Professional Documents
Culture Documents
Sponsored by
All rights reserved. No part of this publication may be reproduced, stored in a retrieval
system, or transmitted by any means, electronic, mechanical, photocopying, recording
or otherwise, without the prior permission of FEDMA.
Further copies of this report can be purchased from FEDMA at the above address, priced at
€1.200, or €349 for FEDMA members.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
3
Table of contents
Section I:
A. Introductions/welcome by:
B. Executive Summary P. 8
C. Sponsors:
D. Survey - Clients:
E. Campaign metrics:
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
4
Table of contents
Section II:
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
5
About Nick Martin
Nick spent many years at Reed Business Information (RBI), leading their
global B2B marketing services operation Mardev. Latterly he was
European Vice President and UK Managing Director at Acxiom.
He first launched a B2B email marketing service in 2000, online B2B lead
generation in 2006, before developing Acxiom's integrated
consumer demand generation solution across Europe.
With thanks to Eduardo Ustaran and Michelle Levin of Field Fisher Waterhouse LLP.
Field Fisher Waterhouse LLP is a full-service European law firm with offices in London, Manchester,
Brussels, Hamburg and Paris.
Field Fisher Waterhouse LLP's market leading Privacy and Information Law Group comprises a
dedicated team of lawyers supported by an international network covering over 40 jurisdictions with
specialist knowledge across all areas of privacy and data protection law. Its work embraces all aspects
of privacy-related law, including working with regulators across the world and contributing to the
policy-making process
Eduardo Ustaran is the head of the Privacy and Information Law Group and an internationally
recognised expert in privacy and data protection law. Eduardo advises international clients, including
FTSE 100 companies and leading Internet businesses, on the adoption of global privacy strategies.
Named by Revolution magazine as one of the 40 most influential people in the growth of the digital
sector in the UK, Eduardo is co-author of E-Privacy and Online Data Protection and of the Law
Society‟s Data Protection Handbook.
Michelle Levin is a solicitor in the Privacy and Information Law Group. Michelle's practice focuses
privacy and security issues in relation to the Internet and e-commerce, marketing activities and
information sharing.
www.ffw.com
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
6
Introduction
Alastair Tempest, Director General,
Federation of European Direct and Interactive Marketing
Thanks to the national direct marketing associations (DMAs), and other sources that we had at our disposal we were
able to send at the survey to a wide range of ESPs and clients across Europe – and, indeed, far beyond.
Email marketing has not had a very easy beginning. Unlike most marketing channels, it was immediately seized upon
by unscrupulous operators, and naive amateurs who created an era of spam, which lost the trust and confidence of
consumers, and greatly irritated regulators. Email marketing was almost strangled at birth by the activities of
spammers, sending out millions of unsolicited, untargeted and unwelcomed messages, which not only clogged up
consumers‟ mail boxes, but also played havoc with the ISPs‟ systems. Since email remains a cheap marketing
medium there is a temptation to forget two of direct marketing‟s cardinal rules – always target your
communications and never over-do a good thing! Consumers who have opted in can become frustrated by too many
irrelevant messages and then opt out – when that happens the customer / potential customer is lost forever. Over-
mailing also can cause problems with ISPs and trigger other systems which block bona fide senders as well as
spammers. In 2002, the European regulators applied opt-in (consent) laws for electronic communications, and over
time there have been some successful prosecutions of spammers. But by far the most important development have
been technical solutions (firewalls, spam filters, etc). Spam volumes have continued to rise over time and are now
variously estimated to be about 40 billion messages a year, 95% of total email traffic. The European Network and
Information Security Agency (Enisa), Microsoft and Symantec all come to about the same estimate. Symantec points
out that the percentage change from 2006 to 2009 has been 39% (from 56% to 95%), which is horrific. Effective
filtering has reduced the numbers of spam actually delivered. However, in another concerning development, while
the amateur spammer is now less active, professional and highly organized criminal spam operators have appeared
with their “bots”, viruses, spyware, etc, to plague both the consumer and business. FEDMA recognized the need to
be actively engaged in the fight against spam early on, and became one of the first business organisations in the
London Action Plan (LAP) – a unique, global cooperation between the regulators, enforcement bodies and business.
However, despite the problems created by spam, email marketing has not only survived but flourished on the basis
of opt-in (consent) from the consumer (and now in some countries, also applied to business to business emailing, as
the reader will see in the section on legal requirements at the end of this report).
Email marketers are tackling the problem of getting their messages accepted both by ISPs, and also by the individual
firewalls and spam filters on personal computers. This is not easy and there are a number of national initiatives to
try to solve the problems, such as the German ISPs‟ (ECO) system, which recognizes specific ESPs (email service
providers) and provides a strict code of best practice. FEDMA does not believe that the spam issue has stopped
damaging bona fide marketing messages – far from it, spammers use sophisticated and state-of-the-art software to
avoid being blocked – however, properly done email marketing is now much better recognised and accepted.
Email is a fast, effective, and efficient medium for getting marketing messages, and supporting information (such
as regular email information sheets – “ezines” – and other supporting information alerts, customer relations info,
etc) to the recipient. Email may even be helped by its ephemeral nature – it can be easily stored in the email
mailbox of the receiver, and equally easily deleted. Interested – but not now – leave it in the inbox; not interested –
delete with a click.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
7
Introduction Contd
As direct marketing has rapidly evolved over the last decade into multi-channel, convergence (relationship)
marketing, all means of communication are finding their place. Email is particularly powerful in both a “passive”
and “active” context – it is used to send information to the consumer (which can of course include active links to
websites, etc); and it is used by the consumer to send messages to the marketer. As our survey shows, email has
moved from being used by marketers simply as an acquisition tool, and is now recognized as a very effective method
for demand generation, combining push and pull, as part of integrated programme in web marketing. Email within
these parameters has proved to be the key to success for many campaigns.
As the legal section of this report shows the regulations in place within the European Union vary enormously. Opt in
is universally required in the EU, however, how that is applied is not at all consistent, with a number of the 27 EU
Member States simply ignoring part of the EU directives. This makes the email marketers‟ job difficult and raises
questions in cross border email marketing campaigns. FEDMA is constantly being approached by marketers for advice
on these issues.
FEDMA intends in the future also to produce benchmark studies for Europe on mobile marketing and multi-channel.
We expect that we will find considerable convergence between all these major marketing communications channels.
Each provides specific benefits, within the general marketing strategies of marketers. Direct mail, for example, can
help drive permission (consent) for email; SMS through short messages provides links which the consumer can either
activate to eventually receive, or send, emails to the marketer, etc. The website and the telephone also play key
roles in this convergence or integrated marketing. The new generation of mobile phones has brought email to the
handset of consumers as well as business.
As marketers, we need always to be careful to nurture the trust and confidence of our customers. Email (as spam
has shown) can become very intrusive if used unwisely. Excessive use of an opted-in email list will rapidly lead to
loss of consent. Recipients will simply exercise their right to opt out, and once that happens the contact is most
likely to be lost forever. Codes of conduct (and best practices, suggested in reports such as this one) are useful
guidance to prevent the over-use of, or even misuse of, email lists. But the most important thing an email marketer
has is the common sense to avoid over-using its email lists.
Creativity is another issue which many experts have written about. The creativity to create great email copy is
completely different from the skills needed to write a great direct mail letter! Experience is providing excellent
case studies and training courses to help the marketer / agency new to email to find its way through the pitfalls and
achieve excellent results. But training is important.
This report would never have been prepared had it not been for the work of a number of people.
We are extremely grateful to the UK DMA Email Marketing Council for allowing us to use their well-established
template and results; to Nick Martin who has carefully analysed the data and provided the commentary; to Michael
Leander Nielsen of Fokus Integrated and to all the FIMAC Council of FEDMA for their invaluable assistance. Eduardo
Ustavan of Field Fisher Waterhouse and his colleagues provided essential legal input to the Legal Section. And of
course, we are greatly indebted to the national direct marketing associations; and to all those ESPs and marketers
who took the time to fill in the questionnaire. We do hope that you will continue to answer our annual
questionnaire from now on!
The report would not have been possible without the generous support of Alterian and Opt4, and to Mardev which
sponsored its publication.
Finally, the FEDMA staff, Jorgen Andreassen, Razvan Antemir, Lena Jaggi, Salima Hassan and our intern Victory Budd
have been invaluable in bringing this baby to term!
If you see any errors, or have suggestions please let us know so that we can improve the study in the future.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
8
Executive Summary
The first pan-European Email Marketing Benchmark Survey
FEDMA has published the first pan-European Email Marketing Benchmark Survey. This is sampled from
clients directly and Email Service Providers (ESP), comprised of 464 end users and 75 email service
providers (ESPs), with respondents operating across 16 European countries. There is broad
representation from across sectors and size of organisations.
The Survey published by FEDMA contains 31 charts. In addition there is a 102 page report on the legal
situation in 22 countries.
At the survey shows, over the last decade email marketing has grown from being a discrete
marketing activity, delivering exceptional rates of return, to a connected part of an organisation‟s
overall marketing mix.
Today it is rare for an organisation not to employ email marketing as a prime channel, whether for
acquisition, list building, lead generation, nurturing, customer management, up and cross sell,
retention marketing or win-back programmes.
Inevitably as its use has become embedded as an essential part of any customer communication or
engagement strategy, and email volumes have rocketed, its effectiveness for acquisition marketing
in particular has moderated. Notwithstanding it is proving a phenomenally successful marketing
channel in the hands of responsible practitioners, and the vast majority of organisations now use
email as a key communication channel.
Years practised
Yet the average length of time that respondents to the benchmark report have been deploying email
marketing is just over 5 years, ranging from 3 1/2 to just under 7 years. So for many practitioners it
is a relatively new medium.
A quarter of email marketing practitioners still do not personalise, which also suggests that among
that group, limited segmentation and targeted list selection takes place. This will need to change if
email marketing is to justify continuing increased levels of investment based on performance due to
rising market activity levels.
With 56.7% of end users undertaking email marketing entirely in-house, there is a parallel need to
apply more rigorous analysis; and as marketing departments find themselves increasingly stretched
in an increasingly challenging world, they may well need to reconsider outsourcing key aspects of
their email marketing operations.
Executive Summary - FEDMA Pan European Email Marketing Benchmark Report First edition 2010
9
Executive Summary
Email marketing growth prospects
Email marketing activity levels are set to continue to grow, and campaigns are likely to proliferate.
72.3% of respondents plan on sending out more marketing emails, and practically no one expects to
do less. Yet opt out rates as a proportion of total volumes are expected to hold steady. This assumes
at least as much or better targeting in spite of the higher volumes.
• Email marketing is gaining a greater share of the marketing wallet along with other forms of
digital media, at the expense of traditional advertising and offline media, due to immediacy of
results (notwithstanding the considerable scope for improving performance measurement).
• Driving sales is the main motivation for using email marketing, along with lead generation and
driving web traffic. A lot of that activity is in support of new customer acquisition. Whilst that
will continue, expect the biggest growth over the next year to come in customer management
cross and up sell programmes.
• Email marketing‟s expanding role within integrated marketing campaigns, lead generation, social
media and customer management programmes shows that it is ripe for further growth as more
sophisticated consumer engagement rule sets are defined and applied that reflect buyer and
customer behaviour; and permit practitioners to act upon it quickly.
• Better targeting and the use of properly permissioned and managed customer information
databases; the relevancy of campaigns and careful application of local/ EU laws.
• Careful stewardship of customer information databases, and developing email marketing use
further into the consumer/ buyer engagement process. The impetus to increase volume and
activity can only be successfully achieved where it remains engaging.
• Delivery to inbox, which will be increasingly seen as a barrier to overcome, especially in B2C.
1 I am indebted to Richard Gibson of Return Path for his advice and knowledge on IPR issues.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
10
Executive Summary
IPR is tied in with reputation. If reputation is poor, acquired through issues like indiscriminate use or
poor targeting, large groups of consumers belonging to the same ISP domain, for example, such as
GMail or Hotmail will not receive bulk email from that source into their inbox. It is estimated as a
much as 7% of email marketing campaigns go missing, which historically has not been accounted for.
Strategic vs tactical
End users overwhelmingly believe email marketing to be strategically important, but that belief is
yet to translate into a strategic approach around execution. Poor visibility of conversions to sale and
conversions to action, and the lack of testing around aspects such as creative templates and
frequency suggests there is much more critical measurement and insight needed.
ESPs support this view, characterising end users as much more focused on tactical vs strategic use of
email marketing, according to the DMA UK benchmark survey Q3 2009. That survey also highlights
just 38% of email marketing driven by some data, and only 16% whose content is driven entirely by
data.
Compliance
Just 7% of end users polled lacked confidence in their compliance with legislation, with B2B
organisations twice as concerned by this issue compared with B2C organisations. Nonetheless there is
some evidence that in certain countries tougher regulation significantly holds back companies from
undertaking acquisition marketing based on concerns of strict legal compliance.
A full 102 page report on the legal requirements in 22 countries completes the Email Benchmark
Survey. This shows the considerable legal differences that exist between the European national laws,
despite the supposed “harmonization” of national regulations by the European Union. In particular,
there are wide differences in the local interpretation of the concept of “soft opt-in” for email
marketing. This principle in the EU directive is supposed to allow a marketer to email a customer,
whose email address has been given “in the process of sale”, without having to get any further opt in
(the customer always has the right at any time to opt out). But the national variations on this
principle vary greatly which make it impossible for an email marketer which is established in many
EU states to follow the same legal procedures.
Nearly three-quarters of end users deploy email marketing for sales or related campaign activity.
Open rates typically range 10%-25%. Unsurprisingly, sales and product/ service information
campaigns generate conversion to sales 4x better than newsletters or customer surveys.
53% of respondents do not use email marketing for customer or product (development) surveys.
Where they do, they experience excellent results.
The majority of companies do not use email marketing for win-back campaigns following the loss of
customers. The minority of respondents who do use email for win back, have experienced excellent
results, with conversion to sale or action of between 2% and 5%.
Executive Summary - FEDMA Pan European Email Marketing Benchmark Report First edition 2010
11
Executive Summary
Nor do they systematically use transactional emails for cross and up selling.
In both cases here are clearly opportunities missed, which once again suggests that email marketing
is deployed typically as a series of standalone activities, in some cases integrated with online, but
generally not implemented as an end-to-end programme or integrated with other customer channels.
Compared to end user respondents, results favour those campaigns conducted exclusively via ESP
platforms.
Practitioners would do well to test more rigorously each element of an email campaign, beyond the
generally adopted focus on subject lines, sender name, time of day and week, and spam filter
scoring.
19% of the respondent ESP base expect their clients to increase volume of email marketing between
a quarter and a half year on year, a continuation of the shift from offline to digital channels.
Nick Martin
& FEDMA
April 2010
Executive Summary - FEDMA Pan European Email Marketing Benchmark Report First edition 2010
12
Sponsors
FEDMA would like to thank the following sponsors for their kind support:
Main sponsors:
Alterian (LSE: ALN) empowers organizations to create relevant, effective and
engaging experiences with their audience that help build value and reinforce
commitment to their brand, through the use of the Alterian Integrated
Marketing Platform. Alterian drives the transformation of marketing and
communications, making it practical and cost-effective for companies to
orchestrate multichannel engagement with the individual.
The Alterian platform combines campaign management, web content
management, email and social media monitoring tools to help marketers be
more insightful, engaging and accountable than ever before, by sending the
best, most relevant message at the right time – regardless of channel. One of
the key differentiators of the Alterian offering is that the various elements are
integrated. The marketer can move seamlessly between organizing their
resources, undertaking analytics, planning a campaign and overseeing the
approvals necessary to drive things to timely completion.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
13
Sponsors
Main sponsors:
www.opt-4.co.uk
Our mission is to solve our client‟s prospecting, lead generation and business
development needs. We achieve this through a range of highly responsive
B2B contacts, an unrivalled online community of B2B decision makers, brand
leverage and our quality marketing services.
With a lists portfolio of more than 300 databases made up of business and
professional contacts from around the world we can improve the accuracy
of your business targeting.
www.mardev.com
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
14
Sponsors
Other sponsors:
www.par.se
www.fokusintegrated.com
TeleFaction helps your organisation increase loyalty and increase sales fast and
efficiently. When it comes to increasing customer loyalty and reducing customer
defections, everyone with high contact intensity with customers and subjects
may benefit from TeleFaction‟s Return on Behavior® concept.
www.telefaction.com
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
15
SECTION I – Survey
Germany
Austria
United Kingdom
Sweden
Switzerland
Belgium
Denmark
Netherlands
Slovenia
Norway
Finland
Ireland
Italy
France
Hungary
Spain
For the quantitative benchmark questions, respondents were asked to either a) report the results of last
3 email campaigns individually, or b) the average of the last 3 email campaigns sent out.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
16
SECTION I – Survey
1.0 Does your organization use promotional emails as part of your marketing mix?
No; 5,8%
Yes; 94,2%
Copyright © by FEDMA
Over the last decade email marketing has grown from being a discrete marketing activity, delivering
exceptional rates of return, to a connected part of an organisation‟s overall marketing mix.
Today it is rare for an organisation not to employ email marketing as a prime channel, whether for
acquisition, list building, lead generation, nurturing, customer management, up and cross sell,
retention marketing and win-back programmes.
Inevitably, as its use has become embedded as an essential part of any customer communication or
engagement strategy, and email volumes have rocketed, its effectiveness for acquisition marketing has
moderated. Notwithstanding it is proving a phenomenally successful marketing channel in the hands of
responsible practitioners.
The vast majority of organisations use email as a key communication channel. That trend is set to
continue. According to the Email Marketing Industry Census from Econsultancy (in association with
Adestra); email now accounts for 17% of brands‟ digital marketing budget, up from 14% at the start of
2009.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
17
SECTION I – Survey
Represented industries/segments
1.1 Which industry do you belong to?
14,0%
12,0%
Copyright © by FEDMA
10,0%
8,0%
6,0%
4,0%
2,0%
0,0%
FMCG (Fast Moving Consumer …
IT software
Realestate
Wholesale / Distribution
IT hardware
Government
Business Services / Consulting
Manufacturing
Travel / Transportation
Hospitality (hotel, restaurant)
Telecommunications
Consumer Electronics
Media / Publishing
Medincal/Dental/Healthcare
Internet business, pureplay
The benchmark survey is sampled from end user practitioners directly and ESPs. Although all industries
were represented, there is a slight respondent bias towards B2B organisations, with 56.2% of companies
marketing solely to other businesses, with 28% marketing to both businesses and consumers, and the
remaining 15.8% representing consumer-only brands or offerings.
The most represented sectors are business services/ consulting and hi tech organisations (both 12%),
Media/ publishing (11%), IT small & medium sized B2B firms (9%) other large B2B organisations (7.5%),
manufacturing (5.5%) and wholesale/ distribution (4.75%).
Other sectors with less than 5% are financial services, telecommunications, ecommerce and internet
pure-plays, utilities, retail, travel, entertainment, health, education and not for profit.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
18
SECTION I – Survey
Number of employees
>10000 6,8%
5000-9999 3,5%
3000-4999 2,5%
2000-2999 1,3%
1000-1999 4,3%
500-999 5,5%
200-499 12,6%
100-199 5,0%
50-99 11,6%
30-49 4,5%
20-29 13,4%
15-19 3,3%
10-14 7,6%
5-9 5,3%
1-4 12,8%
Copyright © by FEDMA
Sampling by company size is very evenly distributed when comparing to the business population of the
major economies in Europe by size, with 24% of responses from organisations of more than 500
employees. A further 29% of responses were from companies of 50-500 employees. 47% of respondents
belonged to companies employing less than 50 people.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
19
SECTION I – Survey
10-19 employees;
9,7%
5-9 employees;
13,7%
2-4 employees;
37,9%
Copyright © by FEDMA
Can you estimate how many employees in your marketing department work with email marketing?
European Average: 4,4
Approximately how many years has your organization practiced email marketing?
European Average: 4,9
Almost two thirds of respondent organisations employ less than 4 people in their marketing
department, with 23.7% employing more than 10 marketing personnel.
Whilst email marketing has enjoyed a decade of rapid growth, the average time that organisations have
adopted email as a marketing channel is just under 5 years.
Variation ranges between a mean average of 3.5 years for Norway, Italy, Spain, Hungary, Finland and
Slovenia, to 6.9 years in France.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
20
SECTION I – Survey
Target groups
1.4 Which of the following groups are you primarily marketing to?
Only businesses;
56,2%
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
21
SECTION I – Survey
Copyright © by FEDMA
2,3%
Given the pressure on resources that many marketing teams are under (62.6% of marketing departments
are staffed with 4 or less people), it is notable that 56.7% of all companies still undertake their email
marketing entirely in-house.
Only 2.3% outsource everything, suggesting activities such as campaign definition and key parts of the
operational process are still managed in-house. 40.9% say they manage a mix of outsourced and in house
activities.
B2C brands are more likely to outsource all marketing efforts, although that still accounts for only 6% of
respondents, with most (55%) preferring to do everything in-house. B2B brands on the other hand have
not as yet considered outsourcing email marketing in its entirety, with 62% doing it all in-house.
With greater sensitivity in the practise of direct to consumer email marketing and the need for
correspondingly more support and expertise, perhaps these differences are not altogether surprising.
A few trends are likely to change that over the next couple of years, given the number of ESPs that
operate a Software as a Service (SaaS) model:
-The need for greater (ie more sophisticated) targeting and personalisation.
-Increased data mining and profiling activity, as segmentation by online personas and behaviour becomes
more widespread.
-Tighter definition and management of permissions.
-Greater use of campaign rules.
-Integrated use of email with online advertising, social media and other interactive channels.
In other words, marketing is becoming a more complicated discipline, customers need to be engaged
with and across many more channels than ever before, and are far less predictable in their purchasing
and/ or engagement patterns. It is therefore increasingly difficult to cover the ground through a
stretched, in-house resource, and increasingly unlikely that the necessary skills exist within an in-house
team to do everything.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
22
SECTION I – Survey
Campaign frequency
1.6 Do you send email newsletters and if so, how often do you send them?
Quarterly 21,3%
Monthly 30,6%
Weekly 16,1%
Daily 4,9%
Copyright © by FEDMA
Of the 79 respondents who sent newsletters via email, 70% on average were used in context of B2B
activity, 10% were a mix of B2C and B2B, whilst 20% related to B2C activity.
The most popular campaign frequency for sending email newsletters out is monthly. In Italy and
Slovakia the average frequency increases to weekly, whilst Sweden, Norway and Spain the average falls
to quarterly sends.
There appears to be no correlation between other factors, such as bounce or opt out rates, and the
frequency with which newsletters are sent.
Infrequent newsletters suggests a one size fits all approach to newsletter content, whereas the scope
for dynamic content ordering, for example, to reflect different customer segments and recent
behaviour arguably increases with frequency.
More frequent newsletters certainly demand closer integration with an up to date customer
information database to reflect recent transactional history or other pertinent factors.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
23
SECTION I – Survey
Campaign frequency
1.7 Does your newsletter registration form say how often they will be sent
and if so, what frequency do you say?
