Data Protection in Albania

Electronic marketing

Change countries

Change country

Data protection laws in Albania

On 19 December 2024, the Parliament of the Republic of Albania passed Law No. 124/2024, titled “On Personal Data Protection” (the “Data Protection Law”) (Official Gazette of the Republic of Albania No. 9, dated 17 January 2025). This legislation aims to align Albania’s legal framework with the European Union’s standards, particularly by incorporating Regulation (EU) 2016/679 (the General Data Protection Regulation, or GDPR) and Directive (EU) 2016/680, both of which address the protection of personal data in various contexts, including criminal law enforcement.

The adoption of this law marks the culmination of an extensive process, with the Office of the Information and Data Protection Commissioner pursuing the alignment of Albanian data protection laws with the GDPR since 2018.

The Data Protection Law establishes the rules for safeguarding individuals’ personal data and aims to protect fundamental human rights and freedoms, particularly the right to personal data protection.

Scope

The Data Protection Law applies when personal data are processed in whole or in part by automatic means, as well as to the processing of personal data which are part of a filing system or are intended to become part of a filing system where the processing is not carried out by automatic means; however, the law does not cover data processing by natural persons for purely personal or family purposes (Article 3).

Territorial Scope

The Data Protection Law shall apply:

in the framework of the activities of a controller or processor established in the Republic of Albania, regardless of whether the processing takes place in the Republic of Albania or not;
of data subjects, who are located in the Republic of Albania, by a controller who is not established in the Republic of Albania, but the processing operations relate to:

1. the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
2. the monitoring the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania;

by a controller or processor, who is not established in the Republic of Albania, but in a territory where Albanian law applies on the basis of public international law (Article 4).

Related resources

Definitions

Definitions in Albania

Definition of Personal Data

Data Protection Law defines personal data as any information relating to a data subject (Article 5(3)).

A “data subject” refers to any identified or identifiable natural person. A person is identifiable if he or she can be identified, directly or indirectly, by reference to one or more specific identifiers, such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity (Article 5(23)).

Definition of Sensitive Personal Data

Data Protection Law defines sensitive data as special categories of personal data that reveal racial or ethnic origin, political opinions, religious beliefs or philosophical views, trade union membership, genetic data, biometric data, data concerning a person’s health, life or sexual orientation (Article 5(28)).

“Genetic data” means personal data relating to the inherited or acquired genetic characteristics of a person which provide unique information concerning his or her physiology or health and which are obtained, in particular, because of the analysis of a biological sample taken from that person (Article 5(25)).

“Biometric data” means personal data resulting from specific technical processing of the physical, physiological or behavioural characteristics of a person which enable or confirm the unique identification of that person, such as facial images or fingerprints (Article 5(24)).

“Data concerning health” means personal data relating to the physical or mental health of a person, including the provision of healthcare services, which indicates information relating to his or her state of health (Article 5(26)).

Authority

National data protection authority in Albania

The Commissioner for the Right to Information and Personal Data Protection (the “Commissioner”) is the Albanian authority in charge of overseeing and ensuring the implementation of the applicable legislation on data protection, with the primary goal of protecting the fundamental rights and freedoms of individuals in relation to the processing of personal data. The Commissioner is an independent authority, elected by a majority of the Parliament members, based on a proposal from the Council of Ministers, for a seven-year term, with the possibility of re-election.

In carrying out their duties and exercising their powers under the Data Protection Law, the Commissioner operates independently, free from any direct or indirect influence, and does not seek or accept instructions. During the Commissioner’s term, they are prohibited from engaging in any activities or professions that may conflict with their duties, whether paid or unpaid.

The Commissioner is supported by the Office of the Commissioner, which is provided with the necessary human, technical, financial, and infrastructural resources to effectively perform its functions. The staff operates under the exclusive direction of the Commissioner and reports to them regularly. To fulfil the mission and objectives of the office, the Commissioner may also consult with external advisors on specific matters. The Commissioner has the authority to approve the organizational structure of the Office of the Commissioner.

The Commissioner is seated at:

Rr. “Abdi Toptani”, Nd. 5
Postal Code 1001
Tirana
Albania

Registration

Registration in Albania

A data controller or processor must notify the Commissioner of the contact details of the Data Protection Officer.

If a data controller or processor is not established in the Republic of Albania but engages in processing activities related to data subjects in Albania, the controller or processor must appoint a representative and notify the Commissioner. This notification must include the identity of the representative appointed in the Republic of Albania. The notification must be provided in writing (Article 25).

This requirement applies when processing involves:

the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
the monitoring of the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania.

This requirement shall not apply:

to processing, which is incidental, does not involve the processing of sensitive data or criminal data on a large scale and is not likely to result in a risk to the fundamental rights and freedoms of natural persons, taking into account the nature, context, object and purposes of the processing; or
to public authorities.

Data protection officers

Data protection officers in Albania

Obligation to designate a Data Protection Officer (“DPO”) (Article 33)

The controller and the processor must designate a DPO if:

The processing is carried out by a public authority or body, excluding courts, in the course of judicial activities;
The core activities of the controller or processor involve processing operations that, due to their nature, scope, or purpose, require regular and systematic monitoring of data subjects on a large scale;
The core activities of the controller or processor involve processing sensitive data or criminal data on a large scale.

A group of companies may appoint a single DPO, who should be easily accessible to each member of the group. In the case of a public authority, one DPO may be designated to cover multiple authorities, considering their organizational structure and size.

In situations not covered by the first paragraph above, the controller, processor, associations, or other bodies representing a category of controllers or processors may, or in some cases must, designate a DPO, as required by law.

Duties and position of the DPO (Article 34)

The DPO has the following duties:

Provides advice, upon request, to the management bodies of the controller or processor on all matters related to data protection;
Participates in data protection impact assessments;
Informs and advises the staff of the controller or processor on data protection, including raising awareness and training staff involved in processing operations;
Monitors compliance with the Data Protection Law, other applicable data protection provisions, and the policies of the controller or processor, including the assignment of responsibilities, awareness-raising, staff training, and relevant audits;
Cooperates with and serves as a point of contact for the Commissioner;
Gives due attention to the risks of infringing fundamental rights and freedoms that may arise from personal data processing, considering the nature, context, circumstances, and purposes of the processing.

The DPO must be appointed based on certified professional qualifications, particularly with sound knowledge of data protection law and practices, and the ability to perform the tasks outlined in the paragraph above.

The DPO may be an employee of the controller or processor, or someone under a service contract. The DPO may hold other responsibilities, but the controller or processor must ensure these duties do not conflict with the role of the DPO.

The controller and processor must ensure the DPO is involved in a timely manner in all matters related to data protection and has the necessary resources to carry out their duties. The DPO must also maintain confidentiality regarding their duties.

The controller and processor must ensure the DPO is not given instructions regarding the performance of their duties and cannot be dismissed or penalized for carrying out their responsibilities. The DPO reports directly to the highest level of management of the controller or processor.

Collection and processing

Collection and processing in Albania

The Data Protection Law provides the following definitions:

A “controller” means the natural or legal person and any public authority which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 5(8)).

A “processor” means the natural or legal person and any public authority which processes personal data on behalf of the controller (Article 5(18)).

Principles for the lawful processing of personal data (Article 6)

Personal data shall be:

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);
adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
accurate and where necessary kept up to date (the “accuracy principle”);
kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and
processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”).

Lawfulness of processing of personal data (Article 7)

Processing shall be lawful only if and to the extent that at least one of the following applies:

the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which the controller is subject;
processing is necessary in order to protect the vital interests of the data subject or of another natural person;
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Lawfulness of processing of sensitive data (Article 9)

Processing of sensitive data is prohibited.

The processing of sensitive data is permitted if appropriate measures are implemented to protect the fundamental rights and interests of data subjects and only in cases where:

the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where the applicable legislation provides that the prohibition on processing sensitive data cannot be waived by consent from the data subject;
processing is necessary for the fulfilment of a specific obligation or right of the controller or of the data subject in the field of employment, social security and social protection, including obligations and rights arising from a collective agreement, in accordance with the applicable legislation in these areas, provided that the fundamental rights and interests of the data subject are guaranteed;
processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is incapable of giving consent due to his / her health condition or when his / her right to act has been removed or restricted;
processing is carried out in the course of the lawful activity of a not-for-profit political, philosophical, religious or trade union organization, provided that the processing relates only to members or former members of the organization or to persons who have regular contact with it in the context of its activity, and that the personal data are not disseminated outside the organization without the consent of the data subjects;
processing relates to personal data which are manifestly made public by the data subject and the processing is necessary for the pursuit of a legitimate interest;
processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
procesecessary for archiving purposes in the public interest, for historical, research, scientific or statistical purposes, subject to legal provisions.

Lawfulness of processing of data related to criminal offences and convictions (Article 10)

Processing of personal data relating to criminal convictions and offences or security measures related thereto is carried out only under the control of competent authority or when the processing is authorised by law providing for appropriate safeguards for the rights and freedoms of data subjects. The judicial status register is maintained under the control and supervision of the Ministry of Justice, in accordance with the legislation in force.

Processing of data for specific purposes:

Processing of personal data and freedom of expression (Article 43)

To balance data protection with freedom of expression and information, exceptions to the Data Protection Law can be applied for journalistic, academic, artistic, and literary purposes, provided:

The data is necessary for preparing journalistic, academic, literary or artistic materials for publication;
The data is only used for the specified purpose;
The publication serves the public interest;
Applying the Data Protection Law would hinder the purpose;
The processing does not harm the fundamental rights of data subjects.

If these exceptions are applied, personal data should only be retained for as long as needed for the publication and can be shared with those involved in its creation, other potential publishers, or for legal purposes.

Additionally, when publishing, the controller must ensure minors, crime victims, or individuals claiming harm are not identifiable without consent or court approval, except when the victim is a public figure related to their role

Exceptions do not apply to processing data about minors or certain other legal provisions.

Processing of personal data and access to information in the public sector (Article 44)

The right to personal data protection is balanced with the right of access to official documents and information, as outlined in the applicable legislation. Public access to information, is not restricted by personal data protection laws for public authorities or individuals exercising state functions, unless other fundamental rights (such as the right to life or physical integrity) require specific protection of their data.

Processing of personal data for archiving, research, and statistical purposes (Article 45)

The processing of personal data, including sensitive and criminal data, for archiving in the public interest, or for historical, research, scientific, or statistical purposes, is considered a legitimate interest of the controller, unless the data subject’s interests or fundamental rights and freedoms, which require protection of their personal data, take precedence.

Personal data collected for any purpose may be further processed for archiving purposes, historical research, or scientific and statistical purposes.

This processing must be carried out with appropriate safeguards to protect the rights and freedoms of the data subject. These safeguards include, but are not limited to:

Technical and organizational measures taken by the controller in compliance with Data Protection Law, especially principles of data minimization or pseudonymization, to achieve the processing purpose. If the purpose can be achieved by processing anonymized or pseudonymized data, that method should be used;
Pseudonymization of data, and where possible, anonymization before transferring data for further processing;
Specific safeguards to ensure that data is not used for decisions or actions concerning the data subject, unless the data subject has expressly given consent.

Exemptions from certain data subject rights may apply if exercising those rights would significantly hinder or prevent the achievement of the processing purpose. The controller bears the burden of proving that the exercise of these rights would cause such an obstacle to the purpose.

Processing of personal data and direct marketing (Article 46)

See Electronic marketing.

Related resources

Transfer

Transfer in Albania

General principles (Article 39)

Personal data that is being processed or will be processed after transfer may only be transferred to a foreign country or international organization or further transferred from one foreign country or international organization to another, if adequate protection for the data is guaranteed at the destination, or if specific safeguards are in place specifically for such transfer.

Transfers required by foreign court or administrative authority decisions will only be recognized or enforced if they are based on an international agreement, such as a mutual legal assistance treaty, in effect between the requesting third country and Albania, and without violating the other transfer criteria outlined in the Data Protection Law.

Transfer of data based on an adequacy decision (Article 40)

Personal data may be transferred to foreign countries or international organizations if the recipient is located in a country, territory, or sector within a foreign country, or belongs to an international organization that ensures an adequate level of data protection. The adequacy of the data protection level for a country, territory, sector, or international organization is determined by a decision of the Commissioner.

Pursuant to the Decision of the Commissioner No. 8, dated 31 October 2016 the following states have an adequate level of data protection:

European Union member states;
European Economic Area states;
Parties to the Convention No. 108 of the Council of Europe “For the Protection of Individuals with regard to Automatic Processing of Personal Data”, as well as its 1981 Protocol, which have approved a special law and set up a supervisory authority that operates in complete independence, providing appropriate legal mechanisms, including handling complaints, investigating and ensuring the transparency of personal data processing;
States where personal data may be transferred, pursuant to a decision of the European Commission.

Transfer of data in the absence of an adequacy decision (Article 41)

In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or international organization only if appropriate safeguards are in place, and if enforceable data subject rights and effective legal remedies are available for the data subjects.

If appropriate safeguards are not in place, the transfer may only occur if one of the following conditions is met:

the data subject has explicitly consented to the proposed international transfer, after having been clearly informed of the possible risks of such transfer;
the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request, or the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically incapable of giving consent, or their right to act has been removed or restricted;
the transfer is necessary for important reasons of public interest;
the processing is necessary for the establishment, exercise or defence of a right, obligation or legitimate interest before a court or public authority;
the transfer is made from a register that is open for consultation by law and provides information to the general public, provided that the transfer includes only certain information and not entire sections of the register.

Where a transfer could not be based on any of the above, a transfer may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the Commissioner and the data subject of the transfer and on the compelling legitimate interests pursued.

Related resources

Security

Security in Albania

General responsibility of the controller (Article 22)

The Data Protection Law requires controllers to implement appropriate technical and organizational measures, based on the nature, scope, context, and purposes of the processing, as well as the potential risks to individuals’ rights and freedoms. These measures must be regularly reviewed and updated as necessary.

Data protection by design and by default (Article 23)

Controllers should consider technological developments, implementation costs, and the specific circumstances of the processing when determining safeguards, such as pseudonymization, to protect data subjects’ rights.

Controllers must ensure that, in a predetermined manner, only the personal data necessary for each specific purpose is processed, including limiting the data collected, its accessibility, and storage period. Security measures must prevent unauthorized access to personal data and maintain the confidentiality, integrity, availability, and resilience of processing systems and services.

Measures to ensure the security of processing (Article 28)

The controller and the processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, where applicable:

Pseudonymization and encryption of personal data;
The ability to ensure the confidentiality, integrity, availability, and resilience of the processing systems and services;
The ability to restore the availability and access to personal data within a reasonable time in the event of a physical or technical incident;
A process for regularly testing, reviewing, and assessing the effectiveness of the technical and organizational measures to ensure the security of the processing.

The level of security shall be in compliance with the nature of personal data processing. The Commissioner has established additional rules for personal data security by means of Decision No. 6, dated 05 August 2013 “On the Determination of Detailed Rules for the Security of Personal Data”.

Related resources

Breach notification

Breach notification in Albania

Controller’s notification to the Commissioner (Article 29)

In the event of a personal data breach, the controller must notify the Commissioner as soon as possible, and no later than 72 hours after becoming aware of the breach. Notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of data subjects. If the notification is not made within the 72-hour timeframe, the controller must provide an explanation for the delay.

The notification to the Commissioner must include, at a minimum:

A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records involved;
The name and contact details of the DPO or another relevant contact point;
A description of the likely consequences of the personal data breach;
A description of the measures taken or proposed to address the breach, including, where applicable, measures to mitigate its potential adverse effects.

If all of the required information is not available at once, it may be provided in stages, as soon as possible.

The controller must document all personal data breaches, including the details, impact, and corrective actions taken, to enable the Commissioner to verify compliance. The Commissioner shall respond to the notification in line with their authority. The Commissioner may also instruct the controller to notify the affected data subjects of the personal data breach if the breach is likely to pose a high risk to their rights and freedoms, and if the controller has not already done so, as outlined in the section below.

Controller’s notification to the data subjects (Article 29)

The controller must inform data subjects if the risks to their rights and freedoms resulting from the data breach are likely to be high, by providing the information as outlined in the notification to the Commissioner above. However, notification to data subjects is not required in the following cases:

The controller has implemented appropriate technical and organizational protective measures, such as encryption, which were applied to the personal data affected by the breach;
The controller has taken additional steps to reduce the risk of harm to the rights and freedoms of data subjects;
The controller publishes the notice or takes other similar actions to notify data subjects of the breach in a uniform and effective manner, where notifying each individual data subject would impose a disproportionate burden on the controller.

