Czech Data Protection Authority issues warning on marketing communications, consent, and databases acquired from third parties

In its recent statement, the Czech Data Protection Authority (the "DPA") warns that many distributors of unsolicited communications do not comply with law when using contact details in databases acquired from third parties, which seems to be a rather common trend for marketing and PR companies who are constantly look at increasing audiences. The problem is that such companies are unable to prove consent of a particular person to such communications, whether by email or telephone. The DPA also states that it continues to look intensively at this within its inspections.


What is the issue?

Under the current Czech legislation, electronic contact details may be used for marketing communications only with users’ prior consent (opt-in), or where statutory conditions are met and electronic contact details of existing customers are used for direct marketing of similar goods/services with an option to reject in each particular communication (opt-out). Usually, the opt-out option cannot be relied on where databases are acquired from third parties.

According to the DPA, in the case of complaints of data subjects and subsequent enforcement, entities that use databases acquired from third parties invoke either a laconic declaration of the provider on the legality of the transmitted database, or an accompanying general consent with marketing communications.

However, consent must be freely given, specific and an informed indication of will of a person towards the distributor of marketing communications in order to enable the distributor to use the person’s electronic contact details for marketing communications. It must be apparent from the consent who grants it, to whom it is granted and for what purposes. The consent must be granted prior to sending marketing communications and must be verifiable. Consent cannot be granted generally to indeterminate range of entities (distributors of marketing communications) and for indeterminate offers.

The DPA warns that distributors of marketing communications are obliged to prove consent of clearly identified persons with marketing communications. Furthermore, the text of consent must authorise the relevant distributor and also define the subject matter of marketing communications. On the other hand, the consent does not necessarily need to be in writing and it does not need to be proven for how long it is granted as it must be possible to withdraw it in each particular communication.

Who is a “distributor” of marketing communications?

The DPA states that the actual sender as well as the entity that gives instructions for such sending or concludes the contract for the purpose of such sending should be considered as distributors of marketing communications. It has previously held that both the sender and the entity in whose favour the marketing communications are sent are liable for distribution of marketing communications. It is therefore very clear that professional marketing companies, call centres and similar companies, as well as their clients, can expect higher scrutiny from the DPA when it comes to this issue.

What are the consequences?

The DPA repeatedly states that it is highly unlikely that there is a database that would comply with the requirement of informed consent. The burden of proof in relation to granted consents is on the distributor of marketing communications. If it is not able to comply with this obligation, it will lead to liability for an administrative offence pursuant to the Certain Information Society Services Act which may be subject to a fine of up to CZK 10 million (approx. EUR 392,619). It is not possible to avoid such liability with a reference to a mere declaration of the database provider. And with the upcoming GDPR as well as likely adoption of the ePrivacy Regulation in future, this bar will raise dramatically.

There is also an important note for marketing companies. In a recent case mentioned in the DPA’s Annual Report for 2017, the inspected company purchased a database of email contacts from a third party and used two other companies for distribution of marketing communications. The marketing companies were aware of the contract between the inspected company and the database provider. The DPA stated, inter alia, that marketing companies, as professionals in their field, should have identified from the contract between the inspected company and the database provider that the contract did not authorise any of them to distribute marketing communications. The DPA imposed fines on the inspected company and two marketing companies.

Leave a Reply