Quarterly 10,5%
Monthly 18,4%
Weekly 9,1%
Daily 2,9%
Copyright © by FEDMA
The majority of respondents do not inform newsletter subscribers of the frequency with which they will
receive them.
Whilst on the face of it this appears to be a general omission, in practise the more targeted and
„triggered‟ email newsletter content is based on a predetermined range of behaviours, the less
predictable frequency becomes. In this context, notifying customers of newsletter frequency in
advance may become restrictive.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
24
SECTION I – Survey
Campaign frequency
1.8 Do you send email campaigns with promotional content, such as sales
offers, and if so, how often do you send them?
Quarterly 18,1%
Monthly 23,8%
Weekly 13,6%
Daily 3,4%
Copyright © by FEDMA
21.7% of all companies do not use email for promotional content such as sales offers, whilst 41.9% send
promotional emails monthly or quarterly. 17% of companies send out promotional emails weekly or
daily, the balance of 11% sending them out every two weeks.
There are differences in the most practised frequency of promotional contact by email depending on
the country:
Weekly – Slovenia (43%), Hungary (50%), Ireland (25%) and Sweden 23.1%
Monthly – Norway (41.7%), Switzerland (27%), Finland (33%), UK (31.6%), France (50%), Denmark
(31.8%)and Germany (29.2%), Austria (27.5%)
Quarterly – Netherlands (28.6%), Belgium (32.1%) and Austria (27.5%)
Those countries most likely not to send promotional content by email are Finland, Spain (33.3%), Italy
(28.6%) and Germany (29%). Privacy regulation, and an organisation‟s interpretation of it, is likely to
determine corporate policy towards unsolicited commercial email (UCE) in many cases. It is surely no
coincidence that those countries with the most restrictive and/or punitive data protection laws are
those where email marketing is least used as a sales channel (see legal report in this survey from page
57).
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
25
SECTION I – Survey
1.9 If you use transactional emails, such as order confirmations, are they an
integrated part of your cross- and up selling process, for example do they
include sales offers?
No; 32,5%
Copyright © by FEDMA
Where transactional emails are generated as part of an order confirmation process, just under half do
not use them for cross and up sell strategies - what traditional direct mail order companies would have
described as „free rides‟.
Notable exceptions to the average results are Italy, where 43% of companies do use transactional
emails to cross an up sell together with Norway (41.7%), and Austria (37%).
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
26
SECTION I – Survey
Ranked 1 2 3 4 5
When it comes to marketing and sales application areas for email marketing, driving sales is the
overwhelming priority, either directly (as direct sales) or indirectly (as lead generation).
In the case of lead (or demand) generation, email will most often work as part of an integrated
campaign that encompasses primarily online affiliate marketing, the use of lead generation networks,
and paid for search.
Relatively little attention tends to be paid to the continuation of email marketing in order to nuture
unconverted interest from lead generation and inbound sales channels over a longer period of time. This
is an area of considerable future development that should yield excellent returns, but requires careful
planning.
For most countries the second priority is to drive web traffic or lead generation. It should be noted that
whilst the two activities can be applied to different purposes, at least some of the responses that
identify driving web traffic will likely relate to lead generation activities as well, i.e. activity that is
designed to lead to consumer engagement with the goal of increasing sales or building an opted in
prospect base.
Brand awareness is considered the next most important use in Belgium, France and Spain.
In those countries where direct sales is not the most important motivation for using email marketing
(Austria, Norway and Finland), it is considered the second most important use.
Only in Italy, Spain, Slovakia and Ireland do companies not consider the use of email for lead generation
in their top 2 priorities.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
27
SECTION I – Survey
Neither
increase nor
decrease;
30,8% Increase; 66,2%
Copyright © by FEDMA
Spend on email is forecast to grow over the course of 2010, with 2/3rds of respondents expecting to
grow their investment in email marketing. Tellingly, only 3% would expect to decrease their spend in
this time period.
This clear trend is reflected in Ipsos Mori‟s poll for the Chartered Institute of Marketing report The
Shape of Digital to Come? Senior marketing practitioners in Q4 2009 were polled to ask how their spend
would vary year on year across different marketing activities. Email (1.6%) and online (2.5%) were
expected to be the biggest winners in attracting additional marketing investment, at the expense of
offline advertising (-3%), sponsorship (-2.3%), direct mail, and internal marketing (-1.6% each).
Geographical markets will vary according to their relative maturity.
The first is ongoing effectiveness of email as a push marketing medium, which depends principally upon
targeting/ use of properly permissioned and managed customer information databases; the relevancy of
campaigns and careful application of local/ EU laws.
If greater spend is driven by higher volumes in conjunction with looser qualification of who receives
what and how often, then it follows that more people will receive less relevant unsolicited commercial
email (UCE), and Return on investment (ROI) will drop.
Secondly, successful growth can only come through careful stewardship of customer information
databases, and developing its use further into the consumer/ buyer engagement process.
For example, its expanding role within integrated marketing campaigns, lead generation, social media
and customer management programmes. These are ripe for expansion as more sophisticated consumer
engagement rule sets are defined and applied that reflect buyer and customer behaviour; and permit
practitioners to act upon the information quickly.
Thirdly ,delivery to inbox will be increasingly seen as a barrier to overcome, especially in B2C.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
28
SECTION I – Survey
Deliverability rates are expected to improve or remain the same. A small percentage do not measure,
presumably those undertaking email marketing in-house using generic transmission. Just 13.5% believe
deliverability will worsen.
This raises a key question of how deliverability is measured. Most practitioners will determine
deliverability as delivery to Internet or to mail server as the primary measure, but delivery to inbox is an
increasingly key metric. This is because reputation, the measure of trust that an ISP places on the
sender, determines whether the majority of emails transmitted in a campaign are blocked.
Increasingly important, in particular in B2C, is the issue of deliverability to inbox. If reputation is poor,
acquired through issues like indiscriminate use or poor targeting, large groups of consumers belonging to
the same ISP domain, for example such GMail or Hotmail, will not receive the email into their inbox.
B2B deliverability is also an issue, albeit a different cause, due to corporate systems like Postini,
Symantec and Messagelabs.
Companies like Return Path and Pivotal Veracity use seeds or panels to measure the difference between
deliverability to Internet/ server vs inbox. Research from Return Path suggests that approximately an
additional 10% of European email volume does not make it into the intended inbox (source: The Global
Email Deliverability Benchmark Report, 2H 2009).
The same report indicates deliverability to inbox to be less of an issue in Germany (with one or two ISP
exceptions) and more of an issue in the UK and France (11%). Non delivery to inbox is accounted for by a
third being placed directly into spam folders, and two thirds going missing.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
29
SECTION I – Survey
Respondents clearly believe that their use of the email medium is improving, based on the
overwhelming majority of 56% who believe their click through rates will increase. Just 8% of
respondents expect their click through rates to decrease.
Volumes are expected to rise across the board, with 72.3% of respondents planning on sending out more
marketing emails, whilst practically no one expects to do less. Yet opt out rates as a proportion of total
volume are expected to hold steady. This assumes at least as much or better targeting in spite of the
higher volumes, which either suggests:
a) email marketing taking a greater channel share of a company‟s overall marketing plan, at the
expense of direct mail and telemarketing, or
b) Further targeting leading to a proliferation of campaigns of volumes that are more segmented than
current ones.
One thing is certain: for the expected performance improvements to occur against a backdrop of higher
volume, targeting and relevance at least will need to be maintained.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
30
SECTION I – Survey
Neutral 9,1%
How much of the marketing budget within your company covers email marketing?
European Average: 14,8
Not surprisingly given the growth forecasts, most respondents see email marketing as strategically
important in meeting marketing objectives, with 46.% characterising it as very important, whilst 41.4%
see it as somewhat important.
Analysis by country shows that whilst the majority see it as very important overall, companies in
Switzerland, Norway, Germany and Austria generally see it as somewhat important.
Where email is primarily used to support direct sales and lead generation programmes, its importance
will be seen as correspondingly higher.
Even where lead generation programmes are online, the added targeting of email by consumer or buyer
profile means that conversion to action is generally higher from the email push when compared to the
online pull. As a result email is an important component of most online lead generation programmes,
which are generally priced on performance.
The temptation to increase email volumes in support of lead generation at the expense of targeting
should be resisted, since this is likely to be a principal cause of reputation damage. However this is not
currently problematic based on the reported statistics. If opt-out rates are a primary measure of
relevancy, 18% of respondents reported average opt out rates of 1.5%-3%, but most (76%) were less than
1%.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
31
SECTION I – Survey
Are users reconsidering how email marketing is used, in the context of how strategically important it is
considered? The relatively high proportion of practitioners who do not measure beyond the basics is
concerning: 26% of end users were not able to say what their average opt out rates were, whilst 57%
experienced rates of less than 1%.
Between a third and half of end user respondents were not able to measure conversion to sale, for
example - the rate depends on the email marketing use, with newsletters worst and acquisition best.
This echoes the Email Marketing Industry Census 2010 by Econsultancy in association with Adestra which
shows similar lack of insight.
When asked the same question about their clients, ESPs beg to differ, characterising end users as much
more focused on tactical use vs strategic use of email marketing, according to the DMA UK benchmark
survey Q3 2009. That survey also highlights just 38% of email marketing driven by some data, and only
16% whose content is driven entirely by data.
In other words, when end users overwhelmingly talk about the strategic importance of email marketing,
that belief is yet to translate into rigorous action, and there is a quite some way to go.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
32
SECTION I – Survey
2.4 How confident are you that all of your email marketing activities are in
compliance with legislation in your country and in any other country you are
marketing to?
Not confident at
all; 6,9%
Rather confident;
35,7%
Very confident;
57,4%
Copyright © by FEDMA
Hungary stands out as being only „rather confident‟ across the majority of organisations
about compliance with legislation domestically and to other marketed countries. The
majority of countries are very confident, whilst 6.9% of respondents have no confidence in
their compliance with legislation.
There is a marked difference in confidence between B2C and B2B organisations, with those
engaged in B2B only email marketing twice as likely to lack confidence in their compliance
with legislation (9.8%) compared with B2C only organisations (5.4%).
This may suggest that regulation around B2B marketing is perceived as less clear-cut, such
as for example the definition of „natural persons‟ in the case of sole traders and small
partnerships that render them subject to the same rules as apply to consumers. In this case
B2B organisations may face difficulty in identifying incorporated versus non incorporated
entities.
For the details on the legal aspects see Section II – Legal Overview.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
33
SECTION I – Survey
Regular newsletter
2.5 Do you use regular newsletters as part of your communication?
No; 23,2%
Yes; 76,8%
Copyright © by FEDMA
Email is used for the distribution of regular newsletters by 76.8% of client (end user) respondents. The
majority of campaign open rates range from 15-37% in the UK; 10-35% in Germany and Austria; 24-46% in
Belgium.
The low completion levels of individual campaign performance for regular newsletters suggest that
organisations are less likely to measure newsletter performance to the same extent as other email
marketing purposes, such as acquisition.
Yet newsletter and related customer management activity is likely to be a main growth area over the
next 12 months, with the growing recognition that email marketing is especially well suited to these
applications. This is reflected in the difference in click through rates between newsletter which average
17% higher than sales or product/service information campaigns.
This is an area of customer engagement where companies would do well to increase their focus, since
added targeting by transactional and behavioural history, that drives dynamic segmentation, content
ordering and personalisation, is likely to generate an additional payback for a little extra time invested.
Regular newsletters are an obvious opportunity to generate cross and up sell revenues.
One in 4 organisations do not currently appear to measure opt out and hard bounce rates to keep
current their customer database and preferences, or at least do not have ready access to that data.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
34
SECTION I – Survey
No; 27,2%
Yes; 72,8%
Copyright © by FEDMA
72.8% deploy email marketing for sales or related campaign activity. Open rates typically range 10-20%
in the UK; 10-23% in Germany; 10-26% in Austria; 10-26% Switzerland.
Average click through rates vary tremendously by country for this type of campaign activity, and need to
be viewed cautiously as smaller countries report results from a low respondent base. Notwithstanding
the differences are marked, with Finland reporting less than 1%, and Austria averaging 21%. This figure
reflects a spread of 13%-28%, and is typical of the distribution of answers.
Also at the low end of reported rates is Norway, with 2%, yet Sweden averages 6%, whilst Denmark sees
average rates of 11%.
Unsurprisingly, sales and product/ service information campaigns generate conversion to sales four times
better than newsletters or customer surveys, with 12.5% of respondents claiming rates of between 2%-
2.25%.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
35
SECTION I – Survey
Customer/Product surveys
Yes; 47,0%
No; 53,0%
Copyright © by FEDMA
53% of respondents do not use email marketing for customer or product (development) surveys.
Those that do average open rates of 36% (UK); 25% (Italy); 18% (Switzerland); 33% Denmark.
In countries where responses were isolated and therefore difficult to draw statistical conclusions from
with great confidence, nevertheless open rates ranged from the 20% to 40% range, with fewer
outlying results below 15% or higher than 50%.
These healthy open rates, whilst not necessary conclusive in their own right, are allied to high click
through rates that start at circa 7% and can top 25%+. It goes to show that customers appreciate being
asked for feedback, and represents a useful plank to a strong customer engagement strategy.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
36
SECTION I – Survey
Win-back campaigns
Yes; 23,8%
No; 76,2%
Copyright © by FEDMA
The majority of companies do not use email marketing for win-back campaigns following the loss of
customers.
Click through rates are comparatively high, with 25% of all win-back campaigns achieving rates of
between 10%-12%. This is two times the results reported for sales and product/ service information
campaigns, and 60% better than newsletter click through rates.
The minority of respondents who do use email for win back, have experienced excellent results, with
conversion to sale or action of between 2% and 5%.
Ranges are Denmark and Netherlands (4%), Austria (3%), UK (2.5%), Germany and Switzerland (2%),
France and Slovenia (2.25%).
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
37
SECTION I – Survey
Next we turn to the results of the benchmarking survey undertaken among Email Service Providers
(ESP).
Each ESP may undertake hundreds of campaigns per month, representing a significant number of end
user firms who outsource their email marketing or use a Software platform as a Service (SaaS) that they
use to define, create, send and measure themselves.
Austria
Belgium
Denmark
France
Germany
Greece
Hungary
Ireland
Italy
Netherlands
Norway
Poland
Romania
Spain
Sweden
Switzerland
United Kingdom
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
Average delivery rates:
38
SECTION I – Survey
Replied
0-10%
(31%)
Replied
85-100%
(66%)
Replied
10-85%
(3%)
Copyright © by FEDMA
Average delivery rates of end user client organisations using ESP platforms are reported in the region
of 85-99.6%. These effectively are acceptance rates, that is a calculation based on number of emails
delivered to the Internet less, the bounces.
As highlighted earlier in the report, it does not take into account missing emails that go to spam folders
or do not make it into the inbox (and where no bounce codes are received back from ISPs).
These are early days in terms of discussing delivery rates in terms of inbox placement rates (IPR) and
therefore would be extremely difficult to assess in a current benchmark survey. We anticipate being
able to benchmark and track these trends in future, as practitioners become more aware and adopt
seeding, panels or pixel tracking solutions, or via benchmark statistics from deliverability software/
service providers.
Variations by country fall within the wider range, but appear to be much more dependent on the
campaign (influenced by variables such as content and targeting) than on the national differences.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
39
SECTION I – Survey
Replied
7-10% Replied
(8%) 0.50-1%
(11%)
Replied
3-7%
(19%)
Replied
Copyright © by FEDMA
1-2%
Replied 2-3% (30%)
(6%)
If hard bounce rates are a primary measure of list quality, there is scope for improvement in email data
quality, with 15% of all campaigns seeing hard bounce rates of more than 7%, and a further 20%
experiencing hard bounces of between 3%-7%.
This finding is echoed in Econsultancy‟s Email Marketing Industry Census 2010. The report highlights
quality of databases as the biggest barrier to effective email marketing. This is cited as a problem by
61% of marketers, up from 44% in 2009.
Compared to end user respondents, results favour those campaigns conducted exclusively via ESP
platforms.
ESPs report that 59% of campaigns experience hard bounce rates of less than 2%, compared with 50%
among end user respondents.
Furthermore the difference in hard bounce rates between different campaign types does not appear to
be material, suggesting there is work to be done on maintaining the quality of customer information
databases as well as selecting email cold lists.
There is little difference in hard bounce rates between countries, with France, Germany, Spain and
Italy all reporting hard bounce rates of less than 2%, whilst Sweden, Norway, Belgium, UK, Romania
averaging 4-6%.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
40
SECTION I – Survey
Replied
2.1-3%
Replied (6%) Replied
1.50-2%
0-0.11%
(12%)
(21%)
Replied
1.1-1.50%
(6%) Replied
0.12-0.25%
(12%)
Replied
0.50-1% Replied
(28%) Copyright © by FEDMA 0.26-0.50%
(15%)
Opt-out rates are a primary measure of relevancy. 18% of respondents reported average opt out rates
of 1.5%-3%, but most (76%) were less than 1%.
26% of end users were not able to say what their average opt out rates were, whilst 57% experienced
rates of less than 1%.
These ESP results are considerably better than the end user ones (of the end user sample 57% of
respondents did not outsource, either in part or whole).
This may suggest that practitioners are better able to manage, pre-screen (and filter out or correct)
their customer information data using tools provided by the ESP SaaS platforms than email marketers
which use in-house programme or processes.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
41
SECTION I – Survey
Replied Replied
21-50% 0-2%
(9%) (12%) Replied
2.1-3%
(6%)
Replied
10.1-20% Replied
(24%) 3.1-4%
(12%)
Copyright © by FEDMA
Replied
4.1-10%
(37%)
Click through rates, indicating how effectively the email is engaging with the buyer or consumer,
predominantly (61%) fall within the broad range of 4-20%. Within that broad range, the tightest
distribution reported by ESPs falls into the 4-8% range.
This broadly correlates with the click through rates reported by end users, and also correlates with the
latest benchmarking results for Q3 2009 from the UK DMA, which shows average click through rates of
5.7% for acquisition marketing and 7.9% for retention (customer) marketing.
It is important to recognise that these numbers are global averages, with individual campaigns capable
of achieving click through rates of 30-50% when associated with customer marketing, retention
campaigns and surveys. Once again these variations are far more material than country differences,
which demonstrate the value of defining the correct audience for each proposition, and crafting the
communication to optimise results.
Results from the UK DMA‟s email benchmarking research shows click through rates are 40%+ higher for
retention (customer) campaigns compared with acquisition campaigns.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
42
SECTION I – Survey
Replied
30.1-40% Replied
(17%) 15.1-20%
(8%)
Replied Replied
25.1-30% Copyright © by FEDMA 20.1%-25%
(19%) (26%)
Open rates reported were across a very wide range, and reflect the varying performances of individual
campaigns. There is no discernable country pattern within ESPs.
This goes to show that that campaign design, the ability to engage the consumer/ buyer and cut
through the inbox clutter, is paramount.
Practitioners would do well to test more rigorously each element of an email campaign, beyond the
generally adopted focus on subject lines, sender name, time of day and week, and spam filter scoring,
as illustrated in the Email Marketing Industry Census 2010 by Econsultancy.
The same report indicates that between 33% and 58% of client practitioners are not testing creative
templates, frequency, landing pages, and multivariate campaign strategies. This points to the need for
greater segmentation, and carefully planned user experience to support better engagement within the
email and online. As highlighted in the DMA UK benchmark survey Q3 2009, end users favour email
marketing for tactical campaigns (circa 65%) versus strategic campaigns (circa 35%), and this
inevitably influences the amount of time spent planning, segmenting and bespoking offers and analysis.
End users across Europe directly report lower average open rates compared with client campaigns
reported by ESPs, with 19% unable to report this statistic. Whilst 46% of ESPs‟ client campaigns see
open rates in the 20%-30% band, that falls to 24% reported by end users for acquisition related sales
campaigns, and rises to 42% for customer product survey campaigns.
Comparing the proportion of open rates between 30-40%, the end user results dissect the ESP reported
rate of 17%, between sales campaigns (12%) customer product survey campaigns (22.5%), providing
interesting insight into the possible make-up of the ESP average values.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
43
SECTION I – Survey
Replied
75.1-100% Replied
(3%) 100.1-150%
(3%)
Replied
50.1-75%
(8%)
Replied Replied
25.1-50% 0-15%
(19%) (50%)
Replied
15.1-25% Copyright © by FEDMA
(17%)
Email marketing is poised for strong growth this year, at the expense of traditional offline channels.
19% of the respondent ESP base expect their clients to increase volume of email marketing between a
quarter and a half year on year, a continuation of the shift from offline to digital channels.
In Ipsos Mori‟s poll for the Chartered Institute of Marketing report,The Shape of Digital to Come?, the
question was asked which activities delivered the best return on investment. Top of the charts comes
CRM by some margin, followed by online advertising (12%) and email marketing (11%). Those activities
considered to deliver the worst return were direct mail, sponsorship, and internal marketing, mirroring
the evident shift in spend.
Econsultancy‟s email marketing census 2010 also predicts a net increase in email marketing over the
course of the year, with the greater proportion coming from retention marketing, where 71% expect to
ramp up their activities in this area, and only 1% expect to reduce activity on email campaigns to their
customer base. This reflects a growing recognition that email marketing is the perfect medium for
customer management and development, and a key component within integrated multi-channel
consumer engagement.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
44
SECTION I – Survey
Replied Replied
1.000.000.001- 500.001-1.500.000
2.000.000.000 (9%)
(3%)
Replied
100.000.001-
1.000.000.000 Replied
(29%) 1.500.001-
10.000.000
(30%)
Copyright © by FEDMA
Replied
10.000.001-
100.000.000
(29%)
The next 3 charts show activity by total volumes for April – May 2009 within the ESP sample base, and
will form the basis of year on year tracking as part of the benchmarking methodology once
comparative 2010 data is collected.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
45
SECTION I – Survey
Replied
100.000.001-
1.000.000.000 Replied
26% 1.500.001-
10.000.000
27%
Replied
Copyright © by FEDMA
10.000.001-
100.000.000
35%
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
46
SECTION I – Survey
Replied
100.000.001-
1.000.000.000
(27%) Replied
500.001-
10.000.000
(37%)
Copyright © by FEDMA
Replied
10.000.001-
100.000.000
(27%)
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
47
SECTION I – Survey
Sunday 3%
Saturday 0%
Friday 18%
Thursday 26%
Wednesday 13%
Tuesday 26%
Monday 13%
Copyright © by FEDMA
Days of week with largest volume of emails cited by ESPs for sending out email marketing campaigns
are Tuesday and Thursday (26% each). Whilst overall email activity over weekends is extremely low,
there are some marked differences by country:
Saturday and Monday are the least selected to execute an email marketing campaign, which, whilst
indicating a universal experience of low responsiveness on those days, also suggests an opportunity to
re-test given a) increased email volumes, and b) the growing challenge of „cut through‟ in an
increasingly media-cluttered landscape.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
48
SECTION I – Survey
3.9 Please indicate for Q2 2009, if any, which day of the week your clients
send the lowest volume of emails?
