Electronic Direct Marketing and the Privacy Bee around it.  

Electronic Direct Marketing and the Privacy Bee around it.  

Article by Tsaaro

7 min read

Electronic Direct Marketing and the Privacy Bee around it.  


EDM marketing, also known as electronic direct marketing, is a tactic used by companies to create a subscriber database to communicate with specific potential clients through both online and offline channels in order to foster personal connections, generate leads, and boost sales. 

EDM marketing, in its most basic form, aims to spread your messaging to the targeted audience across a variety of marketing channels, including print, SMS, and social media among them. Email is the primary channel used in EDM marketing. 

In direct marketing, a target is identified as an individual, and the marketer makes an effort to either promote or persuade the individual to seek more data about a product or service. Direct marketing includes additional promotional content in addition to promoting a product or service. 

GDPR and e-Privacy Regulation: 

Email marketing and newsletter distribution are staples of the internet marketing world. The basic rule that states processing is forbidden but based on the possibility of authorization also holds true for personal data used to send emails.  

The General Data Protection Regulation (GDPR) only permits processing if the data subject has given consent or if there is another legal justification. The General Data Protection Regulation explicitly says in Recital 47 that processing personal data for direct marketing purposes is a legitimate interest of the controller and is subject to the law. 

The new e-Privacy Regulation, which is presently being considered by lawmakers, is meant to support, supplement, and add to the GDPR’s standards. Its geographical scope is identical to that of the GDPR in that it extends outside the EU to cover any data collected from data subjects in EU nations by international organizations. It also applies to any electronic direct marketing. 

Businesses that receive direct marketing are just as protected under the new regulations as regular customers are. Despite not falling under the e-Privacy Regulation’s purview, mail marketing is covered under the GDPR. The GDPR is also in line with the penalties and consequences for violation.  

When conducting direct marketing communication, the GDPR imposes some basic criteria that necessitate complete compliance with the following: 

  1. Principles of lawfulness, justice, and openness
  2. Principle of purpose limitation and the idea of data reduction
  3. The idea of accuracy
  4. Principles of integrity and confidentiality
  5. Fulfilment of rights of data subjects


  1. Principles of lawfulness, transparency, and fairness:

Fairness of the processing is predicated on the fact that the data subject is informed about how personal data is processed, as well as how it is retained, utilized, and gathered, allowing them to make an educated decision about whether to opt in. A smart approach to fully share that information is through privacy policies and cookie policies. 

Any information provided to the data subject must comply with the concept of transparency and be brief, clear, and understandable. 

CONSENT and LEGAL INTEREST are the two most significant legal basis with regard to lawfulness. 

Requirement of Consent: 

Obtaining valid consent prior is a crucial component of every direct marketing strategy. The new e-Privacy Regulation and the GDPR’s strengthened consent regulations support stronger requirements and a higher bar for marketers to clear before obtaining consent. 

In addition to these stricter requirements, the consent rule’s application has been expanded to encompass more technologies, such as the transmission of private messages via social media platforms, instant messaging, webmail or collectively known as Over-the-Top (or “OTTs”) communication services. 

For these kinds of app initiatives, marketers may have previously used implied permission as a way to deliver direct marketing without obtaining approval. The new requirements include that permission must be freely provided, precise, informed, and an unmistakable declaration of the person’s preferences.  

A definite, active action must be taken to indicate consent to the processing of personal data. There is a need for greater controls over records of consent due to new accountability requirements, including the capacity to prove that a person has consented and that the consent is easily identifiable from other topics. 

However, there is a “soft opt-in” exemption to obtain consent that permits an entity to send direct email marketing if: 

1) They obtained the recipient’s contact information during the sale of a good or service to that person (or, under the e-Privacy Directive, only in connection with the sale’s negotiation);  

2) They are only advertising their own similar goods and services (not those of a third party or group company); 

3) They provided the recipient with a straightforward option to decline or opt out of receiving the direct email marketing, both at the time they initially collected the recipient’s contact information. 

Legitimate Interest: 

Processing is required to further the legitimate interests of the data controllers or those of a third party. The data subject’s basic rights and freedoms, which call for the protection of personal data, especially if the person is a child or a juvenile, are above such interests. 

