The Danish DPA regulates marketing via electronic means:
- A data subject has the right to object to the processing of his/her personal data for direct-marketing purposes. If the data subject makes such an objection, personal data may no longer be used for this purpose. This also applies to profiling.
The data controller shall, irrespective of whether or not the data subject objects to the processing, ensure that the data subject has not refused inquiries for marketing purposes.
- A data controller must not disclose or process personal data of a consumer to or on behalf of another company for direct marketing without the consumer’s explicit consent pursuant to Section 10 of the Marketing Practices Act.
This prohibition does not apply to “general customer information“ used to create customer categories (for example, consumers interested in cars or clothes) and to see if the requirements in the GDPR are met. The GDPR states that processing can take place to pursue legitimate interests of the controller or third party, if such interests are not overridden by the interests of the data subject. The data controller must ensure that the consumer has not refused marketing requests via the Danish CPR-register. General customer information does not include detailed information about the consumer’s consumption habits, such as a car financing or product purchase.
Sensitive information must never be processed for such purposes.
Personal data processed for marketing purposes must always comply with the general principles of the GDPR and other rules, stated in the Marketing Practices Act and required by the Danish Business Agency (Erhvervsstyrelsen).
Additionally, the Danish Marketing Practices Act must be followed when contacting an individual, especially regarding the prohibition against sending unsolicited email marketing (SPAM).
