GDPR Frequently Asked Questions
GDPR, or General Data Protection Regulation, can be confusing for many, but it’s important for all. Jan Wieczorkiewicz, LINK Mobility’s own DPO (Data Protection Officer), says, “GDPR requires constant change from business owners, but having the right mindset towards data protection helps to future proof a business.”
1. How can our clients unsubscribe from the recipient database? It’s easy to do from a regular e-mail newsletter, but what about an SMS newsletter?
The right to be forgotten is one of the rights granted to consumers by GDPR. A recipient of marketing messages who subscribes to an SMS or e-mail newsletter should be informed about possible (and easy) ways to opt out.
The customer may also have signed up for the SMS newsletter on the brand’s website. In this situation, the customer should go back to the brand’s webpage and click “unsubscribe.”
Furthermore, any recipient of communication can get in touch using your brand’s contact form, email, telephone, or social media pages to request deletion or modification of their data.
The sender of the message must accept this request and designate (as necessary) a Data Protection Officer (DPO) who is responsible for the entire process of collecting, securing, and processing personal data in the company.
2. Does each entity have to designate a Data Protection Officer (DPO)?
Below are the specific rules regarding DPOs:
The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offenses referred to in Article 10.
Source: Article 37 EU GDPR “Designation of the data protection officer”
3. Can I use my database which was collected before May 25, 2018?
Yes—if it has been collected in accordance with the previous local requirements and based on the following principles:
– Lawfulness, fairness, and transparency
– Integrity and confidentiality
It must also fulfill the information obligations to which each personal data administrator is obliged (see more on this in the next question).
4. Do I have to collect the consents again after the implementation of GDPR?
As in the previous question — there is no need to collect new consents if they were compliant with the previous legal requirements. However, it is necessary to provide the recipient with the following information in the form of a clause:
– Data of the Personal Data Protection Officer (if the designation in a given enterprise is necessary)
– The purpose of data processing and the legal basis
– Information about the right to oppose or withdraw consent
– Data source, if you collect it from other entities
– With whom you intend to share data, and information on whether data is transferred to third countries and international organizations
– The planned period of data storage
– Information about the rights of a natural person
– The right to lodge a complaint with a supervisory authority
– Information on whether data will be processed in the form of profiling
– Information on whether the provision of data is voluntary or mandatory, whether it is a condition for the conclusion of the contract, and what the consequences of not submitting data are.
5. Could you provide the correct example of data processing consent for marketing purposes?
I consent to the processing of my personal data for marketing purposes. The administrator of personal data is LINK Mobility Group AS, with registered office in Oslo, Norway. The data will be processed for marketing purposes via SMS. The Service Recipient has the right to access and correct his data and the right to demand discontinuation of processing as well as the right to object to the processing of data for the above purpose.
6. Is it possible to use SMS notifications sent, for example, from an online store, to gather consent to the sending of marketing content?
Yes, when providing information about the status of the order, you can ask the customer if he or she also wants to receive marketing messages in the future.
Use LINK Conversations to get in touch with customers and obtain consent.
In the case of e-commerce, one way to build a base is to place the SMS sign-up button next to where a customer places an order.
Remember that in exchange for leaving the data, it is also worth rewarding customers with an additional discount or a free delivery.
You can offer discounts and rewards to customers with LINK Coupon.
7. What SMS content can I send to the customer to confirm that he will continue to receive messages from us?
Here are some examples of what to say after a customer signs up or if they’re leaving your webpage:
– Thanks for signing up for our newsletter! You’ll be the first to receive information about upcoming promotions and events. Stay tuned!
– Great to have you with us! We still want to provide you with knowledge of garden furniture. If you want to receive messages from us, answer “YES” to this SMS.
– We’re sorry to see you go! Stay informed about upcoming promotions by signing up to the newsletter at LINK.
8. What are some examples of messages explaining how to opt out of SMS notifications?
– Remember that at any time you can opt out of receiving content by clicking: unsubsc.me/XYZ
– To unsubscribe from our newsletter, please visit: unsubscribe link
– You can unsubscribe at any time from receiving text messages at: unsubsc.me/XYZ. We’ll miss you!
– I hope you enjoy receiving messages from us. Don’t give us up! If you’d still like to unsubscribe, you can do so here: unsubsc.me/XY
9. What features should the consent expressed by the user have?
For the database to be created, the client must be asked for permission to process the data. Remember, this comes after presenting the data subject with the information clause in accordance with the requirements of GDPR. At this point, there are specific GDPR requirements, namely that the consent must be:
– Conscious, specific, unambiguous
– Written in simple, understandable language
– Related to the company’s information policy
– Explicit, i.e. it cannot raise doubts that it has been expressed
– Associated with a specific purpose of processing: it precisely defines what is involved and the timeframe for the duration of consent
– Possible to withdraw: the client can at any time ask to remove his consent from the database (and the withdrawal of consent must be as easy as the expression)
– If the activity concerns minors, the consent of the legal guardian is required (this applies to children under 16 years of age, as children aged 16 and over may give their consent to the processing of personal data; Member States may reduce this age limit to 13 years).