According to the GDPR, processing personal data for direct marketing purposes can be justified by legitimate interest. 

Right to object: 

The data subject shall have the right to object to such processing at any time, whether with regard to original processing or future processing. 

Article 21 of GDPR states that the right to object to the processing of personal information about data subjects for direct marketing purposes exists in cases where personal information is processed for such purposes. If the data subject uses its right to object to the processing for such purposes, the personal information will no longer be used for such purposes.  

Despite the fact that opt-in consent is not required before sending marketing emails, the GDPR requires that the recipient always have the choice to stop receiving them. 

  1. Principle of purpose limitation and data reduction:

Purpose limitation refers to the idea that you can only gather and use personal information for particular, legal purposes. Personal data must be adequate, relevant, and restricted to what is necessary for connection to the object for which they are processed, according to Article 5(1)(c) of the GDPR. In other words, firms should only gather the information that is really necessary and only store it for as long as it is genuinely required.  

In order to adhere to the data minimization principle, one must determine the minimal amount of personal information required to meet the data collection’s objectives and gather appropriate, relevant, and essential data. According to the accountability principle, one must be able to show that you have the necessary procedures in place to guarantee that you only gather and store the personal data you require. 

  1. Principle of data accuracy:

At the basic level, compliance entails:  

  1. Making sure that the information on hold is true and not misleading in a way that might harm the data subject; and 
  2. Making an effort to keep personal information updated when practical and appropriate.
  3. Examining any challenges to the correctness of personal data and correcting or deleting as appropriate. 
  4. Making prompt attempts to rectify or delete personal data when errors are found.


  1. Principles of integrity and confidentiality:

Being trusted fundamentally requires confidentiality. In accordance with GDPR Principles, controllers and processors are required to establish adequate technological and organizational measures to safeguard the security of personal data, including protection against unauthorized or illegal processing, accidental loss, deletion, or damage. There is a legitimate expectation of security that when data subjects provide their personal information, only the necessary individuals will have the access to that information. 

  1. Fulfilment of rights of data subjects:

The GDPR provides a variety of equally significant and intricate rights for data subjects. Organizations’ data processing operations will be impacted by the fulfillment of such rights (this also includes processing activities for the purpose of marketing). Despite the fact that marketing duties often do not include fulfilling data subject rights, there are few instances where they do. 


By returning an opt-out from such communications to the sender, unsolicited direct marketing material can be stopped. The communication received should have included a method for accomplishing this. Asking the company in question for an explanation if one is unsure about the source of the information.  

How the privacy experts at Tsaaro can assist:  

Experts at Tsaaro will help with compliance with the GDPR so that: 

1) It will be protected from severe fines for non-compliance. 

2) Aids in boosting the confidence of investors and customers in your company. 

Tsaaro will make sure that your organization complies with all legal requirements and has the greatest technological and physical infrastructure. 

Tsaaro also offers tailored programs to each of our clients so they can include cost-effective data protection by design and default into all of their business operations. 

 It will be made sure that your organization complies fully with the lawful processing of personal data, the creation of privacy and cookie policies, DPIAs, ensuring that data subjects’ rights are not violated, and the 72-hour notification of data breaches to the authorities. Take the first step towards a secure your organization’s data by scheduling a call with our privacy expert team at Tsaaro Solutions today.

Shubham Bansal

INTRODUCTION:  The enactment of the Digital Personal Data Protection Act, 2023, marks a significant milestone in the realm of data …

Shubham Bansal

Introduction  The introduction of the DPDPA, 2023 has brought in the opportunity for various sectors including the pharma companies to …

Shubham Bansal

INTRODUCTION:  The enactment of data protection legislation across various jurisdictions have necessitated strict mandates to protect people’s personal information. India …

Shubham Bansal

Introduction  In today’s digital age, data protection and privacy are crucial for businesses, especially those operating online. As companies increasingly …

Shubham Bansal

INTRODUCTION Last year, India achieved a significant mark when the long-awaited data protection legislation known as the Digital Personal Data …


Would you like to read regular updates from Tsaaro.
Subscribe to our newsletter

Our Latest Blogs

Read what the latest hapennings in the cyber world are and learn what the
experts have to say about them