At Bancomail, compliance with regulations is fundamental, which is why we have always been committed to knowing and respecting the current and applicable regulations for the protection of the contacts in our Database.
Doing our work requires maintaining a risk-free Database. To that end, since 2001 we have scrupulously followed every indication of the law, even when national legislation was conceived for the traditional world, with little or no reference to the world of the Web, and the community was only a sketch.
With the GDPR, the legislators have finally conceived modern legal texts aimed at the Digital world.
Nevertheless, due to the intrinsic nature of laws and regulations, many actors in the consulting field have limited themselves to fearing high and generalized risks, without carefully analyzing the context in which the Direct Marketing world finds itself in the light of this new Regulation.
Together with our Legal department, and in agreement with the most authoritative players in the Direct Marketing industry, we have conducted, and continue to update, a specialized and scrupulous analysis of the GDPR regulatory framework for our field.
The research reveals that the GDPR not only does not limit general operations, but expands and contextualizes them with precision. Bancomail procedures and the types of data processed are therefore compliant with the GDPR.
Below is an excerpt from our analysis.
Today, the Bancomail Database contains more than 8,000,000 records of companies, associations and freelancers. Inside the Database there are 2 cases/types of data:
It represents 75% of the total records in our Database: companies, associations and entities with various corporate forms and generic contact data (e.g. info@) or department contact data (e.g. marketing@, sales@, etc.).
These subjects are excluded from the protection of the Regulation on the basis of its Recital 14, which we quote in full:
The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.
However, for ethical reasons and as a greater guarantee, although this exclusion from protection was already included in previous legislation, we have always assured these subjects the Universal Rights (information, verification, updating and removal). We will continue to do so under the GDPR.
In the same virtuous and strategic view, we advise our customers to use the same type of approach, ensuring the recipients proper information and rights.
This is a much less frequent case in our Database, but it does exist. Contact data that incidentally identifies the "natural person" can appear according to two patterns:
In the first case, the person is clearly identified by the company to which they are related, while the second case mostly covers freelancers, professionals or self-employed people who use, albeit for business purposes, contact details that clearly identify the "natural person" even beyond their professional role.
In both cases there are two equally relevant arguments:
If the email address (or the name and surname, the position, etc.) has been provided by the subject, who indicated it as contact data for their business activity, this precise action brings it within the exclusion of Recital 14.
If instead (regardless of the intentions of the person providing them) you want to consider these data as referring to the "natural person", the right to process them is assured by two other Recitals: 47 and 70.
In particular, Recital 47 states, as a conclusion:
The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Thus, if direct marketing pursues a legitimate interest, the processing of this type of data is allowed. In this case, upholding the data subject's rights is no longer a choice but an obligation. This means informing the recipient about the data processing and its purposes while ensuring the exercise of those rights.
Transmitting the disclosure can be the occasion to present your business and the subject of the promotion, if any.
DPO: although the Regulation does not oblige us to do so, we are appointing a Data Protection Officer to supervise all procedures relating to data processing and to detect any critical issues.
LIA: this is an internal audit ("Legitimate Interest Assessment") that serves to put on paper and archive the evaluation made by the Database and DPO team regarding our legitimate interest and that of our customers.
This document takes into account an objective "balance test", to verify that individual interests do not prevail over ours.
TRACKING: since the birth of Bancomail, we have created routines to track the data we provide. Every single record contains all the data on its retrieval (date, source, etc.) and the references (name and time) of those to whom we have provided it.
This approach is very important for full compatibility with the Regulation.
ISO 27001: even if not strictly related to the Regulation, our company is adopting the ISO 27001 Certification for the management of information security. In this respect, our systems have been at the forefront for years, applying advanced data protection technologies.
The analysis shows that the GDPR provisions not only do not constitute a problem for our customers and marketers but, on many points, clarify and expand the possibilities related to direct marketing, opening roads that were previously stuck in a gray area due to regulatory deficiencies.