information about people and wishes to use it for a new purpose
(which was not disclosed and perhaps not even contemplated at the time the information was
collected), he or she is obliged to give an option to individuals to indicate whether or not
they wish their information to be used for the new purpose.”
103
Different rules apply if the personal information is not obtained from the data subject. In that case,
the data subject must be informed of the purpose of processing not later than the time when the data
controller first processes the data or if disclosure of the data to a third party is envisaged, not later
than the time of such disclosure.
Generic terms
Once it is clear to the data subject the purpose of processing, generic terms are acceptable.

There are no required or a recognized form of wording for collecting data in Ireland.
Both prospective and existing clients will need to be informed of the purpose of processing personal
data.
Opt-out
There are no set rules regarding the exercise of opt-out. It can take the form of any communication
of an objection to processing, or a wish not to be included within data processing. So it can range
from telephoning the data subject, to writing to them, or by ticking a tick box.
No, once they have given their consent, that is sufficient, however, opt out must always be given in
respect of email and SMS marketing if relying on the Soft-Opt In basis for unsolicited direct marketing
by email and SMS.
Data Storage

There are no data confidentiality clauses in Ireland.

There are no time limits on holding data, however the Commissioner does note:
“If there is no good reason for retaining personal information, then that information should be
routinely deleted. Information should never be kept "just in case" a use can be found for it in the
future.”
Security of data
The DP Acts provide that as a condition to processing, appropriate security measures be taken against
unauthorized access to or unauthorized alteration, disclosure or destruction of the data, in particular
where the processing involves the transmission over a network.
In assessing the appropriate security measures, and in particular, where processing involves
transmission of data over a network, a data controller may have regard to the state of technological
development and the costs of implementing the measures and shall ensure a level of security
appropriate to:
 the harm that might result from unauthorized or unlawful processing, accidental or unlawful
destruction or accidental loss of, or damage to the data; and
104
 the nature of the data concerned.
 The data controller or processor must ensure that persons employed by them and other persons at
the place of work are aware of and comply with relevant security measures.
Where a processor is carrying out processing for a controller, the data controller must ensure that
 the processing is carried out as the result of a written contract, which contains provisions that the
controller complies with relevant security obligations; and
 the processor provides sufficient guarantees in respect of the technical security measures and
organisational measures governing the processing; and
 the processor takes reasonable steps to ensure compliance with the measures.
Further, an undertaking providing a publicly available electronic communications service must take
appropriate technical and organisational measures to safeguard the security of its services, if
necessary in conjunction with undertakings from those upon whose networks such services are
transmitted with respect to network security. These measures must ensure the level of security
appropriate to the risk presented, having regard to the state of the art and the cost of their
implementation.

There are no statutory fees imposed in respect of security arrangements, but there may be a cost to
the business in ensuring PCs have appropriate password protection, internet access has firewalls and
other appropriate security arrangements in place, files are kept secure, access to rooms or buildings
are subject to password key entry, etc.

Under the Copyright and Related Rights Act 2000 (as amended) an original database is subject to
copyright protection. Therefore, it is a breach of the copyright in an original database to copy it,
make it available, issue copies of it to the public, rent or lend it, or make an adaptation of the
original database. An "original database" means a database in any form which by reason of the
selection or arrangement of its contents constitutes the original intellectual creation of the author.
The Copyright and Related Rights Act 2000 (as amended) provides protection in respect of databases
where there has been a substantial investment in obtaining, verifying or presenting the contents of
the database. It is a breach of the rights in a database if a person extracts or reutilises the database
without the consent of the owner of the rights in the database. This is known as the sui-generis
database right.
For the purpose of copyright and sui-generis protection "database" is defined as a collection of
independent works, data or other materials, arranged in a systematic or methodical way and
individually accessible by any means but excludes computer programs used in the making or operation
of a database.
Section 9(1) of Criminal Justice (Theft and Fraud Offences) Act 2001 contains a general offence in
respect of a person who dishonestly, whether within or outside the State, operates or causes to be
operated a computer within the State with the intention of making a gain for himself or herself or
another, or of causing loss to another.
105
The Criminal Damage Act 1991 contains an offence of unauthorized access to a computer. The Act
also includes “data” within its definition of property, and so makes it an offence to damage data.
Damage is defined as to:-
“Add to, alter, corrupt, erase or move to another storage medium or to a different location
in the storage medium in which they are kept (whether or not property other than data is
damaged thereby) or . . .do any act that contributes toward causing such addition,
alteration, corruption, erasure or movement …”
Penalties
National penalties which the Commissioner can apply

Normally offences in Ireland are brought and prosecuted by the Government agency responsible for
the prosecution of offences on behalf of the State, namely, the Director of Public Prosecutions (DPP).
However, the DP Acts contain an exception to this rule and grant the DPA the right to bring and
prosecute summary proceedings for an offence. Summary proceedings for an offence are reserved for
minor breaches. The DPA also has the power to prosecute offences in relation to unsolicited
marketing. The penalties on summary conviction are a fine of €3000. For a conviction on indictment
(more serious offences), which may only be brought by the DPP, the maximum penalty is €100,000.
The following are the offences under the DP Acts:
 Requiring someone to make an access request in connection with recruitment, employment or the
provision of services;
 Failing or refusing to comply with a requirement of an enforcement notice;
 Failing to comply with a prohibition contained in a prohibition notice;
 Failing or refusing to provide information as required by an information notice or knowingly
providing false information in response to an information notice;
 Processing personal data where it may cause in the opinion of the Commissioner substantial
damage or substantial distress to data subjects, without compliance with conditions laid down by
the Commissioner;
 The keeping and processing of personal data by a data controller who is required to register under
the DP Acts and fails to so register;
 Failing to notify the change of address of a data controller registered under the DP Acts;
 Providing information known to be false and misleading in respect of an entry in the register;
 Disclosure of data by a data processor without the prior authority of the data controller;
 Disclosure of data by a person whom obtains it without the authority of the data controller or
data processor; and
 Obstructing or impeding an authorised officer of the Commissioner.

The penalties are up to €5000 per email sent in contravention of the applicable rules.
There are no rules for on-time collection of data on the internet

The data subject has the right to be informed within 21 days of the date of the request, whether a
person keeps data regarding them, and if they do keep data, the person must indicate the description
of the data and the purposes for which they are kept;
106
In addition, where a data subject makes an access request, they are entitled to receive in intelligible
form, relevant personal data, and any information known or available to the data controller as to the
source of those data; and the following information:
 whether data processed on behalf of the data controller includes personal data relating to them;
 if the data controller is processing the subject‟s personal data, the data subject is entitled to a
description of:
 the categories of data being processed by or on behalf of the data controller;

 the personal data constituting data of which that individual is the data subject;
 the purpose or purposes of the processing; and
 the recipients or categories of recipients to whom the data are or may be disclosed, and
 where the processing by automatic means of the data of which the individual is the data subject
has constituted or is likely to constitute the sole basis for any decision significantly affecting him
or her, be informed free of charge of the logic involved in the processing.
An individual has the right to request in writing, that a data controller rectify, block or erase any data
in relation to which there has been a breach of the data protection principles.
An individual is may write at any time to the data controller to request it to cease within reasonable
time, or not to begin, processing or processing for a specified purpose, or in a manner specified by
the individual, any personal data in respect of which they are the data subject where the processing
is likely to cause damage or distress. This right of objection only applies to processing that is
necessary:-
1. For the performance of a task carried out in the public interest or in the exercise of official
authority vested in the data controller or in a third party to whom the data are or are to be
disclosed; or
2. For the purposes of the legitimate interests pursued by the data controller to whom the data are
or are to be disclosed, unless those interests are overridden by the interests of the data subject in
relation to fundamental rights and freedoms and, in particular, their right to privacy with respect
to the processing of personal data.

The Irish Direct Marketing Association has codes of practice in place with respect to data protection
and e-commerce.
Irish Direct Marketing Association: www.directbrand.ie
107
SECTION II – Legal Overview - Italy
Italy
“Personal Data Protection Code”, Legislative Decree No. 196 of June 30, 2003 (hereinafter “PDPC”).

The individual can first access to the general enquiries office (“URP”, Ufficio Relazioni con il
Pubblico) that provides general information regarding any issues related to processing of personal
data. It is also possible to make enquiries to the relevant departments. Email: urp@garanteprivacy.it;
tel:(+39)06.69677.917.

The mere holding of a marketing list does not require that the data controller notifies the processing
of data to the DPA. For the purposes of notification, the data shall be processed with the help of
electronic means aimed at profiling the data subject and/or his/her personality, analysing
consumption patterns and/or choices, or monitoring use of electronic communications services except
for those processing operations that are technically indispensable to deliver the aforesaid services to
the users.
The notification to the DPA must be submitted only once, prior to starting the processing, regardless
of the number of operations to be performed, the duration of the processing and it may concern one
or more processing operations for related purposes also in case of transfer of data abroad. It must be
transmitted via electronic networks by using the form made available by the DPA on its website
(https://web.garanteprivacy.it/rgt/.) and following the instructions indicated therein, also with
regard to the arrangements applying to digital signature and receipt confirmation. The relevant
provisions in connection with the registration with the DPA are set forth in Sections 37, 38, 154,
paragraph 1, l), 163, 168, 181, para. 1 c), 16, 162, para. 1, of the PDPC. Please notice that such
obligation stands on the subjects processing certain kind of data, depending on the way the data are
processed but irrespective of the specific number of marketing lists. In other terms it is not a list to
be notified but a subject (data controller) and the way a certain data controller is processing the data
it has been collecting.
Only some categories of data processing must be notified to the DPA. In particular, the processing of
personal data must be notified to the DPA if such processing concerns (Section 37 of the PDPC):
i. genetic and biometric data;

ii. (ii) data processed with the help of electronic means aimed at profiling the data subject and/or
his/her personality, analysing consumption patterns and/or choices, or monitoring use of
electronic communications services except for those processing operations that are technically
indispensable to deliver the aforesaid services to the users and
iii. (iii) data stored in ad-hoc data banks managed by electronic means in connection with
creditworthiness, assets and liabilities, appropriate performance of obligations and unlawful
and/or fraudulent conduct.
The DPA, in its resolution of 31st March 2004, specified that the data controller does not have to
notify the processing of personal data stored in databanks and used for supplying the data subject
with goods or services, or for accounting or tax purposes (including cases of breach of an agreement
entered into with the data subject, debt collection and legal disputes vis-à-vis the data subject.)
108
Expected time duration and costs for registering marketing lists with the DPA:
1 – 3 weeks; The cost involved is 150.00 Euros.
Non-Sensitive/Sensitive Information
purposes
The use of automated calling systems, without human intervention, for the purposes of direct
marketing or sending advertising materials or else for carrying out market surveys or interactive
business communication shall only be allowed with the data subject‟s consent (opt-in.) (Section 130
paragraph 1 of the PDPC)

