In Bancomail, compliance with regulations is fundamental, which is why we have always been committed to know and respect the current and applicable regulations for the protection of the contacts in our Database.
Doing our work requires the maintenance of a risk-free Database. To do so, we have - since 2001 - scrupulously followed every indication of the law, even when the national legislation was conceived on the traditional world with little or no reference to the world of the Web and the community was only a sketch.
With the GDPR, the legislators have finally conceived modern legal texts aimed at the Digital world.
Nevertheless, due to the intrinsic nature of laws and regulations, many actors in the consulting field limit themselves to fearing high and generalized risks without carefully analyzing the context in which the Direct Marketing world finds itself in the light of this new Regulation.
After an accurate analysis of the GDPR policy, and based on our legal office opinon as well as of the majour Direct Marketing players, we concluded on the one hand that we collect and manage our data in compliance with the GDPR policy, on the other hand that GDPR policy doesn't limit the general use of our data but extends and contextualizes it with precision.
Below is an excerpt from our analysis.
Today, the Bancomail Database contains more than 8,000,000 of company records, associations and freelancers. Includes 3 cases/types of data:
It represents 75% of the total records in our Database: companies, associations and entities with various corporate group forms and generic contact data (eg: info @) or department (es .: marketing @, sales @, etc.).
These subjects are excluded from the protection of the Regulation on the basis of Recital 14 of the same that we fully report:
The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.
However, for ethics and greater guarantee - although this exclusion from the treatment protection was already included in the previous legislations - we have always assured to these subjects the Universal Rights (information, verification, updating and removal). We will continue to do so also with the GDPR.
In the same virtuous and strategic view, we advise our customers to use the same type of approach, ensuring the recipients proper information and rights.
An example of a less frequent case in our Database would be: Company Ltd with given email email@example.com. In this case the arguments are two and equally relevant:
If the email address (or the name and surname, the charge, etc.) have been conferred by the subject, indicating them as contact data, the same action includes them in the exclusion of Recital 14.
If instead (beyond the intentions of the transferor) you want to consider these data as referring to the "Natural Person", the right to treatment is assured by two other Law Statements: 47 and 70.
Particularly, the 47 states, as a conclusion:
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Thus, if the direct marketing aims to legitimate interest, the processing of this type of data is allowed. In this case, the interested party's assertion of the rights is no longer a choice but an obligation. This means to inform the recipient about the data treatment and its purposes by ensuring the exercise of the rights.
Transmitting the disclosure could be the occasion in which to present your activity and the object of the eventual promotion.
It's a quite frequent type of record in our database. Most of these are Freelancers in single form (therefore not legal person) who have names and contact details that clearly identify the "physical person", beyond the "business" role when this one acts as a professional.
It would be easy to argue that, as indicated/given by the subject in a spontaneous way, these data can be attributed to case 1, but it's a non-convincing way.
It would be much more convincing to refer to the Recitals of the previous case (47 and 70) and, particularly, to the reference of the "Legitimate Interest" for direct marketing purposes.
Also in this case, diclosure and rights are mandatory, but you have the chance to present your business and the object of a possible promotion.
DPO: despite the Regulation does not oblige us to do so, we are providing a Data Protection Officer for the supervision of all the procedures relating to the data processing and the detection of any critical issues.
LIA: it's an internal audit ("Legitimate Interest Assessment") that serves to put on paper and archive the evaluation made by the Databale and DPO team, regarding our and our customer's legitimate interest.
This document takes into account an objective "balance test", to verify that individual interests do not prevail over ours.
TRACKING: since the birth of Bancomail, we have created routines to track the data we provide. Every single record contains all the data on the retrieval (date, source, etc) and the references (name and time) of those to whom we have provided it.
This approach is very important for a full compatibility with the Regulation.
ISO 27001: even if not strictly related to the Regulation, our company is adopting the ISO 27001 Certification for the management of information security. In this respect, our systems have been at the forefront for years, applying advanced data protection technologies.
As we can see, the introduction of the GDPR doesn't constitute a problem for our customers and for marketers in general, but - in many ways - it clarifies and widens the possibilities related to direct marketing by opening paths (eg possibility for the transfer of data from the internal "contacts") that previously, due to regulatory deficiencies, were not reachable.