Sunday 35%
Saturday 11%
Friday 24%
Thursday 0%
Wednesday
3%
Tuesday 0%
Monday 27%
Copyright © by FEDMA
The diapositive of most activity by volume for email campaign execution, shows Sunday and Monday
as the least popular days by volume (62%) as cited by ESPs, with Friday running a close third (24%).
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
49
Email Service Providers
The Adestra difference can be summed up in two ways - our approach and
our people. Underpinning this is our technology which is cutting edge,
user-friendly and is relied upon by well over 3,500 marketers to support
their email marketing programs. Our approach to email marketing is
focused on working with leading publishers, who deploy our technology
and use it to achieve their goals and targets.
We have the largest support team of any UK based ESP and unlike most
other companies we actively recruit email marketers to work alongside
you. This collaborative approach ensures that Adestra work with you as a
partnership to evolve and deliver your email marketing objectives.
Web: www.adestra.com
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
50
Email Service Providers
AGNITAS AG offers e-marketing solutions for direct and dialog marketing in the
form of services, software and consultation.
Apsis makes good email marketing easier. We supply Apsis Newsletter Pro, a
user friendly, powerful and flexible solution used by over 5 000 customers to
create, personalize, deliver and analyze email marketing. We take pride in
our solution, our commited support and in our email marketings handbooks
containing research and email marketing knowledge.
Web: www.apsis.com
Web: www.bring.no/dialogue
BusinessFinder is the leading provider of B2B email marketing services in Italy; its
database is made by 600.000 opt-in e-mail addresses of Italian companies
selectable by geographical area, industry, legal status and size (employees and
turnover).
Web: www.businessfinder.it
Concep is the digital agency for B2B. If your business is serious about digital we
need to talk. Concep understands your market, understands digital
communications, but above all understands that it‟s about people. We go the extra
mile to really understand your business and its requirements. Concep‟s clients
value our people and our personality, not just our technology. Our expert
knowledge of digital channels and unrivalled sector knowledge allows us to cut
through the confusion and provide your business with insight that will increase
profit, build client loyalty and push your marketing to work harder.
Web: www.concepglobal.com
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
51
Email Service Providers
Web: www.contactlab.com
Web: www.dotmailer.co.uk
Web: www.ecircle.com/en
Web: www.emailgarage.com
Web: www.createaclang.com
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
52
Email Service Providers
Web: www.graphicmail.de
Web: www.getresponse.com
Web: www.httpool.com
Web: www.kern.ch
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
53
Email Service Providers
Our job is to identify sales problems and bring relevant solutions to them by
using our capability to integrate direct & digital communication channels.
Web: www.mediapost-hitmail.ro
The BizWizard system provides users with a common work platform offering
rich functionality, so that they can work without external tools to produce,
distribute, measure and follow up newsletters, product information,
campaigns, events, invitations, training courses and surveys. BizWizard
eMarketing Suite is a Web-based system which can be used entirely
independently or integrated with the company's other information systems
(CRM, ERP, CMS, etc.). This system is based on Microsoft .NET, IIS and SQL
Server, and is offered as a service via the Netoptions Hosting Center or as
packaged software for installation in the company's own operating
environment.
www.netoptions.se
optivo is a professional email marketing provider, including sms and fax. The
company's product portfolio encompasses the permission-based distribution of
electronic mailing and email newsletters via an efficient and secure platform
(optivo® broadmail), consulting and strategic advice as well as professional
services and tailor-made customer solutions.
More than 500 customers from all sectors rely on optivo, including renowned
companies such as Tchibo, Henkel, Jack Wolfskin, Accor Hotels,
ArabellaStarwood, Europcar, Germanwings, German Railways, Siemens, Sixt,
Bosch and HypoVereinsbank. optivo is actively committed to promoting high
standards of quality and transparency in the field of email marketing through
its memberships of the German Direct Marketing Association (DDV), the Federal
Association of the Digital Economy (BVDW) and the Association of the German
Internet Economy (eco).
Web: www.optivo.net
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
54
Email Service Providers
Web: www.rabbit-emarketing.de
Relation & Brand is a leading provider of both boxed and tailored e-mail
marketing solutions with state of the art measuring functionality helping
companies to build strong and profitable relationships.
Web: http://www.relationbrand.com
Web: www.reputy-europe.com
Schober is the leading provider in Europe for data and services for
interactive marketing. We have a consolidated invoicing of 130 million
Euros and more than 400 employees present in 15 countries, providing
information and marketing services to more than 25,000 customers each
year. Schober is the owner and developer company of the eCRM solution,
Xprofiler, eMailing technology solution used by more than 350 current
successful mailers in Europe.
Web: www.schober.es
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
55
Email Service Providers
Web: www.whiteimage.net
Web: www.winholistic.dk
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
56
DMAs who contributed to this report
Austria Greece Portugal
Dialog Marketing Verband Österreich (DMVÖ) Hellenic Association of Communications Agencies (HACA) Associação Portuguesa de Marketing Directo, Relacional e
Heumühlgasse 11 7, Ypereidou Street Interactivo (AMD)
1040 Vienna 105 58 Athens Estrada de Queluz 91
AUSTRIA GREECE 2794-100 Carnaxide
Tel: +43 1 911 43 00 Tel: +30 210 3246 215 PORTUGAL
Fax: +43 1 911 2972 Fax: +30 210 3246 880 Tel: +351 21 436 67 27
E-mail: office@dmvoe.at E-mail: edee@edee.gr Fax: +351 21 436 78 45
Website: www.dmvoe.at Website: http://www.edee.gr/ E-mail: amdportugal@amd.pt
Website: www.amd.pt
Edited by Field Fisher Waterhouse LLP in collaboration with Legis (Austria), Noblex Ltd (Bulgaria),
Plesner Svane Grønborg (Denmark), Luiga Mody Hääl Borenius (Estonia), HH Partners (Finland),
Avramopoulos & Partners (Greece), Bogsch & Partners (Hungary), Beauchamps Solicitors (Ireland),
La Scala & Associati (Italy), Kennedy Van der Laan (The Netherlands), Thommessen Krefting Greve
& Lund (Norway), Laszczuk & Wspólnicy (Poland), Nestor Nestor Diculescu Kingston Petersen
(Romania) Colja, Rojs & partnerji (Slovenia) Fylgia (Sweden), Python & Peter (Switzerland) and
Minnesota Privacy Consultants (United States).
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
58
SECTION II – Introduction
SECTION II – THE LEGAL INS AND OUTS OF E-MAIL MARKETING IN EUROPE
This section is designed as a detailed guide to the data protection regulations which impact on email
marketing in Europe today. We have prepared, with the invaluable help from Field Fisher Waterhouse, an
overview of the relevant laws in 22 countries – 19 from the European Union, two from the European
Economic Area (Switzerland and Norway), and also the USA. In the future we hope to be able to complete a
report on all 27 European Union countries.
Inevitably any section covering regulations is legalistic – and I am afraid this section cannot dodge the legal
issues and texts, however, also inevitably, if you want to avoid legal problems, or embarrassing and costly
complaints, you need to study these pages.
The key question we receive constantly form members is – “how on earth can I do a cross-border email
campaign covering a number of European countries when the national laws are so different?”
At present the good news is that you should, in theory, only have to apply one national law – that of your
“controller of the data”. In other words, if you have a central database (say you create one for the
campaign), and there is one controller (a data privacy officer, or a subsidiary company, etc), so long as the
data are correctly collected at national level, and the data security is correctly done, then the central (EU
based) controller can use those data under his/her own national law to send out an email (some applies
most other DM campaigns across Europe).
This makes doing a centrally organized EU-wide email campaign more simple. Some countries may not
agree (for example, Spain may prove a challenge), in which case at national level it may be advisable to
approach and discuss the issues with the national Data Protection Authorities (DPAs).
To help strengthen your case there is always the FEDMA code, which was negotiated with the national
DPAs, and the annex to that code which is now being finalized, and also there are many national codes
negotiated between the local direct marketing associations (DMAs) and the DPAs. Examples, France, UK,
Italy, the Netherlands, Belgium, Sweden, etc. These are referred to in this section.
It likely that the European Union will revise its present Data Protection regulations (the 1995 Directive)
over the coming year. This will be an opportunity for business to explain the difficulties they face when
trying to meet the demands of all the national regulatory differences to the European Institutions (the
Commission, Parliament and Council).
This report clearly shows the practical differences between the national laws. In addition, FEDMA will be
collecting evidence and case studies to help us make the case to the regulators. Please let us have your
experiences and your help to ensure better, not tougher, regulations will result from this present review.
In particular, our sector must protect the right to use only one regulation (that of the data controller) when
emails are sent out in a cross-frontier campaign. If we fail to protect that principle, and all national
regulations are applied, it will become extremely difficult to undertake any cross-border campaigns.
National laws, unfortunately, fail dismally to be comparable, despite the ideal of a “Single European
Market”, and FEDMA has noted a worrying trend towards increasing regulation with little regard for the
EU‟s central principles of compatibility and harmonization. The latest major change has been the new
German Data Protection Law of August 2009 which has introduced more restrictions.
Some of these are still unclear at the time of writing: we have attempted to give an interpretation of the
new law which should be of help to the marketer, but the German regional (Land) DPAs and courts may
change the way in which the new law is applied.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
59
SECTION II – Introduction Contd
Fortunately not all EU Member States have such a regional structure as Germany, however, changes in
national regulations have in most cases been more, rather than less, strict. A notable exception is Latvia,
where the national law has been brought more into line with the 1995 EU Directive. Previously it had been
far more restrictive than the Directive.
Any report on the national regulations of 23 countries can only expect a limited shelf life: regulations – and
particularly their interpretation by the local data protection authorities – change regularly. If you have
information on new rules or interpretational regulations please share with us. FEDMA wants to keep its
information up to date, and members are always most welcome to ask questions, and get updates. This is
an important membership service which we provide. However, as data protection regulations become
increasingly complex and variable across frontiers, and marketers use a far great mix of media and
techniques - from email to SMS; from viral marketing to online behavioral advertising – it becomes
necessary to be very sure of the detailed ins and outs of data protection in multiple countries.
Law firms, such as Field Fisher Waterhouse, are essential advisors on these complexities across the EU, the
EEA, and in the main markets outside Europe from the USA to Russia, Australia to China. FEDMA strongly
advises its members to be safe rather than sorry when dealing with complex data protection issues – and in
particular with some of the stricter countries, such as Spain, or the new law in Germany. As this section
shows many of the national data protection authorities now have the ability to impose fines and / or to
seize databases, etc. Making a mistake when applying data protection rules can be an expensive error.
Finally, we would like to stress that the information we have provided here is in good faith, but neither
FEDMA, nor Field Fisher Waterhouse can guarantee its accuracy for liability purposes. As we point out, the
interpretation of national regulations continually evolves. In particular the DPAs produce new
interpretations of the relevant laws on a regular basis. The material in this report is therefore a guide to
assist the email marketer; not a firm recipe.
Alastair Tempest
Federation of European Direct and Interactive Marketing
April 2010
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
60
SECTION II – Legal Overview - Austria
Austria
Major Current Data Protection Laws
The Federal Act concerning the Protection of Personal Data (Datenschutzgesetz 2000) implements
Directive 95/46/EC and provides a fundamental right to data protection regulating all processing of
personal data, including collection, storing, committing and transmission of data.
The Telecommunication Act (Telekommunikationsgesetz 2003) implements Directive 2002/58/EC and
regulates (among other things) data processing in the electronic communication sector.
Section 151 of the Trade Act (Gewerbeordnung) contains specific data protection provisions for direct
marketing businesses and list brokers.
Expected time duration for registering marketing lists with the DPA
The notification process in Austria is quite simple. The Data Protection Authority provides forms on its
website. These can be found at: http://www.dsk.gv.at.
The process takes several months. However, in most cases the data application may be run as soon as
the notification is filed, unless the application contains sensitive data.
Registration costs
The authority does not charge fees for notification.
Common legal grounds for the processing of (non-sensitive) personal data for marketing purposes
carried in all media
Overriding legitimate interests of the controller, such as execution of a contractual obligation to
the data subject
Consent by the data subject
For (licensed) direct marketing businesses and list brokers only: explicit statutory authorisation
(sec. 151 Trade Act)
Implied consent
The Datenschutzgesetz 2000 does not require a specific wording for collecting data. Generally,
consent, including implied consent, must be informed consent –see above.
A tick box is not required by law. However, providing a check box linked to, or placed next to, the
statement of consent helps the controller to prove that the data subject approved of the data
processing.
Sensitive Data: Required form of consent for the processing of sensitive data
Sensitive data may only be processed under very strict conditions; the most important is to have prior,
expressed consent from the data subject. The consent does not have to be in writing but written
consent is recommended for purposes of proof.
Information on (alleged) criminal behaviour and criminal convictions relating to the data subject, as
well as information on the data subject‟s credit history (if processed for the purpose of providing such
information to third parties) are by definition not sensitive data, but are subject to specific
restrictions.
Common legal ground for the use of electronic messages for marketing
Direct marketing is regulated in the Telecommunication Act (Telekommunikationsgesetz 2003), in
sections 5a – 5h, and 28a of the Consumer Protection Act (Konsumentenschutzgesetz) and the Federal
Act concerning the Protection of Personal Data (Datenschutzgesetz 2000).
Telemarketing in terms of unsolicited marketing by phone, email, SMS or MMS is regulated in the
Telecommunication Act (Telekommunikationsgesetz 2003). Section 107 paragraph 1, generally forbids
phone calls and communications by fax for marketing purposes without the prior consent of the
addressee. Furthermore, section 107 paragraph 2 forbids sending electronic mail (including SMS)
without the prior consent of the addressee if:
the message is sent for Direct Marketing purposes, or
the message is addressed to more than 50 addressees.
Electronic mail for direct-marketing purposes is illegal if the identity of the sender is concealed or if
there is no address displayed in the mail to which the addressee can send his request for removal
from the mailing list.
Purposes
Provided that the controller gives the data subject a very detailed list of purposes, the data subject‟s
(implied) consent will cover all such purposes.
Generic terms
Generic terms describing purposes and destination of data transmission may be insufficient –
especially in respect of consumers. However, “direct marketing” and “market research” may be
sufficient for the purpose of data processing. Wording like “transmission to all linked companies of
the X-group” was considered too vague by the courts.
When collecting data the controller must inform the data subject of:
the purpose of the processing
the name and address of the controller
and provide such additional information as required from time to time for fair data processing, in
particular, if the data subject has a right to object against the processing; if it is not clear to the data
subject whether or not he/she is obliged to provide certain data; or if data are processed in a data
pool where the data are equally accessible to multiple controllers (Joint Information System /
Informationsverbundsystem).
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
The purposes for processing should be provided each time data are collected or used for
alternative/additional purposes. It is irrelevant whether or not the data subject is an existing client.
Opt-out
There is no specific form or wording for opting-out. Data subjects can revoke their consent at any
time in any form, thus making further data processing illegal. Data subjects also have the right to
rectification and/or erasure of his/her data. In regards to addressed mail, email and SMS the
addressee can opt-out by registering with a Robinson list (see below).
Do you have to offer the opt-out each time when approaching the customer?
When using email and SMS for marketing purposes, you have to give the addressee the opportunity to
refuse the use of his electronic contact information in every single message.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
63
SECTION II – Legal Overview - Austria
Data Storage
Security of data
Section 14 of the Data Protection Act provides several measures to ensure data security, which have
to be taken by the Data Controller or Processor.
Among them are:
The use of data must be tied to valid orders of the authorised organisational units or operatives;
Every operative must be instructed about his duties according to the Datenschutzgesetz and the
internal data protection regulations, including data security regulations;
The right of access to the premises, data and programmes of the data Controller or Processor has
to be regulated;
The right to operate the data processing equipment has to be laid down and every device has to
be secured against unauthorised operation by taking precautions with the systems and
programmes used.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
64
SECTION II – Legal Overview - Austria
Penalties
The Datenschutzgesetz defines certain violations as administrative offense punishable with a fine of
up to EUR 25.000,00 or 10.000,00, as the case may be.
A list concerning mailings by post is operated by the Fachverband Werbung und Marktkommunikation
der Bundessparte "Gewerbe, Handwerk, Dienstleistung" der Wirtschaftskammer Österreich. For more
information, please visit: http://www.fachverbandwerbung.at/de-service-robinsonliste.shtml
The above-mentioned Robinson lists do not concern collecting of addresses, but the sending of
unsolicited mail. The DPA is not the competent authority in the field of unsolicited mail.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
65
SECTION II – Legal Overview - Austria
Consumer Protection Legislation
The term “inbound telemarketing” does not exist in Austrian law. When a consumer calls a company
to get information about a product or to order a product on a hot-line or via a call-centre, this
situation would be regulated by the Consumer Protection Act (Konsumentenschutzgesetz).
Internet
Service provides are defined as every individual or legal person or other construct with legal capacity
who/which provides an information society service.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
66
SECTION II – Legal Overview - Belgium
Belgium
Major Current Data Protection Laws
« Loi relative à la protection de la vie privée à l'égard des traitements de données à caractère
personnel / Wet tot bescerming van de persoonlijke levensfeer ten opzichte van de verwerking van
persoonsgegevens » (Data Protection Act) dated 8 December 1992, as amended especially by the law
of 26 February 2003.
There is however an exception where there is no need for such a notification: If (i) the marketing list
will only be used for client management (i.e. not for direct marketing), (ii) the data collected are not
sensitive data, (iii) the data have been obtained directly from the data subject and (iv) there will not
be any transfer of those data to another person or company.
Expected time duration for registering marketing lists with the DPA
Under Belgian law, only processing of personal data for marketing purposes needs to be registered
with the DPA. The marketing list as such does not need to be registered. The notification process
approximately takes 4-6 weeks.
Registration costs
The costs for such a notification amount to 25 Euros if it is done by Internet, but increase to 125 Euros
if the notification is submitted on a paper form. The cost to modify notifications is 20 Euros.
Common legal grounds for the processing of (non-sensitive) personal data for marketing
purposes
Article 5 of the Data Protection Act states the legal grounds that allow for the processing of personal
data in general. As far as marketing is concerned, in order to process personal data an opt-in is
generally required, and in some instances mandatory (see below). Therefore, the DPA is of the
opinion that obtaining the data subjects consent is best practice.
However, the DPA recognises that processing of personal data for marketing purposes may in some
cases be justified if the processing is necessary for the performance of a contract to which the data
subject is party (existing clients) or in order to take steps at the request of the data subject prior to
entering into a contract (prospects), provided that no express consent is required by law.
In certain (more exceptional) cases, the processing could even be justified based on the fact that the
processing is necessary for the purposes of the legitimate interests pursued by the controller or by the
third party to whom the data are disclosed, provided the interests or fundamental rights and
freedoms of the data subject are not infringed.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
67
SECTION II – Legal Overview - Belgium
How the data subject exercises „consent‟
The data subject, whose data are collected and processed, has to give his/her unambiguous consent
(i.e. freely given, specific and informed). (Article 5.a of the Data Protection Act)
Implied consent
In principle, the consent has to be unambiguous (i.e. freely given, specific and informed). Implied
consent may be acceptable in certain circumstances, but it may lead to uncertainty, especially if the
existence of the data subject‟s consent is the only legal ground for the processing of his personal
data.
In certain cases, soft opt-in, which is a form of implied consent, can be expressly considered to be a
valid consent.
Consent by data subject is required when using the following communication media:
Subject to the soft opt-in and opt-out exceptions set out below, express consent (opt-in) shall be
mandatory by virtue of the law for the following categories: SMS, MMS, EMAIL, Telephone, Fax, Mail
and Chat
Sensitive Data: Required form of consent for the processing of sensitive data
In principle, it is prohibited to process sensitive data. However, there are some exceptions, the most
important one being the written consent of the data subject (unless prohibited by law). (Articles 6 §
2, a-e, 7 § 2 a-k and 8 § 2 a-e of the Data Protection Act)
Types of data considered “sensitive”, apart from race, religion, politics, sexual interests,
health, and trade union memberships
Personal data relating to litigation that have been submitted to courts or administrative judicial
bodies, relating to allegations, charges, or convictions in matters of criminal offences,
administrative sanctions or security measures.
Biometric data may be sensitive if they can be considered as health related data (e.g. DNA).
Common legal ground for the use of electronic messages for marketing purposes
The Act of 11 March 2003 on the information society, together with the Royal Decree of 4 April 2003
regulate marketing by electronic communication. These transpose parts of the EU Directive
2000/31/CE and specifically apply to e-commerce.
The first one concerns direct marketing sent electronically to a person whose data have been
obtained at the occasion of a previous sale if: - (i) at the time of collection it had been mentioned
that the person could refuse such use; (ii) the marketing message concerns the same kind of product
or service as the one the person had previously bought, and (iii) the marketing message is sent by the
entity that was involved in the previous sale (soft opt-in for existing clients).
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
68
SECTION II – Legal Overview - Belgium
The second exception concerns emails sent to impersonal email addresses belonging to legal entities,
for example info@befirm.be (but not firstname.surname@befirm.be). But these should still be opt-out
for impersonal email addresses of legal entities.
Purposes
If the personal data are obtained directly from the data subject, the data subject must be informed
of the purpose of the processing no later than at the moment at which the data are obtained.
If the personal data are not obtained from the data subject, the data subject must be informed of the
purpose of the processing at the time the personal data are recorded, or, if a transfer to a third party
is envisaged, no later than the moment at which the data are first disclosed.
Generic terms
Generic terms are not acceptable in the following instances:
When notifying a declaration to the DPA, the controller has to select the most appropriate
purpose from a list of purposes proposed by the DPA (e.g. direct marketing, trade of commercial
information); and
When the data are effectively collected. When a data subject is asked whether she/he agrees to
give personal data, this person needs to know exactly the reason why these data are being
collected. The data cannot be used for another purpose other than the one mentioned.
In French:
“Vos données sont reprises dans le fichier [d‟adresses] de [nom du responsable de traitement] pour
[finalité du traitement]. Vos données seront communiquées par [nom du responsable de traitement]
à [catégories de destinataires] à des fins de [finalité du traitement].
Vous diposez à tout moment d‟un droit d‟accès et de rectification de vos données et du droit de vous
opposer, gratuitement, à leur traitement et à leur communication”
In Dutch :
“Uw gegevens worden opgenomen in het [addressen]bestand van [naam van de verantwoordelijke van
de verwerking] met het oog op [doeleinde van de verwerking]. Uw gegevens worden door [naam van
de verantwoordelijke van de verwerking] meegedeeld aan [categorie van ontvangers] met het oog op
[doeleinde van de verwerking].).
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
69
SECTION II – Legal Overview - Belgium
U beschikt te allen tijde over een recht op toegang en op verbetering van uw gegevens en u heeft het
recht om u kosteloos te verzetten tegen de verwerking en de doorgifte van die gegevens”.
This example clause mentions the purpose of the data processing, the name of the controller, the
identity of the people who will have access to the data and the rights of the data subject.
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
The purposes have to be given when collecting personal data from both existing and prospective
clients.
Opt-out
The data subject may choose to opt-out, free of charge, at any time, without any justification.