Processor’s notification to the controller (Article 29)

The processor shall notify the controller immediately after becoming aware of any personal data breach.

Related resources

Enforcement

Enforcement in Albania

The Commissioner is the competent authority for the supervision and enforcement of Data Protection Law. The Commissioner is responsible, inter alia, for:

Ensuring that data subjects can exercise their rights, including providing them with information and advice on these rights;
Investigating the compliance of personal data processing activities with the Data Protection Law, either proactively or in response to a complaint;
Reviewing complaints filed by individuals or non-profit entities, organizations, or associations representing individuals, in cases of alleged violations of the Data Protection Law;
Evaluating the responses provided by competent authorities to data subjects’ requests regarding their rights of access, rectification, or erasure;
Imposing administrative sanctions and penalties, and overseeing their enforcement.

Administrative offenses related to the processing of personal data may result in a fine of up to ALL 2,000,000,000 (approximately EUR 20,300,000), or, in the case of a company, up to 4% of its total annual global turnover from the previous financial year, whichever amount is greater.

The Commissioner shall issue a directive outlining the rules regarding the imposition of administrative sanctions, which will be based on the guidelines established by the European Data Protection Board.

The sanctioned subject may appeal the fine in court within the deadlines and according to the procedures that regulate the administrative trials.

Electronic marketing

Electronic marketing in Albania

Electronic and direct marketing under the Data Protection Law

The Data Protection Law does not explicitly refer to electronic marketing; nevertheless, it will apply to most electronic marketing activities since they typically involve personal data, like an email address that includes the recipient’s name.

Personal data may be processed for direct marketing purposes as a means of communicating with identifiable individuals to promote goods or services. This includes advertising membership in organizations, soliciting donations, and any direct marketing activities, which also cover any preparatory actions taken by the advertiser or a third party to facilitate such communication (Article 46(1)).

The most common legal grounds for the processing of data for direct marketing are:

The legitimate interests of the controller

Processing for direct marketing purposes, whether carried out by the controller or by third parties, may be based on legitimate interests, provided that the interests of the protection of data subjects are not overridden. This also applies to the use of data obtained from publicly accessible sources for direct marketing purposes.

The consent of the data subject

When relying on consent, it is essential to adhere to the requirements set by Data Protection Law. Notably, when personal data is processed for direct marketing purposes, the data subject has the right to object at any time, without needing to provide a reason, to the processing of their personal data for such purposes, including profiling insofar as it relates to them (Article 19(2) and Article 46(4)).

Furthermore, the controller must be able to demonstrate that the data subject has given consent for the processing of their personal data. If consent is provided in the context of a written statement that includes other matters, the request for consent must be clearly distinguishable from the other information. It should be presented in an intelligible and easily accessible format, using clear and plain language (Article 8(2)). In the context of direct marketing, marketing consent forms should include clear opt-in mechanisms, such as checking an unchecked consent box or signing a statement, rather than just accepting terms and conditions or assuming consent based on actions like visiting a website.

The processing of a minor’s personal data based on consent, in the context of online goods or services directly offered to them, is lawful only if the minor is at least 16 years old. If the minor is under 16, the processing is lawful only if consent is given or authorised by the minor’s parent or legal guardian, and only to the extent that it is given or authorised by them (Article 8(6)).

The processing of sensitive data for direct marketing purposes is carried out with the explicit consent of the data subject (Article 46(3)).

The Commissioner has issued an Instruction no. 06, dated 28 May 2010 “On the correct use of SMSs for promotional purposes, advertising, information, direct sales, via mobile phone”. This instruction emphasizes the importance of the prior consent given by the data subject.

Electronic and direct marketing under the Electronic Communications Law

According to Law 54/2024 “On electronic communications in the Republic of Albania” (“Electronic Communications Law”), natural or legal persons who possess the email addresses of their customers for their products or services may use these addresses for direct marketing of similar products or services only if they have obtained the explicit consent of the customers to be contacted for marketing purposes. Additionally, they are required to provide customers with a simple and free way to opt out of the use of their email address for marketing purposes at any time. It is also prohibited to send SMS or email messages for direct marketing purposes if the sender’s identity is concealed or if a valid address is not provided, through which the recipient can request the cessation of such communications (Article 165 “Unsolicited communications”).

Online privacy

Online privacy in Albania

Online privacy under the Data Protection Law

The Data Protection Law does not include specific regulations for cookies or location data. However, location data and online identifiers (which include cookies) are considered identifying factors for data subjects. As such, the general data protection provisions outlined in the Data Protection Law also apply to online privacy.

Apart from the general data protection principles applied mutatis mutandis, the Data Protection Law contains few specific provisions regarding online privacy. These include:

Right to rectification and erasure (Article 15(2)(dh))

The data subject has the right to request the erasure of personal data relating to them from the controller. The controller is required to erase the personal data as soon as possible, and in any case, no later than 30 days from the receipt of the request, if the data was collected in the context of online provision of goods or services.

The right to be forgotten (Article 16)

When the controller has made personal data public and is required to erase it, they must take reasonable steps, including technical measures, to notify other controllers processing those data that the data subject has requested the removal of any link, copy, or reproduction of the personal data, considering the applicable technology and implementation costs. Additionally, at the data subject’s request, operators of internet search engines must remove outdated information from search results based on the data subject’s name if that information, although no longer current, significantly harms the data subject’s reputation.

In order to provide some clarifications on the notion of cookies and their use, the Commissioner has defined the cookies in an online dictionary as some data stored on the computer, which contain specific information. This rudimentary definition is further complemented by a short explanation which states that cookies allow any server to know what pages have been visited recently, just by reading them.

The Commissioner has also released an opinion (which is somewhat outdated and non-binding for data controllers) regarding the protection of personal data on the websites of both public and private entities. In this opinion, the Commissioner highlights the obligations of data controllers under the Data Protection Law, as well as the rights of data subjects, which must also be observed in the context of online personal data collection:

The right to be fully informed and to give their approval if a website (or an application) processes their data;
The right to keep their online communications secret (including email, the computer’s IP or modem No.);
The right to be notified if their personal data are compromised (data has been lost or stolen, or if their online privacy is likely to be negatively affected);
The right to request that their personal data to be excluded from data processing for direct marketing if they have not given their consent.

Additionally, in this opinion, the Commissioner stresses the importance of public and private controllers drafting and publishing privacy policies on their websites, including, among other things:

The identity of the controller;
The information collected from the users, specifying the category of personal data;
Specific policies regarding cookies and other technologies that allow data controllers to gather information on the users that use the website and to notify the latter about their use.

Online privacy under the Electronic Communications Law

The Electronic Communications Law defines “location data” as any data processed in an electronic communications network, indicating the geographical position of the terminal equipment of a user of the electronic communications network.

Location data may only be processed when they are made anonymous or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service.

The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service.

Users or subscribers shall be given the possibility to withdraw their consent for the processing of location data other than traffic data at any time. Users or subscribers must continue to have the possibility, using a simple means and free of charge, of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication.

Processing of location data must be restricted to persons acting under the authority of the provider of the public communications network or publicly available communications service or of the third party providing the value added service, and must be restricted to what is necessary for the purposes of providing the value added service (Article 163 of the Electronic Communications Law).

Related resources

Key contacts

Data protection lawyers in Albania

Flonia Tashko

Partner

Tashko Pustina

Tirana

Email Full bio

Alban Shanaj

Partner

Tashko Pustina

Tirana

Electronic and direct marketing under the Data Protection Law

The most common legal grounds for the processing of data for direct marketing are:

The legitimate interests of the controller

The consent of the data subject

The processing of sensitive data for direct marketing purposes is carried out with the explicit consent of the data subject (Article 46(3)).

Electronic and direct marketing under the Electronic Communications Law

Last modified 28 January 2025

Law No. 18-05 of 10 May 2018 on electronic commerce provides that the e-provider who collects personal data and builds up customer and prospect files must only collect the data necessary to conclude commercial transactions. It must:

collect the consent of e-consumers prior to the collection of data;
guarantee the security of information systems and the confidentiality of data;
comply with the relevant legislative and regulatory provisions.

Last modified 20 January 2025

The dissemination of electronic communications for advertising purposes is generally subject to the prior express consent of its recipient (opt-in) and to prior notification to APD.

Entities may process personal data for electronic marketing purposes without data subject consent in specific circumstances, notably:

When advertising is addressed to the data subject as representative employee of a corporate person, and
When advertising communications are sent to an individual with whom the product or service supplier has already concluded a transaction, provided an opportunity to refuse consent was expressly provided to the customer at the time of the transaction at no additional cost.

Last modified 30 December 2021

Electronic marketing, to the extent that it may involve processing of personal data, is subject to the general rules applicable to such data, such as valid data subject consent, adequate privacy notices as to use and disclosure of personal data and data subject rights.

Last modified 28 January 2025

There is no regulation. However, it is advised to obtain user consent, such as through appropriate disclaimers.

Last modified 20 January 2025

National Ordinance Person Registration

N/A

GDPR

Under article 22 GDPR organizations cannot send marketing emails without active, specific consent.

Companies can only send email marketing to individuals if:

The individual has specifically consented.
They are an existing customer who previously bought a similar service or product and were given a simple way to opt out.

Last modified 10 February 2025

The sending of electronic marketing (referred to as "commercial electronic messages" in Australia) is regulated under the Spam Act 2003 (Cth) (“Spam Act”) and enforced by the Australian Communications and Media Authority ("ACMA").

Under the Spam Act, a commercial electronic message (which includes emails and SMS's sent for marketing purposes) must not be sent without the prior opt-in consent of the recipient. In a Statement of Expectations released by ACMA on 1 July 2024, ACMA recommends obtaining express consent based on clear terms and conditions which are accessible to recipients at the time of seeking consent, such as via filling in a form, ticking a box on a website, over the phone or face to face.

In addition, each electronic message (which the recipient has consented to receive) must identify the sender and contain a functional unsubscribe facility to enable the recipient to opt out of receiving all future electronic marketing. The facility should not require customers to log into accounts or charge customers a fee to unsubscribe. Requests to unsubscribe must be processed within 5 business days.

A failure to comply with the Spam Act (including unsubscribing a recipient that uses the unsubscribe facility) may have costly consequences, with repeat offenders facing penalties of up to AUD$2.2 million (using current penalty units) per day.

Last modified 20 January 2025

EU regulation

The GDPR applies to most electronic marketing activities, as these will involve use of personal data ( eg, an email address which includes the recipient's name). The most relevant legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR apply, and marketing consent forms will need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State, provides for specific rules on electronic marketing (including circumstances in which consent must be obtained). The ePrivacy Directive is yet to be replaced by a Regulation. However, it is currently uncertain when this is going to happen. In the meantime, Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

The GDPR or DSG do not specifically address (electronic) marketing, however, the use of personal data for marketing purposes is clearly within their scope. It is arguable that the processing of personal data of the existing customers within the scope of the business is permissible for marketing purposes, and this has become common practice in Austria. For persons who are not yet customers, the consent of the data subjects is generally required.

Electronic marketing is also regulated by the Austrian Telecommunications Act (Telekommunikationsgesetz 2021, 'TKG'). Pursuant to the TKG the sending of electronic messages without prior consent of the recipient is unlawful, if the sending is for direct marketing purposes. No consent is required if the data has been obtained in the course of the sale of goods or provision of services, occurs for the same or similar goods or services, the recipient is able to decline easily and with no costs for the use of his or her personal data and the recipient has not previously declared, by requesting to be entered on to the relevant list (maintained by the Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR)), that they do not want to be contacted.

Austria regulation

The GDPR implementation Acts do not provide any amendments or derogations in respect of electronic marketing. However, electronic marketing was and still is separately regulated in Austria in the Telecommunications Act (Telekommunikationsgesetz 2021, TKG), Section 174, which implements the ePrivacy Directive.

Pursuant to the TKG the sending of electronic messages without prior consent of the recipient is unlawful insofar as the message is sent for direct marketing purposes. Explicit consent is not required where (1) the data have been obtained in the context of the sale of goods or provision of services; (2) the electronic marketing concerns same or similar goods or services of the sender; (3), the recipient is able to decline easily and with no costs for the use of his or her personal data for electronic marketing, both when the data are collected as well as with each message received ('opt-out'), and the recipient has not previously declared, by requesting to be entered on to the relevant lists (the "Robinson lists", maintained by the Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR) and the Austrian Chamber of Commerce (WKO)), that he or she does not want to be contacted.

Last modified 20 January 2025

No consent of a recipient is required for e-mail marketing, provided only that service providers must establish a registration system for persons who wish to opt out from receiving marketing materials, and comply with such system.

Last modified 15 February 2022

Data subjects have the right to prohibit processing for the purposes of direct marketing by way of Section 11 DPA. Though DPA provides that ‘direct marketing’ includes direct mailing, it also applies by extension to electronic marketing and newsletters. In order to prohibit such processing a data subject may make a written request to the data controller to cease using any data that has been kept for the purpose of direct marketing. The data controller then has no more than forty days to either erase or cease using the said data and notify the data subject in writing accordingly.

Last modified 28 January 2025

Under the PDPL, data controllers must notify the data subject when data is collected directly or indirectly of whether data will be used for direct marketing purposes. Notice is important because it alerts data subjects of their right to object to any direct marketing relating to their personal data.

Last modified 20 January 2025

There is no regulation on electronic marketing.

Last modified 3 January 2024

There are no specific laws in respect of these matters.

Last modified 28 January 2024

Electronic marketing is subject to the rules established by the Law on Advertising of 10 May 2007 No. 225-Z (Advertising Law) and the Law on Mass Media of 17 July 2008 No. 427-Z (Mass Media Law).

According to the general rule of the Advertising Law it is not allowed to use in advertising names, pseudonyms, images or statements of citizens of the Republic of Belarus without their consent or the consent of their legal representatives.

Distribution of advertisements by telecommunication means (e.g. telephone, telex, facsimile, mobile telephone communications, email) can be performed only with the consent of respective subscriber or addressee. Such consent can be made as a text document, including document in electronic form. The consent also can be a part of an agreement for telecom services. In this case subscriber or addressee must be informed about her / his right to demand stopping placing (distributing) advertisement to her / him, which shall be specifically confirmed by the subscriber (addressee).

The advertisement distributor is obliged to immediately stop advertising to subscriber or addressee upon his / her demand within one work day from receiving the demand.

Individuals whose rights have been violated as a result of creation and / or distribution of an advertisement are entitled to protect their rights in court proceedings.

According to the Mass Media Law, information about person’s personal life or audio, video records and photos of a person can be distributed in mass media as a general rule only with consent of such person or his/her authorised representative. As an exception, distribution in the media of information messages and (or) materials prepared using audio or video recording, filming or photo of an individual without her / his consent is allowed only if measures are taken against the possible identification of this individual by unauthorized persons, and also provided that the dissemination of these information messages or materials does not violate the constitutional rights and freedoms of the individual and is necessary to protect public interests (except to criminal investigations or court proceedings).

Last modified 20 January 2025

EU regulation

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

Belgium regulation

The Data Protection Act applies to most electronic marketing activities, as there is likely to be processing of personal data involved (e.g. an email address is likely to be ‘personal data’ for the purposes of the Data Protection Act). The Data Protection Act does not contain additional rules to the GDPR for the use of personal data for the purposes of electronic marketing.

However, specific rules are set out in the Belgian e-commerce legislation (Book XII of the Code of Economic Law) regarding opt-in requirements:

These rules apply to all ‘electronic messages’, such as emails and text messages (Short Message Systems or SMS). Other types of electronic communication such as instant messaging and chat may also fall within the scope of these rules depending on the specific context. This covers not only clear promotional messages, but also newsletters and similar communications. Indeed, any form of communication intended to directly or indirectly promote goods, services, the image of a company, organisation or person which/who exercises a commercial, industrial or workmanship activity or regulated profession falls within the scope of these rules.
As a general principle, the prior, free, specific and informed consent of the recipient of the message must be obtained (‘opt-in principle’).
Two exceptions apply to the opt-in principle. No prior, free, specific and informed consent is to be obtained if:
- the electronic marketing message is sent to existing customers of the service provider, or
- the electronic message is sent to legal persons (e.g. to a general email address such as [email protected]).

These exceptions are subject to compliance with strict conditions.

Furthermore, all electronic messages must contain a clear reference to the recipient's right to opt out, including means to exercise this right electronically.