The data subject‟s consent is deemed to be valid only in cases where: (i) it has been freely and
specifically provided in respect to a clearly identified processing operation, (ii) it is documented in
writing and (iii) the data subject has been provided with the information referred to in Section 13 of
the PDPC (Section 23, paragraph 3 PDPC.) In particular, In order to allow the data subject to express
his/her informed consent, the data controller must provide an information document. The data
subject as well as any entity from whom personal data are collected shall be preliminarily informed,
either orally or in writing, as to:
 the purposes and modalities of the processing for which the data are intended;
 the obligatory or voluntary nature of providing the requested data;
 the consequences if he/she fails to reply;
 the entities or categories of entity to whom the data may be communicated, or who may get to
know the data in their capacity as data processors or persons in charge of the processing, and the
scope of dissemination of the aforesaid data;
 the identity of the data controller and, where applicable, the data controller representative in
Italy and the data processor (Article 5 and Article 13 of the PDPC);
 the rights of the data subject to order the data to be updated or amended, the deletion or
anonymisation of data which have been processed unlawfully and the right to object to processing
of data for marketing purposes, opt-out.
The data subject‟s consent can be orally expressed but it must be proved in writing. The data
subject‟s consent is not required when the processing is necessary to perform obligations arising from
a contract entered into by the data subject or in order to comply with specific requests made by the
data subject prior to entering into a contract (Section 24 PDPC). In this case, nevertheless, the
subject has the right to be informed as to the purposes of the processing of his/her data and to object
to the processing of his/her data.
In case of direct mail addressed to a consumer under a business-to-consumer scheme (“B2C”), the use
of telephone, email, automated calling system, without human intervention or fax by a good supplier,
always requires the consumer‟s prior consent (Article 58 paragraph. (Legislative Decree No. 206 of 6th
September 2005 (“Consumer Code”))
However, distance sale communications other than those mentioned above, if personally addressed,
can be used by a good supplier if the consumer does not explicitly oppose to them (Article 58
paragraph. 2 of the Consumer Code.) A subsequent law No. 51 of 23 rd February 2006, clarified that
Article 58 paragraph. 2 of the Consumer Code shall apply derogating from the provisions of the PDPC.
109
Further to this subsequent legislative intervention, in case of direct mail the data subject‟s previous
consent has become irrelevant. Therefore, companies are entitled to contact consumers by direct
mail addressed to them until do expressly object (opts out).
A decision issued by the DPA on June 19th, 2008, which covers B2C schemes and B2B as well, the
suppliers of good or services are entitled to use the ordinary mail address provided by their
customers, for direct marketing, in order to carry out market research and in order to send
commercial communications, provided that the activities relate to products or services which are
similar to the ones previously sold to the recipients by the suppliers.
The data subject must be adequately informed of the possibility not to receive further commercial
communications when the data are collected and in subsequent communications, a soft opt-in.
Implied consent
Implied consent is usually not accepted. A tick-a-box on a form is the minimal form of evidence that
the consent has been given and it is normally used in case of distance sales (e.g. direct marketing on
the telephone or on internet).
Processing by telephone of the data contained in publicly available paper or electronic directories,
for direct marketing purposes, shall be allowed for consumers or other entities who have not opted
out in the public register, via simplified mechanisms including the use of electronic networks.
(Section 130 paragraph 3 bis of the PDPC).
Such an opt out list shall be set up by a decree of the President of the Republic, still to be adopted,
in accordance with general standards and principles. Marketers must ensure presentation of calling
line identification and provide the appropriate information to users, specifically in relation to the
possibility and arrangements to have their data entered in the register so as to object to being
contacted in future.
The DPA expressed its concerns with regard to the new amendment to Section 130 PDPC - added on
November 20th, 2009 – as it represents a considerable exception to the opt in principle and specified
that, until the opt out list is set up, the only data banks that can be used lawfully for direct marketing
purposes, without an express consent of the data subjects, will be the ones created on the basis of
telephone directories issued before August 1st, 2005.
Consent for any processing is always required, unless consent does not need to be obtained
because the processing falls within certain necessity grounds set out in Section 24 of the PDPC.
However, there are two exceptions: Telephone (consent is not needed only for the cases covered by
Section 130 paragraph 3 bis of the PDPC); Mail ( consent is not needed only for the cases covered by
Section 58 paragraph. 2 of the Consumer Code and/or decision of the DPA on June 19 th, 2009)
The general rule applied to the processing of sensitive data requests the data subject‟s prior consent
expressed in writing and subject to the DPA authorisation. The DPA shall communicate its decision
concerning the request for authorisation within forty-five days; the request shall be regarded as
dismissed in case of no reply at the expiry of this time. Along with, or subsequent to, authorisation,
the DPA may prescribe additional measures and precautions in order to safeguard the data subject,
which are binding for the data controller (Section 26 PDPC.)
110
Sensitive data are personal data allowing the disclosure of racial or ethnic origin, religious,
philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or
organisations of a religious, philosophical, political or trade-unionist character, as well as personal
data disclosing health and sex life. (Section 4 of the PDPC)
Although separately regulated within the PDPC, besides the sensitive data there are also judicial data
i.e. data related concerning criminal offences or administrative sanctions related to criminal offences
or the status of being either defendant or subject to investigation as provided by the Italian Code of
Criminal Procedure. Processing of judicial data by private entities or profit-seeking public bodies shall
be permitted only where expressly authorised by law or by a DPA order and always specifying the
reasons under which a public interest to such a processing exists, the purposes of the processing, the
categories of data processed and kind of processing allowed.
Electronic communications, performed by email, fax, MMS (Multimedia Messaging Service) or SMS
(Short Message Service) messages or other means for the purposes of direct marketing or sending
advertising materials or else for carrying out market research or interactive business communication
are subject the opt-in rule and therefore always require the data subject‟s previous consent.

The opt-in rule applies to email advertising although with an exception, provided by law, in the case a
commercial relationship already exists (so called “soft opt-in”.) The law allows the data controller to
use the electronic contact details, already provided by the data subject, for direct marketing of his
own products or services, provided that the products or services are similar to those previously sold.
Furthermore, the data subject must be adequately informed of the possibility not to receive further
commercial communications either initially or in connection with subsequent communications (Article
130, paragraph. 4 of the PDPC). Apart from this exception and in contrast with other European
countries, Italy has adopted a 'hard opt-in' method. This means the data subject must have given
explicit consent to the data controller allowing contact for marketing purposes by him/it or by third
parties.
The DPA clarified that the consent cannot be gathered by sending the data subject a first email with a
promotional or advertising content, or which offers an opt-out in order to no longer receive messages.
The fact that email addresses can be easily found on the Internet does not imply the right to use them
for advertising messages, since they can only be used exclusively for the purposes for which they have
been published on the Web.

The opt-in rule applies to unsolicited commercial communications addressed to both individuals and
companies.
111
Purposes
The individual‟s consent must given on the basis of the information provided by the data controller as
to the nature of data collected, the purposes and means of the processing, the subjects to whom the
data can be communicated and the individual‟s rights to have access to his/her data and to oppose to
their processing. The aforesaid information must be accurate. (Section 13 of the PDPC)
Generic terms
The DPA stated that the data controller must clearly indicate the purposes of the data collection and
the modalities of their processing. Moreover, the controller must specify whether the data will be
processed for purposes strictly related to services requested by the data subject or for other purposes
(i.e. studies or market surveys.)
As far as the transfer of data is concerned, the DPA specified that the controller must inform the data
subject that his/her per personal data may be transferred to a third party for specific purposes: at
this regard, the DPA has considered it insufficient that the third party be indicated as a company
“entrusted” by the controller, but it has accepted the possibility that data can be disclosed to “other
companies operating in the same area of industry”. The name and addresses of these entities must be
available upon the subject‟s request or on the company‟s website.

There is no required or recognised form of wording for collecting data. The information to be
provided to the data subject can be given in a simplified fashion although it must be exhaustive. It
really depends on the type of data collected and the related processing purposes.
All the information related to the processing of data must be provided before the data are processed.
Once the data subject has been given properly the consent and provided that the data are processed
in accordance to the purposes originally disclosed, there is no need for the data controller to restate
the purpose for processing personal data.
Opt-out
Appart from the above mentioned provision regarding telephone communications, included in Section
130 paragraph 3 bis of the PDPC, there are no opt-out lists prescribed by law. AIDiM (Associazione
Italiana per il Direct Marketing) created a voluntary opt-out list available on-line
(www.cancellami.it). Consumers who do not wish to receive unsolicited commercial communications
may register on Cancellami. The means of communications covered by Cancellami are the mail, fax,
telephone, email and SMS. Members of AIDiM are required to “clean” their direct marketing databases
from data registered through Cancellami.
The data subject has always the right to object, in whole or in part, on legitimate grounds, to the
processing of personal data relating to him. Such a right must be notified at the time the consent is
gathered.
112
Data Storage

Personal data must be guaranteed a high level of confidentiality. As a general principle governing
contractual obligations, a data confidentiality clause is normally imposed on the person in charge of
the processing and, in any event, on the data controller.
Retaining Data
Section 11 of the PDPC states that personal data shall be collected and recorded only for specific
purposes and for a period of time that cannot exceed the period that is necessary to achieve the
purpose for which the data have been collected or subsequently processed.
Specific provisions are set forth for specific data:

 Communications service providers are entitled to retain data for a six-month period in order to
deal with disputes over billing and subscriber services (Section 123 PDPC.)
 Communications service providers are also required to retain telephone traffic and electronic
data for the purpose of detecting and preventing crime for twenty-four months (Section 132
PDPC.) As far as “data retention” is concerned, Italy should implement EU Directive 2006/24 on
the retention of data generated or processed in connection with the provision of publicly
available electronic communications services or of public communications networks and the
Telecoms Package. According to the Directive, all data specified in Article 5 are retained for
periods of not less than six months and not more than two years from the date of the
communication for the purpose of the investigation, detection and prosecution of serious crimes.
The DPA produced a Code of Conduct and Professional Practice on 16 November 2004 which entered
into force as of January 1, 2005. The code applies to information systems managed by private entities
with regard to consumer credit, reliability, and timeliness of payments. Personal data related to
credit applications as communicated by participants may be retained in a credit information system as
long as it is necessary in order to deal with the applications and - in any event - for no longer than
one hundred and eighty days as of the date of submission of the applications.
There are no specific rules on data erasure. According to Section 16 of the PDPC, once the data
processing has been terminated the data must be either destroyed or assigned to another data
controller provided that they are intended to be processed under terms that are compatible with the
purposes for which the data have been collected.

 Omission or incomplete information: Breach of the provisions referred to Section 13 of the PDPC
for omission or incomplete information are punished by a fine between 6000 and 36 000 Euros (the
payment may be increased up to three times, should the fine be considered ineffective, provided
the economic status of the offender) (Section 161 PDPC.)
 Transfer of data when the processing has been terminated and the transfer is not compatible with
the purposes for which the data have been collected is punished by a fine between 10 000 and 60
000 Euros (Section 162 paragraph 1 of PDPC.)
 Failure to provide information or to produce documents to the DPA is punished by a fine between
10 000 and 60 000 Euros (Section 164 PDPC.)
113
 The processing of personal data in breach of the minimum security measures provided by Section
33 and/or the provisions laid down in Section 167 of the PDPC (Unlawful Data Processing) is
punished with a fine between 10 000 Euros and 120 000 Euros (Section 162 paragraph 2 bis PDPC).
As well, any breach of the data subject‟s right to object in accordance with the mechanisms set
forth in Section 130 paragraph 3 bis PDPC and the respective regulations shall be punished with
the same fine (162 paragraph 2 quater PDPC).
Should any of the above mentioned violations be less serious, in consideration of the social and
business features of the activities at issue, the upper and lower thresholds may be reduced by two-
fifths.
Should one or more of the above mentioned provisions be violated repeatedly, on different occasions,
in connection with especially important and/or large databases, an administrative sanction shall be
applied as consisting in payment of a fine ranging from 50 000 and 300 000 Euro. In such a case,
reduction of the applicable fine will not be allowed.
With specific regard to more serious cases, in particular if the prejudicial effects produced on one or
more data subjects are more substantial or if the violation concerns several data subjects, the upper
and lower thresholds of the applicable fines shall be doubled.
Finally, the fines referred above may be increased up to four times if they may prove ineffective on
account of the offender‟s economic status.
Should the DPA apply a fine, it may also publish the injunctive order, in whole or in part, in one or
more daily newspapers.(Section 165 PDPC)
Besides the financial penalties that the DPA can apply, a breach of the PDPC also involves the
possibility of a criminal offence – prosecuted by the competent judicial authority - for:
 Unlawful processing of data: any person who, with a view to gain for himself or another or with
intent to cause harm to another processes personal data without the data subject‟s consent shall
be punished, if harm is caused by imprisonment for between six and eighteen months or, if the
offence consists in data communication or dissemination by imprisonment for between six and
twenty-four months, unless the offence is more serious or by imprisonment between one and
three years in case of judiciary or sensitive data (Section 167 PDPC.)
 Omission or incomplete notification to the DPA: for failure to submit timely the notification
required under Sections 37 and 38 of the PDPC, or who provides incomplete information in breach
of his/her duties, shall be punished by a fine consisting in a payment of between 10.000 and
60.000 euro as well as by the additional sanction of publication of the relevant injunction/order,
in whole or in part, in one or more daily newspapers (Section 163 PDPC.)

In principle, unsolicited commercial communications are allowed only with the data subject‟s
consent. Therefore, with the sole exceptions mentioned above and until when the opt out list will be
set up, processing of data without the data subject‟s consent represents both an administrative illicit
and a criminal offence and is punished according to the criteria indicated above.
In any case, the data subject must always be adequately informed of the possibility not to receive
further commercial communications either initially or in connection with subsequent communications
(Section 130, paragraph. 4 of the PDPC).
114

N/A

The data subject has always the right to access and request the rectification of his/her data. The
rights referred to in Section 7 of the PDPC may be exercised by making a request to the data
controller or processor without formalities, also by the agency of a person in charge of the processing.
A suitable response shall be provided to said request without delay. Any requests of access and/or
rectification is free of charge.
The data subject may grant, in writing, a power of attorney to natural persons, associations or
organisations in order to exercise the rights set forth in Section 7 of the PDPC. The rights indicated in
Section 7 which concern deceased persons can be exercised by subjects who have a personal interest
related thereto or by subjects acting on behalf of the deceased or for family-related reasons
deserving to be protected.
An individual may also file a circumstantial claim pursuant to Section 142 of the PDPC, in order to
point out an infringement of the relevant provisions on the processing of personal data. This claim
must contains, with as many details as possible, the facts and circumstances on which the complaint
is grounded, the allegedly infringed provisions and the remedies as well as to the identification data
concerning the data controller, data processor, if available, and claimant. The claim shall be
undersigned by the data subjects or by associations representing them and shall be lodged with the
DPA without any specific formalities being required.
115
SECTION II – Legal Overview - Netherlands
The Netherlands
 Personal Data Protection Act (Wet bescherming persoonsgegevens), 1 September 2001;
 Telecommunication Act (Telecommunicatiewet), 19 October 1998,
 Article 11.7 Telecommunication Act (version of 1 October 2009).

The DPA has amended its policy as of 2008. The DPA has considerably reduced its assistance with
enquiries and has shifted towards strict enforcement.

If the controller has a marketing list, it is assumed that the controller already processes personal
data, or is intending to. Before the controller uses the list for direct marketing purposes, the
controller has to notify the data processing to the DPA (article 27 Personal Data Protection Act).
Exempt from this notification requirement are the data processing conditions, by general
administrative regulation, in article 11 or article 13 or article 42 Vrijstellingsbesluit Wbp (7 May
2001).
Organisations can also appoint their own internal supervisor, the Data Protection Officer, who is
(publicly) registered with the DPA. The marketing list must be notified to the Data Protection Officer,
instead of the DPA.
On the website of the Dutch DPA (College Bescherming Persoonsgegevens, www.cbpweb.nl) a public
register of the data processing activities by Controllers and a public register of Data Protection
Officers are available (also in English).
Registering a marketing list is not a lengthy process for the Controller. Any change in the contact data
of the Controller (for example address, residence) needs to be notified within a week after the prior
notification. Structural changes related to the purposes of the data processing have to be notified to
the DPA or the Data Protection Officer of the Controller. Changes are to be kept on file by the
Controller (or its data protection officer) for a minimum of three years.
Time
0 - 1 week (after the prior notification) Any change in the name or address of the Controller
1-3 weeks
4-6 weeks Expected time duration for a market list to be
published in the public register by the DPA
Within 1 year (after the Structural changes related to:
prior notification) -the purposes of the data processing;
-the categories of data subjects and personal data;
-the receivers to whom the date are disclosed;
the transfer of data to countries outside the European
Union; and
-security measures to protect personal data.
116
Registration costs
There are no costs involved.
purposes
The legal ground for processing (non-sensitive) personal data for marketing purposes is based on the
„legitimate interests of the controller or third party to whom the data are disclosed‟. The consent of
the data subject (opt-in) is often not necessary. As a rule it is sufficient to give the data subject the
opportunity to opt-out if (non-sensitive) personal data are processed for marketing purposes.