Do you have to offer the opt-out each time when approaching the customer?
The controller must inform the data subject of this right each time an electronic marketing message is
sent and must offer the data subject the possibility to exercise this right electronically (i.e. either by
clicking on a link or via an email address for this purpose).
Data Storage
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
70
SECTION II – Legal Overview - Belgium
Codes of Practice & Preference Services (Robinson Lists)
There is a “Code de déontologie” (professional Code of Ethics) that is published by the Belgian Direct
Marketing Association (BDMA) and that is available on its website (www.bdma.be). This code was
drawn up together with the DPA.
The DPA also published a recommendation on direct marketing and the protection of personal data,
which contains guidelines on the matter ( “Recommandation 04/2009 du 14 octobre 2009 concernant
le marketing direct et la protection des données à caractère personnel /Aanbeveling 04/2009 van 14
oktober 2009 betreffende direct marketing en bescherming van persoonsgegevens”).
Internet
Rules to apply for the use of new media such as Bluetooth or other mobile messaging
The above mentioned regulations apply to the use of new media.
Moreover, there is a general requirement that, upon receipt of the (viral) advertising message, it
should be clear to the recipient that the message has an advertising purpose. The (viral) advertising
message should mention the word “publicité / reclame” [advertisement] as well as the identity and
address of the sender.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
71
SECTION II – Legal Overview - Bulgaria
Bulgaria
Major Current Data Protection Laws
Promulgated State Gazette No. 1/4.01.2002, effective 1.01.2002, supplemented,
SG No. 70/10.08.2004, effective 1.01.2005, SG No. 93/19.10.2004, No. 43/20.05.2005, effective
1.09.2005, amended and supplemented, SG No. 103/23.12.2005, amended, SG No. 30/11.04.2006,
effective 12.07.2006, amended and supplemented, SG No. 91/10.11.2006, supplemented, SG
57/13.07.2007, effective 13.07.2007, emended, SG No.42/05.06.2009
Expected time duration for registering marketing lists with the DPA
2 months
Registration costs
Registration as an administrator is free.
Common legal grounds for the processing of (non-sensitive) personal data for marketing
purposes
There must be a legitimate interest from the direct marketer.
Implied consent
Implied consent is acceptable in Bulgaria. A tick box is not a compulsory element.
Consent by data subject is required when using the following communication media: SMS, MMS,
EMAIL, Telephone, Fax, Mail
Sensitive Data: Required form of consent for the processing of sensitive data
There must be explicit consent from the physical person.
Types of data considered “sensitive”, apart from race, religion, politics, sexual interests,
health, and trade union memberships
Data about the ethic origin, philosophical conviction and genetic make-up of the data subject.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
72
SECTION II – Legal Overview - Bulgaria
Electronic Communication and the Opt-in
Common legal ground for the use of electronic messages for marketing purposes
Sending unwanted commercial communications to consumers without their prior consent is forbidden.
Electronic messages are regulated by the Electronic Commerce Law and by the Electronic
Communications Act. These two Laws transpose the provisions of Directive 2000/31/EC and of
Directive 2002/21/EC..
Purposes
When giving the purposes for processing personal data generic terms are acceptable.
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
Legally, the purposes for processing personal data only need to be given to prospective clients
Opt-out
The laws provide the right for the consumer to object to the processing of his/her personal data for
the purposes of direct marketing. It is not necessary to offer opt-out each time when approaching a
customer.
Data Storage
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
73
SECTION II – Legal Overview - Bulgaria
Penalties for breaching the rules on unsolicited electronic communications for Email are between
2500 - 5000 Euros.
The processor has to reply within a definite period and no response is considered a refusal for
access/rectification. Access may be denied if there is an adequate reason, and access by third parties
is restricted.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
74
SECTION II – Legal Overview - Denmark
Denmark
Major Current Data Protection Laws
Persondataloven (Personal Data Act)
There is no expected time duration for registering marketing lists with the DPA.
Common legal grounds for the processing of (non-sensitive) personal data for marketing
purposes
Implied consent
Implied consent is as a general rule is not acceptable in Denmark. In certain cases, the disclosure of
non-sensitive data may be deemed to be implied consent to the processing for which the data was
disclosed.
Consent by data subject is required when using the following communication media: SMS, MMS,
Email, Telephone (except if the call concerns the sale of insurances, books or newspapers/magazines
in which case consent is not required. The Robinson list must, however, still be observed), FAX, Mail
(normally consent is not required for Mail, unless the data subject has signed up to the Robinson list,
in which case consent is required).
Sensitive Data: Required form of consent for the processing of sensitive data
The consent must be explicit and informed.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
75
SECTION II – Legal Overview - Denmark
Types of data considered “sensitive”, apart from race, religion, politics, sexual interests,
health, and trade union memberships
Under the Personal Data Act, in addition to the above, there is a special category called "semi-
sensitive data", which covers data about criminal offences, serious social problems and other purely
private matters. In practice, “semi-sensitive data” are subject to the same limitations/conditions as
sensitive data.
Common legal ground for the use of electronic messages for marketing purposes
Consent, cf. Section 6(1) of the Danish Marketing Practices Act.
Opt-in is required for electronic communication for B-to-B marketing purposes is required for:
Automated Calling Machines, SMS, MMS, EMAIL, Telephone, FAX, Mail
Purposes
It is necessary to be precise when providing the purposes for processing personal data.
Generic terms
It is necessary to be precise to a certain extent.
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
The purposes only have to be stated once.
Opt-out
The opportunity to opt-out must be easy and free of charge.
Do you have to offer the opt-out each time when approaching the customer?
Yes, if the customer is approached by email. For communications by ordinary mail to consumers, the
opt-out must be stated in the first letter to the customer.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
76
SECTION II – Legal Overview - Denmark
Data Storage
Transfer of data from one company to another for marketing purposes requires active or passive
consent, depending on the categories of data being transferred.
Penalties
31. – (1) Where a person submits a request to that effect, the controller shall inform him whether or
not data relating to him are being processed. Where such data are being processed, communication
to him shall take place in an intelligible form about:
(2) The controller shall reply to requests as referred to in subsection (1) without delay. If the
request has not been replied to within 4 weeks from receipt of the request, the controller shall
inform the person in question of the grounds for this and of the time at which the decision can be
expected to be available.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
77
SECTION II – Legal Overview - Denmark
33. A data subject who has received a communication in accordance with section 31 (1) shall not be
entitled to a new communication until 6 months after the last communication, unless he can prove
that he has a specific interest to that effect.
34. – (1) Communication in accordance with section 31 (1) shall be in writing, if requested. In cases
where the interests of the data subject speak in favour thereof, the communication may, however,
be given in the form of oral information about the contents of the data. (2) The Minister of Justice
may lay down rules for payment of a fee for communications, which are given in writing by private
companies, etc.
The Robinson list is operated by the Det Centrale Personregister (CPR register). For more information
please visit: www.cpr.dk
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
78
SECTION II – Legal Overview - Estonia
Estonia
Major Data Protection Laws
The Constitution – basic principles
Personal Data Protection Act came, into force 01/01/2008
Public Information Act, came into force 01/01/2001
Information Society Services Act, came into force 01/05/2004
The processor of personal data is only required to register the processing of personal data with the
DPA in cases where the marketing list, or creation, involves the processing of sensitive personal data,
and the processor has not appointed (and informed the DPA) a person responsible for the protection
of personal data.
Expected time duration for registering marketing lists with the DPA:
Marketing lists do not have to be registered.
The registration of processing of sensitive personal data with the DPA (as referred to above) takes up
to 20 working days; but the DPA may extend this period by up to 10 working days. A registration
application shall be submitted to the DPA at least one month before processing of sensitive personal
data commences.
Registration costs
There are no specific fees for the registration of the processing of sensitive personal data.
Common legal grounds for the processing of (non-sensitive) personal data for marketing
purposes
As a general rule - processing of personal data is permitted only with the consent of the data subject,
unless otherwise provided by law.
The law provides that processing of personal data without the consent of a data subject is permitted,
if the personal data are to be processed:
1) on the basis of law;
2) for performance of a task prescribed by an international agreement or directly applicable
legislation of the EU Council or the European Commission;
3) in individual cases for the protection of the life, health or freedom of the data subject if
obtaining the consent of the data subject is impossible;
4) for performance of a contract entered into with the data subject or for ensuring the performance
of such contract, unless the data to be processed are sensitive personal data.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
79
SECTION II – Legal Overview - Estonia
In order to obtain valid consent the data subject shall be clearly informed of:
the data to which the permission relates,
the purpose of the processing,
the persons to whom the data may be transferred,
the conditions for communicating the data to third persons, and
the rights of the data subject concerning further processing of his or her personal data.
Silence or inactivity shall not be deemed a declaration of intention to grant the consent.
Before obtaining a data subject's consent for the processing of personal data, the processor of
personal data shall notify the data subject of the name, address and other contact details of the
processor of the personal data. If the personal data is to be processed by the chief processor and
authorised processor then the name of the chief processor and authorised processor or their
representatives, and the address and other contact details of the chief processor or authorised
processor shall be communicated and made available.
For processing sensitive personal data, the data subject must be informed that the data to be
processed are sensitive personal data, and the data subject's consent has be obtained in a format
which can be reproduced in writing.
A data subject has the right to prohibit, at all times, the processing of data concerning him or her for
the purposes of marketing research or direct marketing, and communication of data to third persons
who intend to use such data for market research or direct marketing.
In the case of a dispute it shall be presumed that the data subject has not granted consent for the
processing of his or her personal data. The onus is on the processor to provide proof of the consent of
a data subject.
Implied consent
The law says that silence or inactivity does not mean that consent has been given. Consent shall be
given in a format which can be reproduced in writing, unless this is not possible due to a specific
manner of data processing (the last exception does not apply to sensitive personal data).
Consent by data subject is required when using the following communication media
As a general rule under Personal Data Protection Act - any kind of data processing requires the
consent of the data subject.
In the case that the use of data involves sending commercial communications to natural persons (not
processing), then the Information Society Services Act provides the following rule - the service
providers may transmit digital commercial communications to natural persons through a public data
communication network only with the prior consent of the addressee. The term “public data
communication network” is not currently defined in the law, therefore we suggest that it is
interpreted widely to cover not just e-mail, but also telephone, SMS; MMS; and fax.
Thus, consent is required for SMS, MMS, EMAIL, Telephone, FAX but not for Mail.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
80
SECTION II – Legal Overview - Estonia
Sensitive Data: Required form of consent for the processing of sensitive data
For processing sensitive personal data, the person must be informed that the data to be processed is
sensitive personal data and the data subject's consent shall be obtained in a format which can be
reproduced in writing.
Types of data considered “sensitive”, apart from race, religion, politics, sexual interests,
health, and trade union memberships
Common legal ground for the use of electronic messages for marketing purposes
Information Society Services Act provides that a "Commercial communication" is any form of
communication designed to promote, directly or indirectly, the goods, services or image of a service
provider.
Service providers are permitted to transmit digital commercial communications to consumers (natural
persons) through a public data communication network only under the following conditions:
The service provider must record the consent, or refusal of an addressee. The obligation to prove the
consent rests with the service provider.
Purposes
The consent of the data subject shall clearly determine the purpose of the processing of the data.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
81
SECTION II – Legal Overview - Estonia
Generic terms
See section on “How consent is exercised by the data subject”. Provided those requirements are
fulfilled, there are no restrictions on the use of generic terms.
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
The purposes for processing should be stated each time data are collected or data are used for
alternate/additional purposes. It does not matter whether the data subject is an existing client or
not.
Opt-out
The consent of the data subject may be withdrawn by the data subject at any time. The law requires
that while asking for the consent of the data subject, the controller shall clearly state, among other
things, the rights of the data subject concerning further processing of his or her personal data and
his/her possibility to withdraw the consent at any time. (Personal Data Protection Act)
Information Society Services Act provides additional rules for transmission of digital commercial
communications to natural persons through a public data communication network. It states that when
sending commercial communications through the public data communication network the addressees
must be informed, in a clear and unambiguous manner, of the right (and how to exercise this right) to
cancel the commercial communications and there sender must provide the opportunity to exercise
this right.
Do you have to offer the opt-out each time when approaching the customer?
In case of general data processing, when covered by wider consent of the data subject, there is no
such need, as the right of the data subject to withdraw the consent was offered when the consent
was obtained.
In case of sending commercial communications to natural person through a public data communication
network, then the Act provides the additional rule, described above, which specifically requires that
the opt-out must be offered.
Data Storage
There are no additional rules for on-time collection of data on the internet
The processor of personal data is required to provide a data subject with information and the
requested personal data, or state the reasons for refusal to provide data or information, within five
working days after the date of receipt of the corresponding request.
The rights of a data subject to receive information and personal data concerning him or her upon the
processing of the personal data shall be restricted only if this may:
1. damage rights and freedoms of other persons;
2. endanger the protection of the confidentiality of the filiation of a child;
3. hinder the prevention of a criminal offence or apprehension of a criminal offender;
4. complicate a criminal proceeding.
A data subject has also the right to demand the correction of his/her inaccurate personal data from
the processor.
The processor must immediately perform the correction and notify the data subject that that has
been done. Reasons for denial shall be provided to the data subject.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
83
SECTION II – Legal Overview - Finland
Finland
Major Data Protection Laws
The Personal Data Act requires that the purpose of processing personal data; the regular sources of
personal data; and the regular recipients of the personal data shall be defined before personal data,
which are intended to be recorded, are collected. Personal data must not be used or otherwise
processed in a manner incompatible with these purposes. The controller has to describe the personal
data files for which it (he/she) is responsible.
The Data Protection Ombudsman (DPA) has right of access to personal data that are being processed
and also has the right to inspect personal files. The Personal Data Act contains provisions on the
processing of personal data for special purposes such as research, statistics, official plans and reports,
direct marketing and other personalized mailing.
All direct marketing and other personalized mailing files stored in a relevant system (an ADP system)
must be notified. The duty to notify the DPA does not apply to the files concerning data subjects who
are a client or member of, or in the service of, the controller or, if the data has been entered into
the register with the consent of the data subject. There is a light notification procedure, the model
form is available at the DPA‟s website.
Non-Sensitive Data
Opt-in is just one ground for collecting/processing non-sensitive data. General processing purposes
like relevant connection and collection of payment, etc. are mentioned in the PDA (Article 8).
Opt-in is generally required for email, SMS, MMS and other so-called automatic systems such as
communications via fax where the marketing is targeted to consumers.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
84
SECTION II – Legal Overview - Finland
However, there is an exception for e-mail, text, voice, sound or image messages where the service
provider or product seller obtains the consumer‟s contact information in the context of the sale of a
product or service. In such cases that marketer may use this contact information for direct marketing
of its own similar products or services and for those products in the same product group. This
exception only applies if the marketer provides the consumer with the opportunity to opt-out, easily
and at no charge, from future marketing at the time when the data are collected, and in any
subsequent e-mail, text, voice, sound or image message.
Purposes
Basic purposes in common terms should be given.
Religion, Trade Union Members, Race, Politics, Sexual Interests, Health, Criminal act, punishment
or other criminal sanction, Social welfare of a person or the benefits, support or other social
welfare assistance received by the person.
Data Storage
There are no specific limits on the retention periods for data. It depends on the defined purposes of
processing and the duration of the relationship with the customer, which may vary in different sectors
of business.
The DPA may impose a conditional fine to enforce his right of access to a data file and to enforce his
decision on the data subject‟s right of access and right to have erroneous data corrected. At the
request of the DPA, the Data Protection Board may prohibit processing of personal data which is
contrary to the provisions of this Act or the rules and regulations issued on the basis of this Act. The
Board may enforce its decision with a conditional fine. In addition, certain breaches of the data
protection legislation are subject to penal sanctions.
Section 29 – Rectification
1. The controller shall, on its own initiative or at the request of the data subject, without
undue delay rectify, erase or supplement personal data contained in its personal data file
and erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing.
The controller shall also prevent the dissemination of such data, if this could compromise the
protection of the privacy of the data subject or his/her rights.
2. If the controller refuses the request of a data subject to rectify of an error, a written
certificate to this effect shall be issued. The certificate shall also mention the reasons for
the refusal. In this event, the data subject may bring the matter to the attention of the Data
Protection Ombudsman.
3. The controller shall notify the rectification to the recipients to whom the data have been
disclosed and to the source of the erroneous personal data. However, there is no duty of
notification if this is impossible or unreasonably difficult.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
86
SECTION II – Legal Overview - Finland
Section 30 - Right to prohibit processing.
A data subject has the right to prohibit the controller to process personal data for purposes
of direct advertising, distance selling, other direct marketing, market research, opinion
polls, public registers or genealogical research.
If discounts, additional benefits or other specific benefits are offered in the marketing, or if the
marketing involves lottery, prize contests for the public, or games, the conditions for receiving the
benefits or for participating in the lottery, contest or game shall be stated in a clear and
comprehensible manner and be easily accessible (461/2002).
Other Regulation
Public authorities have to follow rules regarding the Swedish and Sami languages.
Other Information
The Finnish Direct Marketing Association (FDMA) approved, in June 2000, the Code of Practice for the
use of personal data in B to C marketing. The Code is based on the Personal Data Act. The Act states
that the controllers of the personal data files or their representatives may draft Sectoral codes of
practice for the application of the Act and the promotion of good processing practice. The Data
Protection Ombudsman has stated that the Code of Practice is in conformity with the Act and other
provisions relating to the processing of personal data.
FDMA, with three other organisations, published in December 2002 the Code of e-Commerce, which
also contains guidelines regarding on-line marketing and data protection issues. FDMA has also
published two Codes on Telemarketing in March 2004, updated in 2008 and complemented with a
separate supplement in 2009. FDMA has issued further guidelines on mobile marketing in 2008, which
also address data protection issues.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
87
SECTION II – Legal Overview - France
France
Major Current Data Protection Laws
The Data Protection Act No. 78-17 of 6 January 1978 (La Loi relative à l‟Informatique, aux fichiers et
aux libertés) is the cornerstone of data protection in France. It was amended by a bill implementing
the European Directive No. 95/46/EC of 24 October 1995 into French law. This bill was published on 6
August 2004. A draft Bill is presently before the Senate and time of writing (February 2010), which
will make new changes to the data privacy rules for e-communications following the recent adoption
of the EU Telecoms Package.
In some cases, exemptions are granted and no notification is required. In other cases, only a
simplified notification must be provided. A controller must therefore check whether his processing of
personal data needs to be notified to the CNIL and, if this is the case, which of the above categories
his processing falls. When a company contracts with a French data processor, the contract must
contain clauses addressing the data protection obligations. Since the of 6 August 2004, any company
having appointed a personal data protection officer (“correspondant Informatique et Libertés (CIL)”)
is exempt from the declaration formalities, except where data are transferred outside of the EU.
According to this Act, the CNIL keeps a record of all databases registered. Any member of the public
can consult this record, which contains the major characteristics of the registration.
In addition, in most cases, the data subject must consent to the collection and processing of his data.
Collecting sensitive data without the data subject‟s consent is usually prohibited. This involves data
referring directly or indirectly to racial or ethnic origin, political opinions, philosophical or religious
beliefs or trade-union membership or data concerning health or sex life (sensitive data). However,
derogations are possible. In all cases involving the processing of sensitive data, authorisation from the
CNIL is required.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
88
SECTION II – Legal Overview - France
Opt-In, Opt-out
Specific provisions apply to the electronic sending of direct marketing information. Direct marketing
by phone, fax or automatic calling machine is today governed by two distinct bodies of law, the
Consumer Code and the Posts and Telecommunications Code.
The law on the Confidence in Digital Economy, adopted by the Parliament on 21 June 2004, provides
the following (Law No. 2004-575 Article 22-I4):
-“Sending direct marketing by automated calling system, fax machines or electronic mails by
using, in any form whatsoever, the contact information of an individual who has not express
his prior consent to the receipt of direct marketing materials via this mean is strictly
prohibited”.
Another interesting point of the Confidence in Digital Economy Bill is that it defines “consent”: “For
purposes of this Article, „consent‟ shall mean any freely given specific and informed indication of his
wishes by which the data subject signifies his agreement to personal data relating to him used for
direct marketing purposes.” (Article 22.5)
Direct marketing sent by those means must obtain the prior consent of the data subjects. The new
law thus adopts an "opt-in" approach for the internet user to receive advertising messages.
Exemptions are nevertheless provided for emailing. Companies may send advertising messages to their
clients for "similar products and services" to those previously purchased by these clients on the
condition that:
“the recipient is expressly and unambiguously offered the possibility, at no cost, except
those related to the transmission of the refusal, to object in a simple manner to the use of
his contact information when the latter are collected and every time a direct marketing
electronic mail is sent to him”.
Data Storage
For computerised data storage, the law states that data shall be stored for a period no longer than is
necessary for the purposes for which they are obtained and processed.
Security of Data
The data controller must ensure the security of the collected and processed data by, in particular,
protecting the network from unauthorised access and by protecting the data. Where data are
disclosed to third parties, the data controller must complete a very detailed document concerning the
IT environment which will be attached to its CNIL declaration.
Penalties
Penalties may be imposed either by the CNIL (French Data Protection Authority) or by the criminal
courts. The penalty imposed by the CNIL must be proportional to the severity of the breaches
committed and the profits obtained from the breach. In case of a first breach, the penalty may not
exceed 150,000 Euros. In the event of a second breach within five years from the date on which the
preceding penalty was imposed, it may not exceed 300,000 Euros.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
89
SECTION II – Legal Overview - France
The processing of personal data without complying with the French Data Protection Act, is punishable
by five years‟ imprisonment and a fine of up to 300,000 Euros, for individuals, and up to 1,500,000
Euros for legal entities.
Where the criminal courts and the CNIL pursue actions against a controller for a breach on the same
or related facts, the criminal courts have the power to order that the fine they impose is reduced by
an amount equivalent to the CNIL penalty .
Under the Penal Code it is prohibited to “(i) send to someone any good, (ii) without
permission, (iii) where the goods are accompanied by a letter indicating that the goods may
be accepted on the payment of a fixed price or returned to the sender, even if there is no
cost to return the goods.” This action may be punished by a fine of up to 1,500 Euros.
Under the Consumer Code it is prohibited to demand money for any good or service from a consumer,
without prior order from the consumer. In such circumstances, the consumer will not be obliged to
pay the money and the vendor must reimburse any money paid by the consumer.
The practice known as “pyramid selling” is prohibited. This consists, in particular, of offering the
public goods in the hope that they may obtain goods free of charge or cheaper than their real value
and making the sales subject to the placing of forms or tickets with third parties or the collection of
memberships or registrations, or of proposing to persons that they collect memberships or register on
a list in the hope of financial gain resulting from a geometric progression of the number of people
recruited or registered. (Article L.122-6 of the Consumer Code)
The Consumer Code also prohibits, in its article L.121-35, the sale or offer for sale of goods or any
provision, or offer to provide services made to consumers and giving entitlement, free of charge,
immediately or at the end of a fixed period, to a bonus consisting of products, goods or services, if
these are identical to those forming the subject of the sale or the service provision.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
90
SECTION II – Legal Overview - Germany
Germany
Major Current Data Protection Laws
Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), Version of 14.8.2009
Telemedia Service Act (Telemediendienstegesetz, TMG) Version of 14.8.2009
Telecommunication Act (Telekommunikationsgesetz, TKG) Version of 14.8.2009
Furthermore, every company with more than 9 people permanently dealing with automated
processing of personal data, or any company with more than 20 employees, is obliged to register with
the DPA unless it appoints a Data Protection Officer (DPO).
