GDPR and Partners
What are my GDPR obligations when participating in the OneAffiniti program?
It’s important to bear in mind that the GDPR applies to any business established in the EU. It also applies to organizations based outside of the EU that offer goods and services to people in the EU, monitor their behavior or process their personal information.
There are four key obligations that partners have when they use OneAffiniti’s services to send marketing materials to their subscribers:
- Establish the lawful basis for processing personal information on Subscriber lists.
This means that you either:
- have obtained express consent from the individual recipient on your subscriber list to receive marketing material from you by way of a clear, freely given, fully informed, affirmative action; or
- are relying on legitimate interests as the lawful basis for using the email address on your subscriber list to send marketing materials, having carried out a documented legitimate interests assessment (i.e. there is a reasonable expectation by the recipient that they may receive marketing material due to an existing business relationship, and the privacy impact has been assessed as low).
Please see “How do I ensure my subscriber list is GDPR compliant?” for further information.
- Privacy Notices must give full information about the processing of personal data.
As the controller of your subscriber list, your privacy notice should be compliant with the fairness and transparency requirements under the GDPR, and disclose:
- The lawful basis that is relied upon for collection and processing of personal information, including the processing of email addresses for direct marketing purposes. In most cases, the lawful basis relied upon will be either consent or legitimate interests. You may also rely on other grounds such as performance of contract or legal obligation where you process personal information in the course of business (e.g. contact information to provide products or services to a particular customer).
- What personal information you share with OneAffiniti (this should include notification that customer email addresses and copies of invoices/receipts will be shared in order to administer and validate campaigns).
- Who you share personal information with and a list of third-party processors, which includes OneAffiniti.
- Appropriate technical and organizational measures should be in place. Your systems should be secure – this includes having adequate IT and cybersecurity protections, as well as having good internal controls, policies and guidelines regarding the collection, use, sharing and handling of personal information.
- Be OneAffiniti’s partner in privacy. We need to work together to ensure we adhere to appropriate privacy standards and do our best to protect the personal information we collect and process in the course of sending marketing materials. We need to help each other address any privacy questions, complaints or requests, respond to a potential data breach and conduct privacy investigations or assessments. We are here to support you, and you must immediately notify us:
- in the event of a potential or actual data breach
- if you receive a data subject access request
- if you receive any complaints or claims from a subscriber or regulator regarding privacy or personal information
- if you have any questions or concerns about privacy in general.
How do I ensure my subscriber list is GDPR compliant?
Partners should audit their subscriber list and test for GDPR compliance when they first join the program and on a regular basis thereafter.
Auditing your customer list means assessing the email addresses and other information you have collected and checking whether you have a lawful basis for such processing. If you do not have a lawful basis for collection, then the email address should not be included in your subscriber list.
While there are six lawful grounds for processing under GDPR, the bases most likely to apply for the collection and use of an email address for direct marketing purposes are:
- consent; or
- legitimate interest.
It is your responsibility to analyse your data processing activities and choose the right basis. If you are unsure which of the lawful grounds listed in the GDPR apply to you, please consult with your legal advisers to ensure processing activities are properly justified. It is important to remember that the GDPR enshrines the principle of ‘accountability’ which means that you must be able to demonstrate compliance, so diligent record keeping is vital to support these justifications.
Consent means that the relevant individual has freely given their clear, explicit consent to the processing of their personal data for a specific purpose.
When you review your subscriber list you should consider whether express consent was given and whether it is still valid. Valid consent under the GDPR:
- must be freely given; this means giving people genuine ongoing choice and control over how you use their data
- should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise and easy to understand, user-friendly and on a positive ‘opt-in’ basis as opposed to a pre-ticked box or ‘opt-out’.
- must specifically detail the controller’s name, the purposes of the processing and the types of processing activity.
Make sure you keep records to evidence consent – who consented, when, how, and what they were told.
Examples of express consent include:
- Opt-in via a web or online form, provided the opt-in box is not pre-selected by default
- An offline form is completed that clearly indicates that the individual may be added to your email marketing subscriber list and they have expressly indicated their willingness to receive such emails
- Giving you their business card; provided that 1) you have explicitly indicated that by giving you their business card they are agreeing to being added to your email marketing subscriber list; or 2) they added their business card to a container or pile that clearly indicated that by adding such business card they are agreeing to being added to your email marketing subscriber list. In either event, you must transparently communicate the basis of your processing via communication of your privacy notice.
- Providing you with other express written permission to be added to your email marketing subscriber list prior to you contacting them via email.
There may be instances where reliance can be placed upon your legitimate interests with subscribers and a ‘soft opt-in’ can be established.
Legitimate interest may be relied upon if the marketing to be carried out is in the legitimate interests of your own business or of a third party, which could include software vendors, where there are reasonable grounds that the individual would expect the processing and there is likely to be a minimal impact on privacy. The EU Commission has confirmed that processing of personal data for direct marketing purposes can be regarded as being carried out for a legitimate interest, provided that all of the necessary criteria have been met.
To rely on legitimate interest as grounds for lawful processing, you will need to conduct and keep a record of your legitimate interest assessment. The Information Commissioner’s Office website has a sample legitimate interest assessment template you can use as a guide.
Once you have established and recorded your justification for legitimate interest as grounds for lawful processing, you can review your subscriber list to determine whether any of the email addresses meet the soft opt-in criteria.
Soft opt-in applies to existing customers only (not prospective customers). To be eligible for inclusion under soft opt-in, the email address must have been obtained in the course of a sale of a product or service to that person.
There are no legal time limits enforced regarding soft opt-in, but as a guide, purchases made within six to 24 months of the date of the review could be considered a reasonable timeframe. Remember there must be a reasonable expectation that the subscriber would consent to receive the marketing emails.
My business is not located in the EU. Does the GDPR still apply to me?
The GDPR applies to you if you:
- are a business established in the EU
- offer goods or services to people in the EU or monitor the behavior of people in the EU
- process the personal information of people in the EU.
Even if the GDPR does not apply to your business, you still have an obligation to comply with local privacy laws and ensure you obtain the necessary consents from your subscribers in relation to the personal information you collect.
Can I use third-party or purchased lists?
It is a breach of OneAffiniti’s terms and conditions to use third-party lists that do not meet the GDPR’s lawful basis for collection requirements or the consent requirements of local privacy laws.
I want to join the program, but I am worried about the GDPR
Before joining, check that:
- your subscriber lists comprise individuals for whom there is a lawful basis for collection
- you have the adequate disclosures in your privacy notice
- you know what to do if you receive a privacy request or complaint
- you have appropriate technical and organizational measures in place.
See partner obligations for more details.
What is the difference between a data controller and processor and which one applies to me?
What do I do if I get a privacy complaint or request?
Do you share my subscriber list with sponsors?
What information do you share with sponsors?
What information do you share with third parties?
This is a general guide to some of the requirements of GDPR. This guide does not constitute legal advice or a statement of the steps that you should take to ensure your own compliance, and you agree not to rely on the information provided herein for your own compliance. For complete advisory information, please review the UK Information Commissioner’s Office website – Guide to GDPR. If you have additional questions we encourage you to seek the advice of a legal or privacy professional.
Please note, under your service agreement with OneAffiniti, you are wholly responsible for providing, and certifying the lawfulness, of the email addresses of your customers.