The consent of the data subject (opt-in) is often not necessary. As a rule, it is sufficient to give the
data subject the opportunity to opt-out, if (non-sensitive) personal data are processed for marketing
purposes.
Consent or opt-in is defined as: „any freely given, specific and informed expression of will by which
the data subject agrees to personal data relating to him being processed‟. (Article 1 section in
Personal Data Protection Act1)
For sensitive data, as defined in article 16 Personal Data Protection Act, the explicit consent of the
data subject is required. Implied consent is not sufficient. To give expressed consent the data subject
must indicate his wishes orally, or in writing, or by his/her behaviour.
Consent is needed for: SMS, MMS, EMAIL, Fax, Automatic Calling Machines, Voice Mail
Consent is not needed for: Telephone and Mail
Sensitive data cannot be processed (article 16 Personal Data Protection Act), except as otherwise
provided in the articles 17–23 Personal Data Protection Act. Note that the processing of sensitive
personal data must fully comply with all the requirements for legitimate personal data processing
under the Wbp. The processing of sensitive personal data is allowed where the processing is carried
out with the explicit consent of the data subject. Written opt-in can be considered as explicit consent
of the data subject. Explicit consent may also be indicated orally or by behaviour.
In particular circumstances the data subject‟s confirmation of its consent to the processing of the
sensitive data may be necessary, as the Controller may have to prove the express consent. It is not
clear how this burden of proof is achieved in practice.
Other types of data considered „sensitive‟, are data concerning a person‟s criminal behaviour or
related data. Whether data are considered sensitive depends on the nature of the corporate culture.
1 Dutch original: (artikel 1 onderdeel i Wet bescherming persoonsgegevens): „elke vrije, specifieke en op informatie berustende wilsuiting waarmee de
betrokkene aanvaardt dat hem betreffende persoonsgegevens worden verwerkt‟.
117
The legal ground for the use of electronic messages for marketing purposes is based on the prior
consent of the subscriber (article 11.7 section 1 Telecommunications Act). The sender of the
electronic messages, like email, needs to prove the prior consent of the subscriber.
Prior consent can be proven by the use of double unticked boxes (□ Yes □ No). The sender must
provide sufficient information on the use of the email address for commercial purposes, just above
the frame where the subscriber actually can fill in his or her email address. These requirements for
(prior) consent are applicable online and offline.

“Anyone who obtained electronic contact data for electronic messages in the context of the sale of a
product or service, may use these data for the communication of commercial or charitable purposes
of its own similar products or services, provided that when the contact data were collected the
customer clearly and distinctly was given the opportunity to object, free of charge and in an easy
manner to such use of electronic contact details, and, in case the customer has not made use of this
opportunity, the customer is offered the possibility to object against further use of his electronic
contact data in every communication under the same conditions. Article 41 section 2 Personal Data
Protection Act is applicable in a similar manner.” Article 11.7 section 3 Telecommunication Act2.

As a result of the amendments of 1 October 2009 of the Telecommunication Act, the obligation to
obtain prior consent (opt-in) also applies to legal persons.
The new subsection 2 of Section 11.7 of the Telecommunications Act stipulates a number of
exceptions to the general obligation to obtain consent. According to this subsection, the (legal)
person that sends electronic messages (email, SMS, MMS) to legal persons and natural persons as part
of their professional and business practice, may assume that consent has been given under certain
circumstances. The first is that consent can be assumed where the legal persons have made it
generally known that they want to receive unsolicited marketing messages, they have given their
contact details where commercial messages can be send to, and, if desired, have indicated the types
of messages they want to receive. Making their contact information available will be put on par with
the giving of prior consent for receiving unsolicited commercial electronic messages. However, the
mere exchange of business cards cannot be considered as giving of consent, according to the
Supervisory Authority OPTA.
A sender is furthermore not obliged to gain prior approval if an electronic message is sent to a
subscriber based in a country outside of the European Economic Area (the European Union, Iceland,
Norway and Liechtenstein) and the sender has satisfied the applicable provisions in that country with
respect to sending unsolicited communications.
2Dutch original article 11.7 section 3 Telecommunication Act:

Een ieder die elektronische contactgegevens voor elektronische berichten heeft verkregen in het kader van de verkoop van zijn product of dienst mag
deze gegevens gebruiken voor het overbrengen van communicatie voor commerciële, ideële of charitatieve doeleinden met betrekking tot eigen
gelijksoortige producten of diensten, mits bij de verkrijging van de contactgegevens aan de klant duidelijk en uitdrukkelijk de gelegenheid is geboden
om kosteloos en op gemakkelijke wijze verzet aan te tekenen tegen het gebruik van die elektronische contactgegevens, en, indien de klant hiervan geen
gebruik heeft gemaakt, hem bij elke overgebrachte communicatie de mogelijkheid wordt geboden om onder dezelfde voorwaarden verzet aan te
tekenen tegen het verder gebruik van zijn elektronische contactgegevens. Artikel 41 lid 2 Wet bescherming persoonsgegevens is van overeenkomstige
toepassing.
118
Purposes
Article 7 of the Personal Data Protection Act stipulates that personal data shall be collected only for
specific, explicitly defined and legitimate purposes. A purpose that is too widely formulated almost
always generates data that cannot be used in practice; therefore, the purpose should be precise.
However, it is not advisable to be too precise, as the purpose could limit the use of the data too
much.
Generic terms
It is advisable to be specific when stipulated in the Personal Data Protection Act (the Wbp -for
example contains certain provisions related to direct marketing purposes). Otherwise, sector specific
self-regulation defines generic terms.

The data subject must be informed of his right to block personal data (opt-out), when personal data
are collected for marketing purposes (article 33/34 Personal Data Protection Act). However, there is
no recognized form of wording on this subject.
Both prospective and existing clients will need to be informed of the purpose of processing personal
data.
Opt-out
The data subject exercises opt-out by sending a note or email directly to the Controller or by using an
unsubscribe hyperlink. The Controller must flag the concerned contact data as not to be used for
direct marketing purposes.
Each time when the Controller informs the customer for commercial or charitable purposes, the data
subject needs to be informed of the right to opt-out.
Data Storage

A data confidentiality clause is stated in article 9 section 4 Personal Data Protection Act: the data
processing shall not take place when there is an obligation of confidentiality by virtue of function,
profession or legal provision.
Another confidentiality clause, in general, is stated in article 12 Personal Data Protection Act: anyone
acting under the authority of the Controller or the Processor, as well as the Processor itself, when
they have access to personal data, shall only process such data in accordance with the instructions of
the Controller, except when otherwise required by law (article 12 section 1 Personal Data Protection
Act).
These persons are required to treat the personal data as confidential, except when any legal provision
or the performance of their duties requires communication of such data (article 12 section 2 Personal
Data Protection Act).
119
There is a specific time limit on holding data. Article 10 section 1 Personal Data Protection Act states
that data may no longer be kept in a form that identifies a person, if the purposes for which the data
are processed are accomplished. Historical, statistical or scientific purposes are exempted (article 10
section 2 Personal Data Protection Act).
Penalties
The administrative infringements are categorized in „less serious and serious‟ infringements, with
regard to the duty to notify the data processing to the DPA (article 66 Personal Data Protection Act /
Policy rules DPA for fining):
 Notification after the deadline;
 An incorrect or incomplete notification;
 Notification of changes after the deadline;
 Not capturing the data in relation to a different processing of personal data.
Maximum administrative fine for less serious infringements is €1500,--;
Maximum administrative fine for serious infringements is €3000,--;
Maximum administrative fine for repeated offenses is €4500,--.
The DPA is also authorized to apply administrative measures of constraint, which can lead to halting
the processing of personal data (article 65 Personal Data Protection Act).

The Independent Post & Telecommunications Authority, OPTA, which is authorized to enforce article
11.7 Telecommunication Act, regards a breach of the rules on unsolicited electronic communication
for commercial or charitable purposes as „less serious infringements‟. The maximum administrative
fine is € 100.000,-- for „less serious infringements‟. The amount of the fine depends on the criteria:
 the number of complaints;
 repeated infringement;
 several infringements;
 the particular damage of the message according to end-users;
 the damage, caused by the message, according to ISP‟s and hosting providers;
 the damage of the message to end-users;
 number of messages sent.
Maximum fine of € 450.000, -- („very serious infringement‟), if the obtained benefit or damage caused
justifies this.

There are no specific special rules concerning on-time collection of data on the internet. The Personal
Data Protection Act is equally applicable in the online and offline area.

Article 35 Personal Data Protection Act: request for access by the data subject, reaction by the
Controller within 4 weeks. Compensation of costs is possible: maximum of €0,23 for one page with a
maximum of €4,50 for one message. Article 36 Personal Data Protection Act: request for rectification
by the data subject, reaction by the Controller within 4 weeks.
120
SECTION II – Legal Overview - Norway
Norway
Personal Data Act, 14. April 2000 nr 31
Marketing Control Act, 9. January 2009 nr 2
Norway is a member of the European Economic Area (EEA) and its Data Protection laws are recognised
by the EU.

Obligations in relation to marketing lists with the Data Protection Authority (Datatilsynet)
The processing of personal data in relation to marketing lists must as a main rule be notified with the
DPA.
To the extent that the processing involves sensitive personal data, a licence will, in principle, be
required.
Expected time duration for notification and application for a licence to the DPA
Notification: The DPA does not provide companies with permission; they only use the notification in
their role as supervisors. For licences the time varies. Normally it is approximately 8 weeks.
Registration costs
There are no registration costs
purposes
 The person have given his/her consent
 To fulfill a contract to which the data subject is a party (§ 8 a)
 The interest of the controller overrides the interest of the data subject (§ 8f)

Valid consent is obtained when a freely given, specific and informed declaration is made by a data
subject, in which they agree to the processing of their personal data .
Implied consent
Implied consent (i.e. if a consumer provides details – address, phone number or email) is generally not
acceptable.
121
Category Yes No N/A
SMS

MMS

Email

Telephone
*
**
Fax

Mail

Other, please specify:
Addressed mail
*
* Consumers may opt out of marketing by telephone or addressed mail by registering their names,
addresses and telephone numbers in the Central Marketing Exclusion Register. Marketing lists must be
compared against the Central Marketing Exclusion Register before a consumer is contacted for the
first time, and subsequently on a monthly basis.
** It is prohibited in the course of trade to telephone marketing to consumers on Saturdays, Sundays or

public holidays, or on weekdays before 09:00 or after 21:00.
The required form of consent for sensitive and non-sensitive data is the same.
Data on whether a data subject has been suspected of, charged with, indicted for ,or convicted of a
criminal act.
Common legal ground for the use of electronic messages for marketing
Prior consent, opt–in, is required.

There is no soft opt-in in Norway.
Rules on electronic communication for B-to-B marketing

Not in general – but if the marketing is to a specific person in a company, you will need that person‟s
consent before approaching them.
Purposes
When giving the purposes for processing personal data, it is necessary to be precise.
122
Generic terms
Generic terms are acceptable. For example, „fax direct marketing‟ is sufficient.

There are no required or a recognised form of wording for collecting data in Norway.
If the purposes are clearly stated and consent has been given, it is not necessary to detail the
purposes each time an existing client is approached. Only prospective clients need to be informed of
the purposes for processing.
Opt-out
Yes, if you use electronic media such as email, SMS or MMS.
Data Storage

This is a data confidentiality clause in Norway.
Time limits on storage of data

Data may not be stored for longer than is necessary in order to fulfill the purpose of the processing of
personal data.

There are no national model clauses governing the rules of data transfer between companies. The EU
standard model clauses are accepted.
Transfer of data to non-EU countries
Procedure for transferring data to non-EU countries

There has to be a model clause in place or an agreement between the parties. Alternatively, the data
subject must consent.
Security of Data
Security of data
“The controller and the processor shall by means of planned, systematic measures ensure
satisfactory data security with regards to confidentiality, integrity and accessibility in connection
with the processing of personal data”

There are no costs associated with the security of data to the DPA.
123
There are several rules that must be fulfilled.
Penalties

 Fines
 order to change or cease unlawful processing
 imprisonment
 compensation

 Fines
 order to change or cease unlawful processing
 imprisonment
 compensation

None.

You may only have access to the information that you need in your job –“need to have” and not “nice
to have” information.
Data subjects are entitled to have access to, information about, and rectification of their own data.