Neither the Data protection Act nor the DPA Act include specific provisions on electronic marketing.

The Data Protection Authority has adopted specific guidelines regarding direct marketing¹.

Footnotes

1. Data Protection Authority, Recommendation on the processing of personal data for direct marketing purposes (No. 1-2020, 17 January 2020).

Last modified 31 December 2024

The personal data Act will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient's name).

The general rule for electronic marketing is that it requires the express consent of the recipient (see Article 245 of the Law No. 2017-20 of April 20, 2018 on the digital code in the Republic of Benin).

Even when a marketer has the consent of a data subject, that consent can be withdrawn by the data subject under Article 334 of the Law No. 2017-20 of April 20, 2018 on the digital code in the Republic of Benin.

The data subject has the right to object at any time to the use of his / her personal data for such marketing.

This right to object must be explicitly brought to the attention of the data controller.

However, the data controller may not respond favorably to a request to exercise the right to object if it demonstrates the existence of legitimate reasons justifying the processing, which override the interests, fundamental rights and freedoms of the data subject.

Last modified 20 January 2025

PIPA requires organisations to comply with requests from individuals that they cease, or not begin, use of their personal information for the purposes of advertising, marketing or public relations.

The Electronic Transactions Act 1999 provided that the Minister responsible for electronic commerce had the power to issue a standard to apply to intermediaries or e-commerce service providers and such a standard was issued by the Minister on 5 May 2000 and came into force on 3 July 2000 (Standard). The definition of "e-commerce service provider" is "a person who uses electronic means in providing goods, services or information" while an "intermediary" (with respect to an electronic record) means "a person who, on behalf of another person, sends, receives or stores that electronic record or provides other services with respect to that electronic record". The Standard set out certain "Safe Harbour Guidelines" which included certain privacy requirements and the prohibition on the sale or transfer of personal data or business records of customers to another person for the purposes of sending bulk, unsolicited electronic records.

Last modified 28 January 2024

There are no specific laws addressing electronic marketing.

Last modified 24 January 2022

Personal Data Protection Act BES

N/A.

GDPR

Under article 22 GDPR organizations cannot send marketing emails without active, specific consent.

Companies can only send email marketing to individuals if:

The individual has specifically consented.
They are an existing customer who previously bought a similar service or product and were given a simple way to opt out.

Last modified 10 February 2025

Although electronic marketing is not governed by the DP Law, the respective law regulates protection of personal data used in direct marketing. In that regard, the controller is not allowed to disclose personal data to a third party without the data subject’s consent. However, when that is necessary for the protection of the controller’s rights and interests and when it is not in contradiction with the data subject’s right to the protection of personal privacy and personal life, the personal data may be used for direct marketing purposes without consent. The DPA is of the opinion that previous provision could be used only in explicit cases, when the controller is offering products or services to regular client in order to limit possible future damages for which he could be held responsible.

Under Regulation B, the Operator is prohibited from using user personal data for purposes of its business or other promotions, unless it obtains explicit consent from the user to whom such data relates.

Last modified 20 January 2025

Marketing by means of electronic communication is governed by the Electronic Communications and Transactions Act – Act No 14 of 2014 (“ECTA”).

An originator, who carries out marketing by means of electronic communication must provide the addressee with the originators’ identity and contact details including the place of business, e-mail, addresses and telefax number, as well as a valid and operational opt-out facility from receiving similar communications in future, and additionally, the identifying particulars of the source from which the originator obtained the addressee’s personal information.

In terms of the ECTA, unsolicited commercial communication must only be sent where the opt in requirement has been met and this includes:

the addressee’s email address and other personal information was collected by the originator of the message in the course of a sale or negotiations for a sale;
the marketing relates to similar products or services;
when the personal information and address was collected by the originator, the originator offered the addressee the opportunity to opt-out, free of charge except for the cost of transmission, and the addressee declined to opt- out; and
the opportunity to opt-out is provided with every subsequent message.

Failure to provide the addressee with an optional opt-out facility is an offence which is punishable by a fine not exceeding BWP 10 000, or to imprisonment for a term not exceeding five years, or to both. Furthermore, an originator who persists in sending unsolicited commercial communications to an addressee who has opted-out from receiving such through the originator’s opt out facility commits an offence and is liable to a fine not exceeding BWP 50 000, or to imprisonment for a term not exceeding eight years, or to both.

Also noteworthy is the DPA requirement that where personal data is processed for direct marketing purposes, the data controller must, at no cost, inform the data subject of the right to oppose the processing. Processing for such purposes will be prohibited where the data subject has given a notice of objection to the processing of the personal data. A data controller who processes the data despite the objection made by the data subject, commits an offence which is punishable by fine not exceeding BWP 500 000 or to imprisonment for a term not exceeding nine years, or to both.

Last modified 20 January 2025

Brazil has no specific law regulating electronic marketing communications. However, it is important to point out that, according to the LGPD, all processing of consumers’ personal data (which includes the collection, storage, and sending of marketing communications) can only occur upon the appropriate legal basis for such purpose. Under this scenario, two available legal bases could be used, depending on the analysis of the concrete case:

the data subject’s consent, or
the controller’s legitimate interest.

Despite the lack of a specific statute, general provisions on privacy and intimacy rights, as well as consumer protection rights, also apply to electronic marketing. Therefore, the sender should immediately cease sending any electronic marketing if the consumer requests (i.e., offering an opt-out option to electronic marketing).

Last modified 28 January 2024

The DPA applies to “direct marketing”, which is the communication, by whatever means, of any advertising or marketing material that is directed to particular individuals and therefore includes electronic marketing.

Prior express consent is not required for the purposes of direct marketing. However, a data subject has an unconditional right to require the date controller to stop, or not to commence, the processing of any of their personal data for the purposes of direct marketing (i.e., an “opt-out” right).

Last modified 28 January 2025

No legal requirement to have privacy policies.

Last modified 3 January 2024

EU regulation

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Bulgaria regulation

The Personal Data Protection Act does not introduce any rules relating specifically to e-marketing. As the legal grounds for processing of personal data under the GDPR are also applicable in the area of e-marketing, the explicit consent of the data subject is likely to be the most suitable ground for the purposes of e-marketing. In certain cases, such processing may also be justified by legitimate interest — according to Recital 47 of the GDPR, direct marketing could be based on legitimate interest, to the extent that: (i) it is targeted only to existing customers; and (ii) the customers can reasonably expect to receive direct e-marketing communications. Still, the possibility to rely on legitimate interest for the purposes of e-marketing would need to be assessed on a case-by-case basis.

In addition, although the repeal of the provision of the Personal Data Protection Act regulating the right of the data subject to object to any data processing for the purposes of direct marketing and does not explicitly refer to the respective provision of the GDPR, following the direct effect of the regulation, data subjects shall still be entitled to object before the data controller or the data processor to their personal data being processed for the purposes of e-marketing.

The Bulgarian Electronic Communications Act explicitly requires, when it comes to direct marketing to natural persons, the opt-in mechanic to be mandatorily applied. After the natural person's consent is provided, the person shall always be given the opportunity to opt out from the direct marketing network and refuse his / her personal data to be further processed for such purposes.

Last modified 27 December 2024

The personal data Act will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient's name).

The general rule for electronic marketing is that it requires the express consent of the recipient (see Article 49 of law No. 045-2009/AN of November 10, 2009 regulating electronic services and transactions in Burkina Faso and Article 14 of the personal data Act).

Even when a marketer has the consent of a data subject, that consent can be withdrawn by the data subject under Article 20 of the Personal Data Act.

The data subject has the right to object at any time to the use of his / her personal data for such marketing.

This right to object must be explicitly brought to the attention of the data controller.

However, the data controller may not respond favourably to a request to exercise the right to object if it demonstrates the existence of legitimate reasons justifying the processing, which override the interests, fundamental rights and freedoms of the data subject.

Last modified 20 January 2025

There are no specific electronic marketing requirements in Burundi.

Last modified 17 January 2024

Since Cambodia does not have any dedicated laws on data protection, there are no special requirements when obtaining consent for marketing purposes. The E-commerce Law suggests that it is not necessary to obtain consent from the individual to send marketing communications as long as each marketing communication has clear and straightforward opt-out instructions and the individual has not previously exercised his / her opt-out right. Electronic marketing in Cambodia is subject to the general laws relating to digital marketing issues including:

Law on Consumer Protection, which prohibits "unfair practices" in relation to consumer transactions. Unfair practices include unfair sales; bait advertising; unfair solicitation sales; demanding or accepting payments without intention to supply goods or services per the purchase order; making a false claim or representation of some business activity; coercion by force and mental threats; pyramid schemes; selling goods bearing a false trade description; and any other unfair practices.
Law Concerning Marks, Tradenames and Acts of Unfair Competition, is relevant to comparative advertising. The following acts are considered acts of unfair competition: all acts that create confusion with the establishment, the goods, or the industrial, commercial or service activities of a competitor; false allegations in the course of trade of such a nature as to discredit the establishment, the goods, or the industrial, commercial or service activities of a competitor; and indications or allegations of the use of marks which, in the course of trade, misleads the public as to the nature, manufacturing process, characteristics, suitability for their purpose, or quantity of the goods.
Telecommunications Law, which prohibits all activities against the principles of fair, free, equal, and effective competition.
Other regulations on the Management of Advertisement on Website, Social Network, Mass Media and Mobile Phone Operators.

Last modified 20 January 2025

Articles 32 of Law No 2010/021 of 21 December 2010 on electronic commerce in Cameroon of states that All service providers are required to store and preserve the Data relating to any commercial transaction made electronically in accordance with applicable laws, regulations.

Further, direct prospecting by means of an automated calling machine, a fax machine or an electronic mail using, in any form whatsoever, the contact details of a natural or legal person who has not expressed his prior consent to receive direct prospecting by this means is prohibited (art. 7 (1)).

Last modified 6 January 2025

Electronic marketing is governed by both Canadian Privacy Statutes (as discussed ‎above), as well as Canada’s Anti-Spam Legislation (CASL).‎

CASL is a federal statute which prohibits sending, or causing or permitting to be sent, a commercial electronic message (defined broadly to include text, sound, voice, or image messages aimed at encouraging participation in a commercial activity) unless the recipient has provided express or implied consent and the message complies with the prescribed content and unsubscribe requirements (subject to limited exceptions).

What constitutes both permissible express and implied consent is defined in CASL and its regulations. For example, an organization may be able to rely on implied consent when there is an “existing business relationship” with the recipient of the message, based on:

A purchase by the recipient within the past two years, or
A contract between the organization and the recipient currently in existence or which ‎expired within the past two years

CASL also prohibits the installation of a computer program on any other person's ‎computer system, or having installed such a computer program to cause any electronic ‎messages to be sent from that computer system, without express consent, if the ‎relevant system or sender is located in Canada. In addition, the Act contains anti ‎phishing provisions that prohibit (without express consent) the alteration of transmission ‎data in an electronic message such that the message is delivered to a destination other ‎than (or in addition to) that specified by the sender.‎

CASL also introduced amendments to PIPEDA that restrict 'address harvesting', or the ‎unauthorized collection of email addresses through automated means (i.e., using a ‎computer program designed to generate or search for, and collect, email addresses) ‎without consent. The use of an individual’s email address collected through address ‎harvesting also is restricted.‎

The Canada’s Competition Act was also amended to make it an offence to provide false or ‎misleading representations in the sender information, subject matter information, or ‎content of an electronic message.‎

CASL contains potentially stiff penalties, including administrative penalties of up to ‎CA$1 million per violation for individuals and CA$10 million for corporations (subject to a ‎due diligence defense). CASL also sets forth a private right of action permitting ‎individuals to bring a civil action for alleged violations of CASL (CA$200 for each ‎contravention up to a maximum of CA$1 million each day for a violation of the ‎provisions addressing unsolicited electronic messages). However, the private right of ‎action is not yet in force, and there is currently little expectation that it will ever come into force.‎

Last modified 26 January 2023

Law 132/V/2001 provides an opt-in right for direct marketing communications. Moreover, both Law 132/V/2001 and the Data Protection Law grant data subjects the right to object to unsolicited communications, at his/her request and free of any costs, to any data processing in relation to marketing activities.

Last modified 16 January 2025

The DPA applies to most electronic marketing activities as these will involve some use of personal data (e.g., an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent or the legitimate interests of the data controller. Where consent is relied upon, the strict standards for consent under the DPA are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to require a data controller at any time to cease (or not to begin) processing their personal data for the purposes of direct marketing (which includes direct electronic marketing).

Last modified 28 January 2025

Sending of marketing communications is forbidden on principle unless the recipient agrees to it.

Also, there are specific cases under which prior approval is not required:

the recipient’s information was collected directly from him, in accordance with the provisions of the Act;
the recipient is already a customer of the company, the marketing messages relate to products or services that are similar to those previously provided, and the recipient is given the possibility of objecting to all messages sent to him;
if it clearly explained to the Data subjects where their data is collected that they have right to object, free of charge, to the processing of their Personal Data for electronic marketing;
when the electronic marketing concerns the data of legal personals which are not constitute personal data.

(Article 49 of Act No. 008/PR/2015 on electronic transactions)

Breach of the provisions of Personal Data Act including breach of electronic marketing provisions are subject to following administrative sanctions by ANSICE:

A warning to the data controller who does not comply with the obligations arising from the Law;
A formal notice to put an end to the breaches concerned within the time limit which it fixes;
Penalties in accordance with the observed shortcomings;
Interruption of treatment for a maximum of three years;
Blocking for a maximum of three months of certain processed personal data; or
Temporary or permanent prohibition of processing contrary to the provisions of the Act.

In addition, a judge can take the following sanctions in case of violation of provisions of Act No. 008/PR/2015 on electronic transactions including on its provisions relating to electronic marketing:

Imprisonment from between 1-10 years; and
Fines between XAF 1 million to XAF 5 million.

(Article 168 of Act No. 008/PR/2015 on electronic transactions)

Last modified 6 January 2025

Private entities are allowed to create and maintain databases for purposes of sending marketing and promotional emails, provided that the requirements mentioned in the 'Collection and Processing' section have been fulfilled.

However, any person may require that his/her information be deleted for such purposes, either permanently or temporarily.

The Chilean Consumer Protection Act (Law 19,496/1997 on the protection of consumer rights) defines 'advertising' as the communication that the provider of goods or services send to the public by any means, in order to inform and motivate the purchase goods or services. It also indicates that all promotional or advertising communication must indicate an expeditious way in which the recipients can request the suspension of the promotional communication (opt-out). After a consumer has exercised his opt out right, the sending of new communications is prohibited. In case of promotional or advertising communication sent by e-mail, the communication must also indicate the subject matter or theme and the identity of the sender.

Last modified 28 January 2023

Direct marketing by electronic means is only possible if the targeted consumers have explicitly consented to receiving such messages either at the time their electronic address / mobile phone number was collected or at a later time.

Specific information must be stated in each electronic message: for example, the identity of the entity sending the message, and a mark identifying "Guang gao" (which means advertisement in Chinese) or "AD" on a direct marketing message.

There are also specific rules applicable to direct marketing by text messages (SMS), and certain specific prescribed information must be provided to data subjects at the time their mobile phone number was collected or prior to sending direct marketing text messages.

Last modified 20 January 2025

Law 527 of 1999 (Law 527) regulates e-commerce and electronic marketing, but there is no specific regulation regarding data privacy on electronic marketing. In any case, the Data Subject's consent is required for marketing, whether electronic or not and the processing of any personal data for this purpose shall be in accordance with Law 1581.

Last modified 28 January 2024

The data must be collected lawfully, fairly, and for specific, explicit, and legitimate purposes (Article 15 of the Law on the Protection of Personal Data).

The data subject may freely object to the use of their data for prospecting activities, including electronic marketing, in accordance with Article 30 of the Law on the Protection of Personal Data. This right must be explicitly brought to the attention of the data subject.

However, the data controller may refuse an objection if there are compelling legitimate reasons justifying the processing, as provided in Article 30 of the Law on the Protection of Personal Data.

Last modified 6 January 2025

General rules of data protection will apply. There is little to no regulation of electronic marketing.

Notwithstanding the above, the Telecommunications Act set the scope and the mechanisms of regulation for telecommunications (including e-marketing), by describing the data subject’s rights, interests and privacy protection policy. Therefore, pursuant to such Act, marketing companies may not advertise via phone nor email unless they obtain prior and express written consent from the data subject. If such companies do not comply with such condition, they might be sanctioned with a fine that can be between 0,025% and 0,5% of the income of the company of the last fiscal year.

