Harris Kyriakides
Harris Kyriakides

Cyprus Commissioner for Personal Data Protection issues a notice regarding direct marketing communications

Posted on 22 April 2024 | 4 mins read

In light of increased complaints regarding unsolicited SMS and email advertising messages, the Cyprus Commissioner for Personal Data Protection (the Commissioner) affirms the legal requirements for businesses engaging in direct marketing communication.

The governing law

The General Data Protection Regulation (the GDPR) applies to any electronic marketing activities that involve the use of personal data. However, as the Commissioner points out, direct marketing communication is permitted in the event that the recipients, have consented to receiving the communication. Where consent is relied upon by a business, the standards that must be present are strict, including the option to object or ‘opt-out’ of receiving the communication at any time.

In Cyprus, specific rules on electronic marketing, including the particular circumstances in which consent must be obtained, are found in the Law on Electronic Communications and Postal Services Regulation of 2004 (112(I)/2004) as amended (the Law).

Consent

Direct electronic marketing communication is only permitted where the recipient has previously consented to it (i.e. has ‘opted in’). Consent should be affirmative, informed, freely given and unambiguous. Additionally, it should be communicated by the recipient of advertising himself and not by a third party. The recipient retains the right to withdraw his consent at any point.

Accordingly, the Commissioner points out the implication of the requirement that direct marketing communication by means of SMS or email, where the SMS or email itself requests the recipient’s consent, is against the Law.

There is an exception to the consent requirement. In the context of existing customer relationships, a business or individual may have acquired the electronic contact details (e.g. email) of its clients, for the offering of similar products or services. In that case, the business/individual may use the acquired electronic contact information for the purposes of direct marketing of similar products or services. Nevertheless, the existing customer must be given a clear and unambiguous opportunity to refuse the usage of his electronic contact details for direct marketing purposes. This opportunity should be offered free of charge, both when the business/individual collects the customer’s contact details and whenever the business/individual sends to the customer electronic communication for marketing purposes. It must be easy for the customer to refuse the usage of his contact details for direct marketing purposes.

The sender of the communication should thus be able to prove either:

  • when and how he acquired the recipient’s consent (that meets the GDPR conditions for consent); or
  • that there exists an existing customer relationship with the recipient and that the recipient has not refused the usage of his electronic contact details for direct marketing purposes.

‘Opt-out’ rights

Secondly, the Law sets out a requirement for senders that they must provide recipients with the opportunity to ‘opt-out’ of future direct marketing communication free of charge and at any time. Where the communication is conducted by means of email, the relevant email must include an email address which recipients can get in touch with to opt-out. Where the communication is conducted by means of SMS, the SMS sent must include a toll-free number to stop receiving messages with instructions on how they can make the request. The sender must respect the recipient’s request to opt-out, even if the sender subsequently adopts a different means of direct electronic communication

Contact information

Finally, the Commissioner clarified two types of contact information which cannot be utilised for direct marketing purposes:

  • contact information that is freely available to the public (for example, because it is posted on the internet); and
  • contact information which is randomly produced (for example, through the use of a random phone number generator software).

Why does this matter?

SMS and email marketing is becoming ever more popular with businesses both in Cyprus and in the global market. It enables companies to reach a broader audience and advertise new products and discounts. Yet, the legislative framework surrounding such forms of direct marketing communication is rightly strict and the risk associated with its improper use is considerable.

Businesses must develop a marketing strategy that demonstrates respect to the opt-in and opt-out requirements, and provide existing customers with the opportunity to refuse (further) use of their contact details for marketing purposes.

By Evangelia Tsintza

For more information, please visit our website microsite on Data Protection & Cyberlaw or send your queries to [email protected].