Expected time duration for registering marketing lists with the DPA:
3 – 6 weeks, if necessary
Registration costs
There are no registration costs when registering with the DPA.
Common legal grounds for the processing of (non-sensitive) personal data for marketing
purposes
Balance of Interest Clause, Sect. 28 SS. 1 No. 2 BDSG.
Consent of the data subject is necessary to create a detailed profile for marketing purposes
Implied consent
Implied consent is acceptable in Germany. However, this is on the precondition that the controller
has clearly informed the data subject about the further use of the contact details presented.
Consent by data subject is required when using SMS, EMAIL, MMS, Telephone (for B2B assumed
consent), Fax.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
91
SECTION II – Legal Overview - Germany
Required form of consent for the processing of sensitive data
In Germany, it is required to have consent in writing.
Types of data considered “sensitive”, apart from race, religion, politics, sexual interests,
health, and trade union memberships
This definition is slightly modified in Sect. 3 SS. 9 BDSG as it includes race and ethnic origin, and
religion or philosophical beliefs.
Common legal ground for the use of electronic messages for marketing purposes
There must be consent from the recipient of the electronic messages.
A company has received the email address in the context of the sale of a product or a service,
The company uses the email for direct marketing of its own similar products or services,
The customer has not objected the use of the email address, and
The customer has clearly and distinctly been informed about the opportunity to opt out the use of
the email address upon collection and upon each use of the email address.
Purposes
Purposes
When giving the purposes for processing personal data, it is necessary to be precise.
Generic terms
These terms are commonly used, but the DPA requires a more detailed description of a consent clause
especially when a data warehouse is established.
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
The purposes only have to be given when collecting personal data from prospective clients and not
from existing clients, however the existing clients will have to be informed of the opportunity to opt-
out within each email sent to him based on the soft opt-in.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
92
SECTION II – Legal Overview - Germany
Opt-out
There are no legal requirements on how opt-out is exercised. Normally controllers mention a certain
postal address or an email address for exercising an opt-out.
Do you have to offer the opt-out each time when approaching the customer?
Yes.
Data Storage
Penalties
Expected time duration for registering marketing lists with the Data Commission:
The notification is effective immediately upon submission, provided the processing and collection
does not involve sensitive data.
Registration costs
No costs to register marketing lists.
Common legal grounds for the processing of (non-sensitive) personal data for marketing
purposes
Consent from the Data Subject must be obtained.
Implied consent
Implied consent is not acceptable..
Consent by data subject is required when using SMS, MMS, Email, Telephone, Fax and Mail.
Sensitive Data: Required form of consent for the processing of sensitive data
The collection and processing of sensitive data is generally prohibited. However, the collection and
processing of sensitive data, as well as the establishment and operation of the relevant file, will be
permitted by the DPA, when certain conditions are met including the specific explicit consent of the
Data Subject.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
94
SECTION II – Legal Overview - Greece
Electronic Communication and the Opt-in
Common legal ground for the use of electronic messages for marketing purposes
There is no way to opt-in for all electronic messages, except e-commerce when the specific website
provides such a facility.
There is no soft opt-in for electronic communications. There are no rules on electronic
communication for B-to-B marketing purposes.
Purposes
Personal Data, in whatever medium, in order to be lawfully processed, must be: (a) collected fairly
and lawfully for specific, explicit and legitimate purposes, and fairly and lawfully processed in view of
such purposes, (b) adequate, relevant and not excessive in relation to the purposes for which they are
processed at any given time, (c) accurate and, where necessary, kept up to date, (d) kept in a form
which permits identification of Data Subjects for no longer than the period required, according to the
DPA, for the purposes for which such data were collected or processed.
Generic terms
Generic terms are not acceptable when giving purposes.
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
If the purposes for processing personal data have altered and/or changed then existing and
prospective clients must be notified again.
Do you have to offer the opt-out each time when approaching the customer?
The opt-out must be offered each time when approaching a customer.
Data Storage
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
95
SECTION II – Legal Overview - Greece
Time limits on holding data
Greek Law expressly states that personal data should be kept “for no longer than the period
required, for the purposes for which such data were collected or processed. Once this period of time
is lapsed, the Authority may, by means of a reasoned decision, allow the maintenance of personal
data for historical, scientific or statistical purposes, provided that it considers that the rights of the
data subjects or even third parties are not violated in any given case”. Personal data collected by
CCTV however cannot be kept for longer than 15 days.
Penalties
National penalties which the national DPA can apply, including Penalties for breaching the rules
on unsolicited Email messages
Fines and penal responsibility for data managers.
INFORMATION
The Controller must, during the stage of collection of Personal Data, inform the Data Subject in an
appropriate and express manner of the following data:
ACCESS
All persons are entitled to know whether Personal Data relating to them are being processed or have
been processed. The Controller must respond in writing to any enquiry.
OBJECT
The Data Subject shall be entitled to object at any time to the processing of data relating to him.
Such objections shall be addressed in writing to the Controller and must contain a request for a
specific action, such as correction, temporary non-use, locking, non-transfer or deletion. The
Controller must reply in writing within a deadline of fifteen days.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
96
SECTION II – Legal Overview - Hungary
Hungary
Major Current Data Protection Laws
Act No LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interest
(Data Protection Act)
Act CXIX of 1995 on the Use of the Name and Address Information for Research and Direct
Marketing (Direct Marketing Act)
Act XLVII of 2008 on Unfair Commercial Practices against Consumer (UCP-Act)
Act XLVIII of 2008 on the Essential Conditions of and Certain Limitations to Business Advertising
Activity (Advertising Act)
Act CVIII of 2001 on on certain issues of electronic commerce services and information society
services (E-Commerce Act)
Act C of 2003 on Electronic Communications
Expected time duration for registering marketing lists with the DPA:
Registration (release of the DP registry number) might take 12-18 weeks following the filing of the
notification.
Registration costs
There are no registration costs/charges
Common legal grounds for the processing of (non-sensitive) personal data for marketing
purposes
Prior, express, specific, voluntary and informed consent of the individual to marketing
communications must be obtained. (The Advertising Act and the Data Protection Act.)
Implied consent
In relation to recipients of communications who are also natural persons, implied consent is not valid
under the law, since the consent must be clear and express. However, implied consent is acceptable
in relation to legal entities (including legal entities without legal personality).
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
97
SECTION II – Legal Overview - Hungary
Consent by data subject is required when using SMS, MMS, Email, Telephone and Fax. For the
Direct Mail opt out is allowed for bulk mailings (over 500 items), but opt in is still required for
non-bulk mailings.
Sensitive Data: Required form of consent for the processing of sensitive data
Sensitive data cannot be processed in relation to marketing activities.
Common legal ground for the use of electronic messages for marketing purposes
As previously stated, prior, express, specific, voluntary and informed consent is required.
Rules on electronic communication for B-to-B marketing purposes: If the mobile phone or email
address provided by a company to a person can be used also for private purposes, then consent from
the person is necessary. Without this consent their data cannot be used for marketing purposes.
Consent (Opt-in) is required for Automated Calling Machines (both natural and legal person); Fax
(Opt-out, in case of legal persons and persons without a legal personality); Email Opt-in (in case of all
natural person and Opt-out in case of legal persons (including persons without legal personality)); SMS
(Opt-in in case of natural persons and Opt-out in case of legal persons (including persons without
legal personality)); MMS (the same as for SMS, EMAIL).
The law does not recognize B2B communications in the electronic marketing context, since the opt-in
requirement generally applies to all kind of natural persons even if the individual subscribed to the
marketing e-mail in his capacity as a professional.
Purposes
The controller must precisely state the purposes for processing personal data, in clear language. The
Direct Marketing Act provides that the purposes shall be provided in written form to the recipients.
Generic terms
Generic terms are acceptable (e.g. direct marketing, market research, etc.)
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
98
SECTION II – Legal Overview - Hungary
Notifying when Collecting Data
The Direct Marketing Act also lays down requirements as to the information to be provided to data
subjects. This information must be provided in writing and shall include detailed information on the
source of data, the time, method, purpose as well as the duration of data processing and details as to
the identity of the data controller and any data processors. Furthermore, the notice shall state that
the data processing is voluntary and that the data subject may at any time request deletion of his/her
personal data.
All advertisements must be clearly identified as marketing material. The law requires the inclusion of
this information in the subject line of the message. If the marketing e-mail involves a promotion,
promotional game or prize draw, the conditions of rebates, gifts, prize draws or games shall be also
clearly disclosed. The conditions of participation in a prize draw or promotional game must be made
easily available to the recipients;
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
No, in the case of existing clients, the purposes do not have be stated in every communication,
provided that the client is clearly aware of the purpose of the message.
Opt-out
There must be the possibility to opt-out in each marketing message.
Do you have to offer the opt-out each time when approaching the customer?
Yes. All marketing messages must clearly and conspicuously state the e-mail and postal address of the
sender where opt-out requests may be sent if the recipient does not wish to receive further marketing
messages. This information must be provided in every marketing message.
Penalties
On the part of the National Communication Authority the maximum fine is 500 000 HUF, however, the
authorities have the power to impose this repeatedly.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
99
SECTION II – Legal Overview - Hungary
The addressee of unsolicited e-mails may file an action before the ordinary courts with respect to the
infringement of general personal rights. If the Court finds that the personal rights/privacy rights have
been infringed, it can issue a cease and desist order, require the organisation to give satisfaction,
impose a public fine (the amount of which is not limited); or the court may award immaterial and
material damages to the claimant.
Finally, regarding illegal data trafficking, it must be noted that the Hungarian Penal Code (Act IV of
1978) criminalises the misuse of personal data (up to one year imprisonment) if committed for
unlawful personal benefit or if it causes significant detriment to the data subject.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
100
SECTION II – Legal Overview - Ireland
Ireland
Major Current Data Protection Laws
The Data Protection Act 1988 as amended by the Data Protection (Amendment) Act 2003 (referred to
as “DP Acts”)
Expected time duration for registering marketing lists with the DPA:
If all information required is provided registration can be done within a week.
Registration costs
The cost of registration depends on the number of employees in an organisation.
Common legal grounds for the processing of (non-sensitive) personal data for marketing
purposes
Personal data may be processed for marketing purposes, where the following four conditions are met:
Condition 3. Fairness
The data must be obtained fairly and processed fairly. Where a data controller is obtaining data from
the data subject, processing of that data will only be considered fair where the data controller
ensures that the following information is readily available to the data subject:
The identity of the data controller;
The identity of the data controller‟s representative for the purposes of the DP Acts (if any);
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
101
SECTION II – Legal Overview - Ireland
The purpose or purposes for which the data are intended to be processed;
The persons or categories of persons to whom the data may be disclosed;
Whether replies to questions asked are obligatory and the consequences of not providing replies
to those questions;
• the existence of the right of access to their personal data;
• the right to rectify their data if inaccurate or processed unfairly; and
any other information which is necessary, having regarding to the specific circumstances in which
the data are to be processed, such as, information as to the recipients or categories of recipient
If the data controller does not obtain the data from the data subject, processing will only be fair
where all the above information is provided to the data subject and they must also be informed of the
identity of the original data controller from whom the information was obtained and the categories of
data concerned.
Condition 4: Compliance with Request that Processing for Direct Marketing Ceases
In respect of data held for direct marketing purposes, the DP Acts places a specific obligation on the
data controller to cease processing the data within specific timetables, if requested by the data
subject.
Implied consent
Implied consent is acceptable in Ireland but it can be withdrawn at any stage.
Consent by data subject is required when using SMS, MMS, Email, Fax and Mail, Telephone:
although first check the National Directory Database.
Consent for any processing is always required, unless consent does not need to be obtained, because
the processing falls within certain necessity grounds set out in the DP Acts
Sensitive Data: Required form of consent for the processing of sensitive data
In respect of the nature of consent in respect of processing sensitive data, the Commissioner notes:
“When processing sensitive personal data, the level of consent must be explicit. This means
that a data subject must be aware of and understand the purposes for which his/her data are
being processed. Explicit consent need not require a data subject to sign a form in all cases.
Consent can be understood to be explicit where a person volunteers personal data after the
purposes in processing the data have been clearly explained. Thus a clear explanation on a
form, a web page, or the delivery of a script by properly trained telephone staff might be
sufficient to demonstrate consent has been explicitly given.”
Types of data considered “sensitive”, apart from race, religion, politics, sexual interests,
health, and trade union memberships
Philosophical beliefs, ethnic origin, the commission or alleged commission of any offence by the data
subject or any proceedings for an offence committed or alleged to have been committed by the data
subject, the disposal of such proceedings or the sentence of any court in such proceedings.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
102
SECTION II – Legal Overview - Ireland
Electronic Communication and the Opt-in
Common legal ground for the use of electronic messages for marketing purposes
Specific rules govern the use of email and mobile phone numbers for unsolicited direct marketing.
The Irish rules on email and SMS unsolicited direct marketing are based on the concept of a
“subscriber”. A subscriber can be a natural person or legal entity, but, either way, he or she or it,
will only be a “subscriber” if he/she/it are the party to a contract with the provider of the publicly
available electronic communications services.
So, an individual at home, presuming that they have signed the contract with the telephone company
for the telephone service, would be a subscriber in respect of their home telephone number. By way
of contrast, they would in all likelihood not be a subscriber with respect to their work telephone
number, as more than likely, that person‟s employer will be the party to the contract with the
telephone provider.
Unless certain conditions are met (sometimes referred to as the Soft Opt-In Condition – as set out
below), a marketer requires opt-in consent to send unsolicited emails or SMS messages for the purpose
of direct marketing to a subscriber who is a natural person.
Opt-out consent is only required if a marketer is sending unsolicited emails or SMS messages for the
purposes of direct marketing to a subscriber who is not a natural person.
The mobile phone number or email of the consumer was obtained by the marketer in accordance
with the DP Acts and specific regulations on email and SMS marketing;
Explicit consent was given within the last 12 months;
The consumer is of a customer of the marketer;
The consumer‟s mobile phone number or email is obtained in the context of a sale of a product or
service;
The consumer‟s mobile phone number or email are only used for direct marketing of the
marketer‟s own similar products or services; within the last 12 months;
The consumer is clearly and distinctly given the opportunity to object, in an easy manner and
without charge, when the mobile phone or email address is collected;
The consumer is clearly and distinctly given the opportunity to object, in an easy manner and
without charge on the occasion of each message, if the customer does not initially refuse the use
BtoB marketing requires the opt out for approaches by any media.
Purposes
The DPA has indicated that where the data controller is collecting the data, the purpose for
processing must be given at the time of collection. The DPA further notes that:
“If a data controller has information about people and wishes to use it for a new purpose
(which was not disclosed and perhaps not even contemplated at the time the information was
collected), he or she is obliged to give an option to individuals to indicate whether or not
they wish their information to be used for the new purpose.”
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
103
SECTION II – Legal Overview - Ireland
Different rules apply if the personal information is not obtained from the data subject. In that case,
the data subject must be informed of the purpose of processing not later than the time when the data
controller first processes the data or if disclosure of the data to a third party is envisaged, not later
than the time of such disclosure.
Generic terms
Once it is clear to the data subject the purpose of processing, generic terms are acceptable.
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
Both prospective and existing clients will need to be informed of the purpose of processing personal
data.
Opt-out
There are no set rules regarding the exercise of opt-out. It can take the form of any communication
of an objection to processing, or a wish not to be included within data processing. So it can range
from telephoning the data subject, to writing to them, or by ticking a tick box.
Do you have to offer the opt-out each time when approaching the customer?
No, once they have given their consent, that is sufficient, however, opt out must always be given in
respect of email and SMS marketing if relying on the Soft-Opt In basis for unsolicited direct marketing
by email and SMS.
Data Storage
Security of data
The DP Acts provide that as a condition to processing, appropriate security measures be taken against
unauthorized access to or unauthorized alteration, disclosure or destruction of the data, in particular
where the processing involves the transmission over a network.
In assessing the appropriate security measures, and in particular, where processing involves
transmission of data over a network, a data controller may have regard to the state of technological
development and the costs of implementing the measures and shall ensure a level of security
appropriate to:
the harm that might result from unauthorized or unlawful processing, accidental or unlawful
destruction or accidental loss of, or damage to the data; and
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
104
SECTION II – Legal Overview - Ireland
the nature of the data concerned.
The data controller or processor must ensure that persons employed by them and other persons at
the place of work are aware of and comply with relevant security measures.
Where a processor is carrying out processing for a controller, the data controller must ensure that
the processing is carried out as the result of a written contract, which contains provisions that the
controller complies with relevant security obligations; and
the processor provides sufficient guarantees in respect of the technical security measures and
organisational measures governing the processing; and
the processor takes reasonable steps to ensure compliance with the measures.
Further, an undertaking providing a publicly available electronic communications service must take
appropriate technical and organisational measures to safeguard the security of its services, if
necessary in conjunction with undertakings from those upon whose networks such services are
transmitted with respect to network security. These measures must ensure the level of security
appropriate to the risk presented, having regard to the state of the art and the cost of their
implementation.
The Copyright and Related Rights Act 2000 (as amended) provides protection in respect of databases
where there has been a substantial investment in obtaining, verifying or presenting the contents of
the database. It is a breach of the rights in a database if a person extracts or reutilises the database
without the consent of the owner of the rights in the database. This is known as the sui-generis
database right.
For the purpose of copyright and sui-generis protection "database" is defined as a collection of
independent works, data or other materials, arranged in a systematic or methodical way and
individually accessible by any means but excludes computer programs used in the making or operation
of a database.
Section 9(1) of Criminal Justice (Theft and Fraud Offences) Act 2001 contains a general offence in
respect of a person who dishonestly, whether within or outside the State, operates or causes to be
operated a computer within the State with the intention of making a gain for himself or herself or
another, or of causing loss to another.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
105
SECTION II – Legal Overview - Ireland
The Criminal Damage Act 1991 contains an offence of unauthorized access to a computer. The Act
also includes “data” within its definition of property, and so makes it an offence to damage data.
Damage is defined as to:-
“Add to, alter, corrupt, erase or move to another storage medium or to a different location
in the storage medium in which they are kept (whether or not property other than data is
damaged thereby) or . . .do any act that contributes toward causing such addition,
alteration, corruption, erasure or movement …”
Penalties
Requiring someone to make an access request in connection with recruitment, employment or the
provision of services;
Failing or refusing to comply with a requirement of an enforcement notice;
Failing to comply with a prohibition contained in a prohibition notice;
Failing or refusing to provide information as required by an information notice or knowingly
providing false information in response to an information notice;
Processing personal data where it may cause in the opinion of the Commissioner substantial
damage or substantial distress to data subjects, without compliance with conditions laid down by
the Commissioner;
The keeping and processing of personal data by a data controller who is required to register under
the DP Acts and fails to so register;
Failing to notify the change of address of a data controller registered under the DP Acts;
Providing information known to be false and misleading in respect of an entry in the register;
Disclosure of data by a data processor without the prior authority of the data controller;
Disclosure of data by a person whom obtains it without the authority of the data controller or
data processor; and
Obstructing or impeding an authorised officer of the Commissioner.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
106
SECTION II – Legal Overview - Ireland
In addition, where a data subject makes an access request, they are entitled to receive in intelligible
form, relevant personal data, and any information known or available to the data controller as to the
source of those data; and the following information:
whether data processed on behalf of the data controller includes personal data relating to them;
if the data controller is processing the subject‟s personal data, the data subject is entitled to a
description of:
An individual has the right to request in writing, that a data controller rectify, block or erase any data
in relation to which there has been a breach of the data protection principles.
An individual is may write at any time to the data controller to request it to cease within reasonable
time, or not to begin, processing or processing for a specified purpose, or in a manner specified by
the individual, any personal data in respect of which they are the data subject where the processing
is likely to cause damage or distress. This right of objection only applies to processing that is
necessary:-
1. For the performance of a task carried out in the public interest or in the exercise of official
authority vested in the data controller or in a third party to whom the data are or are to be
disclosed; or
2. For the purposes of the legitimate interests pursued by the data controller to whom the data are
or are to be disclosed, unless those interests are overridden by the interests of the data subject in
relation to fundamental rights and freedoms and, in particular, their right to privacy with respect
to the processing of personal data.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
107
SECTION II – Legal Overview - Italy
Italy
Major Current Data Protection Laws
“Personal Data Protection Code”, Legislative Decree No. 196 of June 30, 2003 (hereinafter “PDPC”).
The notification to the DPA must be submitted only once, prior to starting the processing, regardless
of the number of operations to be performed, the duration of the processing and it may concern one
or more processing operations for related purposes also in case of transfer of data abroad. It must be
transmitted via electronic networks by using the form made available by the DPA on its website
(https://web.garanteprivacy.it/rgt/.) and following the instructions indicated therein, also with
regard to the arrangements applying to digital signature and receipt confirmation. The relevant
provisions in connection with the registration with the DPA are set forth in Sections 37, 38, 154,
paragraph 1, l), 163, 168, 181, para. 1 c), 16, 162, para. 1, of the PDPC. Please notice that such
obligation stands on the subjects processing certain kind of data, depending on the way the data are
processed but irrespective of the specific number of marketing lists. In other terms it is not a list to
be notified but a subject (data controller) and the way a certain data controller is processing the data
it has been collecting.
Only some categories of data processing must be notified to the DPA. In particular, the processing of
personal data must be notified to the DPA if such processing concerns (Section 37 of the PDPC):
The DPA, in its resolution of 31st March 2004, specified that the data controller does not have to
notify the processing of personal data stored in databanks and used for supplying the data subject
with goods or services, or for accounting or tax purposes (including cases of breach of an agreement
entered into with the data subject, debt collection and legal disputes vis-à-vis the data subject.)
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
108
SECTION II – Legal Overview - Italy
Expected time duration and costs for registering marketing lists with the DPA:
1 – 3 weeks; The cost involved is 150.00 Euros.
Non-Sensitive/Sensitive Information
Common legal grounds for the processing of (non-sensitive) personal data for marketing
purposes
The use of automated calling systems, without human intervention, for the purposes of direct
marketing or sending advertising materials or else for carrying out market surveys or interactive
business communication shall only be allowed with the data subject‟s consent (opt-in.) (Section 130
paragraph 1 of the PDPC)
The data subject‟s consent can be orally expressed but it must be proved in writing. The data
subject‟s consent is not required when the processing is necessary to perform obligations arising from
a contract entered into by the data subject or in order to comply with specific requests made by the
data subject prior to entering into a contract (Section 24 PDPC). In this case, nevertheless, the
subject has the right to be informed as to the purposes of the processing of his/her data and to object
to the processing of his/her data.