Last modified 28 January 2025

EU regulation

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Electronic marketing is regulated by the DP Law. A data controller has to inform a data subject in advance on intention to collect and process his/her data for marketing purposes. A data subject can decline to give his / her consent for the respective processing. However, even if a data subject consents to the particular processing for the respective purposes, the processing is allowed only for as long as the data subject does not oppose the same (opt-out provisions are commonly used in consent forms).

Croatia regulation

The Act does not contain any special electronic marketing requirements other than those prescribed by the GDPR. It sets the consent age limit for offering of information society services to children to 16.

Last modified 16 January 2025

Natural and legal persons that provide goods and services for digital media are obliged to develop a technically safe environment for commercial transactions in which they operate, in accordance with current legislation.

Last modified 16 February 2022

National Ordinance Personal Data Protection

N/A.

GDPR

Under article 22 GDPR organizations cannot send marketing emails without active, specific consent.

Companies can only send email marketing to individuals if:

The individual has specifically consented.
They are an existing customer who previously bought a similar service or product and were given a simple way to opt out.

Last modified 10 February 2025

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

The Regulation of Electronic Communications and Postal Services Law of 2004 (112(I)/2004) as amended (the "Electronic Communications and Postal Services Law") will apply to most electronic marketing activities, as there is likely to be processing and use of personal data involved (eg, an email address is likely to be personal data for the purposes of the Electronic Communication and Postal Services Law).

Section 106 of the Electronic Communications and Postal Services Law states the following:

The use of automatic calling machines, fax, or electronic mail, or SMS messages, for the purposes of direct marketing, may only be allowed in respect to subscribers or users who have given their prior consent
Unsolicited communications for the purposes of direct marketing, by means other than those referred to in (1) above, are not allowed without the consent of the subscribers or users concerned
The rights referred to in (1) and (2) above shall apply to subscribers who are natural persons. The Commissioner of Electronic Communications and Postal Regulation, may, after consultation with the Personal Data Commissioner, issue orders to safeguard that legitimate interests of legal persons, regarding unsolicited communications, are adequately protected. In 2005, the Commissioner of Electronic Communications and Postal Regulation issued the 2005 Order regarding Safeguarding the Interests of Legal Persons in relation to Unsolicited Communications, by virtue of which the protection from unsolicited communications for the purposes of direct marketing has been extended to legal persons as well
Notwithstanding (1) above, in cases where a natural or legal person obtains from its customers contact details for electronic mail, in the context of the sale of a product or a service, the same natural or legal person may use these electronic details for direct marketing of its own similar products or services, provided that customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use of their electronic contact details when they are collected and on the occasion of each message in case the customer has not initially refused such use, and
Electronic mail sent for direct marketing must not disguise or conceal the identity of the sender or the person on whose behalf and / or for the benefit of the communication is made, or without a valid address to which the recipient may send a request that such communication cease.

Last modified 21 February 2022

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

When dealing with e-marketing, it is necessary to bear in mind that it is quite strictly regulated in terms of Act No. 480/2004 Col. on Certain Services of Information Society ("CSIS") as well as other previously mentioned regulations (esp. the Data Protection Directive and the Act) and partially also by the Act No. 127/2005 Coll., on electronic communications (“AOC”), being further described in the Online Privacy section.

CSIS states that before sending an e-mail containing marketing information, the consent of the receiver must be obtained (so called "opt-in" principle). In some cases, such as e-marketing sent to existing customers of the sender, the consent of the customer is implied until it is withdrawn (so called "opt-out" principle). Furthermore, each such message must contain clear and visible information that any further sending of such e-mails can be rejected by the receiver together with the sender's contact information and information on whose behalf the e-mail is being sent. Last but not least, each such e-mail must be clearly tagged as a commercial message.

In order to maintain e-marketing as an effective tool, its sender should operate with good-quality databases, which enable a direct targeting of the relevant message. The sender should ensure, in particular, that:

he will duly obtain the right to use the database for e-marketing purposes; and also that
personal data in the database were lawfully obtained and can be lawfully disposed of by the database owner.

When processing personal data for marketing databases, it is necessary to abide strictly by the Act. All rules described above apply to e-marketing respectively.

Last modified 16 January 2024

Not applicable.

Last modified 6 January 2025

EU regulation

The GDPR applies to most electronic marketing activities, as these involve some use of personal data (e.g. an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

In general, unsolicited electronic marketing requires prior opt-in consent. The opt-in requirement is waived under the ‘same service / product’ exemption. The exemption concerns marketing emails related to the same products / services as previously purchased from the sender by the user provided that:

the user has been informed of the right to opt out prior to the first marketing email;
the user did not opt out; and
the user is informed of the right to opt out of any marketing email received. The exemption applies to electronic communication such as electronic text messages and email but does not apply with respect to communications sent by fax.

Direct marketing emails must not disguise or conceal the identity of the sender.

Denmark regulation

The GDPR applies to electronic marketing activities involving usage of personal data (e.g. an email address which includes the recipient's name).

A company disclosing the personal data or processing the personal data on behalf of another company for marketing purposes, must prior hereto ensure that the data subject has not declined receiving marketing material by registering as such in the Danish Central Office of Personal Registration.

Further, specific rules on electronic marketing (including circumstances in which consent must be obtained) are regulated in Directive 2009/136/EC (the ePrivacy Directive), as transposed into the local laws of each Member State. In Denmark, the ePrivacy Directive has among other things been implemented in the Danish Marketing Practices Act.

Under the Danish Marketing Practices Act, a trader must not approach anyone by means of electronic mail, an automated calling system or a facsimile machine (fax) for the purposes of direct marketing unless the natural person concerned has given his prior consent. The trader must allow free and easy revocation of the consent.

Notwithstanding the above, a trader that has received a customer's electronic contact details in connection with the sale of products may market similar products to that customer by electronic mail, provided that the trader has clearly and distinctly given the customer the opportunity, free of charge and in an easy manner, of declining this both when giving his contact details to the trader and in all subsequent communications.

The ePrivacy Directive is to be replaced by the ePrivacy Regulation, a change which was forecast for spring 2018, however, now postponed indefinitely. From the wording of the latest draft, we can expect a significant toughening of the online and direct marketing landscape and, predictably, a convergence with the provisions in the GDPR.

Last modified 16 January 2025

Sending commercial or promotional communications via electronic mail is regulated by SPAM Law 310-14. Law 310-14 requires the consent of the recipient in order to deliver commercial communications, unless an exception to said consent requirement is expressly provided by law.

Law 310-14 provides that:

The word 'Publicity' (Publicidad) must be included in the subject field of the email
Commercial communications must include an email address or other similar mechanism which allows the recipient to send a message indicating their desire to stop receiving such communications (opt-out)

Last modified 28 January 2025

There is no specific regulation regarding data treatment on electronic marketing, to the extent that it may involve processing of personal data, is subject to the general rules applicable to such data, such as valid data subject consent, adequate privacy notices as to use and disclosure of personal data and data subject rights.

Last modified 28 January 2025

Pursuant to Article (17) of the Law, any electronic communication for the purpose of direct marketing to the data subject shall be prohibited unless the following conditions are met:

consent is obtained from the data subject;
the communication includes the identity of its creator and sender;
the sender has a valid and complete address to be contacted at;
the purpose is clearly indicated as being for direct marketing; and
clear and uncomplicated mechanisms are set to allow the data subject to refuse the electronic communication or to withdraw his/her consent to receive such communication.

Further, Article (18) of the Law, provides that the sender of any electronic communication for direct marketing purpose shall undertake to do the following:

specify a defined marketing purpose;
not to disclose the contact details of the data subject; and
maintain electronic records evidencing the consent of the data subject to receive electronic marketing communication and any amendments thereof, or their non-objection to its continuity for a duration of three (3) years from the date of sending the last communication.

Last modified 19 January 2024

Electronic Marketing is not specifically regulated; however, false/misleading advertisement is punishable as stated in El Salvador’s Consumer Protection Act.

Last modified 28 January 2024

Not regulated by the personal data protection law. However, art. 22 of the Internet Communication Law Num. 1/2017 dates January is to the effect that commercial electronic communications such as adverts and promotions must conform with the data protection laws in relation to the abstention, creation and maintenance of files. More also, data used for such purposes must be clear and identifiable.

Last modified 6 March 2025

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Electronic marketing is regulated by the Electronic Communications Act. As a general rule, the data subject must be able to consent to the electronic marketing. The requirements for this consent depend on whether the addressee is a natural or a legal person, and whether there is an existing client relationship between the parties. Real time non-automated phone calls and regular mail are not considered electronic marketing under Estonian law.

The customer consent must be obtained separately from other terms of the contract between the parties – i.e. it cannot be obtained in the standard terms presented to the customer (eg, 'By accepting these terms you agree to receive our commercial communications at the email address provided to us'). In practice, a checkbox separate from the acceptance of the standard terms is often used to obtain this consent.

An opt-in consent is required if the addressee is a natural person, except in the case of an existing client relationship, where opt-out is permissible. The message itself must always include information to clearly determine the person on whose behalf the marketing is sent, clearly distinguishable direct marketing information and clear instructions on how to refuse to receive further direct marketing (eg, an unsubscribe link).

Reliance on an opt-out (for natural persons) in the framework of existing client relationships is subject to the following additional requirements:

the same entity has obtained the contact details in the course of a sale;
the direct marketing is in respect of similar goods or services;
the recipient was given a possibility to opt out at the collection of his / her personal data;
the message must include information to clearly determine the person on whose behalf the marketing is sent; and
the message must include clearly distinguishable direct marketing information and the recipient is given a simple means in each subsequent email to opt out/unsubscribe.

If the addressee is a legal person, the opt-out system is applicable. There is no need to obtain a prior consent for direct marketing, but:

the message must include information to clearly determine the person on whose behalf the marketing is sent;
the message must include clearly distinguishable direct marketing information; and
the recipient is given a simple means in each subsequent email to opt out / unsubscribe.

Last modified 16 January 2025

Electronic Transaction Proclamation No.1205/2020 backed by Electronic Signature Proclamation No.1072/2018 regulate aspects of electronic marketing in addition to general contract law and commercial law provisions.

Last modified 12 January 2023

None.

Last modified 31 January 2023

No applicable laws.

Last modified 3 January 2024

EU regulation

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Finland regulation

The Act on Electronic Communication Services regulates direct marketing by electronic means in Finland. The Data Protection Ombudsman is the supervising authority also in compliance issues with the Act on Electronic Communications Services’ provisions concerning direct marketing.

Direct marketing to natural persons is only allowed by means of automated calling systems, facsimile machines, or email, text, voice, sound or image messages and only if the natural person has given his / her prior consent to it. Direct marketing using other means is allowed if the natural person has not specifically forbidden it. If, however, a service provider receives an email address, number or other contact information in relation to the sale of product or service, the service provider may normally use this contact information to directly market the service providers own products or services belonging to the same product group or that are otherwise similar to the natural person in question. The natural person must be able to easily and at no charge unsubscribe from or prohibit any direct marketing and the service provider must clearly inform the natural person of that possibility.

A service provider may use direct marketing with legal persons (businesses) unless they have specifically prohibited it. As with natural persons, legal persons must also be able to easily and at no charge unsubscribe from/prohibit any direct marketing and the service provider must clearly inform the legal person of that possibility. In addition, telecommunications operators and corporate or association subscribers are entitled, at a user’s request, to prevent the reception of direct marketing.

The Data Protection Ombudsman and the Finnish Customer Marketing Association have given their interpretations on B2B direct marketing using a legal person’s general contact information, such as an email address (e.g. [email protected]). If the B2B direct marketing is sent to a legal person’s employee’s personal work email ([email protected]), the person’s prior consent is required unless the marketed product or service is substantially related to the person’s work duties based on the person’s job description.

Email, text, voice, sound or image message sent for the purpose of direct marketing must be clearly and unmistakably be recognized as direct marketing. It is forbidden to send such a direct marketing message that:

disguises or conceals the identity of the sender on whose behalf the communication is made;
is without a valid address to which the recipient may send a request that such communications be ended;
solicits recipients to visit websites that contravene with the provisions of the Consumer Protection Act 20.1.1978/38 (Kuluttajansuojalaki).

If any processing of personal data is involved in the electronic direct marketing, the provisions of the applicable data protection laws (such as the Finnish Data Protection Act and the GDPR) will also apply.

Last modified 4 January 2023

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg. an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

The Law does not contain explicit provisions with respect to electronic marketing. However, Article L. 34-5 of the French Postal and Electronic Communications Code regulates electronic marketing in France. The CNIL has issued guidelines on the basis of this provision.

The CNIL distinguishes between B2B and B2C relationships. In any event, all electronic marketing messages must specify the name of the advertiser and allow the recipient to object to the receipt of similar messages in the future.

Electronic marketing to consumers (B2C)

Electronic marketing activities are authorised provided that the recipient has given consent at the time of collection of his / her email address.

Electronic marketing in France

On the basis of its annual dawn raid program for 2022, the CNIL issued several sanction decisions for lack of valid consent from data subjects for direct marketing purposes, including when purchasing data from data brokers. Note that in 2024 a new priority topic for the CNIL has been to ensure that customers’ consent has been obtained before any data collected in the context of a loyalty scheme is re-used for marketing purposes.

This principle does not apply when:

the data subject is already a customer of the company and if the marketing messages sent pertain to products or services similar to those already provided by the company; or

Electronic marketing in France

Note that the CNIL considers that the creation of an account does not mean that a data subject will necessarily purchase products or services from the company. The CNIL considers that in the absence of a purchase, the company cannot purposefully invoke the benefit of the soft opt-in exception created by article L. 34-5 of the French Postal and Electronic Communications Code.

the marketing messages are not commercial in nature.

In any event the data subject, at the time of collection of his / her email address, must be informed that it will be used for electronic marketing activities, and be able to easily and freely object to such use.

Electronic marketing to professionals (B2B)

Electronic marketing activities are authorized provided that the recipient:

has been informed, at the time of collection of his / her email address, that such data will be used for electronic marketing activities; and
is able to easily and freely object to such use.

Electronic marketing in France

The message sent must relate to the data subject’s professional activity. Please note that email addresses such as [email protected] are not subject to the requirements of prior consent and the right to object.

Last modified 5 January 2025

The personal data Act will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient's name).

The general rule for electronic marketing is that it requires the express consent of the recipient (see Article 37 of Law No. 025/2021 of 28/12/2021 regulating electronic transactions in the Gabonese Republic).

Even when a marketer has the consent of a data subject, that consent can be withdrawn by the data subject under Article73of the Personal Data Act.

The data subject has the right to object at any time to the use of his / her personal data for such marketing under Article 60 of the Personal Data Act.

This right to object must be explicitly brought to the attention of the data controller.

However, in accordance with article 60 of the aforementioned law, the data controller may not respond favorably to a request to exercise the right to object if it demonstrates the existence of legitimate reasons justifying the processing, which override the interests, fundamental rights and freedoms of the data subject.

Last modified 6 January 2025

The Data Protection Law defines direct marketing as the direct and immediate delivery of information to a data subject by telephone, mail, email or other electronic means to generate and maintain interest in, sell and / or support a natural and / or legal person, product, idea, service, work and / or initiative, as well as image and social issues.

Furthermore, the Law stipulates that irrespective of the ground for collecting / obtaining data and their accessibility, data may only be processed for direct marketing purposes with the consent of the data subject.

Also, in addition to the name, surname, address, telephone number and e-mail address of the data subject, other data shall be processed for direct marketing purposes with the written consent of the data subject.

Prior to obtaining the data subject’s consent and when carrying out direct marketing, the controller / processor shall inform the data subject, in clear, simple and understandable language, of his / her right to withdraw his / her consent at any time and of the mechanism / procedure for exercising this right.

The controller / processor shall be obliged to terminate the processing of data for direct marketing purposes within a reasonable period after receiving an appropriate request from the data subject, but no later than 7 working days. To ensure that this obligation is met, the controller / processor shall have an obligation to provide information on the withdrawal of consent by the data subject.

The controller / processor shall ensure that the data subject has the possibility to request that the processing of data for direct marketing purposes be terminated in the same form in which the direct marketing is carried out, or to determine other available and adequate means to request the termination of the processing. The means referred herein to request the termination of data processing for direct marketing purposes shall be simple. In addition, the data subject shall be provided with a clear and easily understandable instruction on the use of the means. No fee or other restriction shall be imposed on the data subject for exercising the right to withdraw consent.