There are no industry codes of practice as there is a duty to clean list against the state operated
“central marketing exclusion register” as mentioned in the Data Protection Act.
For more information please contact:
Brønnøysundregistrene
Tel. + 47 75 00 75 00
E-mail: info@brreg.no
www.brreg.no
124
SECTION II – Legal Overview – Poland
Poland
 the Act of August 29, 1997, on the Protection of Personal Data (hereinafter called the PDPA);
 the E-Commerce Act of July 18, 2002, on providing services by electronic means (hereinafter
called the e-Commerce Act); deals with processing of personal data in respect of e-commerce
(art.16-22);

The Polish DPA‟s (Inspector General for Personal Data Protection, “Generalny Inspektor Ochrony
Danych Osobowych”, or “GIODO”) policy is to answer all questions concerning clarification of
regulatory issues or processing of personal data. On the other hand, if GIODO fails to answer a
question, there is no legal means to force it to do so.

Marketing lists (marketing data files) shall be in general registered with the DPA. The only exception
applies to marketing data files consisting of so-called business contact data (B2B relationship) and the
lists consisting solely of generally accessible data such as data published on websites. Such files do
not have to be registered.
In case of non-sensitive data, the controller may start processing personal data after submitting a
marketing data file for registration.
In case of sensitive data, controller may start processing personal data after registration of the data
file.
4 – 6 weeks.
Registration costs
There are no administrative fees to be paid.
The fee for the certificate of registration of the data file amounts to PLN 17 (approx. EUR 3.50).
purposes
The possible legal grounds are the prior consent of the data subject, obtained by an opt-in (otherwise
the consent may be invalid) or under a provision of PDPA allowing the data controller to process the
data for marketing purposes, provided the data subject does not object to it (opt-out), cf. art. 23
item 4 point 1 of DPDA.
However, it should be stressed that the latter possibility is limited only to processing of personal data
in the context of marketing by a controller of his own products or services. Opt-out may never be
used in the case of the processing of personal data in an e-commerce context.

Consent may be expressed by any declaration by which the data subject unequivocally expresses his
or her agreement to personal data relating to him or her being processed. The consent cannot be
implied or presumed on the basis of the declaration of will on another issue (e.g. a contract with a
controller). Written consent is only required in limited cases (e.g. for processing of sensitive data).
125
Implied consent
Implied consent is not acceptable under PDPA.
Category Yes No N/A
SMS

MMS

Email
Telephone
*
Fax

Mail
**
Automatic calling
machines

* in communications regarding marketing of the controller‟s own goods or services

** in case of other types of marketing communication
The consent must be expressed in writing. Verbal or non-durable explicit (express) consent is not
sufficient. This requirement is regarded to be a serious hindrance for telemarketing and Internet
industries in Poland.
Apart from the above, personal data revealing ethnic origin, philosophical beliefs, as well as the
processing of data concerning, genetic code, addictions and data relating to convictions, decisions on
the penalty, fines and other decisions issued in court or administrative proceedings shall be
considered sensitive data. The exhaustive list of sensitive data is provided for in art.27 of PDPA.
Only explicit consent shall be acceptable.

There is no soft opt-in possibility.
Opt-in is required for all electronic communication for B-to-B marketing purposes.
Purposes
When giving purposes for processing personal data, it is necessary to be precise.
126
Generic terms
Generic terms are acceptable

There are no required or recognized form of wording for collecting data, however, it is advisable to
use the same wording as are used in PDPA.
The purposes for processing personal data shall be given only to prospective clients. The obligation of
notification has to be fulfilled by a controller only once. The data subject has a right to obtain
information as to the purpose, scope, and the means of processing of the data contained in the
system once for six months.
Opt- out
PDPA does not provide for any specific requirements as to exercise of opt-out. Thus, a controller has
to accept a data subject‟s objection raised in any form. Opt out does not have to be offered each
time when approaching the customer.
Data Storage

There is a data confidentiality clause in Poland.

There are no time limits on holding data, however a general preservation principle applies. According
to this, personal data shall not be kept in a form that permits identification of the data subject longer
than it is necessary for the purposes for which they are processed.
“Passive” holding of data is regarded as falling within the scope of “processing of personal data”.

None. The contract in writing is required for appointing the data processor.
Transfer of Personal Data to a Third Country

The transfer of personal data to a third country may take place only, if the country of destination
ensures at least the same level of personal data protection in its territory as that in force in Poland.
The standard EU clauses are used in Poland.
Penalties

In case of any breach of the provisions on personal data protection, GIODO ex officio, or upon a
request of a person concerned, will make an administrative decision, which requires the restoration
of the proper legal state, and in particular:
 to remedy the negligence,
127
 to complete, update, correct, disclose, or not to disclose personal data,
 to apply additional measures protecting the personal data, which has been collected,
 to suspend the transfer of personal data to a third country,
 to safeguard the data or to transfer them to other subjects,
 to erase the personal data.
No administrative fines can be imposed by GIODO.
Penalties for breaching the rules on unsolicited Emails and other means of electronic
communication:
In case of sending unsolicited communications by email or other means of electronic communication,
a fine up to PLN 5,000 (approx. EUR 1,250) may be imposed by a court.

No. General rules are applicable.

The data subject has a right to control the processing of his or her personal data contained in the
databases, and in particular he or she has the right to demand the data to be completed, updated,
rectified, temporarily or permanently suspended, or erased, in case they are not complete, outdated,
untrue or collected in the violation of the act, or in case they are no longer required for the purpose
for which they were collected.

Poland has Codes of Practice & Preference Services (Robinson Lists). They can be found at the Polish
Direct Marketing website www.smb.pl. The DPA has been consulted on the direct marketing code.
128
SECTION II – Legal Overview – Romania
Romania
-Law no. 677/12.12.2001
-Law no. 506/2004
-Law no. 682/21.12.2001
-Law no. 102/03.05.2005
-Law no. 365/2002
-Decision no. 95/2008
-Decision no. 11/2009

The National Authority on the Supervision of Personal Data Processing (the DPA) will assist with
enquiries.

When starting to collect personal data to be included in a marketing list in Romania, you are required
to notify the DPA. If existing marketing lists are transferred from the initial holder to another entity,
such transfers have to be reflected in the initial holder‟s and the receiving entity‟s, respective
notifications.
6 – 8 weeks
Registration costs
Currently there are no registration costs applicable for filing notifications concerning marketing
processing (and marketing lists) with the DPA.
purposes
The common legal ground for the processing of personal data for marketing purposes is that there has
to be a legitimate interest from the direct marketer.

In the cases where consent is needed, it has to be explicit and unequivocal.
Implied consent
Implicit consent is acceptable in Romania, but it is not recommended in situations where the law
requires opt-in.
Consent is required for SMS, MMS, EMAIL, FAX, and Voice Mail
Consent is not required for Telephone and Mail
129
When processing sensitive data, the consent has to be explicit and unequivocal. The DPA has
sometimes expressed the view that processing sensitive data for marketing purposes is excessive and,
thus, not justified.
Categories of sensitive data include ethnic origin, philosophical beliefs or similar nature, personal
numeric code, ID card/passport series and number, genetic and biometric data, data on criminal
offences, criminal convictions/security measures, disciplinary sanctions, administrative sanctions,
criminal record.
Explicit consent of the recipient is required.

There is no soft opt-in for electronic communications in Romania.
Opt-in is required for all electronic communication for B-to-B marketing purposes (it is not
required for direct mail).
Purposes
It is not necessary to be precise when giving the purposes for processing personal data, as long as it is
clearly indicated that the data shall be used for future marketing purposes.
Generic terms
Generic terms are acceptable.

There is a required or a recognized form of wording for collecting data in Romania (included in DPA
guidelines available on its official website:
http://www.dataprotection.ro/?page=ghid_notificare&lang=ro). It is as follows:
Romanian:
For collection via participation tickets or similar means:
“............................................................. (se indică identitatea operatorului sau a
reprezentantului, precum şi, dacă este cazul, pe cea a împuternicitului) prelucrează datele cu
caracter personal furnizate de dumneavoastră prin acest document.............(se precizează
categoriile de date, dacă acestea nu sunt colectate direct de la persoanele vizate) în scopul
............(se precizează scopul). Datele vor fi dezvăluite ..................................(se precizează
destinatarii cărora le vor fi dezvăluite datele). Pe viitor, aceste date/datele .............. (se
precizează concret datele) ne permit să vă ţinem la curent cu activitatea noastră.
130
În cazul în care nu doriţi aceasta, bifaţi NU ⁫
Conform Legii nr. 677/2001, beneficiaţi de dreptul de acces, de intervenţie asupra datelor, dreptul
de a nu fi supus unei decizii individuale. Aveţi dreptul să vă opuneţi prelucrării datelor personale
care vă privesc şi să solicitaţi ştergerea datelor. Pentru exercitarea acestor drepturi, vă puteţi
adresa cu o cerere scrisă, datată şi semnată la .................................................(se precizează
serviciul, organismul sau persoana responsabilă). De asemenea, vă este recunoscut dreptul de a vă
adresa justiţiei.
Datele dumneavoastră vor fi transferate în ............... (precizaţi statele), în
vederea....................(se precizează scopul transferului datelor în străinătate).“
For collection of data online: “Conform cerinţelor Legii nr. 677/2001 pentru protecţia persoanelor cu
privire la prelucrarea datelor cu caracter personal şi libera circulaţie a acestor date, modificată şi
completată şi ale Legii nr. 506/2004 privind prelucrarea datelor cu caracter personal şi protecţia
vieţii private în sectorul comunicaţiilor electronice (se precizează şi acest act normativ, după
caz)..............................................(se precizează denumirea operatorului sau a
reprezentantului, precum şi, dacă este cazul, pe cea a împuternicitului) are obligaţia de a administra
în condiţii de siguranţă şi numai pentru scopurile specificate, datele personale pe care ni le furnizaţi
despre dumneavoastră, un membru al familiei dumneavoastră ori o altă persoană. Scopul colectării
datelor este:.............................. (se indică scopul prelucrării).
Sunteţi/nu sunteţi obligat(ă) să furnizaţi datele, acestea fiind necesare................................(se
precizează scopul). Refuzul dvs. determină.................. (se precizează consecinţele refuzului).
Informaţiile înregistrate sunt destinate utilizării de către operator şi sunt comunicate numai
următorilor destinatari:................. (se precizează destinatarii).
Doriţi să primiţi informaţii despre produsele, serviciile, evenimentele etc. oferite de.................(se
precizează denumirea operatorului sau a reprezentantului, precum şi, dacă este cazul, pe cea a
împuternicitului)?
⁫ DA NU
Conform Legii nr. 677/2001, beneficiaţi de dreptul de acces, de intervenţie asupra datelor, dreptul
de a nu fi supus unei decizii individuale şi dreptul de a vă adresa justiţiei. Totodată, aveţi dreptul să
vă opuneţi prelucrării datelor personale care vă privesc şi să solicitaţi ştergerea datelor*. Pentru
exercitarea acestor drepturi, vă puteţi adresa cu o cerere scrisă, datată şi semnată la
.................................................(se precizează serviciul, organismul sau persoana
responsabilă). De asemenea, vă este recunoscut dreptul de a vă adresa justiţiei. Datele
dumneavoastră vor fi transferate în ............... (precizaţi statele), în vederea....................(se
precizează scopul transferului datelor în străinătate)."
Dacă unele din datele despre dumneavoastră sunt incorecte, vă rugăm să ne informaţi cât mai curând
posibil.”
English:
For collection via participation tickets or similar means:
“............................................................. (the identity of the data controller or its
representative and, if the case, of the data processor shall be inserted) processes the personal data
made available by you through this document.............( the categories of data and whether the data
is collected directly from data subjects shall be indicated herein) for the following purpose
............(the purpose shall be inserted). The data shall be disclosed to
..................................(the recipients of the data shall be mentioned herein). In the future,
these data / the following categories of data.............. (the categories of data shall be mentioned)
will allow us to maintain you informed on our activity.
131
If you do not wish to receive such information, please select NO ⁫
According to Law no. 677/2001, you have the right to access and intervene on the data, the right not
to be subjected to automated individual decisions. You have the right to object to the processing of
your personal data and to request the deletion thereof. For exercising these rights, you may send a
written, dated and signed request at ................................................. (the office, body or
person responsible for receiving these requests to be inserted). Moreover, you are entitled to address
the competent court of justice. Your personal data shall be transferred to ............... (countries of
destination to be inserted) in order to .................... (the purpose of the transfer to be inserted).”
For collection of data online: “Pursuant to the requirements of the Law No. 677/2001 on the
protection of individuals with regard to the processing of personal data and the free movement of
such data, as amended and completed, and of the Law No. 506/2004 on the processing of personal
data and the protection of personal life in the electronic communication field (such piece of law is
also specified, as the case may be)………………………………………..(it is specified the name of the data
controller or of the representative thereof and, if the case, the name of the data processor) has the
obligation to administrate in safe conditions and only for the specified purposes the personal data
belonging to you, to a member of your family or to any other person which are provided to us. The
purpose of data collecting is:………………………………(the purpose of the processing is specified).
You are/ you are not compelled to provide the data, which is necessary……………………….(the purpose is
specified). Your refusal triggers …………………….(the consequences of the refusal are specified).
The registered information are destined for the use of the data controller and are communicated
only to the following recipients:…………………………… (the recipients are specified).
Do you want to receive information on the products, services, events, etc. offered by ……………………(it
is specified the name of the data controller or of the representative thereof and, if the case, the
name of the data processor)?
YES ⁫ NO ⁫
According to Law no. 677/2001, you have the right to access and intervene on the data, the right not
to be subjected to automated individual decisions and the right to address the competent court of
law. Moreover, you have the right to object to the processing of your personal data and to request
the deletion thereof. For exercising these rights, you may send a written, dated and signed request
at .................................................(the office, body or person responsible for receiving these
requests to be inserted). Moreover, you are entitled to address the competent court of justice. Your
personal data shall be transferred to ............... (countries of destination to be inserted) in order to
....................(the purpose of the transfer to be inserted)."
If some of your data are incorrect, please indicate this as soon as possible.”
Legally only to prospects.
Opt-out
Opt-out is exercised by written request. The possibility to opt-out should be mentioned in each
marketing message.
132
Data Storage

There are data confidentiality clauses in Romania.