In case of direct mail addressed to a consumer under a business-to-consumer scheme (“B2C”), the use
of telephone, email, automated calling system, without human intervention or fax by a good supplier,
always requires the consumer‟s prior consent (Article 58 paragraph. (Legislative Decree No. 206 of 6th
September 2005 (“Consumer Code”))
However, distance sale communications other than those mentioned above, if personally addressed,
can be used by a good supplier if the consumer does not explicitly oppose to them (Article 58
paragraph. 2 of the Consumer Code.) A subsequent law No. 51 of 23 rd February 2006, clarified that
Article 58 paragraph. 2 of the Consumer Code shall apply derogating from the provisions of the PDPC.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
109
SECTION II – Legal Overview - Italy
Further to this subsequent legislative intervention, in case of direct mail the data subject‟s previous
consent has become irrelevant. Therefore, companies are entitled to contact consumers by direct
mail addressed to them until do expressly object (opts out).
A decision issued by the DPA on June 19th, 2008, which covers B2C schemes and B2B as well, the
suppliers of good or services are entitled to use the ordinary mail address provided by their
customers, for direct marketing, in order to carry out market research and in order to send
commercial communications, provided that the activities relate to products or services which are
similar to the ones previously sold to the recipients by the suppliers.
The data subject must be adequately informed of the possibility not to receive further commercial
communications when the data are collected and in subsequent communications, a soft opt-in.
Implied consent
Implied consent is usually not accepted. A tick-a-box on a form is the minimal form of evidence that
the consent has been given and it is normally used in case of distance sales (e.g. direct marketing on
the telephone or on internet).
Processing by telephone of the data contained in publicly available paper or electronic directories,
for direct marketing purposes, shall be allowed for consumers or other entities who have not opted
out in the public register, via simplified mechanisms including the use of electronic networks.
(Section 130 paragraph 3 bis of the PDPC).
Such an opt out list shall be set up by a decree of the President of the Republic, still to be adopted,
in accordance with general standards and principles. Marketers must ensure presentation of calling
line identification and provide the appropriate information to users, specifically in relation to the
possibility and arrangements to have their data entered in the register so as to object to being
contacted in future.
The DPA expressed its concerns with regard to the new amendment to Section 130 PDPC - added on
November 20th, 2009 – as it represents a considerable exception to the opt in principle and specified
that, until the opt out list is set up, the only data banks that can be used lawfully for direct marketing
purposes, without an express consent of the data subjects, will be the ones created on the basis of
telephone directories issued before August 1st, 2005.
Consent for any processing is always required, unless consent does not need to be obtained
because the processing falls within certain necessity grounds set out in Section 24 of the PDPC.
However, there are two exceptions: Telephone (consent is not needed only for the cases covered by
Section 130 paragraph 3 bis of the PDPC); Mail ( consent is not needed only for the cases covered by
Section 58 paragraph. 2 of the Consumer Code and/or decision of the DPA on June 19 th, 2009)
Sensitive Data: Required form of consent for the processing of sensitive data
The general rule applied to the processing of sensitive data requests the data subject‟s prior consent
expressed in writing and subject to the DPA authorisation. The DPA shall communicate its decision
concerning the request for authorisation within forty-five days; the request shall be regarded as
dismissed in case of no reply at the expiry of this time. Along with, or subsequent to, authorisation,
the DPA may prescribe additional measures and precautions in order to safeguard the data subject,
which are binding for the data controller (Section 26 PDPC.)
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
110
SECTION II – Legal Overview - Italy
Types of data considered “sensitive”
Sensitive data are personal data allowing the disclosure of racial or ethnic origin, religious,
philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or
organisations of a religious, philosophical, political or trade-unionist character, as well as personal
data disclosing health and sex life. (Section 4 of the PDPC)
Although separately regulated within the PDPC, besides the sensitive data there are also judicial data
i.e. data related concerning criminal offences or administrative sanctions related to criminal offences
or the status of being either defendant or subject to investigation as provided by the Italian Code of
Criminal Procedure. Processing of judicial data by private entities or profit-seeking public bodies shall
be permitted only where expressly authorised by law or by a DPA order and always specifying the
reasons under which a public interest to such a processing exists, the purposes of the processing, the
categories of data processed and kind of processing allowed.
Common legal ground for the use of electronic messages for marketing purposes
Electronic communications, performed by email, fax, MMS (Multimedia Messaging Service) or SMS
(Short Message Service) messages or other means for the purposes of direct marketing or sending
advertising materials or else for carrying out market research or interactive business communication
are subject the opt-in rule and therefore always require the data subject‟s previous consent.
Furthermore, the data subject must be adequately informed of the possibility not to receive further
commercial communications either initially or in connection with subsequent communications (Article
130, paragraph. 4 of the PDPC). Apart from this exception and in contrast with other European
countries, Italy has adopted a 'hard opt-in' method. This means the data subject must have given
explicit consent to the data controller allowing contact for marketing purposes by him/it or by third
parties.
The DPA clarified that the consent cannot be gathered by sending the data subject a first email with a
promotional or advertising content, or which offers an opt-out in order to no longer receive messages.
The fact that email addresses can be easily found on the Internet does not imply the right to use them
for advertising messages, since they can only be used exclusively for the purposes for which they have
been published on the Web.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
111
SECTION II – Legal Overview - Italy
Purposes
The individual‟s consent must given on the basis of the information provided by the data controller as
to the nature of data collected, the purposes and means of the processing, the subjects to whom the
data can be communicated and the individual‟s rights to have access to his/her data and to oppose to
their processing. The aforesaid information must be accurate. (Section 13 of the PDPC)
Generic terms
The DPA stated that the data controller must clearly indicate the purposes of the data collection and
the modalities of their processing. Moreover, the controller must specify whether the data will be
processed for purposes strictly related to services requested by the data subject or for other purposes
(i.e. studies or market surveys.)
As far as the transfer of data is concerned, the DPA specified that the controller must inform the data
subject that his/her per personal data may be transferred to a third party for specific purposes: at
this regard, the DPA has considered it insufficient that the third party be indicated as a company
“entrusted” by the controller, but it has accepted the possibility that data can be disclosed to “other
companies operating in the same area of industry”. The name and addresses of these entities must be
available upon the subject‟s request or on the company‟s website.
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
All the information related to the processing of data must be provided before the data are processed.
Once the data subject has been given properly the consent and provided that the data are processed
in accordance to the purposes originally disclosed, there is no need for the data controller to restate
the purpose for processing personal data.
Opt-out
Appart from the above mentioned provision regarding telephone communications, included in Section
130 paragraph 3 bis of the PDPC, there are no opt-out lists prescribed by law. AIDiM (Associazione
Italiana per il Direct Marketing) created a voluntary opt-out list available on-line
(www.cancellami.it). Consumers who do not wish to receive unsolicited commercial communications
may register on Cancellami. The means of communications covered by Cancellami are the mail, fax,
telephone, email and SMS. Members of AIDiM are required to “clean” their direct marketing databases
from data registered through Cancellami.
Do you have to offer the opt-out each time when approaching the customer?
The data subject has always the right to object, in whole or in part, on legitimate grounds, to the
processing of personal data relating to him. Such a right must be notified at the time the consent is
gathered.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
112
SECTION II – Legal Overview - Italy
Data Storage
Retaining Data
Section 11 of the PDPC states that personal data shall be collected and recorded only for specific
purposes and for a period of time that cannot exceed the period that is necessary to achieve the
purpose for which the data have been collected or subsequently processed.
The DPA produced a Code of Conduct and Professional Practice on 16 November 2004 which entered
into force as of January 1, 2005. The code applies to information systems managed by private entities
with regard to consumer credit, reliability, and timeliness of payments. Personal data related to
credit applications as communicated by participants may be retained in a credit information system as
long as it is necessary in order to deal with the applications and - in any event - for no longer than
one hundred and eighty days as of the date of submission of the applications.
There are no specific rules on data erasure. According to Section 16 of the PDPC, once the data
processing has been terminated the data must be either destroyed or assigned to another data
controller provided that they are intended to be processed under terms that are compatible with the
purposes for which the data have been collected.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
113
SECTION II – Legal Overview - Italy
The processing of personal data in breach of the minimum security measures provided by Section
33 and/or the provisions laid down in Section 167 of the PDPC (Unlawful Data Processing) is
punished with a fine between 10 000 Euros and 120 000 Euros (Section 162 paragraph 2 bis PDPC).
As well, any breach of the data subject‟s right to object in accordance with the mechanisms set
forth in Section 130 paragraph 3 bis PDPC and the respective regulations shall be punished with
the same fine (162 paragraph 2 quater PDPC).
Should any of the above mentioned violations be less serious, in consideration of the social and
business features of the activities at issue, the upper and lower thresholds may be reduced by two-
fifths.
Should one or more of the above mentioned provisions be violated repeatedly, on different occasions,
in connection with especially important and/or large databases, an administrative sanction shall be
applied as consisting in payment of a fine ranging from 50 000 and 300 000 Euro. In such a case,
reduction of the applicable fine will not be allowed.
With specific regard to more serious cases, in particular if the prejudicial effects produced on one or
more data subjects are more substantial or if the violation concerns several data subjects, the upper
and lower thresholds of the applicable fines shall be doubled.
Finally, the fines referred above may be increased up to four times if they may prove ineffective on
account of the offender‟s economic status.
Should the DPA apply a fine, it may also publish the injunctive order, in whole or in part, in one or
more daily newspapers.(Section 165 PDPC)
Besides the financial penalties that the DPA can apply, a breach of the PDPC also involves the
possibility of a criminal offence – prosecuted by the competent judicial authority - for:
Unlawful processing of data: any person who, with a view to gain for himself or another or with
intent to cause harm to another processes personal data without the data subject‟s consent shall
be punished, if harm is caused by imprisonment for between six and eighteen months or, if the
offence consists in data communication or dissemination by imprisonment for between six and
twenty-four months, unless the offence is more serious or by imprisonment between one and
three years in case of judiciary or sensitive data (Section 167 PDPC.)
Omission or incomplete notification to the DPA: for failure to submit timely the notification
required under Sections 37 and 38 of the PDPC, or who provides incomplete information in breach
of his/her duties, shall be punished by a fine consisting in a payment of between 10.000 and
60.000 euro as well as by the additional sanction of publication of the relevant injunction/order,
in whole or in part, in one or more daily newspapers (Section 163 PDPC.)
In any case, the data subject must always be adequately informed of the possibility not to receive
further commercial communications either initially or in connection with subsequent communications
(Section 130, paragraph. 4 of the PDPC).
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
114
SECTION II – Legal Overview - Italy
Online Collection & Processing of Data
The data subject may grant, in writing, a power of attorney to natural persons, associations or
organisations in order to exercise the rights set forth in Section 7 of the PDPC. The rights indicated in
Section 7 which concern deceased persons can be exercised by subjects who have a personal interest
related thereto or by subjects acting on behalf of the deceased or for family-related reasons
deserving to be protected.
An individual may also file a circumstantial claim pursuant to Section 142 of the PDPC, in order to
point out an infringement of the relevant provisions on the processing of personal data. This claim
must contains, with as many details as possible, the facts and circumstances on which the complaint
is grounded, the allegedly infringed provisions and the remedies as well as to the identification data
concerning the data controller, data processor, if available, and claimant. The claim shall be
undersigned by the data subjects or by associations representing them and shall be lodged with the
DPA without any specific formalities being required.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
115
SECTION II – Legal Overview - Netherlands
The Netherlands
Major Current Data Protection Laws
Personal Data Protection Act (Wet bescherming persoonsgegevens), 1 September 2001;
Telecommunication Act (Telecommunicatiewet), 19 October 1998,
Article 11.7 Telecommunication Act (version of 1 October 2009).
Exempt from this notification requirement are the data processing conditions, by general
administrative regulation, in article 11 or article 13 or article 42 Vrijstellingsbesluit Wbp (7 May
2001).
Organisations can also appoint their own internal supervisor, the Data Protection Officer, who is
(publicly) registered with the DPA. The marketing list must be notified to the Data Protection Officer,
instead of the DPA.
On the website of the Dutch DPA (College Bescherming Persoonsgegevens, www.cbpweb.nl) a public
register of the data processing activities by Controllers and a public register of Data Protection
Officers are available (also in English).
Expected time duration for registering marketing lists with the Data Commission:
Registering a marketing list is not a lengthy process for the Controller. Any change in the contact data
of the Controller (for example address, residence) needs to be notified within a week after the prior
notification. Structural changes related to the purposes of the data processing have to be notified to
the DPA or the Data Protection Officer of the Controller. Changes are to be kept on file by the
Controller (or its data protection officer) for a minimum of three years.
Time
0 - 1 week (after the prior notification) Any change in the name or address of the Controller
1-3 weeks
4-6 weeks Expected time duration for a market list to be
published in the public register by the DPA
Within 1 year (after the Structural changes related to:
prior notification) -the purposes of the data processing;
-the categories of data subjects and personal data;
-the receivers to whom the date are disclosed;
the transfer of data to countries outside the European
Union; and
-security measures to protect personal data.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
116
SECTION II – Legal Overview - Netherlands
Registration costs
There are no costs involved.
Common legal grounds for the processing of (non-sensitive) personal data for marketing
purposes
The legal ground for processing (non-sensitive) personal data for marketing purposes is based on the
„legitimate interests of the controller or third party to whom the data are disclosed‟. The consent of
the data subject (opt-in) is often not necessary. As a rule it is sufficient to give the data subject the
opportunity to opt-out if (non-sensitive) personal data are processed for marketing purposes.
Consent by data subject is required when using the following communication media:
Consent is needed for: SMS, MMS, EMAIL, Fax, Automatic Calling Machines, Voice Mail
Consent is not needed for: Telephone and Mail
Sensitive Data: Required form of consent for the processing of sensitive data
Sensitive data cannot be processed (article 16 Personal Data Protection Act), except as otherwise
provided in the articles 17–23 Personal Data Protection Act. Note that the processing of sensitive
personal data must fully comply with all the requirements for legitimate personal data processing
under the Wbp. The processing of sensitive personal data is allowed where the processing is carried
out with the explicit consent of the data subject. Written opt-in can be considered as explicit consent
of the data subject. Explicit consent may also be indicated orally or by behaviour.
In particular circumstances the data subject‟s confirmation of its consent to the processing of the
sensitive data may be necessary, as the Controller may have to prove the express consent. It is not
clear how this burden of proof is achieved in practice.
Types of data considered “sensitive”, apart from race, religion, politics, sexual interests,
health, and trade union memberships
Other types of data considered „sensitive‟, are data concerning a person‟s criminal behaviour or
related data. Whether data are considered sensitive depends on the nature of the corporate culture.
1 Dutch original: (artikel 1 onderdeel i Wet bescherming persoonsgegevens): „elke vrije, specifieke en op informatie berustende wilsuiting waarmee de
betrokkene aanvaardt dat hem betreffende persoonsgegevens worden verwerkt‟.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
117
SECTION II – Legal Overview - Netherlands
Electronic Communication and the Opt-in
Common legal ground for the use of electronic messages for marketing purposes
The legal ground for the use of electronic messages for marketing purposes is based on the prior
consent of the subscriber (article 11.7 section 1 Telecommunications Act). The sender of the
electronic messages, like email, needs to prove the prior consent of the subscriber.
Prior consent can be proven by the use of double unticked boxes (□ Yes □ No). The sender must
provide sufficient information on the use of the email address for commercial purposes, just above
the frame where the subscriber actually can fill in his or her email address. These requirements for
(prior) consent are applicable online and offline.
The new subsection 2 of Section 11.7 of the Telecommunications Act stipulates a number of
exceptions to the general obligation to obtain consent. According to this subsection, the (legal)
person that sends electronic messages (email, SMS, MMS) to legal persons and natural persons as part
of their professional and business practice, may assume that consent has been given under certain
circumstances. The first is that consent can be assumed where the legal persons have made it
generally known that they want to receive unsolicited marketing messages, they have given their
contact details where commercial messages can be send to, and, if desired, have indicated the types
of messages they want to receive. Making their contact information available will be put on par with
the giving of prior consent for receiving unsolicited commercial electronic messages. However, the
mere exchange of business cards cannot be considered as giving of consent, according to the
Supervisory Authority OPTA.
A sender is furthermore not obliged to gain prior approval if an electronic message is sent to a
subscriber based in a country outside of the European Economic Area (the European Union, Iceland,
Norway and Liechtenstein) and the sender has satisfied the applicable provisions in that country with
respect to sending unsolicited communications.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
118
SECTION II – Legal Overview - Netherlands
Purposes
Article 7 of the Personal Data Protection Act stipulates that personal data shall be collected only for
specific, explicitly defined and legitimate purposes. A purpose that is too widely formulated almost
always generates data that cannot be used in practice; therefore, the purpose should be precise.
However, it is not advisable to be too precise, as the purpose could limit the use of the data too
much.
Generic terms
It is advisable to be specific when stipulated in the Personal Data Protection Act (the Wbp -for
example contains certain provisions related to direct marketing purposes). Otherwise, sector specific
self-regulation defines generic terms.
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
Both prospective and existing clients will need to be informed of the purpose of processing personal
data.
Opt-out
The data subject exercises opt-out by sending a note or email directly to the Controller or by using an
unsubscribe hyperlink. The Controller must flag the concerned contact data as not to be used for
direct marketing purposes.
Do you have to offer the opt-out each time when approaching the customer?
Each time when the Controller informs the customer for commercial or charitable purposes, the data
subject needs to be informed of the right to opt-out.
Data Storage
Another confidentiality clause, in general, is stated in article 12 Personal Data Protection Act: anyone
acting under the authority of the Controller or the Processor, as well as the Processor itself, when
they have access to personal data, shall only process such data in accordance with the instructions of
the Controller, except when otherwise required by law (article 12 section 1 Personal Data Protection
Act).
These persons are required to treat the personal data as confidential, except when any legal provision
or the performance of their duties requires communication of such data (article 12 section 2 Personal
Data Protection Act).
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
119
SECTION II – Legal Overview - Netherlands
Time limits on holding data
There is a specific time limit on holding data. Article 10 section 1 Personal Data Protection Act states
that data may no longer be kept in a form that identifies a person, if the purposes for which the data
are processed are accomplished. Historical, statistical or scientific purposes are exempted (article 10
section 2 Personal Data Protection Act).
Penalties
National penalties which the national DPA can apply
The administrative infringements are categorized in „less serious and serious‟ infringements, with
regard to the duty to notify the data processing to the DPA (article 66 Personal Data Protection Act /
Policy rules DPA for fining):
Notification after the deadline;
An incorrect or incomplete notification;
Notification of changes after the deadline;
Not capturing the data in relation to a different processing of personal data.
Maximum administrative fine for less serious infringements is €1500,--;
Maximum administrative fine for serious infringements is €3000,--;
Maximum administrative fine for repeated offenses is €4500,--.
The DPA is also authorized to apply administrative measures of constraint, which can lead to halting
the processing of personal data (article 65 Personal Data Protection Act).
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
120
SECTION II – Legal Overview - Norway
Norway
Major Current Data Protection Laws
Personal Data Act, 14. April 2000 nr 31
Marketing Control Act, 9. January 2009 nr 2
Norway is a member of the European Economic Area (EEA) and its Data Protection laws are recognised
by the EU.
Obligations in relation to marketing lists with the Data Protection Authority (Datatilsynet)
The processing of personal data in relation to marketing lists must as a main rule be notified with the
DPA.
To the extent that the processing involves sensitive personal data, a licence will, in principle, be
required.
Expected time duration for notification and application for a licence to the DPA
Notification: The DPA does not provide companies with permission; they only use the notification in
their role as supervisors. For licences the time varies. Normally it is approximately 8 weeks.
Registration costs
Common legal grounds for the processing of (non-sensitive) personal data for marketing
purposes
The person have given his/her consent
To fulfill a contract to which the data subject is a party (§ 8 a)
The interest of the controller overrides the interest of the data subject (§ 8f)
Implied consent
Implied consent (i.e. if a consumer provides details – address, phone number or email) is generally not
acceptable.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
121
SECTION II – Legal Overview - Norway
Consent by data subject is required when using the following communication media:
Category Yes No N/A
SMS
MMS
Email
Telephone
*
**
Fax
Mail
Other, please specify:
Addressed mail
*
* Consumers may opt out of marketing by telephone or addressed mail by registering their names,
addresses and telephone numbers in the Central Marketing Exclusion Register. Marketing lists must be
compared against the Central Marketing Exclusion Register before a consumer is contacted for the
first time, and subsequently on a monthly basis.
Sensitive Data: Required form of consent for the processing of sensitive data
The required form of consent for sensitive and non-sensitive data is the same.
Types of data considered “sensitive”, apart from race, religion, politics, sexual interests,
health, and trade union memberships
Data on whether a data subject has been suspected of, charged with, indicted for ,or convicted of a
criminal act.
Common legal ground for the use of electronic messages for marketing
Prior consent, opt–in, is required.
Purposes
When giving the purposes for processing personal data, it is necessary to be precise.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
122
SECTION II – Legal Overview - Norway
Generic terms
Generic terms are acceptable. For example, „fax direct marketing‟ is sufficient.
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
If the purposes are clearly stated and consent has been given, it is not necessary to detail the
purposes each time an existing client is approached. Only prospective clients need to be informed of
the purposes for processing.
Opt-out
Do you have to offer the opt-out each time when approaching the customer?
Yes, if you use electronic media such as email, SMS or MMS.
Data Storage
Security of Data
Security of data
“The controller and the processor shall by means of planned, systematic measures ensure
satisfactory data security with regards to confidentiality, integrity and accessibility in connection
with the processing of personal data”
Penalties
Data subjects are entitled to have access to, information about, and rectification of their own data.
Brønnøysundregistrene
Tel. + 47 75 00 75 00
E-mail: info@brreg.no
www.brreg.no
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
124
SECTION II – Legal Overview – Poland
Poland
Major Current Data Protection Laws
the Act of August 29, 1997, on the Protection of Personal Data (hereinafter called the PDPA);
the E-Commerce Act of July 18, 2002, on providing services by electronic means (hereinafter
called the e-Commerce Act); deals with processing of personal data in respect of e-commerce
(art.16-22);
Expected time duration for registering marketing lists with the DPA:
4 – 6 weeks.
Registration costs
There are no administrative fees to be paid.
The fee for the certificate of registration of the data file amounts to PLN 17 (approx. EUR 3.50).
Common legal grounds for the processing of (non-sensitive) personal data for marketing
purposes
The possible legal grounds are the prior consent of the data subject, obtained by an opt-in (otherwise
the consent may be invalid) or under a provision of PDPA allowing the data controller to process the
data for marketing purposes, provided the data subject does not object to it (opt-out), cf. art. 23
item 4 point 1 of DPDA.
However, it should be stressed that the latter possibility is limited only to processing of personal data
in the context of marketing by a controller of his own products or services. Opt-out may never be
used in the case of the processing of personal data in an e-commerce context.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
125
SECTION II – Legal Overview – Poland
Implied consent
Implied consent is not acceptable under PDPA.