In the case of direct marketing, the burden of proof for the existence of the data subject’s consent, the simplicity of the means of objection, and the ease of understanding, accessibility and adequacy of instructions on the use thereof shall lie with the controller and / or processor. The controller / processor shall record and keep the date and fact of the data subject’s consent to the processing of data concerning him / her and the withdrawal of such consent for the duration of the direct marketing and for 1 year after the direct marketing has been discontinued.

Also, E-Commerce Law of Georgia stipulates that unwanted commercial communication (whereas commercial communication is defined as “the offering or communication of goods and / or services via electronic means, which directly or indirectly promotes the goods, services, and / or the reputation of a natural or legal person”) shall be subjected to the provision regulating direct marketing within the Data Protection Law.

Last modified 6 January 2025

EU regulation

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is likely to be replaced by a regulation (the so called ePrivacy Regulation), but it is currently uncertain when this is going to happen, as the European Commission has discarded its draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

In general, unsolicited electronic marketing requires prior opt-in consent. The opt-in requirement is waived under the ‘same service / product’ exemption. The exemption concerns marketing emails related to the same products/services as previously purchased from the sender by the user provided that:

the user has been informed of the right to opt-out prior to the first marketing email
the user did not opt-out, and
the user is informed of the right to opt-out of any marketing email received. The exemption applies to electronic communication such as electronic text messages and email but does not apply with respect to communications sent by fax.

Direct marketing emails must not disguise or conceal the identity of the sender.

Germany regulation

Like the GDPR, the German BDSG also does not provide for any specific provisions regarding marketing. The use of electronic communication for the purpose of direct marketing as currently regulated in ePrivacy Directive has been transposed into German law and is implemented in Section 7 of the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – "UWG") As emphasized by the German Authorities (in their guidelines on direct marketing), processing of personal data for the purpose of marketing communication which is in breach of Section 7 UWG also constitutes a breach of the GDPR as it does not follow a legitimate purpose.

When using electronic communication for direct marketing, prior consent is generally required, cf. Section 7 (2) no. 1, 2 UWG, the standard for this being the so-called double opt-in process. According to Article 6 (1) a) GDPR as well as according to established German case law, data subjects must always give consent for a specific processing purpose. This means that the person to be contacted needs to know (1) from whom (meaning which specific entity or entities), (2) for which specific products and services he / she will receive marketing offers and (3) by which means (e.g. email or telephone).

The German lawmaker has also transposed the ‘same service / product’ exemption into Section 7 UWG. Based on Section 7 (3) UWG, direct marketing can be based on the exemption if the following prerequisites are met:

the recipients electronic mail address was obtained from the sender in connection with the sale of goods or services;
the sender uses the address for direct advertising of his own similar goods or services (no cross-selling permitted);
the recipient has not objected to this use; and
the recipient is clearly and unequivocally advised, upon the collection of the address as well as each time it is used, that he or she can object to such use at any time, without costs arising by virtue thereof, other than transmission costs pursuant to the basic rates.

Last modified 16 January 2025

The Act prohibits a data controller from using, obtaining, procuring or providing information related to a data subject for the purpose of direct marketing without the prior written consent of the data subject. However, there are no specific provisions that relate to electronic marketing specifically.

Last modified 19 January 2024

The Gibraltar GDPR applies to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient's name). The most plausible legal bases for electronic marketing is consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the Gibraltar GDPR are to be noted, and marketing consent forms invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (ePrivacy Directive), as transposed into the local law under the Communications (Personal Data and Privacy) Regulations 2006 (the Regulations). EU Member States are supposed to replace the ePrivacy Directive with a Regulation. However, there is still no certainty when this is going to happen. Should this happen, Gibraltar will likely need to adopt any such legislation into its own domestic law.

In the meantime, Gibraltar GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the Gibraltar GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive have been replaced with the Gibraltar GDPR standard for consent.

The Regulations apply to most electronic marketing activities. The Regulations do not prohibit the use of personal data for the purposes of electronic marketing but provides individuals with the right to ‘opt-out’ for direct marketing purposes.

There are a number of different opt-out schemes / preference registers for different media types. Individuals (and, in some cases, corporate subscribers) can contact these schemes and ask to be registered as not wishing to receive direct marketing material. If advertising materials are sent to a person on the list, sanctions can be levied by the Information Commissioner.

The Regulations also prohibit the use of automated calling systems without the consent of the recipient and the use of unsolicited electronic communications (i.e. by email or SMS text) for direct marketing purposes is also prohibited without prior consent from the consumer unless:

the consumer has provided their relevant contact details in the course of purchasing a product or service from the person proposing to undertake the marketing;
the marketing relates to offering a similar product or service; and
the consumer was given a means to readily 'opt out' of use for direct marketing purposes both at the original point where their details were collected and in each subsequent marketing communication.

Each direct marketing communication must not disguise or conceal the identity of the sender and include the 'unsubscribe' feature referred to above.

The restrictions on marketing by email / SMS only applies in relation to individuals and not where marketing to corporate subscribers.

Last modified 19 January 2024

EU regulation

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State.The ePrivacy Directive is to be replaced by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

Electronic marketing is regulated by Law 3471/2006 ‘for the protection of personal data and privacy in electronic communications’ (the 'Law’), in combination with the general provisions of Law 2472/1997 ‘for the protection of individuals from the processing of personal data’ (the 'Data Protection Act’).

According to the provisions of article 11 of the Law, data processing for electronic marketing purposes is allowed only upon the individuals’ prior express consent. The said article prohibits the use of automated calling systems for marketing purposes to subscribers that have previously declared to the public electronic communications services providers ('CSPs') that they do not wish to receive such calls in general. The CSPs must register these declarations for free on a separate publicly accessible list.

Personal data (such as e-mail addresses) that have been legally obtained in the course of sales of products, provision of services or any other transaction may be used for electronic marketing purposes, without the receiver’s prior consent thereto, provided that the receiver of such email has the possibility to 'opt out' for free to the collection and processing of his / her personal data for the aforementioned purposes.

Direct marketing emails or advertising emails of any kind are absolutely prohibited, when the identity of the sender is disguised or concealed and also when no valid address, to which the receivers can address requests for the termination of such communications, is provided.

Greece regulation

Electronic marketing is regulated by Law 3471/2006 ‘for the protection of personal data and privacy in electronic communications’, in combination with the provisions of GDPR and the Greek Data Protection Law, as appropriate.

According to article 11 of Law 3471/2006, data processing for electronic marketing purposes is allowed only upon the individuals’ prior express consent. The said article prohibits the use of automated calling systems for marketing purposes to subscribers that have previously declared to the public electronic communications service providers ('CSPs') that they do not wish to receive such calls in general. The CSPs must register these declarations for free on a separate publicly accessible list.

Where a natural or legal person obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service, the same natural or legal person may use these electronic contact details for direct marketing of its own similar products or services, without prior consent, provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details when they are collected and on the occasion of each message in case the customer has not initially refused such use.

Last modified 16 January 2025

According to the Law of Acknowledgment of Electronic Communications and Signatures, Decree 47-2008 of the Congress of the Republic, electronic marketing is not considered E-Commerce, yet it is considered a communication and an electronic communication as it contains an exposition, statement, claim, advice, request, or offer and the acceptance of an offer, in relation to the construing or execution of a contract.

If any such communication is not addressed to a particular person but it is a general communication, according to Art. 25 of the aforementioned law, it shall be deemed an offer.

Protection to the consumer in E-Commerce and E-Marketing or E-Advertisement is addressed in Art. 51 of the aforementioned law, compelling the originators of such communications to act in an equitable manner and to fully comply with the offered matters and not to engage into false, deceitful, fraudulent or disloyal business practices.

Last modified 21 December 2021

Direct marketing by electronic means to individuals and organisations is regulated by the European Communities (Implementation of Privacy) Directive (Guernsey) Ordinance 2004 ("e-Privacy Ordinance").

Following the implementation of the DPL 2017, minor and consequential changes were made to the e-Privacy Ordinance, which is intended to sit alongside the DPL 2017.

In this regard, neither the e-Privacy Ordinance nor the DPL 2017 prohibit the use of personal data for the purposes of electronic marketing provided that individuals have the right to prevent the processing of their personal data (i.e. a right to 'opt out') for direct marketing purposes.

As such, the e-Privacy Ordinance still reflects the e-Privacy Directive and, for example, prohibits the use of automated calling systems without the consent of the recipient. Furthermore, unsolicited emails can only be sent without consent if:

the contact details have been provided in the course of a sale or negotiations for a sale
the marketing relates to a similar product or service, and
the recipient was given a simple method of refusing the use of their contact details when they were collected.

The identity of the sender cannot be concealed in direct marketing communications sent electronically (which is likely to include SMS marketing).

These restrictions only apply in respect of individuals and not where corporations are sent marketing communications.

Last modified 16 January 2025

Law L/2016/035/AN on electronic transactions in the Republic of Guinea provides that any advertisement, whatever its form, as soon as it is accessible or likely to be accessible by electronic communications, must be clearly identified as an advertisement. It must also allow the identification and identifiability of the natural or legal person on whose behalf it is made.

Advertisements and notably promotional offers, such as discounts, premiums or gifts, as well as competitions or promotional games, sent by electronic mail, must be clearly, precisely and unequivocally identifiable on the subject of the mail as soon as they are received by the addressee or, if technically impossible, in the body of the message.

The conditions for taking advantage of promotional offers, as well as for participating in promotional courses or games, when offered by e-mail, should be clearly specified and easily accessible to the public.

Pursuant to Law on electronic transactions in the Republic of Guinea, direct marketing by sending messages through an automatic calling machine or SMS, fax or e-mail or any other electronic means of communication using, in whatever form, the contact details of a natural person who has not expressly given his or her prior consent to receive direct marketing through these channels or means is prohibited.

However, direct marketing by e-mail, regardless of the means used, is permitted if:

The contact details of the recipient of the mail have been collected, with full knowledge of the facts, directly from him/her;
The direct prospecting is addressed to subscribers or customers of a natural or legal person whose details have been collected with their full knowledge of the facts, for similar products and services that it offers them.

Last modified 20 December 2021

The Decree on data privacy requires the user’s consent whereas Article 438 (2) of the 2020 Penal Code only specifies that the person needs to opt-out. Given that the Decree on personal data is a specific legislation on data privacy, we recommend having the user consent prior to collecting his data.

The Penal Code, adopted in 2020, was initially set to come into force 24 months after its adoption, introducing comprehensive provisions to address crimes in the digital domain. However, these provisions are not yet in effect, as the implementation of the reformed Penal Code has been postponed indefinitely. A commission was supposed to review the text following concerns raised by various sectors. To date, no commission has been appointed, leaving the unreformed Penal Code in effect. The current Penal Code lacks provisions addressing crimes in the digital domain or data protection matters. Consequently, the provisions of the 2020 Penal Code remain under review and are anticipated to come into force in the near future.

Last modified 16 January 2025

There is no law or regulation that specifically regulates electronic marketing.

Last modified 10 February 2025

Specific provisions of the Ordinance govern the use and sharing of personal data for the purposes of direct marketing (meaning the offering, or advertising the availability of goods, facilities or services, or the solicitation of donations or contributions for charitable, cultural, philanthropic, recreational, political or other purposes), when such marketing is conducted through "direct marketing means" (being the sending of information or goods, addressed to specific persons by name, by mail, fax, electronic mail or other means of communication; or making telephone calls to specific persons).

The direct marketing provisions generally require data users who wish to use personal data for the data user's own direct marketing purposes to obtain prior consent from the data subject for such action and notify the data subject as follows:

that the data user intends to use the individual's personal data for direct marketing;
that the data user may not so use the personal data unless the data subject has received the data subject's consent to the intended use;
the kind(s) of personal data to be used;
the class(es) of marketing subjects (i.e. goods / services to be marketed) in relation to which the data is to be used; and
the response channel through which the individual may, without charge, communicate the individual's consent to the intended use.

Furthermore, if the consent was given orally, data users have the additional obligation to send a written confirmation to the data subject confirming the particulars of the consent received.

The direct marketing provisions generally require data users who wish to share personal data with a group company or a third party for direct marketing purposes (e.g. for joint marketing, or in connection with a sale of a marketing list) to obtain their prior written consent and to notify the data subject as follows:

that the data user intends to provide the individual's personal data to another person for use by that person in direct marketing;
that the data user may not so provide the data unless the data user has received the individual's written consent to the intended provision;
that the provision of the personal data is for gain (if it is to be so provided);
the kind(s) of personal data to be provided;
the class(es) of persons to which the data is to be provided;
the class(es) of marketing subjects (i.e. goods / services to be marketed) in relation to which the data is to be used; and
the response channel through which the individual may, without charge, communicate the individual's consent to the intended use.

When data users use personal data for the purposes of direct marketing for the first time, they must inform the subjects that they may opt out at any time, free of charge. In practice, it is common for subsequent direct marketing communications in Hong Kong to contain unsubscribe functions, not just in the first message.

Hong Kong's anti–spam framework is set out in the Unsolicited Electronic Messages Ordinance (Cap. 593), under which three types of Do–Not–Call (DNC) registers are maintained, namely the DNC for fax, short messages and pre–recorded telephone messages. Person-to-person telemarketing calls are not regulated by this framework.

In 2019, a legislative proposal was published to implement the new DNC to provide an "opt out" framework to permit recipients to request to stop receiving person‑to‑person telemarketing calls. At the time of writing, the relevant bill has not yet been announced.

Last modified 20 January 2025

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

The Act will apply to most electronic marketing activities, as there is likely to be processing and use of personal data involved (eg, an email address is likely to be ‘personal data’ for the purposes of the Act).

Also, pursuant to Act No. XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities, unless otherwise provided by specific other legislation, advertisements may be conveyed to natural persons by way of direct contact (hereinafter referred to as ‘direct marketing’), such as through electronic mail or equivalent individual communications only upon the express prior consent of the person to whom the advertisement is addressed. The request for the consent may not contain any advertisement, other than the name and description of the company.

The statement of consent may be made in any way or form, on condition that it contains the name of the person providing it, and – if the advertisement to which the consent pertains may be disseminated only to persons of a specific age – his place and date of birth, furthermore, any other personal data authorized for processing by the person providing the statement, including an indication that it was given freely and in possession of the necessary legal information.

The statement of consent may be withdrawn freely any time, free of charge and without any explanation. In this case all personal data of the person who has provided the statement must be promptly erased from the records and all advertisements must be stopped.

Pursuant to Act No. C of 2003 on Electronic Communications (‘EC Act’), applying automated calling system free of any human intervention, or any other automated device for initiating communication in respect of a subscriber for the purposes of direct marketing, providing information and market research shall be subject to the prior consent of the subscriber. Furthermore, providers of electronic communications services shall not apply automated calling system free of any human intervention, or any other automated device for initiating communication in respect of a subscriber for the purposes of public opinion polling if the user opposes it (opt-out system).

Last modified 11 January 2024

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Based on the Electronic Communications Act No. 70/2022 the use of electronic communications systems, including for email and other direct marketing, is only allowed if a subscriber has given prior informed consent.

If the email address has been obtained in the context of the sale of a good or service, the controller may use it for direct marketing of the controller’s own goods or services to customers who have not objected to receiving email marketing from the controller, provided the customers are given the opportunity, free of charge, to object to such use of their email address when it is collected and each time a message is sent.

Further, all marketing emails must include the name and address of the party responsible for the marketing.

Last modified 16 January 2025

Under the DPDP Act, Data Principals have the right to withdraw their consent and restrict their personal data from being processed by an entity for specified purposes such as email marketing. Furthermore, Data Fiduciaries are required to refrain from engaging in tracking or behavioral monitoring of children, as well as from conducting targeted advertising aimed at children.

However, in a related development, the Food Safety and Standards Authority of India (FSSAI) has made it mandatory for E-commerce FBOs (Food Business Operators) to obtain a license from the Central Licensing Authority. E-commerce FBO means any Food Business Operator carrying out any of the activities under section 3(n) of Food Safety & Standards Act, 2006, through the medium of e-commerce. Interestingly, section 3(n) covers the entire food chain as it defines “food business” as any undertaking, whether for-profit or not, and whether public or private, carrying out any of the activities related to any stage of manufacture, processing, packaging, storage, transportation, distribution of food, import and includes food services, catering services, sale of food or food ingredients. Similarly, another set of legal Rules being referred as “E-commerce & the Legal Metrology (Packaged Commodities) Amendment Rules, 2017,” effective from January 1, 2018, has made it mandatory for e-commerce entities to ensure mandatory declarations about the commodity displayed on the digital and electronic network used for e-commerce transactions.