There are no time limits on holding data, but such should be held only as long as necessary for
fulfilling the processing purposes.
Penalties

Fines, suspension or ceasing of the processing, partial or total destruction of the database, legal or
criminal action.

Fines will be imposed.

The consumers have the right to access and rectify the data by sending a written request.

There are codes of Practice in Romania. These can be found on the website of the Romanian DMA,
www.armad.ro. These codes are also agreed by the DPA.
133
SECTION II – Legal Overview – Slovenia
Slovenia
 ZVOP-1 (Personal Data Protection Act)
 ZEKom (Electronic Communications Act)
 ZEPT (Electronic Commerce Market Act)
 ZVPot (Consumer Protection Act - official consolidated text)
 ZASP (Copyright and Related Rights Act)

The DPA is willing to answer questions and provide information regarding these matters.

Companies that keep and process personal data must transmit information about personal data
processing to the DPA except for those companies that use lists of less than 50 people and that do not
process sensitive data.
1-3 weeks
Registration costs
The registration itself is cost free. However, gathering the required data and creating the required
internal guidelines on processing personal data generates internal costs.
purposes
1) Individual‟s consent is the most common legal ground for the processing of personal data for
marketing purposes
2) Marketing databases can also be compiled from publicly available sources (Article 71 of ZVOP-1),
but should not be used for marketing purposes unless addressees consent (opt-in principle). The
processor then has to comply with the demands of the data protection act (ZVOP-1) – including
the requirement to submit information to the DPA and enact internal rules for the processing of
personal data.

Personal consent is a voluntary statement of an individual‟s free will that his personal data can be
processed for a specific purpose and is based upon information the data processor is obliged to
provide. Personal consent can be written, verbal, or in another appropriate form.
Written consent is required for sensitive personal data.
As a rule, written consent is usually acquired because verbal consent is harder to prove. An electronic
form that is not verified with a safe electronic signature counts is of equivalent evidentiary
significance as verbal consent.
Implied consent
Implied consent is not acceptable.
134
Consent by the data subject is required for SMS, email, MMS, fax, telephone, but not mail.
No consent is necessary for the collection of data from publicly available sources according to the
Data Protection Act, but this does not apply to electronic communications. Consent is necessary when
using this data to address consumers according to the Electronic Communications Act (ZEKom) ,
Consumer Protection Act (ZVPot) and Electronic Commerce Market Act (ZEPT ).
The use of automated calling systems for making calls to the subscribers‟ telephone numbers without
human intervention (e.g. automatic calling machines), facsimile machines or electronic mail for the
purposes of direct marketing may only be allowed if the addresses have given their prior consent (opt-
in).
Irrespective of this, natural persons or legal entities that obtain electronic mail addresses from the
customers of their products or services may use such addresses for direct marketing of their similar
products or services, but they shall be obliged to give their customers the possibility, at any time,
free of charge and by using simple means, of preventing such use of their electronic address (soft opt-
in)
In the private sector processing of sensitive data is only allowed if an individual gave his explicit
(express) written consent.
Categories of Sensitive data also include national or nationalistic origin, philosophical beliefs, criminal
and minor offense records and biometric characteristics if they can identify an individual. The
provisions of the Slovenian Data Protection Act are very similar to the EU Data Protection Directive.
ZEKom (which sets the rules for electronic communications for both businesses and consumers)
defines the (soft) opt-in principle. See below.
ZVPOT (which sets the rules for automatic means of communication with consumers, physical persons,
at the receiving end) defines the opt-in principle (prior consent of the consumer).

Natural persons or legal entities that obtain electronic mail addresses from the customers of their
products or services may use such addresses for direct marketing of their similar products or services,
but they shall be obliged to give their customers the possibility at any time, free of charge and by
using simple means, of preventing such use of their electronic address (soft opt-in)

The same opt-in rules apply to B-to-B and to B-to-C with the same two exceptions as defined in the
ZEPT (Electronic Commerce Market Act).
Purposes
When providing the purposes for processing data, the purposes must be precise. Generic terms are
acceptable.
135

There is no required or recognized form of wording for collecting data. However, we recommend
something on the following lines:
Spodaj podpisani ___________, dovoljujem, da podjetje __________________ moje zgoraj navedene

osebne podatke obdeluje v svojih zbirkah ter jih uporablja za sledeče namene:
statistične obdelave, segmentacijo kupcev, obdelave preteklega nakupnega
obnašanja, izpolnjevanje pogodbenih obveznosti, obveščanje kupcev o morebitnih
napakah na izdelkih, pošiljanje ponudb, reklamnega gradiva, revij in vabil na
dogodke ter za telefonsko, pisno in elektronsko anketiranje.
Moje osebne podatke lahko __________________obdeluje za dobo _____ let oziroma do preklica moje
pisne privolitve.
Seznanjen sem, da bo __________________ v primeru preklica moje pisne privolitve moje osebne
podatke še naprej uporabljala, vendar le za izpolnjevanje pogodbenih obveznosti in
uveljavljanje pravic iz pogodbenega razmerja.
In English:
I, the undersigned _________ agree that company ___________ may collect my personal data in their
databases for market segmenting, statistical needs, past purchase statistics (add
appropriate) and marketing and surveying activities.
My data can be used for ____ years or until my written cancellation.
I understand that the company ______ will use just contractual data after my cancellation.
The purposes must be given the first time a client is approached. If the relationship is an on-going
one, it is only necessary to provide the purposes once. Should the scope of the processing expand,
consent is to be obtained once again.
Opt-out
When the vendor receives an email, or other request, to remove data, , he should delete the sender‟s
personal data from his lists and databases.
Mail receivers can buy stickers and attach them to their mailboxes, which means that they do not
want to receive unaddressed printed advertisements anymore.
Yes, it is necessary to offer an opt-out mechanism each time when approaching the customer.
Data Storage

There is a Data Protection clause.
136
There are time limits on holding data. If the legal basis for the processing of data is by statute,
personal data can only be held for the period defined by the legislation and then deleted.
If the legal basis for the processing of data is a contract, then there is a prescriptive deadline in
which all claims from the contract expire.
If the legal basis for the processing of data is consent, the proportionality principle applies (data is
held until they are needed for the purpose for which it was collected. The purpose has to be
communicated.)
Penalties

ZVOP-1 defines the following penalties:
Article 91
(1) A fine of between 4170€ and 12510€ shall be imposed for a minor offence on a
legal person or sole trader:
1. if he processes personal data without having the statutory grounds or personal consent of the
individual to so do;
2. if he entrusts an individual task relating to the processing of personal data to another person
without concluding a contract;
3. if he processes sensitive personal data or does not protect them;
4. if he automatically processes personal data;
5. if he collects personal data for purposes that are not defined and lawful, or if he continues to
process them;
6. if he supplies personal data to a data recipient;
7. if he does not inform the individual of the processing of personal data;
8. if he uses the same linking code;
9. if he does not delete, destroy, block or make anonymous personal data after the purpose for
which they were processed has been achieved;
10. if he fails to ensure that the filing system catalogue contains data provided by statute;
11. if he fails to supply data for the needs of the Register of Filing Systems.
(2) A fine of between 830€ and 1250€ can be imposed for a minor offence (see above) on a company‟s
controller or a sole trader.
(3) A fine of between 830€ and 1250€ can be imposed for a minor offence on the responsible person of
a state body or body of self-governing local community who offends against any element of the first
paragraph of this Article.
(4) A fine of between 200€ and 830€ can be imposed for a minor offence on an individual who offends
against any element of the first paragraph of this Article.
137
Violation of the provisions on contractual processing
Article 92
 A fine of between 4170€ and 12510€ can be imposed for a minor offence on a legal person or sole
trader, if he oversteps the authorisation contained in the contract from the second paragraph of
Article 11 or does not return personal data in accordance with the third paragraph of Article 11.
 A fine of between 830€ and 1250€ can be imposed for a minor offence from the previous
paragraph on a company‟s controller.
 A fine of between 830€ and 1250€ can be imposed for a minor offence on the responsible person
of a state body or body of self-governing local community who offends against the first paragraph
of this Article.
 A fine of between 200€ and 830€ can be imposed for a minor offence on an individual who
commits the act from the first paragraph of this Article.
Violation of the provisions on security of personal data

Article 93
trader, if he processes personal data and fails to ensure the security of the personal data (Articles
24 and 25).
paragraph on the company‟s controller or the sole trader.
 A fine of between 830€ and 1250€ can be imposed for a minor offence on the responsible person
of a state body or body of self-governing local community who offends against the first paragraph
of this Article.
 A fine of between 200€ and 830€ can be imposed for a minor offence on an individual who
commits the act from the first paragraph of this Article.
Violation of the provisions on direct marketing

Article 94
trader, if he processes personal data for the purposes of direct marketing and does not act in
accordance with Articles 72 or 73.
paragraph on the company‟s controller or a sole trader.
 A fine of between 200€ and 830€ can be imposed for a minor offence on an individual who offends
against the requirements (the first paragraph of this Article).
Penalties for breaching the rules on unsolicited E-mail messages
E-mail - ZEKom:
A fine of between 50000€ to 400000€ shall be imposed on a medium-sized or large company, as
defined by the Companies Act, if it uses:
 a customer‟s e-mail address for direct marketing after the customer has declared that he does not
want to receive it,
 electronic communications for direct marketing without subscriber‟s consent
 a false identity or false address for direct marketing by use of electronic communications
A fine between 2000€ and 20000€ shall be imposed on other legal entities (not being medium-sized or
large companies), entrepreneurs or individuals performing such activities.
138
A fine between 500€ and 10000€ shall be imposed on the responsible person of legal entity or
entrepreneur for committing one of the above mentioned minor offences.
E-mail - ZVPot:
A fine of between 3000€ and 40000€ shall be imposed on a legal person, entrepreneur or individual:
1. for advertising goods or services in a manner which is against the law, indecent or misleading, or
for not advertising goods or services in the Slovene language (Articles 12, 12a and 12b);
2. for advertising goods or services through a means of comparative advertising which is contrary to
provisions of Article 12c;
3. for advertising messages which are part of or present a service of an information society and are
not in accordance with Article 15a;
4. for using an automatic calling machine without the mediation of an individual, facsimile
transmission machine or electronic mail without prior consent from the consumer, to whom a
message was addressed (first paragraph of Article 45a);
5. for sending messages to consumers with the intention of concluding a contract to supply goods or
services, regardless of a consumer's declaration that he/she no longer wishes to receive such mail
(third paragraph of Article 45a);
ZEPT
A fine of between 10000€ and 50000€ for a minor offence on a service provider which is considered a
mid-sized or large if it sends commercial messages contrary to Article 6 (without consent of the
receiver).
A fine of between 2000€ and 2000€ for a minor offence on a service provider, performing activity as
legal person (but no meeting the criteria of a mid-sized or large company), entrepreneur or
individual.
A fine between 1000€ and 4000€ shall be imposed for a minor offence on a responsible person of legal
person or entrepreneur.
When commercial messages are sent contrary to the provisions of ZEPT and are considered unsolicited
messages pursuant to ZVPOT, the provision of ZEPT apply.

There are no additional rules for on-time collection of data on the internet.

(1) Data controller shall on request of the individual be obliged:
1. to enable consultation of the filing system catalogue;
2. to certify whether data relating to him are being processed or not, and to enable him to consult
personal data contained in the filing system which relates to him, and to transcribe or copy them;
3. to supply him with an extract of personal data contained in the filing system which relate to him;
4. to provide a list of data recipients to whom personal data were supplied, when, on what basis and
for what purpose;
5. to provide information on the sources on which records contained about the individual in a filing
system are based, and on the method of processing.
6. to provide information on the purpose of processing and the type of personal data being
processed, and all necessary explanations in this connection;
7. to explain technical and logical-technical procedures of decision-making, if the controller is
performing automated decision-making through the processing of personal data of an individual.
139
Right to supplement, correct, block, erase and to object
1. On the request of an individual to whom personal data relate, the data controller must
supplement, correct, block or erase personal data which the individual proves as being
incomplete, inaccurate or not up to date, or that they were collected or processed contrary to
statute.
2. On the request of the individual the data controller must inform all data recipients and data
processors to whom the controller has supplied the personal data of the individual, before the
measures from the previous paragraph have been carried out, of their supplementation,
correction, blocking or erasure pursuant to the previous paragraph. Exceptionally the data
controller shall not need to do this if it would incur large costs, disproportionate efforts or would
require a large amount of time.
3. Individuals whose personal data are processed shall have the right through objection at any time
to demand the cessation of their processing. The data controller shall grant the objection if the
individual demonstrates that the conditions for processing have not been fulfilled. In this case the
personal data of the individual may no longer be processed.
4. The DPA shall rule on any request resulting from the previous paragraph within two months of
receiving the request. The lodging of a request will stop the processing of personal data of that
individual.
5. The costs of all actions of the data controller shall be borne by the data controller.
Procedure of supplementing, correction, blocking, deletion and objection

1. The request or objection shall be lodged in writing or orally in an annotation with the data
controller.
2. The data controller shall be obliged to perform the supplementing, correction, blocking or
deletion of personal data within 15 days of the date of receipt of the request, and to inform the
person who lodged the request, or within the same interval to inform him of the reasons why he
will not do so. The controller must decide on an objection within the same deadline.
3. If the data controller fails to act, the request shall be deemed to have been refused.
4. If the data controller concludes on his own that the personal data are incomplete, inaccurate or
not up to date, he should supplement or correct them and inform the individual, unless otherwise
provided by statute.
5. Costs relating to the supplementing, correction and erasure of personal data, and of the
notification and decision on the objection, shall be borne by the data controller.
140
SECTION II – Legal Overview – Spain
Spain
 Ley Orgánica 15/1999, de Protección de Datos de Carácter Personal. (Commonly known as LOPD)
 Real Decreto 1720/2007, de 21 de diciembre, por el que se aprueba el Reglamento de desarrollo
de la Ley Orgánica 15/1999, de 13 de diciembre, de Protección de Datos de Carácter Personal
(Commonly know as RDLOPD)
 Ley de Servicios de la Sociedad de la Información y del Comercio Electrónico. (Commonly known
as LSSI)
 Ley 32/2003, de 3 de Noviembre, General de Telecomunicaciones (Commonly known as LGTel).
Articles 33 to 38 regulate the privacy of communications and the protection of personal data,
public rights and obligations related to networks and electronic communication services.
Extent of the Spanish Data Protection Authority‟s (“Spanish DPA”) Assistance with Enquiries
The Spanish DPA will assist with enquiries but the answers to those enquiries are not binding for the
Spanish DPA. There are examples of decisions of the DPA in contradiction with previous enquiries.

