Last year the new Spanish General Telecommunications Act (“LGT”), implementing the European Electronic Communications Code, was finally published. The LGT regulated, among other activities, how to carry out commercial communications through the telephone. The Act granted a year for companies to adapt to provisions therein (which elapsed just a few days ago – at the end of June).
In this context, just days before reaching the deadline, the Spanish Data Protection Authority (or Agencia Española de Protección de Datos in Spanish / AEPD) issued a decision (Circular 1/2023, de 26 de junio, sobre la aplicación del artículo 66.1.b) de la Ley 11/2022, de 28 de junio, General de Telecomunicaciones) on how the relevant provisions on commercial communications carried out by telephone should be construed (and also published a report and a brief explanation on the same topic). More specifically, the AEPD sets out the criteria that they will follow with regard to individuals’ right not to receive unwanted calls for commercial communication purposes.
Note that this decision only regulates the phone-based marketing itself and not previous data processing activities, such as obtaining the contact data, the profiling of individuals, enriching databases, etc. These data processing activities will be subject instead to general GDPR rules.
We summarize below some of the key elements to be borne in mind by companies which carry out marketing via telephone (or are considering it):
When is prior consent NOT required?
The LGT establishes final users’ right not to receive unsolicited calls for commercial communication purposes unless prior consent or other valid lawful bases apply under the GDPR.
The AEPD’s decision clarifies that the only alternative to consent (in terms of legal bases) is legitimate interest. As a result and similar to the legal regime of commercial communications by electronic means, the AEPD includes a rebuttable presumption (iuris tantum) for cases in which it is possible to rely on this legitimate interest to make marketing calls (and, therefore, to avoid consent).
Consent will then not be required (in principle) when the following conditions concur (cumulatively): (i) there is a prior contractual relationship, (ii) contact details of the recipient have been lawfully collected; (iii) commercial communications concern products or services of the calling entity (i.e. excluding products from other companies of the group); and (iv) such products or services are similar to those that were initially contracted with the customer being called.
The AEPD goes one step further than the applicable regulation for e-marketing and clarifies the requirement under (i) above. In particular, it states that legitimate interest will not be presumed in the case of former customers who have not made any prior request or interaction with the calling entity during the past year, particularly when such processing would result in a loss of control of the recipient over his / her data.
Although this could be a risky approach, considering how the AEPD tends to construe individuals’ rights, it is important to remember that the above are just presumptions of lawfulness (iuris tantum). That is, they do not prohibit other scenarios which could be based on legitimate interest as long as the particular circumstances permit it, and it is properly documented in the pertinent balancing test. Moreover, even in cases where the presumption of lawfulness applies, controllers still need to carry out a legitimate interest assessment.
When is prior consent required?
The AEPD clarifies the cases in which consent will be required (excluding legitimate interest):
- Calls made to randomly generated numbers – The AEPD finds that it would not be possible to carry out a proper balancing test without knowing who the affected data subject would be.
Interestingly, the AEPD also notes that calling just to ask for consent is also prohibited.
- Calls to users listed in subscriber directories require that individuals have previously given consent for their data to be used for commercial purposes, and such consent must be expressly stated in the corresponding directories.
- For sharing data with third parties (including entities within a business group) for commercial communication purposes.
It is worth highlighting that the AEPD states in its report that the Autocontrol Code of Conduct – approved by them – should be modified to erase a reference to the possibility of sharing personal data between companies of the same group for marketing purposes.
Please note that automated calls or fax messages without human intervention (machine-to-person) still require consent (i.e. this has not changed).
Additional Remarks
- Where no explicit consent has been obtained, general do-not-call lists (e.g. the Robison List) must be checked.
- Where consent is required, it must meet all GDPR requirements (i.e. it must be informed, unambiguous, freely given, specific and expressly granted). Where consent is not required, companies have to rely on their (or a third party’s) legitimate interest as a legal basis to process the personal data (meeting GDPR requirements including the legitimate interest balancing test).
- In all cases, general information and transparency duties and data protection rights under the GDPR will apply.
- Processing of personal data relating to (i) employees of companies, when the recipient of the call is the company and not the employee him/herself, (ii) liberal professions (e.g. doctors, lawyers); and (iii) entrepreneurs, can be grounded on the company’s legitimate interest in contacting for business purposes.
- Information must be provided upon the start of the call including (i) the identity of the caller (or the person on behalf of whom the call is carried out); (ii) the commercial purpose of the same; and (iii) the possibility of withdrawing consent or exercising the pertinent opt-out to not receive further marketing calls.
- Any indication by the recipient of the call against receiving the same should be construed as a consent withdrawal or the exercise of the right of objection.
- The decision also foresees the recording of the calls in order to be able to prove appropriate compliance with the obligations above (as well as the applicable data protection regulation).
Authored by Santiago de Ampuero, Juan Ramón Robles and Clara Lázaro