The consumer protection regime in India was recently overhauled by way of enactment of the Consumer Protection Act, 2019 (notified in July 2020) (CPA 2019). Under CPA 2019, sellers and service providers have the obligation to, among others, not engage in unfair trade practices including by way of misleading advertisements. Further, Consumer Protection (E-Commerce) Rules, 2020 (E-Commerce Rules) have been notified under the CPA to regulate e-commerce entities in India. An ‘e-commerce entity’ has been defined to mean any person who owns, operates, or manages digital or electronic facility or platform for electronic commerce, but does not include a seller offering his goods or services for sale on a marketplace e-commerce entity. E-commerce entities are required to set up a proper grievance redressal mechanism and consumer complaints should be acknowledged by the grievance officer within a stipulated timeline. E-commerce entities are further required to, among others, provide information in relation to refund, exchange, warranty, delivery, mode of payment, fees and charges, grievance process and other relevant information on their platform. The price (total and a break-up) of goods or services should be mentioned clearly and misleading advertisements and misrepresentations are prohibited.

In June 2022, the Central Consumer Protection Authority (CCPA), issued Guidelines on Prevention of Misleading Advertisements and Endorsements for Misleading Advertisements, 2022 (the Guidelines). The Guidelines lay down the conditions for non-misleading and valid advertisements and conditions for bait advertisements. The Guidelines prohibit surrogate advertising, and also lay down conditions for advertisements targeted at children. Moreover, the Guidelines lay down the duties of manufacturers, service providers, advertisers, and advertising agencies.

In November 2023, the CCPA further issued Guidelines for Prevention and Regulation of Dark Patterns, 2023 (Dark Pattern Guidelines) to restrict the use of dark patterns or manipulative practices by online platforms in designing their user interface and user experience that impair user autonomy, influence decision making, and work to the detriment of users. The Dark Pattern Guidelines apply to sellers, advertisers, and all platforms that systematically offer goods and services in India. The Dark Pattern Guidelines list certain specified dark patterns that are prohibited, including practices such as false urgency, subscription trap or confirm shaming.

Further, the National Do Not Call (NDNC) Registry is effectively implemented by the Telecom Regulatory Authority of India (TRAI). TRAI has also established the Telecom Commercial Communication Customer Preference Portal, i.e. a national data base containing a list of the telephone numbers of all subscribers who have registered their preferences regarding the receipt of commercial communications. Telemarketing companies may lose their license for repeated violation of DNC norms.

Last modified 6 January 2025

The PDP Law and the General Data Protection Regulations do not specifically address electronic marketing.

Similar with other processing activities of personal data, a legal basis shall be available for conducting (electronic) marketing activities (e.g. consent of the personal data subject).

It is interesting to note that one of the reasons for the introduction of the right to withdraw consent under the PDP Law was to enable personal data subjects to avoid (further) personal data breach occurrences which have emerged due to, among others, direct marketing practices.

Last modified 20 January 2025

There is no specific electronic marketing law in Iran. However, under the Charter of Citizen’s Rights, operators must obtain addressee consent before sending any advertisement. Personal cell phones are considered as a private zone. Sending any unwanted advertisements, or spam, is against the law.

Last modified 23 May 2019

EU regulation

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

The ePrivacy Regulations implement the anti-spam rules set out in Article 13 of the Privacy and Electronic Communications Directive 2002/58/EC (as amended by the Citizens’ Rights Directive). These regulations came into effect on 1 July 2011. Electronic mail includes text messages (SMS), voice messages, sound messages, image messages, multimedia message (MMS) and email messages.

Direct marketing emails can generally only be sent to users with their prior consent. A limited exemption is available for direct marketing emails sent to existing customers promoting other products or services similar to those previously purchased by that consumer (such emails can only be sent for 12 months, the customer must have been given the opportunity to object when the details were collected and the product or service being marketed must be a product or service offered by the person with the existing relationship with the customer). B2B direct marketing emails can generally be sent unless the recipient has informed the sender that it does not consent to the receipt of such messages.

The identity of the sender must not be disguised or concealed and the recipient must be offered an opt-out.

Direct marketing calls (excluding automated calls) may be made to a landline provided the subscriber has not previously objected to receiving such calls or noted his or her preference not to receive direct marketing calls in the National Directory Database.

Direct marketing calls cannot be made to a mobile phone without prior consent.

One cannot send a direct marketing fax to an individual subscriber in the absence of prior consent. One can send such a fax to a corporate subscriber unless that subscriber has previously instructed the sender that it does not wish to receive such communications or has recorded a general opt-out to receiving such direct marketing faxes in the National Directory Database.

Breach of these anti-spam rules is a criminal offence. On a summary prosecution (before a judge sitting alone) a maximum fine of EUR 5,000 per message sent can be handed down. On conviction on indictment (before a judge and jury) a company may be fined up to EUR 250,000 per message sent and an individual may be fined up to EUR 50,000 per message.

Ireland regulation

The GDPR applies to most electronic marketing activities, as these will typically involve some use of personal data (e.g. an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47 of GDPR). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (“ePrivacy Directive”), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced by a Regulation though there remains uncertainty at an EU level as to when this legislation will be passed. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

In Ireland, the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (“ePrivacy Regulations”) implement the rules on electronic direct marketing set out in the ePrivacy Directive.

Direct marketing emails (which includes SMS and other text, voice, sound or image messages) can generally only be sent to users with their prior (opt-in) consent.

Two exemptions are available whereby emails can be sent on an opt-out basis:

Customer exception

Direct marketing emails may be sent on an opt-out basis to an existing customer promoting similar products or services to those purchased by that customer. Such emails can only be sent for 12 months from the date of sale to the customer, the customer must be given the opportunity to object both (1) when the details were collected, and (2) in each marketing message. Moreover, the product or service being marketed must be a product or service offered by the person with the existing relationship with the customer.

B2B exception

Business to business ("B2B") direct marketing emails can generally be sent unless the recipient has informed the sender that it does not consent to the receipt of such messages. To qualify for the B2B exception, an email address must reasonably appear to the sender to be an email address used mainly by the recipient in the context of their commercial or official activity and the marketing message must relate solely to that commercial or official activity.

Last modified 17 January 2025

Unsolicited marketing is regulated under the Communications Law (Telecommunications and Broadcasting), 1982 (the 'Anti Spam Act'). The Anti Spam Act prohibits, subject to certain exceptions, advertising by means of automated dialing, fax or text messages without first obtaining the recipient's initial opt-in prior consent; all such communications also must contain an optout / unsubscribe option.

Furthermore, the PPL governs the possession and management of databases intended for direct mailing service and imposes restrictions in connection therewith, including a database registration requirement specifying the purpose of direct mailing and specific recordkeeping requirements. Moreover, the IPA Guidelines No. 2/2017 impose additional requirements intended for direct mailing services, which, inter alia, include specific notice obligations such as indication of database information, sources and an initial opt-in requirement.

Additionally, the said IPA Guidelines govern direct marketing services which, inter alia, require specific opt-in consents and notice requirements.

In 2020, the Knesset approved Amendment 61 to the Consumer Protection Law, 5571-1981 ("Consumer Protection Law") which proposed to establish an opt-out arrangement for telephone marketing calls, known as "Do not call me" database, so that such calls could be held unless a consumer refused through active registration in the database. Consumers are able to register their phone numbers in the "Do Not Call Me" database from December 12, 2022.

Last modified 25 December 2024

The GDPR and the Privacy Code apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient's name). As further analyzed below, under Section 130 of the Privacy Code, the legal basis for electronic marketing is consent. The strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

The Privacy Code (Section 130) does not prohibit the use of personal data for the purpose of electronic marketing, but it requires the prior informed consent (opt-in) from the recipient of the communication. The use of automated calling or communications systems without human intervention for the purposes of direct marketing or for sending advertising materials, or else for carrying out market surveys or interactive business communication, as well as electronic communications performed by e-mail, facsimile, MMS or SMS-type messages or other means shall only be allowed with the contracting party’s or user’s consent. Such consent shall be recorded with reference to its date and the person giving it in order to be used as evidence of the consent.

Separate consents shall be required for the registration to a website and the opt-in to the delivery of marketing communications, however the data subjects may be required to provide a unique marketing consent covering the different marketing practices (e.g. marketing via SMS, email, telephone, market surveys, etc.) performed through the collected data, provided that such practices are outlined in the information notice provided to data subjects.

An additional separate consent shall be required for the transfer of collected personal data to third parties for marketing purposes. Said third party shall also be identified at least on the basis of its category of operation and provide an information notice to data subjects before the delivery of marketing communications.

Where a data controller uses, for direct marketing of his own products or services, electronic contact details for electronic mail supplied by a data subject in the context of the sale of a product or service, said data controller may fail to request the data subject’s consent, on condition that the services are similar to those that have been the subject of the sale and the data subject, after being adequately informed, does not object to said use either initially or in connection with subsequent communications. The data subject shall be informed of the possibility to object to the processing at any time, using simple means and free of charge, both at the time of collecting the data and when sending any communications for the purposes here referred.

Electronic marketing communications shall clearly identify the sender and provide to the recipient all necessary information in order for him / her to eventually refuse the delivery of the direct marketing material (opt-out).

The possibility for the recipient to opt-out from marketing communication services must be guaranteed both during the first contact with the recipient and during any following communications.

Marketing communications by way of non-automated telephone calls are permitted provided that either:

the data subject has given his prior consent, if there is an ongoing relationship that has not expired for more than 30 days; or
the number (that can now also be a mobile number) of the data subject is included in the telephone directory and (s)he has not entered in a public opt-out register ("Registro delle Opposizioni") and opted out from being contacted for marketing purposes.

Law 11 January 2018, no. 5 provides stringent rules on telemarketing, including, amongst others, the withdrawal from all consents previously given in case of enrolment in the Registro delle Opposizioni, save for consents provided based on contractual arrangements in place or expired less than 30 days before the enrolment, and the prohibition to communicate, transfer or disseminate personal data related to data subjects registered in the Registro delle Opposizioni for advertising or sales purposes or for the purposes of carrying out market research or commercial communications not related to the activities, products or services offered by the data controller.

On March 24, 2023 the Garante approved a Code of Conduct for telemarketing and teleselling activities (Codice di condotta per le attività di telemarketing e teleselling), which is a self-governance instrument that contributes to the correct application of telemarketing regulations and to the dissemination of consumer protection principles and measures among call centres and other operators in the sector. This Code of Conduct applies to all operators that carry out activities of promotion and / or offer of goods and services by telephone to persons on Italian territory that can adhere to it on a voluntary basis. The Code of Conduct envisages several obligations - not strictly related to personal data protection – to which those engaged in telemarketing / teleselling activities must comply with, such as (i) register with the Register of Communications Operators ("ROC") and use only the numbers registered with the ROC; (ii) notify the Italian Ministry of Economic Development, Ministry of Labor, National Labor Inspectorate and the Italian Data Protection Authority in case of relocation to a non-EU country (and inform the user at the beginning of the call); and (iii) present the calling line using an appropriate prefix code (or using a number without a code as long as it is registered with the ROC and can be redialed).

The above mentioned privacy provisions apply also to communications sent through private messages on social networks and through Voip. On the contrary, should the data subject be a follower of a social network page, it may be implied that the data subject has consented to the delivery of marketing communications of the page. Marketing messages concerning a given brand, product or service as sent by the company managing the relevant social network page may be considered to be lawful if it can be inferred unambiguously from the context or the operational arrangements of the relevant social network, also based on the information provided, that the recipient did intend in this manner to also signify his / her intention to consent to receiving marketing messages from the given company. However the delivery of marketing communications shall stop when the data subject unregisters from the page.

The Privacy Code provisions relating to marketing and commercial communications make reference to the ‘contracting party’s and user’s consent’ rather than to the ‘data subject’s consent’, referring both to individuals and companies.

Last modified 16 January 2025

The Act on Specified Commercial Transactions ("ASCT") and the Act on the Regulation of Transmission of Specified Electronic Mail ("Anti-Spam Act") regulate the sending of unsolicited electronic commercial communications.

Under the ASCT, which focuses on internet-order services, a seller is prohibited from sending email or fax advertisements to consumers unless they provide a prior request or consent (i.e. an opt-in requirement). The seller is also required to retain the records that show consumers' requests or consents to receive email or fax advertisements for 3 years for email advertisements and 1 year for fax advertisements after the last transmission date of an email or fax advertisement to the consumer.

If a seller has breached any of these obligations regarding email advertisements, such seller will be potentially subject to fine of up to JPY 1,000,000.

Under the Anti-Spam Act, which broadly covers commercial emails (e.g. an invitation email from a social network service), there are several regulations on sending email advertisements as follows:

the sender must retain records evidencing there was a request or consent to receive emails at least for 1 month after the last date the seller sent an email to the recipient;
for-profit entities or individuals engaged in business sending any email to advertise their own or another’s business must obtain a request or consent to receive emails from intended recipients unless the recipient falls under certain exceptions (e.g. there is a continuous transaction relationship between a sender and a recipient) in the Anti-Spam Act;
an email is required to include a sender’s email address or a URL so that recipients can send opt-out notices to the sender; and
senders must not send emails to randomly generated email addresses (with the hope of hitting an actual email address) for the purpose of sending emails to a large number of recipients.

The relevant ministry may order a sender to improve the manner of email distribution if the sender violates the requirements noted above. If the sender violates an order issued by the ministry (other than one related to the retention obligation), the sender is subject to imprisonment for up to 1 year or a fine of up to JPY 1,000,000. In addition, the entity will be subject to fine of up to JPY 30,000,000 if an officer or an employee of the entity commits any violation mentioned above. If the sender violates an order issued by the minister with respect to the retention obligation, the sender will be potentially subject to fine of up to JPY 1,000,000. In addition, the entity will be subject to fine of up to JPY 1,000,000 if an officer or an employee of the entity commits the violation mentioned above.

Last modified 20 January 2025

The DPJL applies to most electronic marketing activities, as they involve some use of personal data (e.g. an email address that includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller.

Where consent is relied upon, the strict standards for consent under the DPJL apply, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the checking of an unchecked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 36 DPJL).

Last modified 16 January 2025

The e-Procurement Instructions of 2018 mandates the use of JONEPS (Jordan Online E-Procurement System) in the implementation of public procurement.

The user of the system means the government entity, government unit, or interested party that submitted an application for registration on the electronic system and was approved by the electronic system manager.

The instructions explicitly state that the user of the system shall maintain the confidentiality of the information available in the system and take all necessary precautions and measures that would prevent the leakage of any information to any person, including the following:

Prevent the disclosure of information to persons who are not authorised to view or disclose it, and apply the highest levels of privacy, confidentiality, security and transparency of information.
Maintaining the security and integrity of data from alteration or modification by any party that does not have the authority to do so.

Additionally, the tenderer shall provide security controls to protect the system and devices, such as using anti-virus programs, using strong and modern programs and programs to detect intrusions from people or programs, and constantly updating information security programs.

Finally, the user of the system must use the system in a safe and sound manner, and it bears responsibility for any wrong use by it or by its users.

Last modified 11 January 2024

The Law on Online Platforms and Online Advertising provides for certain requirements for personal data protection in relation to the use of online platforms (websites, messengers, etc.) and online advertising.

In particular, it prohibits the profiling of the online-platform’s users for the purposes of targeted advertising if such profiling is based on race or nationality, political opinions, biometric or personal data, or information about the users’ health. Profiling is defined as a set of algorithms aimed at determining the preferences and (or) interests of users.

Last modified 4 February 2025

Section 37 of the Act

The use of personal data for commercial purposes is prohibited unless the person undertaking this processing:

has sought and obtained express consent from a data subject; or
is authorized to do so under any written law and the data subject has been informed of such use when collecting the data from the data subject.

The General Regulations states that a data controller or data processor is considered to be using personal data for commercial purposes if the personal data of a data subject is used to advance commercial or economic interests, including inducing another person to buy, rent, lease, join, subscribe to, provide or exchange products, property, information or services, or enabling or effecting, directly or indirectly, a commercial transaction.

The General Regulations further include circumstances where the personal data is used for direct marketing through:

sending of a catalogue through any medium addressed to a data subject;
displaying an advertisement on an online media site where a data subject is logged on using their personal data; or
sending an electronic message to a data subject about a sale, or other advertising material relating to a sale, using personal data provided by a data subject.