Consent by data subject is required when using the following communication media:
Category Yes No N/A
SMS
MMS
Email
Telephone
*
Fax
Mail
**
Automatic calling
machines
Sensitive Data: Required form of consent for the processing of sensitive data
The consent must be expressed in writing. Verbal or non-durable explicit (express) consent is not
sufficient. This requirement is regarded to be a serious hindrance for telemarketing and Internet
industries in Poland.
Types of data considered “sensitive”, apart from race, religion, politics, sexual interests,
health, and trade union memberships
Apart from the above, personal data revealing ethnic origin, philosophical beliefs, as well as the
processing of data concerning, genetic code, addictions and data relating to convictions, decisions on
the penalty, fines and other decisions issued in court or administrative proceedings shall be
considered sensitive data. The exhaustive list of sensitive data is provided for in art.27 of PDPA.
Common legal ground for the use of electronic messages for marketing purposes
Only explicit consent shall be acceptable.
Opt-in is required for all electronic communication for B-to-B marketing purposes.
Purposes
When giving purposes for processing personal data, it is necessary to be precise.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
126
SECTION II – Legal Overview – Poland
Generic terms
Generic terms are acceptable
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
The purposes for processing personal data shall be given only to prospective clients. The obligation of
notification has to be fulfilled by a controller only once. The data subject has a right to obtain
information as to the purpose, scope, and the means of processing of the data contained in the
system once for six months.
Opt- out
PDPA does not provide for any specific requirements as to exercise of opt-out. Thus, a controller has
to accept a data subject‟s objection raised in any form. Opt out does not have to be offered each
time when approaching the customer.
Data Storage
Penalties
Penalties for breaching the rules on unsolicited Emails and other means of electronic
communication:
In case of sending unsolicited communications by email or other means of electronic communication,
a fine up to PLN 5,000 (approx. EUR 1,250) may be imposed by a court.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
128
SECTION II – Legal Overview – Romania
Romania
Major Current Data Protection Laws
-Law no. 677/12.12.2001
-Law no. 506/2004
-Law no. 682/21.12.2001
-Law no. 102/03.05.2005
-Law no. 365/2002
-Decision no. 95/2008
-Decision no. 11/2009
Expected time duration for registering marketing lists with the DPA:
6 – 8 weeks
Registration costs
Currently there are no registration costs applicable for filing notifications concerning marketing
processing (and marketing lists) with the DPA.
Common legal grounds for the processing of (non-sensitive) personal data for marketing
purposes
The common legal ground for the processing of personal data for marketing purposes is that there has
to be a legitimate interest from the direct marketer.
Implied consent
Implicit consent is acceptable in Romania, but it is not recommended in situations where the law
requires opt-in.
Consent by data subject is required when using the following communication media:
Consent is required for SMS, MMS, EMAIL, FAX, and Voice Mail
Consent is not required for Telephone and Mail
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
129
SECTION II – Legal Overview – Romania
Sensitive Data: Required form of consent for the processing of sensitive data
When processing sensitive data, the consent has to be explicit and unequivocal. The DPA has
sometimes expressed the view that processing sensitive data for marketing purposes is excessive and,
thus, not justified.
Types of data considered “sensitive”, apart from race, religion, politics, sexual interests,
health, and trade union memberships
Categories of sensitive data include ethnic origin, philosophical beliefs or similar nature, personal
numeric code, ID card/passport series and number, genetic and biometric data, data on criminal
offences, criminal convictions/security measures, disciplinary sanctions, administrative sanctions,
criminal record.
Common legal ground for the use of electronic messages for marketing purposes
Explicit consent of the recipient is required.
Opt-in is required for all electronic communication for B-to-B marketing purposes (it is not
required for direct mail).
Purposes
It is not necessary to be precise when giving the purposes for processing personal data, as long as it is
clearly indicated that the data shall be used for future marketing purposes.
Generic terms
Generic terms are acceptable.
Romanian:
For collection via participation tickets or similar means:
“............................................................. (se indică identitatea operatorului sau a
reprezentantului, precum şi, dacă este cazul, pe cea a împuternicitului) prelucrează datele cu
caracter personal furnizate de dumneavoastră prin acest document.............(se precizează
categoriile de date, dacă acestea nu sunt colectate direct de la persoanele vizate) în scopul
............(se precizează scopul). Datele vor fi dezvăluite ..................................(se precizează
destinatarii cărora le vor fi dezvăluite datele). Pe viitor, aceste date/datele .............. (se
precizează concret datele) ne permit să vă ţinem la curent cu activitatea noastră.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
130
SECTION II – Legal Overview – Romania
În cazul în care nu doriţi aceasta, bifaţi NU
Conform Legii nr. 677/2001, beneficiaţi de dreptul de acces, de intervenţie asupra datelor, dreptul
de a nu fi supus unei decizii individuale. Aveţi dreptul să vă opuneţi prelucrării datelor personale
care vă privesc şi să solicitaţi ştergerea datelor. Pentru exercitarea acestor drepturi, vă puteţi
adresa cu o cerere scrisă, datată şi semnată la .................................................(se precizează
serviciul, organismul sau persoana responsabilă). De asemenea, vă este recunoscut dreptul de a vă
adresa justiţiei.
Datele dumneavoastră vor fi transferate în ............... (precizaţi statele), în
vederea....................(se precizează scopul transferului datelor în străinătate).“
For collection of data online: “Conform cerinţelor Legii nr. 677/2001 pentru protecţia persoanelor cu
privire la prelucrarea datelor cu caracter personal şi libera circulaţie a acestor date, modificată şi
completată şi ale Legii nr. 506/2004 privind prelucrarea datelor cu caracter personal şi protecţia
vieţii private în sectorul comunicaţiilor electronice (se precizează şi acest act normativ, după
caz)..............................................(se precizează denumirea operatorului sau a
reprezentantului, precum şi, dacă este cazul, pe cea a împuternicitului) are obligaţia de a administra
în condiţii de siguranţă şi numai pentru scopurile specificate, datele personale pe care ni le furnizaţi
despre dumneavoastră, un membru al familiei dumneavoastră ori o altă persoană. Scopul colectării
datelor este:.............................. (se indică scopul prelucrării).
Sunteţi/nu sunteţi obligat(ă) să furnizaţi datele, acestea fiind necesare................................(se
precizează scopul). Refuzul dvs. determină.................. (se precizează consecinţele refuzului).
Informaţiile înregistrate sunt destinate utilizării de către operator şi sunt comunicate numai
următorilor destinatari:................. (se precizează destinatarii).
Doriţi să primiţi informaţii despre produsele, serviciile, evenimentele etc. oferite de.................(se
precizează denumirea operatorului sau a reprezentantului, precum şi, dacă este cazul, pe cea a
împuternicitului)?
DA NU
Conform Legii nr. 677/2001, beneficiaţi de dreptul de acces, de intervenţie asupra datelor, dreptul
de a nu fi supus unei decizii individuale şi dreptul de a vă adresa justiţiei. Totodată, aveţi dreptul să
vă opuneţi prelucrării datelor personale care vă privesc şi să solicitaţi ştergerea datelor*. Pentru
exercitarea acestor drepturi, vă puteţi adresa cu o cerere scrisă, datată şi semnată la
.................................................(se precizează serviciul, organismul sau persoana
responsabilă). De asemenea, vă este recunoscut dreptul de a vă adresa justiţiei. Datele
dumneavoastră vor fi transferate în ............... (precizaţi statele), în vederea....................(se
precizează scopul transferului datelor în străinătate)."
Dacă unele din datele despre dumneavoastră sunt incorecte, vă rugăm să ne informaţi cât mai curând
posibil.”
English:
For collection via participation tickets or similar means:
“............................................................. (the identity of the data controller or its
representative and, if the case, of the data processor shall be inserted) processes the personal data
made available by you through this document.............( the categories of data and whether the data
is collected directly from data subjects shall be indicated herein) for the following purpose
............(the purpose shall be inserted). The data shall be disclosed to
..................................(the recipients of the data shall be mentioned herein). In the future,
these data / the following categories of data.............. (the categories of data shall be mentioned)
will allow us to maintain you informed on our activity.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
131
SECTION II – Legal Overview – Romania
If you do not wish to receive such information, please select NO
According to Law no. 677/2001, you have the right to access and intervene on the data, the right not
to be subjected to automated individual decisions. You have the right to object to the processing of
your personal data and to request the deletion thereof. For exercising these rights, you may send a
written, dated and signed request at ................................................. (the office, body or
person responsible for receiving these requests to be inserted). Moreover, you are entitled to address
the competent court of justice. Your personal data shall be transferred to ............... (countries of
destination to be inserted) in order to .................... (the purpose of the transfer to be inserted).”
For collection of data online: “Pursuant to the requirements of the Law No. 677/2001 on the
protection of individuals with regard to the processing of personal data and the free movement of
such data, as amended and completed, and of the Law No. 506/2004 on the processing of personal
data and the protection of personal life in the electronic communication field (such piece of law is
also specified, as the case may be)………………………………………..(it is specified the name of the data
controller or of the representative thereof and, if the case, the name of the data processor) has the
obligation to administrate in safe conditions and only for the specified purposes the personal data
belonging to you, to a member of your family or to any other person which are provided to us. The
purpose of data collecting is:………………………………(the purpose of the processing is specified).
You are/ you are not compelled to provide the data, which is necessary……………………….(the purpose is
specified). Your refusal triggers …………………….(the consequences of the refusal are specified).
The registered information are destined for the use of the data controller and are communicated
only to the following recipients:…………………………… (the recipients are specified).
Do you want to receive information on the products, services, events, etc. offered by ……………………(it
is specified the name of the data controller or of the representative thereof and, if the case, the
name of the data processor)?
YES NO
According to Law no. 677/2001, you have the right to access and intervene on the data, the right not
to be subjected to automated individual decisions and the right to address the competent court of
law. Moreover, you have the right to object to the processing of your personal data and to request
the deletion thereof. For exercising these rights, you may send a written, dated and signed request
at .................................................(the office, body or person responsible for receiving these
requests to be inserted). Moreover, you are entitled to address the competent court of justice. Your
personal data shall be transferred to ............... (countries of destination to be inserted) in order to
....................(the purpose of the transfer to be inserted)."
If some of your data are incorrect, please indicate this as soon as possible.”
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
Legally only to prospects.
Opt-out
Opt-out is exercised by written request. The possibility to opt-out should be mentioned in each
marketing message.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
132
SECTION II – Legal Overview – Romania
Data Storage
Penalties
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
133
SECTION II – Legal Overview – Slovenia
Slovenia
Major Current Data Protection Laws
ZVOP-1 (Personal Data Protection Act)
ZEKom (Electronic Communications Act)
ZEPT (Electronic Commerce Market Act)
ZVPot (Consumer Protection Act - official consolidated text)
ZASP (Copyright and Related Rights Act)
Expected time duration for registering marketing lists with the DPA:
1-3 weeks
Registration costs
The registration itself is cost free. However, gathering the required data and creating the required
internal guidelines on processing personal data generates internal costs.
Common legal grounds for the processing of (non-sensitive) personal data for marketing
purposes
1) Individual‟s consent is the most common legal ground for the processing of personal data for
marketing purposes
2) Marketing databases can also be compiled from publicly available sources (Article 71 of ZVOP-1),
but should not be used for marketing purposes unless addressees consent (opt-in principle). The
processor then has to comply with the demands of the data protection act (ZVOP-1) – including
the requirement to submit information to the DPA and enact internal rules for the processing of
personal data.
Implied consent
Implied consent is not acceptable.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
134
SECTION II – Legal Overview – Slovenia
Consent by the data subject is required for SMS, email, MMS, fax, telephone, but not mail.
No consent is necessary for the collection of data from publicly available sources according to the
Data Protection Act, but this does not apply to electronic communications. Consent is necessary when
using this data to address consumers according to the Electronic Communications Act (ZEKom) ,
Consumer Protection Act (ZVPot) and Electronic Commerce Market Act (ZEPT ).
The use of automated calling systems for making calls to the subscribers‟ telephone numbers without
human intervention (e.g. automatic calling machines), facsimile machines or electronic mail for the
purposes of direct marketing may only be allowed if the addresses have given their prior consent (opt-
in).
Irrespective of this, natural persons or legal entities that obtain electronic mail addresses from the
customers of their products or services may use such addresses for direct marketing of their similar
products or services, but they shall be obliged to give their customers the possibility, at any time,
free of charge and by using simple means, of preventing such use of their electronic address (soft opt-
in)
Sensitive Data: Required form of consent for the processing of sensitive data
In the private sector processing of sensitive data is only allowed if an individual gave his explicit
(express) written consent.
Types of data considered “sensitive”, apart from race, religion, politics, sexual interests,
health, and trade union memberships
Categories of Sensitive data also include national or nationalistic origin, philosophical beliefs, criminal
and minor offense records and biometric characteristics if they can identify an individual. The
provisions of the Slovenian Data Protection Act are very similar to the EU Data Protection Directive.
Common legal ground for the use of electronic messages for marketing purposes
ZEKom (which sets the rules for electronic communications for both businesses and consumers)
defines the (soft) opt-in principle. See below.
ZVPOT (which sets the rules for automatic means of communication with consumers, physical persons,
at the receiving end) defines the opt-in principle (prior consent of the consumer).
Purposes
When providing the purposes for processing data, the purposes must be precise. Generic terms are
acceptable.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
135
SECTION II – Legal Overview – Slovenia
Notifying when Collecting Data
Moje osebne podatke lahko __________________obdeluje za dobo _____ let oziroma do preklica moje
pisne privolitve.
Seznanjen sem, da bo __________________ v primeru preklica moje pisne privolitve moje osebne
podatke še naprej uporabljala, vendar le za izpolnjevanje pogodbenih obveznosti in
uveljavljanje pravic iz pogodbenega razmerja.
In English:
I, the undersigned _________ agree that company ___________ may collect my personal data in their
databases for market segmenting, statistical needs, past purchase statistics (add
appropriate) and marketing and surveying activities.
My data can be used for ____ years or until my written cancellation.
I understand that the company ______ will use just contractual data after my cancellation.
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
The purposes must be given the first time a client is approached. If the relationship is an on-going
one, it is only necessary to provide the purposes once. Should the scope of the processing expand,
consent is to be obtained once again.
Opt-out
When the vendor receives an email, or other request, to remove data, , he should delete the sender‟s
personal data from his lists and databases.
Mail receivers can buy stickers and attach them to their mailboxes, which means that they do not
want to receive unaddressed printed advertisements anymore.
Do you have to offer the opt-out each time when approaching the customer?
Yes, it is necessary to offer an opt-out mechanism each time when approaching the customer.
Data Storage
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
136
SECTION II – Legal Overview – Slovenia
Time limits on holding data
There are time limits on holding data. If the legal basis for the processing of data is by statute,
personal data can only be held for the period defined by the legislation and then deleted.
If the legal basis for the processing of data is a contract, then there is a prescriptive deadline in
which all claims from the contract expire.
If the legal basis for the processing of data is consent, the proportionality principle applies (data is
held until they are needed for the purpose for which it was collected. The purpose has to be
communicated.)
Penalties
Article 91
(1) A fine of between 4170€ and 12510€ shall be imposed for a minor offence on a
legal person or sole trader:
1. if he processes personal data without having the statutory grounds or personal consent of the
individual to so do;
2. if he entrusts an individual task relating to the processing of personal data to another person
without concluding a contract;
3. if he processes sensitive personal data or does not protect them;
4. if he automatically processes personal data;
5. if he collects personal data for purposes that are not defined and lawful, or if he continues to
process them;
6. if he supplies personal data to a data recipient;
7. if he does not inform the individual of the processing of personal data;
8. if he uses the same linking code;
9. if he does not delete, destroy, block or make anonymous personal data after the purpose for
which they were processed has been achieved;
10. if he fails to ensure that the filing system catalogue contains data provided by statute;
11. if he fails to supply data for the needs of the Register of Filing Systems.
(2) A fine of between 830€ and 1250€ can be imposed for a minor offence (see above) on a company‟s
controller or a sole trader.
(3) A fine of between 830€ and 1250€ can be imposed for a minor offence on the responsible person of
a state body or body of self-governing local community who offends against any element of the first
paragraph of this Article.
(4) A fine of between 200€ and 830€ can be imposed for a minor offence on an individual who offends
against any element of the first paragraph of this Article.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
137
SECTION II – Legal Overview – Slovenia
Violation of the provisions on contractual processing
Article 92
A fine of between 4170€ and 12510€ can be imposed for a minor offence on a legal person or sole
trader, if he oversteps the authorisation contained in the contract from the second paragraph of
Article 11 or does not return personal data in accordance with the third paragraph of Article 11.
A fine of between 830€ and 1250€ can be imposed for a minor offence from the previous
paragraph on a company‟s controller.
A fine of between 830€ and 1250€ can be imposed for a minor offence on the responsible person
of a state body or body of self-governing local community who offends against the first paragraph
of this Article.
A fine of between 200€ and 830€ can be imposed for a minor offence on an individual who
commits the act from the first paragraph of this Article.
E-mail - ZEKom:
A fine of between 50000€ to 400000€ shall be imposed on a medium-sized or large company, as
defined by the Companies Act, if it uses:
a customer‟s e-mail address for direct marketing after the customer has declared that he does not
want to receive it,
electronic communications for direct marketing without subscriber‟s consent
a false identity or false address for direct marketing by use of electronic communications
A fine between 2000€ and 20000€ shall be imposed on other legal entities (not being medium-sized or
large companies), entrepreneurs or individuals performing such activities.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
138
SECTION II – Legal Overview – Slovenia
A fine between 500€ and 10000€ shall be imposed on the responsible person of legal entity or
entrepreneur for committing one of the above mentioned minor offences.
E-mail - ZVPot:
A fine of between 3000€ and 40000€ shall be imposed on a legal person, entrepreneur or individual:
1. for advertising goods or services in a manner which is against the law, indecent or misleading, or
for not advertising goods or services in the Slovene language (Articles 12, 12a and 12b);
2. for advertising goods or services through a means of comparative advertising which is contrary to
provisions of Article 12c;
3. for advertising messages which are part of or present a service of an information society and are
not in accordance with Article 15a;
4. for using an automatic calling machine without the mediation of an individual, facsimile
transmission machine or electronic mail without prior consent from the consumer, to whom a
message was addressed (first paragraph of Article 45a);
5. for sending messages to consumers with the intention of concluding a contract to supply goods or
services, regardless of a consumer's declaration that he/she no longer wishes to receive such mail
(third paragraph of Article 45a);
ZEPT
A fine of between 10000€ and 50000€ for a minor offence on a service provider which is considered a
mid-sized or large if it sends commercial messages contrary to Article 6 (without consent of the
receiver).
A fine of between 2000€ and 2000€ for a minor offence on a service provider, performing activity as
legal person (but no meeting the criteria of a mid-sized or large company), entrepreneur or
individual.
A fine between 1000€ and 4000€ shall be imposed for a minor offence on a responsible person of legal
person or entrepreneur.
When commercial messages are sent contrary to the provisions of ZEPT and are considered unsolicited
messages pursuant to ZVPOT, the provision of ZEPT apply.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
140
SECTION II – Legal Overview – Spain
Spain
Major Current Data Protection Laws
Ley Orgánica 15/1999, de Protección de Datos de Carácter Personal. (Commonly known as LOPD)
Real Decreto 1720/2007, de 21 de diciembre, por el que se aprueba el Reglamento de desarrollo
de la Ley Orgánica 15/1999, de 13 de diciembre, de Protección de Datos de Carácter Personal
(Commonly know as RDLOPD)
Ley de Servicios de la Sociedad de la Información y del Comercio Electrónico. (Commonly known
as LSSI)
Ley 32/2003, de 3 de Noviembre, General de Telecomunicaciones (Commonly known as LGTel).
Articles 33 to 38 regulate the privacy of communications and the protection of personal data,
public rights and obligations related to networks and electronic communication services.
Extent of the Spanish Data Protection Authority‟s (“Spanish DPA”) Assistance with Enquiries
The Spanish DPA will assist with enquiries but the answers to those enquiries are not binding for the
Spanish DPA. There are examples of decisions of the DPA in contradiction with previous enquiries.
Expected time duration for registering marketing lists with the Data Commission:
If the data controller has not received any express notification from the DPA to a request within one
month the file will be considered registered.
There are no registration costs.
Common legal grounds for the processing of (non-sensitive) personal data for marketing
purposes
The protection of the Fundamental Right to privacy, as stated in the Spanish Constitution and
developed by the LOPD (Ley Orgánica 15/1999, de Protección de Datos de Carácter Personal) and the
RD LOPD (Real Decreto 1720/2007, por el que se aprueba el Reglamento de desarrollo de la Ley
Orgánica 15/1999).
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
141
SECTION II – Legal Overview – Spain
Consent of the data subject. Processing of personal data shall require the unambiguous consent of
the data subject, unless established otherwise by law.
Data security and the duty of secrecy. The controller or, where applicable, the processor shall
adopt the technical and organisational measures necessary to ensure the security of the personal
data. The data controller and any person involved in any stage of the processing personal data
shall be subject to professional secrecy.
The specific regulation of data sharing and access to data on behalf of third parties.
Additional requirements for the processing of sensitive data.
Article 30 LOPD and Articles 46 to 51 RD LOPD specifically regulate files processed for the purpose of
advertising and market research. Article 30 states that the files processed for this purpose must be
collected whether from sources accessible to the public or provided by the data subjects themselves
or with their consent. When the personal data are collected from public sources, the data controller
will have to include in each communication to the data subject information about the origin of the
data and the identity of the data controller, as well as the rights available to the data subject. Data
subjects have the right to oppose to the processing of their personal data for this purposes.
Public sources are precisely identified in Article 28 LOPD and Article 7 RD LOPD as:
Personal data included in the promotional census;
Lists of persons belonging to professional groups;
Data contained in guides to electronic communications services available to the public;
Data obtained from official journals and gazettes;
The media.
Please note that the RD LOPD expands the regulation of the processing of personal data for the
purposes of advertising and market research introducing relevant provisions regulating:
the role of organizations (data controllers or data processors) that carry out advertising
campaigns;
the implications of depuration of data controllers‟ databases;
the conservation of personal data of opt-outs;
the creation of a Robison list for electronic communications;
the exercise of the rights of access, rectification, cancelation and opposition by data subjects;
Implied consent
Implied consent is generally acceptable in Spain. Apart from the type of consent needed, the data
controller must always provide data subjects with information related to the purposes for which
personal data is processed.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
142
SECTION II – Legal Overview – Spain
Consent may also be obtained by sending, in a way that will allow the data controller to track
whether the communication has bounced back, a communication to the data subject with the
information required in Article 5 LOPD providing the consumer with 30 days to object to the
processing. This request of consent can only be sent to the data subject once a year.
Consent by data subject is required when using all means of communication media for marketing
purposes.
Sensitive Data: Required form of consent for the processing of sensitive data
Express consent.
Types of data considered “sensitive”, apart from race, religion, politics, sexual interests,
health, and trade union memberships Personal data related to beliefs and criminal or administrative
offences.
Common legal ground for the use of electronic messages for marketing purposes
The addressee must have given their consent to the sender before sending them email or any other
electronic communication system. As stated in the Preliminary Recitals of the LSSI (mentioned in
above), and Articles 19 to 22 related to commercial electronic communications, these
communications should be identified as commercial.
