Back to the list

Has data protection failed in Estonia?

Author: Karolin Kondrat

GDPR (General Data Protection Regulation) came with a hooray in May and caused somewhat an avalanche of permission emails as businesses started to ask for their client’s consent to process personal data. Firms also gave notice of their privacy policies changing. Five months later the burning situation of data protection has cooled down. Or maybe it has just been forgotten…

But GDPR is alive and kicking, and companies must make sure that their customer’s personal data processing is legal. Most of the companies are doing well and have adapted the set rules. But, there are also those who (at least it seems so) don’t care and have done nothing to protect the personal data.

Direct marketing messages are okay, but…

We noticed recently that one of the well known local company is, quite literally, spamming our mailboxes. So, we started to wonder at the office, how come we’ve made it to their lists in the first place? And even more so – why are we still receiving letters even after we’ve left the lists on several occasions.  

GDPR doesn’t mean that sending direct marketing messages via email or text message is forbidden. No, it’s still very much allowed. But first, you must check if you, as a company, hold the right to do so.

In general, you need the person’s permission to send them marketing messages. Luckily Estonian Data Protection Inspectorate has created an easy-to-use questionnaire to help to check that permission. For example, one of the clauses is that one must be able to revoke the permission at any time, and it must be as easy as giving it.

The electronic communication law stipulates that a person can be sent direct marketing messages if they have previously bought products or services from the company. But, only when the buyer is sent marketing messages of the same products or services. The electronic communication law requirements must be complied with. One of the factors here is that the buyer is given a clear option to refuse every time that his or her data is being processed, i.e., a possibility to unsubscribe.

The nuances of the case mentioned at the beginning of the article are unclear to my colleagues and me though. How come we are on their lists as no one has asked for our permission? Maybe we have taken part in their marketing events and bought something, such as a ticket? In that case, the buyer would be the company and it would be alright to send us direct marketing messages, i.e., upcoming marketing conferences and other similar events. But, why are we receiving invitations to logistics seminars? Is it the same product or service we’ve bought from them before? I don’t think so.  

How many times I have to unsubscribe to really unsubscribe?!

Okay, so I got a letter about a logistics seminar. The best option would be to leave the list because it’s just not my thing. On top of that, the same evening, I receive a book club newsletter from the same company… Doesn’t GDPR say that revoking the permission or refusing to receive marketing messages must be easy? Why do I have to leave all the lists one by one? And, how do I make sure I have left all of the unwanted lists?

This particular situation makes me think ‘has GDPR failed in Estonia?’ Can companies twist the laws in this manner? Maybe the attitude of the Estonian Data Protection Inspectorate plays a role in here as well. Their aim is to be a mere counselor when need be. The Parliament has not yet adopted the new law, so the inspectorate is conducting supervision according to the current law.

It’s quite a mess here in e-Estonia! At the same time, there have been some juicy fines elsewhere in Europe. For example, Heathrow Airport got a 120 000 pound fine for inadequate data protection. The fact that the new data protection environment feels milder in Estonia (at the moment) doesn’t give the right to the companies to look past the law.

Transparency in data protection = bigger trust

TrustArc’s research shows that the primary motivator for conducting data protection is meeting clients expectations, not the fear of fines or court cases. The three main motivators have to do with trust; the anxiety got the fourth place. The same research showed that companies who have taken on data protection, see a positive impact on their businesses as a result. Regardless of the strict requirements, 65 percent of the companies who took part in the research said so.

Estonian companies should have the same kind of attitude. Data protection, GDPR, is not an obstacle; it’s a possibility. A way to be more transparent in your actions and plans, and grow your trust amongst your clients. It’s a possibility to send people precise info, what they want and need.

Let’s go back to the case mentioned earlier. You can see that their data protection seems to be alright, it seems to be legal – all necessary data protection documents are there and accessible. On the other hand, it’s not enough just having the correct documentation; you also need to implement it. Firstly, they could have added me only to their marketing events list, not all the lists. And, secondly, even when they did add me to their lists on some legal ground, it should be easy for me to leave. By spamming me and making it nearly impossible to leave their lists, they did not earn my trust — quite the opposite.

It’s understandable that GDPR is a new thing for all of us. If it seems to be too complicated, don’t hesitate to ask for help. Get in contact if you need to comply with your web page and marketing activities with the data protection laws.


PS. The author of blog post is Karolin Kondrat.