Not only Marketing files but every file containing personal data processed by the data controller has
to be registered.
If the data controller has not received any express notification from the DPA to a request within one
month the file will be considered registered.
There are no registration costs.
purposes
The protection of the Fundamental Right to privacy, as stated in the Spanish Constitution and
developed by the LOPD (Ley Orgánica 15/1999, de Protección de Datos de Carácter Personal) and the
RD LOPD (Real Decreto 1720/2007, por el que se aprueba el Reglamento de desarrollo de la Ley
Orgánica 15/1999).
The LOPD is based on the following principles:

 Quality of the data processed, which should be adequate, relevant and not excessive in relation
to the purposes for which they were obtained.
 Data subjects‟ right to be informed before collection or at the time of collection of their
personal data. The data subjects must be informed explicitly, precisely and unequivocally of the
following:
a) The existence of a file or personal data processing operation, the purpose of collecting
the data, and the recipients of the information.
b) The obligatory or voluntary nature of the reply to the questions put to them.
c) The consequences of obtaining the data or of refusing to provide them.
d) The possibility of exercising rights of access, rectification, erasure and objection.
e) The identity and address of the controller or of his representative, if any.
141
 Consent of the data subject. Processing of personal data shall require the unambiguous consent of
the data subject, unless established otherwise by law.
 Data security and the duty of secrecy. The controller or, where applicable, the processor shall
adopt the technical and organisational measures necessary to ensure the security of the personal
data. The data controller and any person involved in any stage of the processing personal data
shall be subject to professional secrecy.
 The specific regulation of data sharing and access to data on behalf of third parties.
 Additional requirements for the processing of sensitive data.
Article 30 LOPD and Articles 46 to 51 RD LOPD specifically regulate files processed for the purpose of
advertising and market research. Article 30 states that the files processed for this purpose must be
collected whether from sources accessible to the public or provided by the data subjects themselves
or with their consent. When the personal data are collected from public sources, the data controller
will have to include in each communication to the data subject information about the origin of the
data and the identity of the data controller, as well as the rights available to the data subject. Data
subjects have the right to oppose to the processing of their personal data for this purposes.
Public sources are precisely identified in Article 28 LOPD and Article 7 RD LOPD as:
 Personal data included in the promotional census;
 Lists of persons belonging to professional groups;
 Data contained in guides to electronic communications services available to the public;
 Data obtained from official journals and gazettes;
 The media.
No other sources are accepted as public sources.
Please note that the RD LOPD expands the regulation of the processing of personal data for the
purposes of advertising and market research introducing relevant provisions regulating:
 the role of organizations (data controllers or data processors) that carry out advertising
campaigns;
 the implications of depuration of data controllers‟ databases;
 the conservation of personal data of opt-outs;
 the creation of a Robison list for electronic communications;
 the exercise of the rights of access, rectification, cancelation and opposition by data subjects;

As a general rule, the data subject‟s consent is required for the processing of personal data. . There
are some exceptions to this general rule. Consent is not needed when personal data are collected
from public sources as long as the data controller has a legitimate interest to process the data and
the fundamental rights of the data subjects are not violated.
Express consent is required for the processing of sensitive data.
Express consent is also needed for sending commercial emails or other commercial electronic
communications unless to a person with whom the sender has a commercial relationship and the
requirements established in Article 21.2 LSSI apply.
Implied consent
Implied consent is generally acceptable in Spain. Apart from the type of consent needed, the data
controller must always provide data subjects with information related to the purposes for which
personal data is processed.
142
Consent may also be obtained by sending, in a way that will allow the data controller to track
whether the communication has bounced back, a communication to the data subject with the
information required in Article 5 LOPD providing the consumer with 30 days to object to the
processing. This request of consent can only be sent to the data subject once a year.
Consent by data subject is required when using all means of communication media for marketing
purposes.
Express consent.
health, and trade union memberships Personal data related to beliefs and criminal or administrative
offences.
The addressee must have given their consent to the sender before sending them email or any other
electronic communication system. As stated in the Preliminary Recitals of the LSSI (mentioned in
above), and Articles 19 to 22 related to commercial electronic communications, these
communications should be identified as commercial.
The principles governing commercial electronic communications regulation are the consent of the
addressee and the right to revoke the consent at any time by letting the sender know.
There is one exception to this principle, which was introduced by the LGTel. Consent will not be
required when the sender and the addressee have a previous contractual relationship, the data have
been collected in a lawful way and the commercial electronic communications send to them relate to
products or services which are similar to those originally purchased by the addressee.
Article 38 of the LGTel establishes the rights which correspond to electronic communication services
subscribers. This regulation, in relation to marketing issues, prohibits the use of traffic data for
commercial use without the informed consent of the subscriber. Automatic calls or fax messages for
Direct Marketing purposes without informed consent are also banned.

Soft opt-in is allowed by the Spanish DPA under conditions. Express consent is not required when
there is prior contractual relationship between the sender and addressee . The requirements that
must be met for this exception to apply are described above.

Article 38.3 LGTel regulates the rights of subscribers in electronic communication services and,
includes in the scope of protection companies or professionals subscribers to these services.
This regulation prohibits the use of traffic data for commercial use without the informed consent of
the subscriber, and also requires that automatic calls or fax messages for Direct Marketing purposes
must have informed consent.
Purposes
Data controllers must be precise when they provide information about the purpose of processing
personal data.
143
Generic terms
Article 46 RD LOPD states that data subjects must be provided with information about the specific
sectors from which the data subject may receive information.

There is no official statement that data controllers must use, however, certain information must
always be provided to the individual. This information is listed above.
This statement must also include reference to any transfer of data to a third party that is not a data
processor. Consent of the individual is required to transfer personal data to a third party.
In relation to direct marketing and market research files it is vital to note that data controllers have
the obligation to be precise when informing data subjects about the specific and concrete sectors in
relation to which the data subject may receive information.
When, in the context of entering into a contract with the data subject, the data controller requests
the data subject‟s consent for the processing of their personal data for a purpose other than the
contract, data subjects must be given the opportunity to object to this processing or data transfer of
their personal data.
Data subjects do not need to be given information about the processing of their personal data more
than once unless any circumstance related to the processing has varied. When the data subject‟s data
has been obtained from a public source, data subjects must be provided the following information in
every commercial communication that is sent to them: origin of their data; identify of the data
controller, their rights and how to exercise them.
Opt-out
Every electronic communication must offer the data subject the possibility to opt out from receiving
marketing communications, this must be easy and free of charge.
Yes.
Data Storage

None

Access control registries and CCTV recordings can only be held for 1 month.
A principle of the Spanish legislation is that personal data may be collected for processing, and
undergo such processing, only if it is adequate, relevant and not excessive in relation to the scope
and the specified, explicit and legitimate purposes for which they were obtained. Personal data must
be erased when it has ceased to be necessary or relevant for the purpose for which they were
obtained or recorded.
144
Data controllers must observe the terms of storage of personal data required by law .
Cancellation (opt out) must lead to the personal data being blocked and maintained solely at the
disposal of the public administrations, judges and courts, for the purpose of determining any liability
arising from the processing, and for the duration of such liability. On expiry of this liability, the data
must be deleted.
Penalties
National penalties which the DPA can apply

For infringements of data protection regulation (LOPD and RD LOPD) economic fines and the blocking of
the file in order to restore the rights of the data subjects.
These are the amounts of the fines set out by LOPD:

1. Minor infringements shall be punished by a fine of 601,01 € up to 60.101,21 €
2. Serious infringements shall be punished by a fine of 60.101,21 € up to 300.506,05 €
3. Very serious infringements shall be punished by a fine of 300.506,05 € up to 601.012,10 €
Infringements of electronic communications and e-commerce regulation (LSSI) are the following:
1. Very serious infringements shall be punished by a fine of 150.001 € up to 600.000 € (two or more
very serious infringements within 3 years can result in the company being barred from carrying out
any activity in Spain for a maximum of 2 years)
2. Serious infringements shall be punished by a fine of 30.001 € up to 150.000 €
3. Minor infringements shall be punished by a fine of up to 30.000 €
LGTel establishes a complex fine calculation based on criteria such as the type of infringement or the
profit obtained from the infringement for serious and very serious infringements. In the event that these
criteria cannot be applied, the maximum fine for very serious infringements goes up to 2 million €, and
for serious infringements up to 500.000 €. The maximum fine for minor infringements is 30.000 €.

Penalties established by LOPD, LSSI and LGTel (note: under certain circumstances, a data controller or a
data subject can have multiple fines imposed upon them from these three laws for the same actions).

Collection of data with cookies is regulated in LSSI.
This regulation establishes that services providers using data storage devices (cookies) shall inform the
user, in a clear way, about their use and purpose, offering them the possibility of rejecting the
processing of these data by means of a simple and free procedure.

Both rights must be free of charge for the data subject giving them enough information of how to
exercise these rights.
 Access: the data controller has 1 month to honour the request of the data subject.
 Rectification and Cancellation: the data controller has 10 days to honour the request of the data
subject.
145
SECTION II – Legal Overview – Sweden
Sweden
 The Swedish Personal Data Act 1998;
 The Marketing Practices Act 2008 (MPA);
 The Credit Information Act 1973.
Swedish marketing law is mainly regulated by the MPA, which is based on Directive 2005/29/EC. A
public authority, the Consumers Ombudsman, has the primary responsibility for ensuring compliance
with the MPA. The MPA contains general provisions stating that marketing practices shall be consistent
with generally accepted marketing practices and that marketing practices which contravene this
standard shall be deemed unfair if they noticeably affect or are likely to affect the recipient‟s ability
to take a well-founded commercial decision. These general provisions are supplemented by explicit
provisions and a more detailed system of sanctions. The MPA is both aimed at consumer protection
and to protect commercial and industrial actions.
The legislative technique used in the MPA is based on a combination of having a general clause
requiring all commercial marketing to be fair and compatible with good marketing practice and a
number of detailed legal provisions. These provisions address specific types of marketing practices,
which are to be regarded as unlawful.
The detailed legal provisions concern aggressive marketing practices, misleading marketing practices,
comparative advertising, unsolicited advertising and warranty information. The misleading practices
are specified in provisions regarding
 Identification in advertisements;
 Misleading claims or other presentations;
 Purchase offers;
 Misleading copies;
 Discount;
 Liquidation sales;
In addition, sections 1-23 of Annex I to the Unfair Commercial Practices (UCP) Directive 2005/29/EC,
detail various misleading marketing practices which will always be deemed to be unfair. If a trader is
found to be using unfair marketing practices it may be subject to a prohibition or information in
conjunction with a conditional fine and could also be sued for damages. The advertiser can also be
ordered to pay a fine to the State, a so-called market disruption fee.

Registration of Marketing Lists with the DPA

There is no requirement to register marketing lists with the Data Commission. Processing shall
however be notified but the notification procedure contains several exceptions.
Purposes
The data subject has to be provided with the purpose for the collection of data.
146
Wording for Collecting Data and consent to marketing activities
There is no particular wording required for collecting data. However generally, an the data subject
must be made aware of the purposes for data processing, including that the data are to be used for
direct marketing purposes. From a personal data perspective, implied (opt-out) consent is generally
sufficient for direct marketing purposes. However, under the MPA the data subject must give prior
explicit consent (opt-in) to his data being used for direct marketing through electronic communication
means, such as SMS, telefax and e-mail, but certain exemptions are made, such as marketing of the
traders own products.

Data that reveals any of the following is considered sensitive data:
 Religious or philosophical belief;
 Membership of a Trade Union;
 Race or ethnic origin;
 Political opinions;
 Sexual Interests;
 Health issues;
The government may issue regulations concerning exemptions from the prohibition on processing
sensitive personal data if this is necessary having regard to an important public interest. The rules for
processing of sensitive personal data apply in addition to the fundamental and general requirements
that must be satisfied in the processing of personal data.
Data Storage
Under the Swedish Personal Data Act, personal data should not be kept for a longer period than
necessary. As regards processing of personal data for historical, statistical or scientific purposes
certain rules apply. If personal data that are processed for such purposes are also processed later, this
is not considered incompatible with the original purpose for which the data were gathered. It is also
permitted, for such purposes, to save personal data for a longer period. Personal data can only be
stored during a time when there is a purpose for the information:
 The time limit for maintaining registrations on dormant customers is three years;
 The three year limit can be extended if an active customer contact is established.
The advertiser must get rid of the information if he hasn‟t received any response. When destroying
the information, it should be done so there is no way to recreate the information. It is not enough
merely to write the information in cipher.

