Personal Data Protection and GDPR Compliance
A Legal Framework for Data Protection and Electronic Marketing – Key Regulations and Obligations
Data protection and compliance with regulations are the foundation of secure and transparent communication in the digital world. Our cross-channel platform, enabling interaction with customers in many countries, requires special attention to adherence to applicable legal regulations.
This section will present key aspects of GDPR and other regulations concerning data protection and electronic marketing that directly impact the use of our service. Compliance with these rules not only ensures legal conformity but also supports building trust and security in relationships with recipients in different parts of the world.
Key Legal Regulations
1. GDPR (General Data Protection Regulation) – EU (RODO in Poland)
The General Data Protection Regulation (GDPR) is an EU regulation that establishes a global standard for data privacy protection. It requires explicit consent for data processing, ensures the right to be forgotten, imposes an obligation for timely data breach notification, and establishes basic personal data safeguards. In Poland, GDPR provisions are supplemented by national regulations that specify and implement EU laws.
Key aspects of GDPR:
Explicit consent for data processing.
The right to be forgotten (permanent data deletion).
Obligation to report data breaches.
Safeguarding of personal data.
2. Act on Combating Abuse in Electronic Communication (Poland)
Effective from September 25, 2023, the Act on Combating Abuse in Electronic Communication introduces significant regulations concerning communication security. According to Art. 14, public entities may only commission the sending of short text messages (SMS) to an SMS service integrator listed in the register maintained by the President of the Office of Electronic Communications (UKE). Our company, Vercom S.A., is on this list.
To counter threats such as spoofing and smishing, public entities are obliged to use email secured with the SPF, DKIM, and DMARC mechanisms:
SPF (Sender Policy Framework) – a DNS record in which the domain owner lists the servers authorized to send mail for that domain; receiving servers use it to reject messages from unauthorized hosts, which prevents sender domain spoofing.
DKIM (DomainKeys Identified Mail) – a method of cryptographically signing emails with a key published in DNS, so that the receiver can verify that the message came from the signing domain and that its content was not altered during delivery.
DMARC (Domain-based Message Authentication, Reporting and Conformance) – a policy published in DNS that tells receivers what to do (none, quarantine or reject) with messages that fail SPF or DKIM checks aligned with the visible From domain, and that sends reports back to the domain owner; this is what enables domain owners to protect against email spoofing.
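As an added example (not code from the original page or from Vercom), the following Python checker shows how a sender can verify, before going live, that the three mechanisms above are not only present but configured strictly enough to actually stop spoofed mail. It works offline on constructed DNS TXT records embedded in a dictionary; in practice the records would be fetched from DNS. The domain names, the DKIM selector `s1` and the truncated public key are placeholders.

```python
"""Offline policy audit for SPF, DKIM and DMARC records (added example).

The checks encode the usual enforcement rules:
  SPF   - record exists and ends with -all (fail) or ~all (softfail)
  DKIM  - a key record exists for the selector and its p= tag is not empty (empty p= means revoked)
  DMARC - p= is quarantine or reject and applies to 100% of mail (pct=100)
"""

# Constructed sample TXT records; a real audit would look these up in DNS.
# "example.org" is configured strictly, "weak.example" shows common gaps.
SAMPLE_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    "s1._domainkey.example.org": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB...",
    "_dmarc.example.org": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org; adkim=s; aspf=s",
    "weak.example": "v=spf1 include:_spf.mailprovider.example ?all",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@weak.example",
    # no DKIM selector record for weak.example at all
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM/DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return (ok, reason). ok means SPF exists and its final 'all' term fails unauthorized hosts."""
    if record is None or not record.lower().startswith("v=spf1"):
        return False, "no SPF record"
    last = record.split()[-1].lower()
    if last in ("-all", "~all"):
        return True, f"SPF terminates with {last}"
    # '+all', '?all' or a missing 'all' term lets any host pass; a trailing
    # 'redirect=' modifier would need to be followed, which this toy skips.
    return False, f"SPF is too permissive (ends with {last!r}, expected -all or ~all)"


def check_dkim(record):
    """Return (ok, reason) for the selector's DKIM key record."""
    if record is None:
        return False, "no DKIM record for selector"
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, "unexpected DKIM version"
    if not tags.get("p"):
        return False, "DKIM key revoked or missing (empty p= tag)"
    return True, f"DKIM key present (k={tags.get('k', 'rsa')})"


def check_dmarc(record):
    """Return (ok, reason). ok means receivers are told to quarantine/reject all failing mail."""
    if record is None or not record.startswith("v=DMARC1"):
        return False, "no DMARC record"
    tags = parse_tags(record)
    policy = tags.get("p", "")
    if policy not in ("quarantine", "reject"):
        return False, f"DMARC policy p={policy or 'missing'} does not block spoofed mail"
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        return False, f"DMARC policy applies to only {pct}% of messages"
    return True, f"DMARC p={policy} enforced on 100% of mail"


def audit_domain(domain, selector, records):
    """Evaluate all three records for a domain; returns {mechanism: (ok, reason)}."""
    return {
        "SPF": check_spf(records.get(domain)),
        "DKIM": check_dkim(records.get(f"{selector}._domainkey.{domain}")),
        "DMARC": check_dmarc(records.get(f"_dmarc.{domain}")),
    }


def is_compliant(domain, selector, records):
    """True only when SPF, DKIM and DMARC all pass the strict checks."""
    return all(ok for ok, _ in audit_domain(domain, selector, records).values())


if __name__ == "__main__":
    for domain in ("example.org", "weak.example"):
        print(domain, "compliant" if is_compliant(domain, "s1", SAMPLE_RECORDS) else "NOT compliant")
        for name, (ok, reason) in audit_domain(domain, "s1", SAMPLE_RECORDS).items():
            print(f"  {name:5} {'OK ' if ok else 'FAIL'} {reason}")
```

Running it prints `example.org compliant` and lists the three reasons `weak.example` fails (permissive `?all`, no DKIM selector record, `p=none`). A `p=none` DMARC record is useful for collecting reports during rollout, but it does not instruct receivers to discard spoofed mail, which is why the checker treats it as non-compliant.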
Additionally, email service providers serving public entities must offer the possibility of using multi-factor authentication (MFA), which further strengthens user account protection. In the My settings -> 2FA settings section, you can check if two-factor authentication is enabled for your account. More information: 2FA Settings
3. Regulation on Privacy and Electronic Communications ("Cookie Law") – EU & UK
The ePrivacy Regulation, also known as the "Cookie Law," governs the use of cookies and other tracking technologies in the European Union and the United Kingdom. It requires user consent for placing cookies on their device, except for cookies essential for the website's operation.
Key aspects of ePrivacy:
Consent for the use of cookies.
Exceptions for essential cookies.
Transparency in informing about used tracking technologies.
4. Global E-mail Marketing Regulations (Overview)
Different countries have varying laws regulating e-mail marketing. Below are key regulations in selected regions.
🇺🇸 United States – CAN-SPAM Act & TCPA
CAN-SPAM Act: Defines rules for sending commercial emails. It gives recipients the right to opt-out of receiving messages and imposes strict penalties for violations.
TCPA (Telephone Consumer Protection Act): Regulates text messages and telephone calls.
🇨🇦 Canada – CASL (Canada’s Anti-Spam Legislation): One of the world's strictest anti-spam laws. It requires explicit consent for sending commercial electronic messages.
🇦🇺 Australia – Spam Act (2003): Requires recipient consent and an option to unsubscribe. Violations can result in penalties of up to AUD 2.1 million.
Other selected regulations:
🇬🇧 PECR (Privacy and Electronic Communications Regulations) – UK: Supplements the UK GDPR, regulating, among other things, the use of cookies and electronic marketing.
🇸🇬 PDPA (Personal Data Protection Act) – Singapore: Defines rules for the collection, use, and disclosure of personal data.
🇧🇷 LGPD (Lei Geral de Proteção de Dados) – Brazil: Introduces comprehensive personal data protection rules, modeled on GDPR.
🇿🇦 POPIA (Protection of Personal Information Act) – South Africa: Regulates the processing of personal data in South Africa.
🇮🇳 DPDPA (Digital Personal Data Protection Act) – India: Modern personal data protection laws in India.
🇯🇵 APPI (Act on the Protection of Personal Information) – Japan: Data protection regulations in Japan.
🇨🇳 PIPL (Personal Information Protection Law) – China: Imposes strict limitations on personal data processing.
Company Responsibilities for Regulatory Compliance
Companies using our omnichannel platform and processing personal data have a number of obligations arising from data protection laws, such as GDPR. Ensuring compliance with regulations not only minimizes legal risk but also builds customer trust. Below are key requirements that must be met.
Transparency: Companies must clearly inform users about the purposes of data processing, its recipients, and their rights. The privacy policy should be written in an accessible way so that users can easily understand how their data is used.
Data Security: Appropriate technical and organizational measures must be implemented to protect data against unauthorized access, loss, or destruction. Regular security updates, penetration tests, and incident monitoring increase the level of protection.
Data Minimization: Data processing should be limited to what is necessary for the specified purposes. Data that is no longer needed should be deleted according to the retention policy.
Maintaining a Record of Processing Activities (ROPA): Every company processing personal data should document its processes, including data categories, processing purposes, and recipients.
Breach Notification: In the event of a personal data breach, it must be reported to the relevant supervisory authority within the prescribed period. If the breach poses a high risk to the individuals whose data is affected, they must also be informed.
Managing Consents and Recipient Rights
Unsubscribing and Consent Management
Ease of Opting-out from Communication: Users should be able to easily unsubscribe from marketing communications. Opting-out should be possible with a single click (one-click unsubscribe).
Consent Management: Companies should maintain a record of granted consents, allow users to review them, and easily withdraw them. The process of withdrawing consent should be as simple as granting it.
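The one-click unsubscribe mentioned above is implemented with two mail headers standardized in RFC 8058: `List-Unsubscribe`, carrying an https URL (a `mailto:` target may be listed alongside it), and `List-Unsubscribe-Post` with the exact value `List-Unsubscribe=One-Click`; a mail client that sees both can unsubscribe the recipient with a single POST, with no page to load and no login. The following Python is an added example, not code from the original page or from the platform: it builds such a message, validates that an outgoing message carries the headers correctly, and shows the server-side handling of the POST that withdraws the consent. The domain `unsub.example.org`, the `/one-click` path and the per-recipient token scheme are assumptions for illustration.

```python
"""One-click unsubscribe (RFC 8058) headers: build, validate, and handle the POST (added example)."""
from email.message import EmailMessage
from urllib.parse import urlparse

ONE_CLICK_VALUE = "List-Unsubscribe=One-Click"  # literal value required by RFC 8058
UNSUB_DOMAIN = "unsub.example.org"               # hypothetical endpoint host


def build_marketing_message(sender, recipient, subject, body, unsubscribe_token):
    """Create an outgoing marketing message that supports one-click unsubscribe."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    # The token identifies the recipient so that the POST needs no login;
    # an https target is mandatory for one-click, the mailto: is an optional fallback.
    url = f"https://{UNSUB_DOMAIN}/one-click?token={unsubscribe_token}"
    msg["List-Unsubscribe"] = f"<{url}>, <mailto:unsubscribe@example.org?subject={unsubscribe_token}>"
    msg["List-Unsubscribe-Post"] = ONE_CLICK_VALUE
    return msg


def list_unsubscribe_targets(msg):
    """Parse the angle-bracketed targets out of the List-Unsubscribe header."""
    header = msg.get("List-Unsubscribe", "")
    return [part.strip().strip("<>") for part in header.split(",") if part.strip()]


def validate_one_click(msg):
    """Return a list of problems; an empty list means the message supports one-click unsubscribe."""
    problems = []
    targets = list_unsubscribe_targets(msg)
    https_targets = [t for t in targets if urlparse(t).scheme == "https"]
    if not targets:
        problems.append("missing List-Unsubscribe header")
    elif not https_targets:
        problems.append("List-Unsubscribe has no https URL (required for one-click POST)")
    post = msg.get("List-Unsubscribe-Post")
    if post is None:
        problems.append("missing List-Unsubscribe-Post header")
    elif post.strip() != ONE_CLICK_VALUE:
        problems.append(f"List-Unsubscribe-Post must be exactly {ONE_CLICK_VALUE!r}")
    return problems


def handle_one_click_post(token, form_body, subscriptions):
    """Server side: the client POSTs the literal body 'List-Unsubscribe=One-Click' to the URL.

    `subscriptions` maps token -> {"email": ..., "subscribed": bool}. Returns an HTTP-style
    status code. The withdrawal must be recorded immediately, with no further interaction.
    """
    if form_body.strip() != ONE_CLICK_VALUE:
        return 400  # not a one-click request; do not act on arbitrary GETs or bodies
    record = subscriptions.get(token)
    if record is None:
        return 404  # unknown or already-rotated token
    record["subscribed"] = False
    return 200


if __name__ == "__main__":
    # Constructed sample consent store keyed by unsubscribe token.
    subscriptions = {"tok123": {"email": "user@example.net", "subscribed": True}}
    msg = build_marketing_message("news@example.org", "user@example.net",
                                  "Monthly update", "Hello!", "tok123")
    print("problems:", validate_one_click(msg) or "none")
    print("POST status:", handle_one_click_post("tok123", ONE_CLICK_VALUE, subscriptions))
    print("still subscribed:", subscriptions["tok123"]["subscribed"])
```

Because the POST body is a fixed literal, the endpoint can refuse anything else, which keeps link scanners and prefetchers that only issue GET requests from unsubscribing people by accident. The recorded withdrawal is the evidence that consent management requires: the same store that holds granted consents holds the timestamped fact that one was withdrawn.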
Monitoring Regulatory Compliance
Maintaining Logs: Recording key data processing activities, such as data access, modifications, and security incidents.
Generating Reports: Regular reporting on regulatory compliance, including analysis of security breaches and user requests regarding their data.
Regular Audits: Conducting internal and external audits to verify compliance with regulations. Analysis of logs and reports to identify potential risks and implement corrective actions.
Documentation
Companies should maintain up-to-date documentation regarding their privacy policy, data processing procedures, and implemented security measures.