The Spanish Data Protection Agency (AEPD) has recently issued guidance on users' rights regarding nuisance marketing calls under the new Spanish General Telecommunications Act 11/2022 (GTA). The guidance states that controllers may rely either on consent or legitimate interests when making marketing calls.
The guidance is particularly important for companies that make marketing calls, considering that the AEPD has been ramping up enforcement in this area. In this post we discuss some of the main aspects of the guidance.
Data protection in nuisance calls
The GTA protects end-users' privacy and personal data in relation to nuisance marketing calls (Article 66 GTA). End-users have the right not to receive marketing calls unless they have given prior consent or another lawful basis applies under the General Data Protection Regulation (GDPR).
This has only recently been introduced to the GTA, as the former law only mentioned end-users’ right to object to marketing calls.
The AEPD issued guidance as to the criteria to be applied for interpreting the new limitations on marketing calls set forth in the GTA.
Lawfulness - consent and legitimate interest
The GTA sets forth that end-users have the right not to receive marketing calls unless they have given prior consent or another lawful basis applies under the GDPR (Article 6(1)).
According to the guidance, consent and legitimate interests are the only appropriate lawful bases to carry out marketing calls. Performance of a contract (Article 6(1)(b) GDPR) does not apply because the processing is not necessary to execute the contract. Similarly, other lawful bases (e.g. public interests or legal obligation) would not apply.
Consent
The AEPD sets out that, to be considered valid, end-users' consent must comply with the provisions of the GDPR and the Spanish Data Protection Act (i.e. be freely given, specific, informed, unambiguous, and revocable).
It is prohibited to make marketing calls to randomly generated numbers without prior consent.
Legitimate interest
According to the AEPD:
- Legitimate interest – Controllers must conduct and document legitimate interest assessments (LIA) for each category of data subjects before making marketing calls based on legitimate interests.
- Soft opt-in rule – The AEPD presumes that the data processing is lawful where there is a prior contractual relationship with the user. This presumption holds as long as the controller has lawfully obtained the contact details and uses them for marketing calls related to products or services similar to those initially contracted. However, communicating personal data to other entities within the group of undertakings for marketing purposes requires the user's specific prior consent.
- Reasonable expectation – If there is no contractual relationship, prior request, or interaction with the end-user within the last year, the AEPD will not presume there is a reasonable expectation from data subjects.
- Transparency – Controllers must meet the GDPR’s transparency obligations and explicitly mention the data subject's right to object to marketing calls, at the latest, in the first communication (Article 21(4) GDPR).
Additional safeguards
The AEPD sets out that controllers must implement additional safeguards to comply with data protection principles when carrying out marketing calls, such as recording calls for accountability purposes, transparency measures, and compliance with data subject rights.
If you would like to hear more about cold calls or spam texts, reach out to us!