No specific data confidentiality clause exists.
Penalties
Breaches regarding processing of personal data may render fines, imprisonment and/or damages.

Presently, the European Commission has started an action at the European Court of Justice (ECJ)
against Sweden for not applying the EU Directive adequately.
147
The controller is liable, upon request by the data subject, to correct, block, restrict or erase as soon
as practicable personal data which has not been processed in accordance with the Personal Data Act
or regulations issued under the Act. If a disagreement arises between the controller and the
registered person about whether data should be corrected or not, the data subject can report the
matter to the DIB.
National DPA‟s Contact Details
Datainspektionen
Box 8114
SE-104 20 Stockholm
Sweden
Office Address:
Drottninggatan 29
5th Floor
Stockholm
Sweden
Tel: (+46) 8 657 61 00
Fax: (+46) 8 652 86 52
Email: datainspektionen@datainspektionen.se
Web: http://www.datainspektionen.se/in_english/contact_us.shtml
Industry Codes of Practice

For information, contact SWEDMA:
David Bagares Gata 3
P.O. Box 3276
103 65 Stockholm
Sweden
Tel. + 46 8 534 802 60
Email: direkt@swedma.se
Website: www.swedma.se
148
SECTION II – Legal Overview – Switzerland
Switzerland
 Swiss Federal Act on Data Protection (“DPA”), 19 June 1992 (Status as per January 2008)
 Ordinance on the Data Protection Act, 14 June 1993 (Status as per 1 January 2008)
 Ordinance on the Certification Procedure, 28 September 2007 (Status as per 1 January 2008)
 Art. 28 of the Swiss Civil Code dealing with the protection of personality rights.
The Act regulates the processing of data of private individuals and legal entities undertaken by both
private individuals and Federal Authorities. It does not apply to:
 personal data that are processed by a private individual exclusively for personal use and that are
not disclosed to a third party;
 deliberations of the Federal Parliament and Parliamentary Committees;
 pending civil, penal, or international legal assistance proceedings, or public or administrative law
proceedings, with the exception of administrative proceedings of the first instance;
 public registers relating to private law matters;
 personal data processed by the International Committee of the Red Cross.
The DPA maintains a register of data files that is accessible online. Anyone may consult that register.
Federal authorities must declare all of their data files to the DPA for registration purposes.
Private individuals must register their data files (i)_ if they regularly process sensitive personal data
or personality profiles or (ii) if they regularly disclose personal data to third parties.
However, the controller of data files is not required to declare his files to the DPA under certain
conditions (Art. 11a § 5 lit. a to f DPA and Article 4 of the Ordinance).
Purposes
Personal data may only be processed for the purposes for which it was collected, which are evident
from the circumstances of the collection, or which are provided for by the law.
Wording for Collecting Data (art. 4 DPA)

Personal data must be processed lawfully, and the processing must be proportionate and carried out
in good faith. The collection of personal data and in particular the purpose of its processing must be
evident to the data subject (principle of transparency).
If the consent of the data subject is required for the processing of personal data, such consent is only
valid only if it is given voluntarily on the provision of adequate information. Additionally, in relation
to sensitive personal data and personality profiles, the consent must be given expressly.
Correctness of the data (art. 5 DPA)

Anyone who processes personal data must make certain that it is correct. Duty to provide information
when collecting sensitive personal data and personality profile (art. 7a DPA)
Sensitive personal data includes data relating to the subjects:

 religious, ideological, political or trade union-related views or activities,
 health, the intimate sphere or the racial origin,
 social security measures,
 administrative or criminal proceedings and sanctions.
149
A personality profile is a collection of data that permits an assessment of essential characteristics of a
private individual.
The controller of a data file is obliged to inform the data subject of the collection of sensitive
personal data or personality profiles; this duty to provide information also applies if the data are
obtained from third parties.
If the data are not obtained from the data subject, the required information must be provided at the
latest when the storage of the data begins, or if the data is not stored, when it is first disclosure to
third parties.
Data Storage (art. 7 DPA and art. 8 to 12 of the Ordinance regarding the DPA)
The DPA does not provide specific provisions regarding data storage. It contains however provisions as
to data security. According to these provisions, personal data must be protected against unauthorised
processing through adequate technical and organisational measures. Moreover, for security purposes,
sensitive personal data and personality profiles should be protected and are to be kept under
restricted access.
Articles 8 to 12 of the Ordinance regarding the DPA address the technical measures to be taken in this
regard.

There is no data confidentiality clause as such however the following rules apply (Article 8 of the Data
Protection Act):
 Anyone may ask a file controller if data stored concerning him are being processed;
 The file controller must provide information on:
a) all data relating to the individual that are contained in the file;
b) the purpose and if necessary the legal basis for the processing, the categories of processed
data, the individuals involved in processing the file, and the individuals designated to receive the
file;
 In the event that the file controller has the personal data processed by a third party, the data
controller shall remain responsible for providing any information that is requested. The third
party shall be obliged to provide information in the event that it does not disclose the name of
the data controller or in the event that the controller is not resident in Switzerland;
 The information should, as a general rule, be provided free of charge and submitted in writing in
printed form. The Federal Council regulates exceptions.
 No one may waive the right to information in advance.
Data Processing by third parties (art. 10 A DPA)

The processing of personal data may be carried out by a third parties by agreement, or by law, if:
 the data are processed only in accordance with the instructions of the data controller; and
 it is not prohibited by a statutory or contractual duty of confidentiality.
The instructing party must in particular ensure that the third party guarantees data security. The
third parties may claim the same justification as the instructing party.
Cross-border disclosure (art. 6 DPA)

Personal data may not be transferred abroad if the privacy of the data subjects would be seriously
endangered, in particular due to the absence of legislation that guarantees adequate protection.
150
In the absence of legislation that guarantees adequate protection, personal data may be disclosed
abroad only under restrictive conditions as mentioned under (Article 6 (2) a to g DPA). The explicit
consent of the data subject may be an alternative to disclose the data. The consent must be given for
each case separately and the person must know which data are concerned by the transfer.
It is not possible to give a "general consent" regarding the transmission of personal sensitive data to a
foreign recipient.
Certification Procedure (art. 11 DPA and Ordinance about the Certification Procedure)
According to the new regulation, private individuals or Federal Authorities can submit their
operational processes and organizational structures relevant for data protection in order to obtain a
"Data Protection Certificate". The definition of "certification" according to Swiss law is not the same
as that in other European countries.
Security of Data
Personal data must be protected against unauthorised processing by appropriate organisational and
technical means. The Federal Council may enact more detailed provisions on the minimum data
security measures (see also above: Data Storage).
Penalties
Private persons violating their obligations with respect to information, notification and granting
access to information are punishable by fine. Unauthorised access to sensitive data is punishable by
fine, i.e. the data subject enjoys all usual remedies available under normal civil procedure (i.e.
injunctions, right to restitution, or right to claim damages). Private individuals who unlawfully
disclose personal data are liable to a fine (see art. 35 DPA).

No information available.
Access and Rectification of Data (art. 29 DPA)

Whoever processes personal data must ensure that the information is correct. Any persons affected
can request the rectification of inaccurate data.
The Commissioner shall investigate cases in more details on his own initiative or at the request of
third parties under various conditions.
On the basis of his investigation, the Commissioner may recommend that the method of processing be
changed or abandoned. If a recommendation made by the Commissioner is not complied with or is
rejected, he may refer the matter to the Federal Administrative Court for a decision. He has the right
to appeal against this decision.
Industry Codes of Practice

The Swiss Code of Best Practice for Corporate Governance contains the principles for corporate
governance in Switzerland and gives recommendations to the Swiss public companies. Unlisted
companies can also use the code. As it was issued by “economiesuisse” (the Swiss Business
Federation), it is considered to be a self regulation tool for all business (industry, financial sector,
other services).
Consumer Protection Regulation

The Office of Consumer Affairs ensures that the collective interests of consumers are upheld.
It promotes consumer protection and the proper functioning of the market. For more information (in
French, Italian, German and English): http://www.ch.ch/urn:ch:en:ch:ch.02.13.02.10:01
151
SECTION II – Legal Overview – UK
United Kingdom
 Data Protection Act 1998
 Privacy and Electronic Communications (EC Directive) Regulations 2003

The DPA does help with enquiries.

If you are a data controller in the UK (i.e. Responsible for compiling and maintaining a marketing list),
the general rule is that you are required to notify. However, you may be exempt from the
requirement to register, but it is still good practice to do so, if you are:
 only using your own customer list for the marketing of your own goods and services to them; and
 you otherwise only process personal information for staff administration purposes (including
payroll) and for accounts and record keeping purposes
Please see:
www.ico.gov.uk/what_we_cover/data_protection/notification/do_i_need_to_notify.aspx
If you are a data processor (i.e. only compiling and maintaining a marketing list on behalf of a client),
then you do not need to notify, but it is good practice to do so.
3 weeks
Registration costs
From October 2009 a new two tiered fee system for registration with the Information Commissioners
Office (DPA) was introduced, based on the organisation‟s size and turnover.
Data contollers will have to pay a registration fee of £35 per year unless they are exempt or if they
meet the following criteria:
 a turnover of £25.9M and 250 or more members of staff; or

 if they are a public authority with 250 or more members of staff
In which case they will have to pay £500 per year.
purposes
1) Balance of interests necessary for the purposes and legitimate interests pursued by marketer or
third parties to whom the data are disclosed, except where the marketing is unwanted in any
particular case because the recipient has registered with the preference services (Robinsons Lists)
2) Consent of the individual
152
Consent is required for email, SMS and fax marketing to individuals. The UK uses the definition of
consent in the Data Protection Directive. Consent is defined as any freely given, specific, informed
action by which the consumer signifies agreement. Consent can be obtained by an opt-in tick box or
by the consumer providing their contact details providing they are told the consequences before they
provide those details.
Implied consent
Implied consent is acceptable for the marketers own marketing, but remember that consumers can
withdraw implied consent at any time. Implied consent is acceptable for email and SMS if using the
„soft opt-in‟ facility. Implied consent is also acceptable, other than for email and SMS, for passing
contact details to third parties. Organisations in the UK often use two tick opt-out boxes:
1. for own marketing
2. for third party marketing
Implied consent can also be obtained by providing consumers with a valid contact address they can
use to opt-out, but if this method is used, any request has to be acknowledged within 21 days.
Consent is required for SMS, MMS, EMAIL, FAX
Consent is not required for Telephone (although the Preference Service needs to be checked first)
and Mail (provided the address was not registered in the Preference Service)
Explicit consent is required to process sensitive data.
No other category.
Consumers have to opt-in to any marketing communications by email, SMS and MMS, however see the
soft opt-in option below.

A soft opt-in is available when the direct marketer has obtained the personal data during negotiations
for the sale of goods or services and the communication will be about similar products or services to
those purchased. Every communication must provide an easy opt-out mechanism and the trader‟s
identity must not be concealed.

The rules requiring an opt-in for email marketing do not apply to emails sent to organisations, even if
there is a named individual. The identity of the sender must be clear and the email must provide a
valid address to which opt-out requests can be sent.. However, the British Code of Advertising, Sales
Promotion and Direct Marketing (the CAP code) recommends that explicit consent should be obtained
for marketing consumer products to named employees of corporate subscribers.
153
Purposes
There is no requirement to be precise when providing the purpose for processing information.
Although the DPA has produced best practice guidance which states that organisations should provide
as much as much detail as possible as to the purposes of processing. Failure to comply with best
practice guidelines can result in an organisation being held to be in breach of the Data Protection Act.
Generic terms
Generic terms are acceptable, however, see the above, not on the DPA‟s best practice guidelines.

There is no requirement or recognized form of wording.
Only on the initial collection of the data
Opt-out
Normally opt-out is exercised through a tick box on a response or data collection form or in the case
of email and SMS a return unsubscribe facility. Opt-out can also be exercised through a valid contact
address.
By means of two tick opt-out boxes:
 for own marketing
 for third party marketing
Implied consent can also be obtained by providing consumers with a valid contact address they can
use to opt-out, but if this method is used, any request has to be acknowledged within 21 days.
Yes- if you are using the soft opt-in exemption for email or SMS.
No – for other channels although it is good practice.
Data Storage

There is no model data confidentiality clause in the UK.

There is no specific limit for holding data, but data should not be kept longer than is necessary. Direct
Marketers should therefore draw up their own retention policies, bearing in mind retention periods
under company and tax legislation and ensure that data are destroyed at the appropriate time.

There are no model clauses to govern the rules. Data can be transferred between companies provided
there is a contract in writing in place which meets the requirements of Schedule 1 Part II paras 9 – 12
(see section „Security of Data‟ below). The UK DMA has an example contract.
154
Transfer of data to non-EU countries
Procedure for transferring data to non-EU countries

The Information Commissioners Office (ICO) has produced guidance but does not require notification
of individual transfers nor does it wish to see individual contracts. However, when you initially notify
the ICO, you must state whether you transfer data to such countries.
Security of data
In order to comply with the security principle in the Data Protection Act 1998, where processing of
personal data is carried out by a data processor on behalf of a data controller, the data controller
must:
a) choose a data processor providing sufficient guarantees in respect of the technical and
organisational security measures governing the processing to be carried out, and
b) take reasonable steps to ensure compliance with those measures.