An exception to direct marketing restrictions is provided where the personal data is not used or disclosed to identify or target a particular recipient.

Personal data other than sensitive personal data is only permitted to be used for direct marketing where:

the data controller or data processor has collected the personal data directly from the data subject;
a data subject is notified that direct marketing is one of the purposes for which personal data is collected;
the data subject has consented to the use or disclosure of the personal data for the purpose of direct marketing;
the data controller or data processor provides a simplified opt-out mechanism for the data subject to request not to receive direct marketing communications; or
the data subject has not made an opt-out request.

The Cabinet Secretary in charge of information, communication and technology may, in consultation with the DPC, develop guidelines on the commercial use of personal data.

Last modified 6 February 2025

LPPD applies to direct marketing activities and to automated decision-making including profiling. LPPD allows data controllers to use personal data obtained from publicly accessible sources or within the framework of lawful performance of activities for the purposes of providing goods, services, employment or temporary performance of tasks, using postal services, telephone calls, e-mails or other telecommunication means (Article 73 (1)). With regards to direct marketing, the data controllers may only use the following personal data( Article 73 (2)):

personal name
permanent or temporary address
telephone number
e-mail
fax number.

Other data may be processed only based on the data subject’s consent (Article 73 (2)).

A data subject is entitled to object at any time, the use of his/her personal data for the purposes of direct marketing (Article 74). The objection of the data subject must be submitted in writing, and within eight (8) days of receiving the objection, the controller must cease to use such personal data (Article 74 (1)).

Last modified 4 February 2025

No specific provisions.

Last modified 4 February 2025

Sending of electronic communications for advertising is generally subject to prior express consent of the recipient.

Last modified 4 February 2025

The Decision on Protection of Consumers Using Telecommunications and Internet Services (2020) regulates unsolicited commercial communications (e.g. phone calls or messages) to consumers, with the following restrictions:

such calls and messages are prohibited from 8:00 to 17:00, Monday to Friday;
no more than 10 unsolicited commercial communications are allowed per month, per individual;
no more than two unsolicited commercial communications are allowed per day.

The decision provides that any individual or legal entity intending to use unsolicited commercial communications for their goods or services must receive the consent of the telecommunications or internet service provider of the prospects they plan to call. The decision does not offer guidance on how the relevant service provider’s consent may be obtained. Rather, the decision requires the telecommunications and internet service providers to ensure that unsolicited commercials communication are made by authorized persons. In addition, the decision delegates these providers to monitor the distribution of unsolicited commercial messages, thereby ensuring that these limits are not breached.

Consumers who receive unsolicited commercial communications can file a complaint with the MPT and resolve subsequent disputes with the relevant service provider. The decision also notes that consumers can voice complaints or seek guidance via one of the following official hotlines:

1510 – Ministry of Industry and Commerce;
1516 – Prime Minister’s Office;
156 – National Assembly.

The Ministry of Industry and Commerce’s website is also expected to become an available channel for complaints in the future.

Last modified 8 January 2025

EU regulation

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

The Personal Data Protection Law does not specifically address (electronic) marketing. However the use of personal data for marketing purposes falls within the scope of the law. The provisions on electronic marketing are also included in the Law on Information Society Services, which requires prior express consent of the person before using his or her contact information (e.g. email address, phone number) for electronic marketing purposes. This is also stressed in the guidelines provided by DSI.

According to the provisions of the Law on Information Society Services no consent is required if the data has been obtained in the course of the sale of goods or provision of services, occurs for the same or similar goods or services, the recipient is able to decline easily and with no costs for the use of his or her personal data and the recipient has not previously declared that he or she does not want to be contacted.

The Electronic Communications Law contains procedures for submitting and reviewing complaints which states that the end user has the right to submit any complaints regarding the provision of the electronic communications services (thus also possibly any data protection issues), firstly, to the relevant electronic communications merchant and afterwards to the Public Utilities Commission (Article 44 of the Electronic Communications Law.

Latvia regulation

The Personal Data Processing Law does not provide any derogations or additional requirements to the GDPR regarding electronic marketing.

Last modified 4 February 2025

It is forbidden to communicate unsolicited marketing and advertising emails (SPAM) using a real person's name and address, unless that person has consented to such type of advertising, except for cases where the sender of the unsolicited advertisement has legally obtained the address of such individuals through a previous engagement with them.

The Law provides that any individual shall have the right to object to the processing of their personal data for legitimate reasons, including to the collection and processing of personal data for marketing/promotion purposes (exceptions apply).

Last modified 21 December 2022

Under section 50 of the DP Act, direct marketing is defined in as a communication by whatever means of any advertising or marketing material which is directed to particular data subjects.

A data subject is entitled any time to require the data controller to cease, or not to begin, processing of personal data in respect of which he is the data subject for the purposes of direct marketing.

Last modified 20 December 2021

Section 13.46(1) of the Liberia Electronics Transaction Law (2002) states that: “a person who has access to any record, book, register, correspondence, information, document or other material in the course of performing a function under or for the purposes of this Law shall not disclose or permit or suffer to be disclosed such record, book, register, correspondence, information, document or other material to any other person”. However, Section 13.46(2) of the Act provides that the above-quoted provision of Sub-section 1 does not apply to disclosure:

Which is necessary for performing or assisting in the performance of a function under or for the purposes of this Law;
For the purpose of any criminal proceedings in Liberia or elsewhere;
For the purpose of complying with a requirement made under a rule of law with a view to instituting a criminal proceeding in Liberia or elsewhere; or
Under the direction or order of a court.

Last modified 23 February 2024

There is no specific law governing electronic marketing.

Last modified 18 January 2024

EU regulation

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Electronic marketing to individuals in Lithuania must only be conducted in accordance with the Data Protection Law, the Electronic Communications Law and the Law on Advertising of the Republic of Lithuania (Advertising Law).

General requirements for direct marketing:

The recipient (either natural person or legal person) has given his prior consent (under Lithuanian law, an opt-in principle applies, ie, the customer should actively express his willingness to receive commercial communication);
The recipient’s consent must be obtained separately from other terms of the contract between the parties;
Consent cannot be obtained in the standard terms presented to the recipient (eg, “by accepting these terms you agree to receive our commercial communication to the email provided to us”). The consent must stand separately from other contractual terms, so that the data subject has an actual possibility to choose whether he or she wants to receive commercial communication from the company or not;
The company must ensure that recipients have been given a clear, free-of-charge and easily realizable possibility not to give their consent or refuse giving their consent for the use of this data for the above-mentioned purposes at the time of collection of the data and, if initially the recipient has not objected against such use of the data, at the time of each
offer.

No direct marketing should be carried out where the contact has requested not to receive unsolicited direct marketing.

Exemption: if the company has obtained electronic contact details in the process of selling a product or a service, it is allowed to use these details for direct marketing provided that the recipient (either natural person or legal person) is given an opportunity to refuse such marketing; this opportunity shall continue to be offered with each message.

Additional requirements under the Advertising Law:

Direct marketing must be clearly recognizable as a commercial communication;
The person on behalf of whom this commercial communication is distributed must be clearly identified;
The content of the offer and conditions regarding receiving of the service must be formulated clearly and precisely.

Each marketing communication is a separate violation, for which a penalty of up to EUR 3,000 may be imposed.

Lithuania regulation

As mentioned above, the Data Protection Law provides a definition of direct marketing and prohibits the processing of personal code for direct marketing purposes.

Last modified 3 February 2025

EU regulation

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing is permissible only in respect of subscribers who have given their prior consent.

Where a supplier obtains from its customers their electronic contact details for electronic mail, in the context of the sale of products or services, that supplier may use those electronic contact details for direct marketing of its own similar products or services provided that customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details when they are collected and on the occasion of each message where the customer has not initially refused such use.

The transmission of unsolicited communications for purposes of direct marketing by means other than those referred to in the previous paragraphs shall be permissible only with the prior consent of the subscriber concerned.

Luxembourg regulation

No specific provisions in the applicable local law.

Last modified 4 February 2025

Under the Law, data subjects have the right to object, upon their request and free of charge, to the processing of their personal data for direct marketing purposes, to be informed before their personal data is disclosed or used by third parties for the purpose of direct marketing and to be expressly offered, also free of charge, the right to object to such disclosure or use.

Last modified 19 December 2023

The Data Protection Law and the Malabo Convention do not provide specific restrictions on the use of electronic marketing. However, the data subject has a right to opt out of allowing their personal data to be used for marketing purposes without providing any reason.

Last modified 4 February 2025

The PDPA applies to electronic marketing activities that involve the processing of personal data for the purposes of commercial transactions. There are no specific provisions in the PDPA that deal with electronic marketing. However, the PDPA provides that a data subject may, at any time by notice in writing to a data controller, require the data controller at the end of such period as is reasonable in the circumstances to cease or not to begin processing his or her personal data for direct marketing purposes. 'Direct marketing' means the communication by whatever means of any advertising or marketing material that is directed to particular individuals.

Pursuant to PCP 01/2020, the Commissioner is considering issuing a guideline to data controllers on the mechanism of digital and electronic marketing. The Commissioner has sought feedback on a proposed requirement on data controllers to provide a clear mechanism for data subjects to unsubscribe from online services and the elements to be considered in preparing the guideline on processing personal data in digital and electronic marketing.

The Commissioner is also considering issuing a guideline on the implementation of direct marketing for data controllers. Feedback from the public is sought as to whether a proposed data controller is allowed to make the first direct marketing call to the data subject, the use of the 'opt-out' method, and the important elements to be considered in the preparation of such guideline.

Last modified 20 January 2025

EU regulation

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Malta regulation

The Act applies also to most electronic marketing activities since in the course of such activities, it is likely that ‘personal data’ as defined above (including email) will be ‘processed’ as understood by the Act. In relation to direct marketing (even electronic), consent may be revoked at will by the data subject(s).

The controller is legally bound to inform the data subject that he or she may oppose such processing at no cost.

Apart from the Act, the ‘Processing of Personal Data (Electronic Communications Sector) Regulations’ (Subsidiary Legislation 586.01 issued under the Data Protection Act 2018) (the Electronic Communications Regulations) address a number of activities relating specifically to electronic marketing.

In the case of subscriber directories, the producer of such directories shall ensure (without charge to the subscriber) that before any personal data relating to the subscriber (who must be a natural person) is inserted in the directory, the subscriber is informed about the purposes of such a directory of subscribers and its intended uses (including information regarding search functions embedded in the electronic version of the directories). No personal data shall be included without the consent of the subscriber. In furnishing his consent the subscriber shall determine which data is to be included in the directory and is free to change, alter or withdraw such data at a later date. The personal data used in the directory must be limited to what is necessary to identify the subscriber and the number allocated to him, unless the subscriber has given additional consent authorizing the inclusion of additional personal data.

The Electronic Communications Regulations also deal with the issue of unsolicited communications. A person is prohibited from using any publicly available electronic communications service to engage in unsolicited communications for the purpose of direct marketing by means of:

An automatic calling machine
A facsimile machine
Email

to a subscriber, irrespective of whether such subscriber is a natural person or a legal person, unless the subscriber has given his prior explicit consent in writing to the receipt of such a communication.

By way of exception to the above (informally known as the ‘soft opt-in’ rule), where a person has obtained from his customers their contact details for email in relation to the sale of a product or a service, in accordance with the Act that same person may use such details for direct marketing of its own similar products or services. However, the customers must be given the opportunity to object, free of charge and in an easy and simple manner, to such use of electronic contact details when they are collected and on the occasion of each message where the customer has not initially refused such use.

In all cases the practice of, inter alia, sending email for the purposes of direct marketing, disguising or concealing the identity of the sender or without providing a valid address to which the recipient may send a request that such communications cease, shall be prohibited.

The Act does not change the position under the previous Data Protection Act (Chapter 440) and does not introduce derogations from the provisions of the GDPR in this regard. The proposed ePrivacy Regulation would need to be analyzed separately.

Last modified 18 January 2024

The Act regulates direct marketing, which is defined as the communication of any advertising or marketing material which is directed to any particular individual. The definition also encompasses electronic marketing.

The data subject may object to the processing of his or her personal data for purposes of direct marketing, including profiling to the extent relevant. Where a data subject objects to processing, his or her personal data may no longer be processed for that purpose. This right to object shall be explicitly brought to the attention of the data subject.

Last modified 6 January 2025

Email marketing constitutes personal data processing and is subject to the Law, including applicable notice and consent requirements.

Last modified 28 January 2024

The Law regarding information society services dated July 22, 2004 provides for certain legal requirements for distribution of commercial electronic messages in the area of electronic commerce. In particular:

commercial electronic messages are allowed only subject to the preliminary consent of a subscriber or addressee to receive such messages;
the recipient shall have easy access to information regarding the individual or legal entity sending the message;
commercial electronic messages regarding sales, promotional gifts, premiums etc. shall be unequivocally identified as such and the conditions for receiving of such promotions shall be clearly stated to avoid their ambiguous understanding.

Last modified 16 January 2025

Prior to implementing any electronic marketing activity the CCIN must be notified, as electronic marketing activities may use personal data. The DPL does not prohibit the use of personal data for the purpose of electronic marketing per se. However, when implementing electronic marketing activities a company must respect the provisions of Articles 1, 10-1, 10-2 and 14 of the DPL.

The automated or non-automated processing of personal data must not infringe the fundamental rights and freedoms enshrined in Title III of the Constitution.

When marketing, personal data must be:

Collected and processed fairly and lawfully;
Collected for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes;
Adequate, relevant and not excessive in relation to the purposes for which it is collected and / or further processed;
Accurate and, if necessary, updated; every reasonable step must be taken to ensure that data which is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified;
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed.

Processing of personal data must be justified by one of the following bases:

By consent from the data subject(s);
By compliance with a legal obligation to which the data controller or their representative is subject;
By it being in the public interest;
By the performance of a contract or pre-contractual measures with the data subject;
By the fulfillment of a legitimate motive on the part of the data controller or their representative or by the recipient, on condition that the interests or fundamental rights and freedoms of the data subject are not infringed.

Data subjects from whom personal data is collected must be informed of all of the following:

The data controller’s identity and, if applicable, the identity of their representative in Monaco;
The purpose of processing;
The obligatory or optional nature of replies;
The consequences for data subjects of failure to reply;
The identity of recipients or categories of recipients;
Their right to oppose, access and rectify their data;
Their right to oppose disclosure to and use of personal data by a third party, or the disclosure for the purposes of the third party’s commercial use, including marketing.

Last modified 6 February 2025

There are no specific provisions under the Data Protection Law or other Mongolian laws regulating electronic marketing communications. It is important to point out, however, that, according to the Data Protection Law, all processing of consumer Personal Data (which includes the collection, storage and making available to the public) can only occur upon the appropriate legal basis for such purpose and permission provided by the Data Owner.

Last modified 16 January 2025

Electronic marketing is not governed by the DP Law. Nevertheless, this law does govern protection of personal data used in direct marketing. In that regard, the law requires that data subjects have to be provided with a possibility to object to the processing of their personal data for direct marketing purposes prior to the commencement of the respective processing. Regarding the use of sensitive personal data in direct marketing, it is explicitly prescribed that a data subject's consent is a requirement for the respective processing.

Although not governed by the DP Law, there are other regulations which govern electronic marketing, including the Law on Electronic Trade ('Official Journal of the Republic of Montenegro', no. 80/04 and 'Official Journal of Montenegro', nos. 41/10, (…), 56/13) ('ET Law'). In this respect, one of the most important rules prescribed by the ET Law is the rule that any sending of unsolicited commercial messages is not allowed unless prior consent of the recipients of the respective marketing is obtained. It is strictly forbidden to send any marketing messages to individuals who have indicated that they do not want to receive such (i.e. opted-out) (and a service provider who sends unsolicited commercial messages is required to establish and maintain a record of individuals who opted-out). A violation of the respective rules is subject to liability, with fines ranging from EUR 500 to EUR 17,000 (for a legal entity) and ranging from EUR 100 to EUR 1,500 (for a responsible person in a legal entity). For particularly serious violations or repeated violations, an order banning or suspending the business activity (lasting from three months to six months) may be imposed on an entity responsible for the respective violations).

Last modified 16 January 2025

Direct marketing by means of an automated calling machine, a fax machine, email or a similar technology, which uses, in any form whatsoever, an individuals' data without their express prior consent to receive direct prospecting is prohibited.