The principles governing commercial electronic communications regulation are the consent of the
addressee and the right to revoke the consent at any time by letting the sender know.
There is one exception to this principle, which was introduced by the LGTel. Consent will not be
required when the sender and the addressee have a previous contractual relationship, the data have
been collected in a lawful way and the commercial electronic communications send to them relate to
products or services which are similar to those originally purchased by the addressee.
Article 38 of the LGTel establishes the rights which correspond to electronic communication services
subscribers. This regulation, in relation to marketing issues, prohibits the use of traffic data for
commercial use without the informed consent of the subscriber. Automatic calls or fax messages for
Direct Marketing purposes without informed consent are also banned.
This regulation prohibits the use of traffic data for commercial use without the informed consent of
the subscriber, and also requires that automatic calls or fax messages for Direct Marketing purposes
must have informed consent.
Purposes
Data controllers must be precise when they provide information about the purpose of processing
personal data.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
143
SECTION II – Legal Overview – Spain
Generic terms
Article 46 RD LOPD states that data subjects must be provided with information about the specific
sectors from which the data subject may receive information.
This statement must also include reference to any transfer of data to a third party that is not a data
processor. Consent of the individual is required to transfer personal data to a third party.
In relation to direct marketing and market research files it is vital to note that data controllers have
the obligation to be precise when informing data subjects about the specific and concrete sectors in
relation to which the data subject may receive information.
When, in the context of entering into a contract with the data subject, the data controller requests
the data subject‟s consent for the processing of their personal data for a purpose other than the
contract, data subjects must be given the opportunity to object to this processing or data transfer of
their personal data.
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
Data subjects do not need to be given information about the processing of their personal data more
than once unless any circumstance related to the processing has varied. When the data subject‟s data
has been obtained from a public source, data subjects must be provided the following information in
every commercial communication that is sent to them: origin of their data; identify of the data
controller, their rights and how to exercise them.
Opt-out
Every electronic communication must offer the data subject the possibility to opt out from receiving
marketing communications, this must be easy and free of charge.
Do you have to offer the opt-out each time when approaching the customer?
Yes.
Data Storage
A principle of the Spanish legislation is that personal data may be collected for processing, and
undergo such processing, only if it is adequate, relevant and not excessive in relation to the scope
and the specified, explicit and legitimate purposes for which they were obtained. Personal data must
be erased when it has ceased to be necessary or relevant for the purpose for which they were
obtained or recorded.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
144
SECTION II – Legal Overview – Spain
Data controllers must observe the terms of storage of personal data required by law .
Cancellation (opt out) must lead to the personal data being blocked and maintained solely at the
disposal of the public administrations, judges and courts, for the purpose of determining any liability
arising from the processing, and for the duration of such liability. On expiry of this liability, the data
must be deleted.
Penalties
Infringements of electronic communications and e-commerce regulation (LSSI) are the following:
1. Very serious infringements shall be punished by a fine of 150.001 € up to 600.000 € (two or more
very serious infringements within 3 years can result in the company being barred from carrying out
any activity in Spain for a maximum of 2 years)
2. Serious infringements shall be punished by a fine of 30.001 € up to 150.000 €
3. Minor infringements shall be punished by a fine of up to 30.000 €
LGTel establishes a complex fine calculation based on criteria such as the type of infringement or the
profit obtained from the infringement for serious and very serious infringements. In the event that these
criteria cannot be applied, the maximum fine for very serious infringements goes up to 2 million €, and
for serious infringements up to 500.000 €. The maximum fine for minor infringements is 30.000 €.
This regulation establishes that services providers using data storage devices (cookies) shall inform the
user, in a clear way, about their use and purpose, offering them the possibility of rejecting the
processing of these data by means of a simple and free procedure.
Swedish marketing law is mainly regulated by the MPA, which is based on Directive 2005/29/EC. A
public authority, the Consumers Ombudsman, has the primary responsibility for ensuring compliance
with the MPA. The MPA contains general provisions stating that marketing practices shall be consistent
with generally accepted marketing practices and that marketing practices which contravene this
standard shall be deemed unfair if they noticeably affect or are likely to affect the recipient‟s ability
to take a well-founded commercial decision. These general provisions are supplemented by explicit
provisions and a more detailed system of sanctions. The MPA is both aimed at consumer protection
and to protect commercial and industrial actions.
The legislative technique used in the MPA is based on a combination of having a general clause
requiring all commercial marketing to be fair and compatible with good marketing practice and a
number of detailed legal provisions. These provisions address specific types of marketing practices,
which are to be regarded as unlawful.
The detailed legal provisions concern aggressive marketing practices, misleading marketing practices,
comparative advertising, unsolicited advertising and warranty information. The misleading practices
are specified in provisions regarding
Identification in advertisements;
Misleading claims or other presentations;
Purchase offers;
Misleading copies;
Discount;
Liquidation sales;
In addition, sections 1-23 of Annex I to the Unfair Commercial Practices (UCP) Directive 2005/29/EC,
detail various misleading marketing practices which will always be deemed to be unfair. If a trader is
found to be using unfair marketing practices it may be subject to a prohibition or information in
conjunction with a conditional fine and could also be sued for damages. The advertiser can also be
ordered to pay a fine to the State, a so-called market disruption fee.
Purposes
The data subject has to be provided with the purpose for the collection of data.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
146
SECTION II – Legal Overview – Sweden
Wording for Collecting Data and consent to marketing activities
There is no particular wording required for collecting data. However generally, an the data subject
must be made aware of the purposes for data processing, including that the data are to be used for
direct marketing purposes. From a personal data perspective, implied (opt-out) consent is generally
sufficient for direct marketing purposes. However, under the MPA the data subject must give prior
explicit consent (opt-in) to his data being used for direct marketing through electronic communication
means, such as SMS, telefax and e-mail, but certain exemptions are made, such as marketing of the
traders own products.
The government may issue regulations concerning exemptions from the prohibition on processing
sensitive personal data if this is necessary having regard to an important public interest. The rules for
processing of sensitive personal data apply in addition to the fundamental and general requirements
that must be satisfied in the processing of personal data.
Data Storage
Under the Swedish Personal Data Act, personal data should not be kept for a longer period than
necessary. As regards processing of personal data for historical, statistical or scientific purposes
certain rules apply. If personal data that are processed for such purposes are also processed later, this
is not considered incompatible with the original purpose for which the data were gathered. It is also
permitted, for such purposes, to save personal data for a longer period. Personal data can only be
stored during a time when there is a purpose for the information:
The time limit for maintaining registrations on dormant customers is three years;
The three year limit can be extended if an active customer contact is established.
The advertiser must get rid of the information if he hasn‟t received any response. When destroying
the information, it should be done so there is no way to recreate the information. It is not enough
merely to write the information in cipher.
Penalties
Breaches regarding processing of personal data may render fines, imprisonment and/or damages.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
147
SECTION II – Legal Overview – Sweden
Access and Rectification of Data
The controller is liable, upon request by the data subject, to correct, block, restrict or erase as soon
as practicable personal data which has not been processed in accordance with the Personal Data Act
or regulations issued under the Act. If a disagreement arises between the controller and the
registered person about whether data should be corrected or not, the data subject can report the
matter to the DIB.
Datainspektionen
Box 8114
SE-104 20 Stockholm
Sweden
Office Address:
Drottninggatan 29
5th Floor
Stockholm
Sweden
Tel: (+46) 8 657 61 00
Fax: (+46) 8 652 86 52
Email: datainspektionen@datainspektionen.se
Web: http://www.datainspektionen.se/in_english/contact_us.shtml
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
148
SECTION II – Legal Overview – Switzerland
Switzerland
Major Current Data Protection Laws
Swiss Federal Act on Data Protection (“DPA”), 19 June 1992 (Status as per January 2008)
Ordinance on the Data Protection Act, 14 June 1993 (Status as per 1 January 2008)
Ordinance on the Certification Procedure, 28 September 2007 (Status as per 1 January 2008)
Art. 28 of the Swiss Civil Code dealing with the protection of personality rights.
The Act regulates the processing of data of private individuals and legal entities undertaken by both
private individuals and Federal Authorities. It does not apply to:
personal data that are processed by a private individual exclusively for personal use and that are
not disclosed to a third party;
deliberations of the Federal Parliament and Parliamentary Committees;
pending civil, penal, or international legal assistance proceedings, or public or administrative law
proceedings, with the exception of administrative proceedings of the first instance;
public registers relating to private law matters;
personal data processed by the International Committee of the Red Cross.
The DPA maintains a register of data files that is accessible online. Anyone may consult that register.
Federal authorities must declare all of their data files to the DPA for registration purposes.
Private individuals must register their data files (i)_ if they regularly process sensitive personal data
or personality profiles or (ii) if they regularly disclose personal data to third parties.
However, the controller of data files is not required to declare his files to the DPA under certain
conditions (Art. 11a § 5 lit. a to f DPA and Article 4 of the Ordinance).
Purposes
Personal data may only be processed for the purposes for which it was collected, which are evident
from the circumstances of the collection, or which are provided for by the law.
If the consent of the data subject is required for the processing of personal data, such consent is only
valid only if it is given voluntarily on the provision of adequate information. Additionally, in relation
to sensitive personal data and personality profiles, the consent must be given expressly.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
149
SECTION II – Legal Overview – Switzerland
A personality profile is a collection of data that permits an assessment of essential characteristics of a
private individual.
The controller of a data file is obliged to inform the data subject of the collection of sensitive
personal data or personality profiles; this duty to provide information also applies if the data are
obtained from third parties.
If the data are not obtained from the data subject, the required information must be provided at the
latest when the storage of the data begins, or if the data is not stored, when it is first disclosure to
third parties.
Data Storage (art. 7 DPA and art. 8 to 12 of the Ordinance regarding the DPA)
The DPA does not provide specific provisions regarding data storage. It contains however provisions as
to data security. According to these provisions, personal data must be protected against unauthorised
processing through adequate technical and organisational measures. Moreover, for security purposes,
sensitive personal data and personality profiles should be protected and are to be kept under
restricted access.
Articles 8 to 12 of the Ordinance regarding the DPA address the technical measures to be taken in this
regard.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
150
SECTION II – Legal Overview – Switzerland
In the absence of legislation that guarantees adequate protection, personal data may be disclosed
abroad only under restrictive conditions as mentioned under (Article 6 (2) a to g DPA). The explicit
consent of the data subject may be an alternative to disclose the data. The consent must be given for
each case separately and the person must know which data are concerned by the transfer.
It is not possible to give a "general consent" regarding the transmission of personal sensitive data to a
foreign recipient.
Certification Procedure (art. 11 DPA and Ordinance about the Certification Procedure)
According to the new regulation, private individuals or Federal Authorities can submit their
operational processes and organizational structures relevant for data protection in order to obtain a
"Data Protection Certificate". The definition of "certification" according to Swiss law is not the same
as that in other European countries.
Security of Data
Personal data must be protected against unauthorised processing by appropriate organisational and
technical means. The Federal Council may enact more detailed provisions on the minimum data
security measures (see also above: Data Storage).
Penalties
Private persons violating their obligations with respect to information, notification and granting
access to information are punishable by fine. Unauthorised access to sensitive data is punishable by
fine, i.e. the data subject enjoys all usual remedies available under normal civil procedure (i.e.
injunctions, right to restitution, or right to claim damages). Private individuals who unlawfully
disclose personal data are liable to a fine (see art. 35 DPA).
only using your own customer list for the marketing of your own goods and services to them; and
you otherwise only process personal information for staff administration purposes (including
payroll) and for accounts and record keeping purposes
Please see:
www.ico.gov.uk/what_we_cover/data_protection/notification/do_i_need_to_notify.aspx
If you are a data processor (i.e. only compiling and maintaining a marketing list on behalf of a client),
then you do not need to notify, but it is good practice to do so.
Expected time duration for registering marketing lists with the Data Commission:
3 weeks
Registration costs
From October 2009 a new two tiered fee system for registration with the Information Commissioners
Office (DPA) was introduced, based on the organisation‟s size and turnover.
Data contollers will have to pay a registration fee of £35 per year unless they are exempt or if they
meet the following criteria:
Common legal grounds for the processing of (non-sensitive) personal data for marketing
purposes
1) Balance of interests necessary for the purposes and legitimate interests pursued by marketer or
third parties to whom the data are disclosed, except where the marketing is unwanted in any
particular case because the recipient has registered with the preference services (Robinsons Lists)
2) Consent of the individual
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
152
SECTION II – Legal Overview – UK
How „consent‟ is exercised by the data subject
Consent is required for email, SMS and fax marketing to individuals. The UK uses the definition of
consent in the Data Protection Directive. Consent is defined as any freely given, specific, informed
action by which the consumer signifies agreement. Consent can be obtained by an opt-in tick box or
by the consumer providing their contact details providing they are told the consequences before they
provide those details.
Implied consent
Implied consent is acceptable for the marketers own marketing, but remember that consumers can
withdraw implied consent at any time. Implied consent is acceptable for email and SMS if using the
„soft opt-in‟ facility. Implied consent is also acceptable, other than for email and SMS, for passing
contact details to third parties. Organisations in the UK often use two tick opt-out boxes:
1. for own marketing
2. for third party marketing
Implied consent can also be obtained by providing consumers with a valid contact address they can
use to opt-out, but if this method is used, any request has to be acknowledged within 21 days.
Consent by data subject is required when using the following communication media:
Consent is required for SMS, MMS, EMAIL, FAX
Consent is not required for Telephone (although the Preference Service needs to be checked first)
and Mail (provided the address was not registered in the Preference Service)
Sensitive Data: Required form of consent for the processing of sensitive data
Explicit consent is required to process sensitive data.
Types of data considered “sensitive”, apart from race, religion, politics, sexual interests,
health, and trade union memberships
No other category.
Common legal ground for the use of electronic messages for marketing purposes
Consumers have to opt-in to any marketing communications by email, SMS and MMS, however see the
soft opt-in option below.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
153
SECTION II – Legal Overview – UK
Purposes
There is no requirement to be precise when providing the purpose for processing information.
Although the DPA has produced best practice guidance which states that organisations should provide
as much as much detail as possible as to the purposes of processing. Failure to comply with best
practice guidelines can result in an organisation being held to be in breach of the Data Protection Act.
Generic terms
Generic terms are acceptable, however, see the above, not on the DPA‟s best practice guidelines.
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
Only on the initial collection of the data
Opt-out
Normally opt-out is exercised through a tick box on a response or data collection form or in the case
of email and SMS a return unsubscribe facility. Opt-out can also be exercised through a valid contact
address.
By means of two tick opt-out boxes:
for own marketing
for third party marketing
Implied consent can also be obtained by providing consumers with a valid contact address they can
use to opt-out, but if this method is used, any request has to be acknowledged within 21 days.
Do you have to offer the opt-out each time when approaching the customer?
Yes- if you are using the soft opt-in exemption for email or SMS.
No – for other channels although it is good practice.
Data Storage
Security of data
In order to comply with the security principle in the Data Protection Act 1998, where processing of
personal data is carried out by a data processor on behalf of a data controller, the data controller
must:
a) choose a data processor providing sufficient guarantees in respect of the technical and
organisational security measures governing the processing to be carried out, and
b) take reasonable steps to ensure compliance with those measures.
Penalties
If an organisation fails to comply with an enforcement notice, court action can be taken and a fine of
£5,000 (7,500 Euros) in the Magistrates Court or an unlimited fine in the Crown Court. The DPA can
also apply for a warrant for powers of entry and inspection in the case of suspected breaches of the
Data Protection Act 1998.
There is also a criminal offence under section 55(1) Data Protection Act 1998 for unlawfully obtaining
or disclosing personal data without the consent of the data controller.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
155
SECTION II – Legal Overview – UK
Online Collection & Processing of Data
The Telephone Preference Service (TPS); Corporate Telephone Preference Service (CTPS); and the Fax
Preference Service (FPS) are run by the UK DMA on behalf of OFCOM (Office of Communications). Use
of the registers is a legal requirement under the Privacy and Electronic Communications (EC Directive)
Regulations 2003.
The UK DMA Code of Practice is not formally agreed with the DPA, but the DPA wrote the forward for
the Code, welcoming its introduction.
The UK DMA runs the Email Preference Service. Use of it is a requirement under the UK DMA Code of
Practice if you are emailing to recipients outside Europe. All the above can be found on the DMA
website at www.dma.org.uk.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
156
SECTION II – Legal Overview – USA
United States of America
Major Current Data Protection Laws
Fair Credit Reporting Act (FCRA, 1970)/Fair and Accurate Credit Transactions Act (FACTA, 2003) –
credit-report privacy
Privacy Act (1974) – government privacy
Video Privacy Protection Act (VPPA, 1988) – video-rental privacy
Health Insurance Portability and Accountability Act (HIPAA, 1996) / Health Information
Technology for Economic and Clinical Health Act (HITECH, 2009) – healthcare privacy
Drivers Privacy Protection Act (DPPA, 1994) – driver‟s license privacy within government
Telemarketing & Consumer Fraud and Abuse Prevention Act (1994) / Telemarketing Sales Rule
(2003) – telemarketing privacy
Children‟s Online Privacy Protection Act (COPPA, 1998) – children‟s privacy
Gramm-Leach-Billy Act (GLBA, 1999) – financial privacy
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN SPAM, 2003) – e-mail
marketing privacy
State-level data-breach notification laws (ex: California SB 1386)
State-level Social Security Number privacy and security laws
State-level information-security laws (ex: Massachusetts 201 CMR 17)
State-level healthcare privacy laws
State-level government privacy laws (ex: Minnesota Data Practices Act)
In the US, there is no data-protection regime in the European sense of a federal data-protection
commissioner (DPA) overseeing the enforcement of a national data-protection law governing all
personal data. That said, an array of US federal and state regulations govern the protection of many
types of personal information in a similar manner to European data-protection laws. The laws
variously provide the data subject access and correction rights. There also exist:
Limitations on transfers to third parties;
Limits on the purposes for which information can be used;
Rights to be notified of data breaches;
In some cases, individual rights of action.
The varying privacy laws that exist in different sectors and states should be reviewed before doing
business with the US. Generally, one should begin this review with the „business sector‟ the
organization is involved in, then proceed to consider the states it is located in or does business in. For
example, the Fair Credit Reporting Act is extremely complex and has been amended several times but
effectively regulates collecting personal data for sale.
Another example is that of the Health Insurance Portability and Accountability Act (HIPPA) which is
also very complex and it imposes the data protection regime on medical providers. To market in this
area, a signature is required from the data subject.
US laws in data protection are supplemented by self-regulatory regimes, such as those administered
by the Direct Marketing Association, TRUSTe, and Better Business Bureau, and industry-led initiatives
such as the Payment Card Industry Data Security Standard. In addition, the US Department of
Commerce administers, and the Federal Trade Commission enforces, the EU-US Safe Harbor
Agreement, a programme wherein US companies can voluntarily conform their processing of EU
personal data to European data-protection principles.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
157
SECTION II – Legal Overview – USA
Extent of DPA‟s Assistance with Enquiries
N/A
Common legal grounds for the processing of (non-sensitive) personal data for marketing
purposes
The United States, neither at the federal or state level, distinguishes between sensitive or non-
sensitive data in the European sense. Where its laws impose restrictions on using data for direct
marketing, they do so from the perspective of the category of data subject (children, for example),
the business sector in question (healthcare, for example), or the mode of communications used (e-
mail, for example). At a fundamental level, the Constitution of the United States of America has
established the legal grounds for processing personal data for marketing purposes, as US courts tend
to see this type of communications as within the freedom of speech. Under the self-regulatory model
of the US Direct Marketing Association, customers and prospects should be clearly informed of their
right to tell the member company to suppress the processing or transfer of their details.
Implied consent
Implied consent is acceptable in the US and is done by inactivity and failure to object.
Please note that affirmative consent is required for marketing through certain media. See below.
Consent by data subject is required when using the following communication media:
Consent is required for SMS and FAX
Consent is not required Email, Telephone and Mail
There is no information on the sending of MMS messages.
Sensitive Data: Required form of consent for the processing of sensitive data
Express consent is required under some federal and states laws, particularly regarding health and
children‟s information.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
158
SECTION II – Legal Overview – USA
Electronic Communication and the Opt-in
Common legal ground for the use of electronic messages for marketing purposes
The Constitution of the United States of America, modified in case of SMS by Congress, which requires
opt-in in the case of transmission of commercial messages where the recipient pays the cost of
receiving the message (e.g. SMS, Fax).
Purposes
When giving the purposes for processing personal data, it is required to be precise when the
information is sensitive. However, it is generally not necessary to be as precise for non-sensitive
information.
Generic terms
Generic terms are acceptable for non-sensitive information.
Do the purposes for processing personal data have to be given only to prospective clients or also
each time an existing client is approached?
Generally, only to prospects, although in the sensitive area (financial/medical) most organisations
also disclose to existing clients.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
159
SECTION II – Legal Overview – USA
Opt-out
Can be oral through a phone call; letter, or electronic through an e-mail or Web site.
Do you have to offer the opt-out each time when approaching the customer?
For commercial e-mails.
Data Storage
Penalties
National penalties
The Federal Trade Commission can apply to fines in excess of $1 million.
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
160
About FEDMA
FEDMA, the Federation of European Direct and Interactive Marketing, represents the sector in all its
forms at European level. FEDMA's objectives are to protect and promote the direct and interactive
marketing sector by creating, through representation, self-regulation and information, acceptance
of, and confidence in, direct and interactive marketing within a healthy commercial and
legislative environment in which the sector can profitably operate and develop. Representing the
interests of over 18,000 companies, FEDMA is the single voice dedicated to building the business
of cross-border direct and interactive marketing, through its vast network of businesses within and
beyond Europe. All our members enjoy a wide range of services.
Today, direct marketing strategies (via mail, email, telephone, mobile, Internet and direct response)
are an essential tool for companies to approach, inform and retain customers, as well as providing
customer relationship services.
The development of sophisticated databases, telemarketing and e-marketing has made direct
marketing increasingly popular as a marketing strategy and has encouraged strong investment.
FEDMA‟s task is dedicated to building the business of cross-border direct marketing, by promotion,
protection, information and best practices.
Protect the European direct and interactive marketing industry and the interests of our members.
FEDMA aims to encourage the European institutions to ensure a healthy commercial and legislative
environment within which the industry may prosper.
Promote the European direct and interactive marketing industry towards governments, media,
businesses, consumers; to encourage the growth and profitability of our members and support the
further development of direct marketing as a marketing strategy .
Inform members, governments, media, businesses, and consumers about the European direct and
interactive marketing industry, and encourage education and training for the sector.
Contact Details
Federation of European Direct Marketing
439, Avenue de Tervuren, B-1150 Brussels
Tel: +32 2 779 42 69
Fax: +32 2 779 42 69
E-mail: info@fedma.org
Web: www.fedma.org
FEDMA Pan European Email Marketing Benchmark Report First edition 2010
161
FEDMA Pan European Email Marketing Benchmark Report First edition 2010