Data and personalisation Duval Union Academy breakfastsessions.be 9 June 2016

Sirius LegalData and personalisationBreakfastsessions.be 9 June 2016

Real Time Marketing!

Trigger Based

Marketing!

2016’s Marketing buzz…

Data and personalisationBreakfastsessions.be 9 June 2016

Personalisation!




“dynamic, personalized content delivered across channels.”

“dynamic personalization”

“commercial and communication activities based upon the measurement of relevant and identifiable changes in a customer's individual needs”

“trigger or event is defined as a detectable change in an Individual’s circumstances


Translated into Legal Speak

Measuring and defining triggers requires data

Gathering data = privacy law and cookie law


Current Privacy Law

Based on EU Directive 95/46/ECTransferred –differently- into national law by each member stateSet of rules dates back to ninetiesBased on location of company and/or serverAt the time most elaborate and progressive set of rules in the world


Current Privacy Law

Definition of personal data is very largeCfr B2B vs B2CECJ May 2016: Even dynamic IP address Browser history –information on social media – payment history…

Impact on data collection for personalised action is considerable


Impact on Personalisation, Real Time ad Trigger Based

All personalised, real time or trigger based action is based on data and profiling

Data collection is core – Same discussion as “previous” hype Big data

Considerable impact of privacy lawAlmost all available data is ‘personal data’


Impact on Personalisation, Real Time and Trigger Based

Almost all available data is ‘personal data’Classic data sources: “public data” – statistical data – private dataFact that data is publicly available or accessible does not in itself justify collection & treatmentCfr: data available online remains “personal” dataEven at first sight “statistical” info (cfr heatmapping) can be “personal” data


Impact on Personalisation, Real Time and Trigger Based

Birthday – marriage – major life eventOrder history – content of basket – heatmapping on sitePayment historyBrowser historyDemographic dataInfo on hobbies, preferences, interests, …

if linked, even indirectly, to individual = Are all –protected- personal data


Current Privacy Law

Actually straight and simple:

Basic rule = prior “opt-in” for all processingOr implicite opt-in if “legitimate grounds” for processing“Free and informed” opt-inTransfer of data to third party = additionnal opt-in

Cfr. Analytics tools, apps, cookies, database enrichment through mailings and actions, …: always opt-inCfr. also social media content



Prior opt-in is not always presentExisting client relationship vs. Prospects

“Legitimate grounds”Law does not define “legitimate grounds” (Privacy Commission: “cfr CRM”)Justification for profiling = compare interests of profiler and data subject

Information duty: client should know what data is being processed and why


Current Privacy Law

Rights of data subjectsopposition – access – correction – information

Obligations of data processorInformation – opt-in – data security – (export)

Information duty: client should know what data is being processed and why


Future Privacy Law

2016 – 2017

Regulation instead of Directive – 1 law for 28 states

Work in progress since 2012Agreement reached in December 2015Signature in April 2016Into force May 2018


Future Privacy Law

Heavily influenced by consumer protection activists in EPResult:Consumer friendly, but serious restraints for direct marketing sector, e-commerce sector and especially personalisation, real time and trigger based marketing and (big) data processing

Full trainings by Sirius Legal to follow this fall


For all services offered in EU (even free services)Direct marketing can be a legitimate interestInformation obligation (icons)Right not to be submitted to profilingRight to object to processing for DM purposeWarning obligations in case of data breachRight to be forgottenConsent for children“Data protection by design”“Data protection officer” Sanctions: up to 4% of yearly turnover or 20 million euro

Future Privacy Law



Right not to be submitted to profiling

“right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or other significant effects concerning him or her.”



Right to object to further processing

“Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”


Impact on Personalisation Real Time ad Trigger Based

Consent for children

The regulation requires parental consent for individuals of less than 16 years.

Member States are allowed to foresee other limits between the age of 13 and 16.


Prepare for the new Regulation

Follow up on discussion (eg through our website www.siriuslegal.be)Start review vendor contracts (in view of data security obligation) Start to prepare for full update of policies, contracts, business processesPut in place data breach notification procedureAppoint (temporary) data security officerPut in place impact assessment and/or risk analyses policyCreate compliance statements for annual business reportsTrain staffSit back and wait for final text of regulation for final details…


Sirius LegalMedia & advertisement lawIP lawInternet & e-commercePrivacy & cookiesGambling lawTravel & consumer protectionCommercial contractsCorporate tax labour real estate

[email protected]@BartVdBrandeLinkedin.com/in/bartvdb