Data Processors may have to incur costs to keep up with technological developments.

Database owners have protection under copyright legislation (sui generic right) in respect of their
databases, specifically the Copyright and Rights in Databases Regulations 1997. These rights were
seriously limited by the William Hill v British Horseracing Board case.
Penalties

The DPA has the power to issue an enforcement notice, in which it can order the controller to take
specific steps to rectify a breach. It can also carry out an assessment of how an organisation processes
personal data either in response to a complaint or on its own initiative. It can also issue an
information notice requiring the production of specified information. From the 6 April 2010 the DPA
will have the power to fine organisations for serious breaches of the Act. The maximum fine will be
£500,000, depending on, amongst other things, the seriousness of the breach, and the ability of the
organisation to pay the fine.
If an organisation fails to comply with an enforcement notice, court action can be taken and a fine of
£5,000 (7,500 Euros) in the Magistrates Court or an unlimited fine in the Crown Court. The DPA can
also apply for a warrant for powers of entry and inspection in the case of suspected breaches of the
Data Protection Act 1998.
There is also a criminal offence under section 55(1) Data Protection Act 1998 for unlawfully obtaining
or disclosing personal data without the consent of the data controller.
Penalties for breaching the rules on unsolicited Email

The DPA has the same powers of enforcement as under the Data Protection Act 1998 to deal with
breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
individual has the right to request the data controller to correct this.
155

There are no special rules but the Privacy and Electronic Communications (EC Directive) Regulations
must be complied with in respect of marketing by email.

Individuals have the right to ask data controllers for a copy of all the personal information they hold
on them. The request must be in writing and a maximum fee of £10 (15 Euros) can be charged. Data
controllers have a maximum of 40 days to provide the information. If there are any inaccuracies in the
information, the individual has the right to request the data controller to correct this.

The UK DMA have a Code of Practice which is mandatory for all members. The Mail Preference Service
(MPS) is a self-regulatory scheme run by the UK DMA. Use of it is required under the DMA Code of
Practice and the British Code of Advertising, Sales Promotion and Direct Marketing (the CAP code).
The Telephone Preference Service (TPS); Corporate Telephone Preference Service (CTPS); and the Fax
Preference Service (FPS) are run by the UK DMA on behalf of OFCOM (Office of Communications). Use
of the registers is a legal requirement under the Privacy and Electronic Communications (EC Directive)
Regulations 2003.
The UK DMA Code of Practice is not formally agreed with the DPA, but the DPA wrote the forward for
the Code, welcoming its introduction.
The UK DMA runs the Email Preference Service. Use of it is a requirement under the UK DMA Code of
Practice if you are emailing to recipients outside Europe. All the above can be found on the DMA
website at www.dma.org.uk.
156
SECTION II – Legal Overview – USA
United States of America
 Fair Credit Reporting Act (FCRA, 1970)/Fair and Accurate Credit Transactions Act (FACTA, 2003) –
credit-report privacy
 Privacy Act (1974) – government privacy
 Video Privacy Protection Act (VPPA, 1988) – video-rental privacy
 Health Insurance Portability and Accountability Act (HIPAA, 1996) / Health Information
Technology for Economic and Clinical Health Act (HITECH, 2009) – healthcare privacy
 Drivers Privacy Protection Act (DPPA, 1994) – driver‟s license privacy within government
 Telemarketing & Consumer Fraud and Abuse Prevention Act (1994) / Telemarketing Sales Rule
(2003) – telemarketing privacy
 Children‟s Online Privacy Protection Act (COPPA, 1998) – children‟s privacy
 Gramm-Leach-Billy Act (GLBA, 1999) – financial privacy
 Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN SPAM, 2003) – e-mail
marketing privacy
 State-level data-breach notification laws (ex: California SB 1386)
 State-level Social Security Number privacy and security laws
 State-level information-security laws (ex: Massachusetts 201 CMR 17)
 State-level healthcare privacy laws
 State-level government privacy laws (ex: Minnesota Data Practices Act)
In the US, there is no data-protection regime in the European sense of a federal data-protection
commissioner (DPA) overseeing the enforcement of a national data-protection law governing all
personal data. That said, an array of US federal and state regulations govern the protection of many
types of personal information in a similar manner to European data-protection laws. The laws
variously provide the data subject access and correction rights. There also exist:
 Limitations on transfers to third parties;
 Limits on the purposes for which information can be used;
 Rights to be notified of data breaches;
 In some cases, individual rights of action.
The varying privacy laws that exist in different sectors and states should be reviewed before doing
business with the US. Generally, one should begin this review with the „business sector‟ the
organization is involved in, then proceed to consider the states it is located in or does business in. For
example, the Fair Credit Reporting Act is extremely complex and has been amended several times but
effectively regulates collecting personal data for sale.
Another example is that of the Health Insurance Portability and Accountability Act (HIPPA) which is
also very complex and it imposes the data protection regime on medical providers. To market in this
area, a signature is required from the data subject.
US laws in data protection are supplemented by self-regulatory regimes, such as those administered
by the Direct Marketing Association, TRUSTe, and Better Business Bureau, and industry-led initiatives
such as the Payment Card Industry Data Security Standard. In addition, the US Department of
Commerce administers, and the Federal Trade Commission enforces, the EU-US Safe Harbor
Agreement, a programme wherein US companies can voluntarily conform their processing of EU
personal data to European data-protection principles.
157
N/A
purposes
The United States, neither at the federal or state level, distinguishes between sensitive or non-
sensitive data in the European sense. Where its laws impose restrictions on using data for direct
marketing, they do so from the perspective of the category of data subject (children, for example),
the business sector in question (healthcare, for example), or the mode of communications used (e-
mail, for example). At a fundamental level, the Constitution of the United States of America has
established the legal grounds for processing personal data for marketing purposes, as US courts tend
to see this type of communications as within the freedom of speech. Under the self-regulatory model
of the US Direct Marketing Association, customers and prospects should be clearly informed of their
right to tell the member company to suppress the processing or transfer of their details.

In general, consumers exercise an opt-out approach to consent, either by clicking on an “unsubscribe”
link on an e-mail, checking an “opt-out” box on an online profile, posting an opt-out form, or calling a
call center. Patients sign authorization forms to provide consent for the processing of their
protected-health information. Parents give consent for data collection from and marketing to their
children by, for example, providing a verifiable credit-card number. In the self-regulatory model of
the US Direct Marketing Association, data subjects should be clearly told if their details might be
transferred and be provided with an easily exercisable way to opt-out of the direct marketing process.
Implied consent
Implied consent is acceptable in the US and is done by inactivity and failure to object.
Please note that affirmative consent is required for marketing through certain media. See below.
Consent is required for SMS and FAX
Consent is not required Email, Telephone and Mail
There is no information on the sending of MMS messages.
Express consent is required under some federal and states laws, particularly regarding health and
children‟s information.

Health information, which would include sexual interests if the information was obtained in the
context of seeking medical advice or care. Financial information is also considered “sensitive” and is
subject to many regulations on the Federal and State level as to disclosures on gathering and to whom
the data may be disclosed.
158
The Constitution of the United States of America, modified in case of SMS by Congress, which requires
opt-in in the case of transmission of commercial messages where the recipient pays the cost of
receiving the message (e.g. SMS, Fax).

“Soft” opt-in is referred to in the US as a “pre-existing business relationship”. A business relationship
is defined as a purchase or enquiry within defined periods of time.
Rules on electronic communication for B-to-B marketing purposes, specified by subject:
Category Opt–in Opt-out
Automated calling machines


Fax

Email

SMS

MMS

Purposes
When giving the purposes for processing personal data, it is required to be precise when the
information is sensitive. However, it is generally not necessary to be as precise for non-sensitive
information.
Generic terms
Generic terms are acceptable for non-sensitive information.

There are a required and recognized wording for collecting data, and where required, best practices
generally produce common forms of wording in different industries, particularly in the financial and
healthcare sectors.
Generally, only to prospects, although in the sensitive area (financial/medical) most organisations
also disclose to existing clients.
159
Opt-out
Can be oral through a phone call; letter, or electronic through an e-mail or Web site.
For commercial e-mails.
Data Storage

Data confidentiality is a major, ongoing focus of enforcement in the US. In practice, required
notifications of data breaches can result in class-action lawsuits, investigations by state attorneys
general, the Federal Trade Commission, and – depending on the sector of the company involved – by
state insurance commissioners, federal financial regulators, and the US Department of Health and
Human Services. In this regard, the Payment Card Industry Data Security Standard and the Gramm-
Leach-Bliley Safeguards Rule have become de facto national standards of „reasonable security‟ and
confidentiality.

Sectoral and state laws and standards dictate an array of different time limits for holding personal
data, particularly employee records, financial records, and credit-card information.
Penalties
National penalties
The Federal Trade Commission can apply to fines in excess of $1 million.

Civil penalties and civil damages.

None

A legally-enforceable right to access and correct data is embodied in the Federal statute regarding
credit-information, the Fair Credit Reporting Act, which governs the collection of financially-related
information, its use, its theft or loss, and a consumer‟s right to correct information if credit is denied.
Consumers may also block the disclosure of their data on demand.

Codes and Practice and Preference Services can be found at the USA DMA. www.the-dma.org
160
About FEDMA
FEDMA, the Federation of European Direct and Interactive Marketing, represents the sector in all its
forms at European level. FEDMA's objectives are to protect and promote the direct and interactive
marketing sector by creating, through representation, self-regulation and information, acceptance
of, and confidence in, direct and interactive marketing within a healthy commercial and
legislative environment in which the sector can profitably operate and develop. Representing the
interests of over 18,000 companies, FEDMA is the single voice dedicated to building the business
of cross-border direct and interactive marketing, through its vast network of businesses within and
beyond Europe. All our members enjoy a wide range of services.
FEDMA's Mission Statement
Today, direct marketing strategies (via mail, email, telephone, mobile, Internet and direct response)
are an essential tool for companies to approach, inform and retain customers, as well as providing
customer relationship services.
The development of sophisticated databases, telemarketing and e-marketing has made direct
marketing increasingly popular as a marketing strategy and has encouraged strong investment.
FEDMA‟s task is dedicated to building the business of cross-border direct marketing, by promotion,
protection, information and best practices.
FEDMA's mission is to:
Protect the European direct and interactive marketing industry and the interests of our members.
FEDMA aims to encourage the European institutions to ensure a healthy commercial and legislative
environment within which the industry may prosper.
Promote the European direct and interactive marketing industry towards governments, media,
businesses, consumers; to encourage the growth and profitability of our members and support the
further development of direct marketing as a marketing strategy .
Inform members, governments, media, businesses, and consumers about the European direct and
interactive marketing industry, and encourage education and training for the sector.
Contact Details
Federation of European Direct Marketing
439, Avenue de Tervuren, B-1150 Brussels
Tel: +32 2 779 42 69
Fax: +32 2 779 42 69
E-mail: info@fedma.org
Web: www.fedma.org
161

Fed Ma Report

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Fed Ma Report

Uploaded by

Copyright:

Available Formats

FEDMA Pan European Email

Marketing Benchmark Report

2010 - first edtion

This report is published by FIMAC –

Copyright © FEDMA 2010

1. About Nick Martin; About Field Fisher Waterhouse LLP P. 5

Alterian, Opt4, Mardev, Telefaction, Fokus Integrated, PAR P.12

D1. Geographical distribution of respondents P. 15

E1. Regular newsletter P. 33

F. Survey - Email Service Providers:

F1. Geographical distribution of respondents P. 37

G. ESPs and DMAs P. 49

2010 Legal Overview – Email Marketing in Europe P. 57

Introduction by Alastair Tempest, FEDMA P. 58

Data Protection and Regulations in:

Austria P. 60 Italy P. 107

Up to date guidelines for professional marketers, including detailed information on:

Current Data Protection Laws and Regulations

About FEDMA P. 160

With 25 years spent in marketing information services, Nick's career has

Now independent, he is currently working on ventures in collaborative

Find him on Twitter: http://twitter.com/n1ckma , Linkedin and on his blog

About Field Fisher Waterhouse LLP

Welcome to this, the first pan-European email benchmark survey.

Alastair Tempest, April 2010

Email marketing benchmark survey overview

The insight challenge

A number of factors are driving these growth trends:

Key growth factors/ inhibitors

Deliverability and IPR

Email marketing uses

ESP reported Average delivery rates

ESP reported Hard bounce rates

ESP reported Click through rates

ESP reported Open rates

Volume predictions for 2010-04-07

Alterian‟s unprecedented integration of analytics, content and execution

Alterian is changing the rules of the game through technology – allowing

Alterian works with marketing services partners, system integrators and

Opt-4 is an international permission marketing and privacy consultancy

Mardev, the direct marketing division of Reed Business Information, helps

But we appreciate that successful business targeting involves much more

>> database enhancement

We offer a complete solution, from finding your very best prospects,

PAR is developer of direct marketing information since 1956. PAR is a database

Fokus Integrated is specialized in helping B2B and B2C marketers improve

The results: Client Survey

Use of promotional emails as part of marketing mix

Other - small medium sized…

Other- large business B2C

Other- large business B2B

Retail (not e-commerce)

1.2 How many employees do you have at your company?

Number of employees and Number of years the company

1.3 What are the number of employees in your marketing department?

20+ employees; 1 employee; 24,7%

Both businesses and

Only consumers; Copyright © by FEDMA

Handling of email campaigns

40,9% Everything done in house

Don‟t send email newsletters 10,9%

Every six months 3,6%

Every two weeks 12,5%