However, direct marketing via email may be allowed if the recipient’s email address has been received directly from him / her.

In the absence of consent, unwanted emails can only be sent if all of the following conditions are satisfied:

The contact details were provided in the course of a sale

The marketing relates to a similar product

The recipient was given a method to opt out of the use of their contact details for marketing when they were collected

Last modified 18 January 2024

The rules applicable to electronic advertisement and marketing are provided under the Advertisement Code (Decree no. 38/2016, of August 31) and the Electronic Transactions Law (Law no. 3/2017, of January 9).

Under the Electronic Transactions Law, express consent from a recipient is required prior to sending direct marketing communications via automated dialing systems, fax machines and email, unless one of the following applies

If the sender obtained the contact details of the recipient during the sale or negotiations for the sale of a product or service to the recipient;
The direct marketing refers to similar products or services to those of the recipient;
At the moment of initial collection of the data, the recipient was offered the option to refuse of use of his contact details, and decided not to refuse;
If the recipient did not refuse the use of its data in any subsequent communications.

Under the Advertisement Code, electronic marketing messages should be clearly identified and include sufficient information, so as to allow the common recipient to easily understand all of the following:

The nature of the message;
The advertiser;
The promotional offers, such as discounts, prizes, gifts and promotional contests and games, as well as the conditions to which they are bound (if applicable).

All direct marketing message must provide recipients with information about how to opt out of further marketing communications, as well as the identity details of the source from which the contact details of the consumer have been obtained.

Last modified 16 January 2025

There is no specific law. However, electronic marketing would generally be governed by the Competition Law (2015), the Consumer Protection Law (2019), E-Commerce Guidelines (2023) and Order for Online Sales Business Registration 2023.

Last modified 18 December 2024

There are no electronic marketing regulations.

Last modified 18 January 2024

The matters related to marketing are regulated by the Advertisement Act and Advertisement Regulation. The definition as provided under the Advertisement Act also includes inter alia advertisement done through electronic medium, online or social media.

Advertisement-oriented SMS or Email cannot be sent to any person without obtaining the said concerned person’s consent.

Last modified 20 January 2025

EU regulation

The GDPR applies to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted.

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Netherlands regulatino

Electronic marketing is partially regulated in Article 11.7 of the Dutch Telecommunications Act (Tw). The first paragraph of Article 11.7 of the Tw is the rules for telemarketing that does not involve human intervention. These so-called automatic systems for transmitting commercial, idealistic or charitable communications may only be used if the consumer has given his prior consent. As of 1 July 2021, the Dutch Telecommunications Act changed. As a main rule, also for telemarketing with human intervention, the opt-in system will be used.

New legislation

The ePrivacy Regulation is a proposed regulation governing the use of electronic communication services within the European Union and is intended to replace the Directive on privacy and electronic communications (Directive 2002/58/EC). In addition to the GDPR, the ePrivacy Regulation represents a core element of EU-level data protection. On 10 February 2021, the Council of the European Union ('the Council') published a new legislative proposal, thereby launching negotiations between the Council, the European Parliament and the European Commission.

In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

Last modified 18 January 2024

The Act does not differentiate between the collection of and use of any personal information for electronic marketing or other forms of direct marketing.

The Unsolicited Electronic Messages Act 2007:

prohibits unsolicited commercial electronic messages (this include email, fax, instant messaging and text messages of a commercial nature – but do not cover Internet pop-ups or voice telemarketing) with a New Zealand link (messages sent to, from or within New Zealand);
requires consent (which can be express, reasonably inferred, or deemed) from the recipient prior to sending commercial electronic messages;
requires commercial electronic messages to include accurate information about who authorised the message to be sent;
requires a functional unsubscribe facility to be included so that the recipient can instruct the sender not to send the recipient further messages; and
prohibits using address-harvesting software to create address lists for sending unsolicited commercial electronic messages.

The Marketing Association of New Zealand has a code of practice for direct marketing which governs compliance by members of the principles of the code. The code establishes a ‘Do Not Call’ register to which anyone not wanting to receive any direct marketing can register.

Last modified 24 January 2025

The data files destined to the sending of advertising, promotions, offers and direct sale of products, goods and services or other analogous activities can only incorporate personal data with the consent of the owner, or when the data appears in publicly accessible sources.

The sending of advertising and promotions, through electronic means, must offer the possibility to the recipient of personal data to express their refusal to continue receiving advertising and promotional content of goods and services or, where appropriate, revoke their consent in a clear and free manner.

Companies or institutions that engage in electronic marketing, advertising and promotional content must be protected by means of a contract that establishes that the personal data contained in a data file has been obtained with the unequivocal and informed consent of the owners or that it has been obtained from publicly accessible sources.

Last modified 28 January 2024

The personal data Act will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient's name).

The general rule for electronic marketing is that it requires the express consent of the recipient (see Article 58 of Law No.2018-45 of July 12, 2018 on the regulation of electronic communications in Niger).

Even when a marketer has the consent of a data subject, that consent can be withdrawn by the data subject under Article 28 of the Personal Data Act.

The data subject has the right to object at any time to the use of his/her personal data for such marketing.

This right to object must be explicitly brought to the attention of the data controller.

Last modified 6 January 2025

The NCC Regulations provide that no licensee shall engage in unsolicited telemarketing unless it discloses:

At the beginning of the communication, the identity of the licensee or other person on whose behalf it is made and the precise purpose of the communication. During the communication, the full price of any product or service that is the subject of the communication must be specified.
The person receiving the communication shall have an absolute right to cancel the agreement for purchase, lease or other supply of any product or service within seven (7) days of the communication, by calling a specific telephone number (without any charge, and that the Licensee shall specifically identify during the communication) unless the product or service has by that time been supplied to and used by the person receiving the communication.

Licensees are required to conduct telemarketing in accordance with any "call" or "do not call" preferences recorded by the consumer, at the time of entering into a contract for services or after, and in accordance with any other rules or guidelines issued by the Commission or any other competent authority.

Direct Marketing

The Data Protection Act provides that where personal data is processed for direct marketing purposes, the data subject will have the right to object at any time, to the processing of such data. When the data subject objects, the personal data shall no longer be processed for such purposes.

Internet Service Providers (ISP)

The NCC Legal Guidelines for Internet Service Providers (ISP) provides that Commercial Communications ISPs must take reasonable steps to promote compliance with the following requirements for commercial email or other commercial communications transmitted using the ISP's services:

The communication must be clearly identified as a commercial communication.
The person or entity on whose behalf the communication is being sent must be clearly identified.
The conditions to be fulfilled in order to qualify for any promotional offers, including discounts, rebates or gifts, must be clearly stated.

Promotional contests or games must be identified as such, and the rules and conditions to participate must be clearly stated. Persons transmitting unsolicited commercial communications must take account of any written requests from recipients to be removed from mailing lists, including by means of public opt-out registers in which people who wish to avoid unsolicited commercial communications are identified.

Advertising

The Advertising Regulatory Council of Nigeria Act 2022 (ARCON Act) is the apex law regarding advertising and marketing communications in Nigeria; its scope covers both terrestrial and online advertisements. The Nigerian Code of Advertising Practice Sales Promotion and Other Rights / Restrictions on Practice (5th Edition) which continues in force under the ARCON Act, provides that all advertisements and marketing communications directed at the Nigerian market using the Internet or other electronic media must comply with the following requirements:

The commercial nature of such communications must not be concealed or misleading, it should be made clear in the subject header.
Terms of the offer should be clear and devices should not be used to conceal or obscure any material factors, such as price or other sales conditions likely to influence customer decisions.
The procedure for concluding a contract should be clear.
Due recognition must be given to the standards of acceptable commercial behavior held by public groups before posting marketing communications to such groups using electronic media.
Unsolicited messages should not be sent except where there are reasonable grounds to believe that consumers who receive such communications are interested in the subject matter or offer.
All marketing communications sent via electronic media should include a clear and transparent mechanism enabling consumers to expressly opt-out from future solicitations.
Care should be taken to ensure that neither the marketing communication, or applications used to enable consumers to open marketing or advertising messages, interfere with consumers normal use of electronic media.
Customer information must not be transferred to any party except to the extent agreed with the Customer, as permitted or required by the NCC or other applicable laws or regulations.

Last modified 18 January 2025

Under the DP Law, personal data may be processed for electronic (direct) marketing purposes including profiling to the extent connected to the direct marketing only with the data subject’s explicit consent to such processing. The data subject has the right to withdraw his or her consent at any time.

The data subject is entitled to exercise his or her right to object at any time to processing of his or her personal data for such marketing. In situations where the data subject objects to the processing, the personal data shall no longer be processed for such purposes.

Last modified 17 January 2024

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g., an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Pursuant to the Marketing Control Act (LOV-2009-01-09-2, Nw: Markedsføringsloven) section 15, it is prohibited in the course of trade, without the prior consent of the recipient, to send marketing communications to natural persons using electronic methods of communication which permit individual communication, such as electronic mail, telefax or automated calling systems (calling machines).

Prior consent is however not required for electronic mail marketing where there is an existing customer relationship and the contracting trader has obtained the electronic address of the customer in connection with a sale. The marketing may only relate to the trader’s own goods, services or other products corresponding to those on which the customer relationship is based.

At the time that the electronic address is obtained, and at the time of any subsequent marketing communication, the customer shall be given a simple and free opportunity to opt out of receiving such communications.

‘Electronic mail’ in the context of the Marketing Control Act means any communication in the form of text, speech, sound or image that is sent via an electronic communications network, and that can be stored on the network or in the terminal equipment of the recipient until the recipient retrieves it. This includes text and multimedia messages sent to mobile telephones.

Direct marketing emails must not conceal or disguise the identity of the sender. If the email is unsolicited, it shall clearly state that the email contains a marketing message upon receipt of the message (The Norwegian E-Commerce Act (LOV-2003-05-23-35), Nw: Ehandelsloven, section 9).

Last modified 16 January 2025

The legislation at present does not provide a comprehensive framework to regulate electronic marketing and the processing or transmission of any personal data as a result of electronic marketing. Section 25 of PECA 2016 however prohibits any person from engaging in spamming (including transmission of harmful, fraudulent, misleading, illegal or unsolicited information), though it may be noted that the aforementioned prohibition is only applicable where such spamming is done by a person for a wrongful gain.

Pursuant to the provision of PECA 2016 on spamming, PTA has restricted promotional text messages from telemarketing firms, which now have to provide the recipient with an option to unsubscribe in the promotional message.

Last modified 4 January 2024

Law No. 51 of July 22nd, 2008, as amended by Law 82 of November 9, 2012 (“Law 51”), and its bylaws establish in the Executive Decree No. 40 of May 19, 2009 (“Decree 40”) and Executive Decree No. 684 of October 18, 2013 (“Decree 684”) regulate the electronic documents and electronic signatures, as well as the rendering of data storage services, and the certification of the electronic signatures, and adopts other dispositions for the development of e-commerce. It establishes that Companies that sell goods or services in Panama, through the Internet, will be subject to the other provisions of national legislation that apply to them based on the activity they develop, regardless of the use of electronic means for their realization.

With respect to email advertising, Panamanian law requires that all such emails:

State that they are commercial communications
Include the name of the sender
Set forth the mechanism through which the recipient may choose not to receive any further communications from the particular sender

These requirements apply to other promotional offers as well.

Further, although opt-out tools are not prohibited, the client's initial opt-in consent is specifically required if an entity wishes to use the client's email for advertising purposes. Further, although no specific prohibition has been enacted with respect to the use of information for online advertising, obtaining the customer's consent is always preferable.

Last modified 28 January 2024

The Electronic Commerce Law requires that all marketing communications and promotional offers:

state that they are commercial communications;
include the name of the sender; and
provide a mechanism through which the recipient may choose not to receive any further communications from the particular sender.

Additionally, the communication shall state that the recipent's private data was obtained without violating privacy rights.

Electronic Marketing is also subject to general marketing and advertising related provisions of the Consumer’s Protection Law.

Last modified 28 January 2025

The PDPL does not expressly regulate electronic marketing. However, the PDPL does apply to electronic marketing activities if personal data is processed as a result.

If consent is obtained through electronic media, the notice requirements can be met by publishing accessible and identifiable privacy policies with the relevant consent language and mechanism. The PDPL establishes the possibility of obtaining express consent by presenting the option to agree with the privacy policies in clickable ways (eg, by clicking, ticking a box).

Written consent may be provided by other options, including:

Through an electronic signature
A written document possible to read or print
A mechanism or procedure that allows one to identify the subject and to receive his consent through a written text
A pre-established text as long as it is easily visible, legible and written in simple language

The laws governing electronic signatures are:

Law N° 27291
The Digital Certificates and Signatures Law (Law N° 27269)
Supreme Decree N° 052-2008-PCM

Note that expressing the will in any of the regulated forms does not eliminate the other requirements of consent referring to that consent must be informed, and freely given.

According to the article 58.1 of Consumer Protection Code Law N° 29571, the following commercial activities require prior, informed, express and unequivocal consent to promote products and services:

Use of call centers
Use of telephone call systems
Bulk text messages or
emails Telemarketing services

As to date, it is permitted to obtain personal information from public sources or by licit means in order to contact the data subjects to get their consent for the aforementioned commercial activities. Notwithstanding the foregoing, whenever the data subject does not grant its consent for commercial activities, it must not be contacted again for those purposes. Furthermore, easily accessible and free mechanisms must be implemented to allow the data subjects to revoke their consent for the commercial purposes.

However, a bill has been proposed, which would modify the aforementioned article 58.1, so that advertising could only be sent to consumers who request to receive such and grant the sender unequivocal, free, informed and express consent to be contacted for marketing purposes. So, a data subject’s information (i.e. telephone numbers and e-mails) could be used for marketing purposes only if the data subject has consented to be contacted by the sender for marketing purposes.

Last modified 26 January 2023

In 2008, the Department of Trade and Industry, the Department of Health, and the Department of Agriculture issued a joint administrative order implementing the Consumer Act of the Philippines (Republic Act No. 7394) and the E-Commerce Act (Republic Act No. 8792). The Joint DTI-DOH-DA Administrative Order No. 01 (the ‘Administrative Order’) provides rules and regulations protecting consumers during online transactions, particularly on the purchase of products and services. It covers both local and foreign-based retailers and sellers engaged in e-commerce.

The Administrative Order particularly requires retailers, sellers, distributors, suppliers or manufacturers engaged in electronic commerce with consumers to refrain from engaging in any false, deceptive and misleading advertisement prohibited under the provisions of the Consumer Act of the Philippines.

In line with the Administrative Order’s provision on fair marketing and advertising practices, retailers, sellers, distributors, suppliers or manufacturers engaged in electronic commerce are mandated to provide:

fair, accurate, clear and easily accessible information describing the products or services offered for sale such as the nature, quality and quantity thereof;
fair, accurate, clear and easily accessible information sufficient to enable consumers to make an informed decision whether or not to enter into the transaction; and
such information that allows consumers to maintain an adequate record of the information about the products and services offered for sale.

A data subject must be provided with specific information regarding the processing of his personal data for direct marketing. In fact, the data subject shall have the right to object to the processing of his or her personal data, including processing for direct marketing.

In 2022, the NPC, together with other government agencies, issued Joint Administrative Order No. 2022-01 or the Guidelines for Online Businesses Reiterating the Laws and Regulations Applicable to Online Businesses and Consumers (the “Guidelines”). The Guidelines define the responsibilities of online sellers, merchants, or e-retailers under the Act, and seeks to ensure privacy protection and transparency, legitimate purpose and proportionality in data collection and processing.

Last modified 20 January 2025

EU regulation

Electronic marketing activities are subject to the regulation of Polish data protection law, i.e. the Electronic Communication Act.

The processing of personal data for its own marketing purposes by a data controller (as well as other companies from the group) may be based on Article 6 sec. 1(f) of the GDPR, i.e. the legitimate interests of the data controller, and it does not require separate consent. However, the data subject may always object to such processing. Nevertheless, if marketing activities relate to products and services of third parties, prior consent for such processing is necessary.

Poland regulation

The issue of consent for electronic marketing is governed by Article 398 of the Electronic Communications Act. Under this provision, it is prohibited to use:

automatic calling systems; or
telecommunication terminal equipment, in particular in the use of interpersonal communication services,

for the purpose of sending unsolicited commercial information, including direct marketing, to a subscriber or end-user unless prior consent has been given.

The subscriber or end-user can also give consent by providing an electronic address that identifies them. (Article 398(2) Electronic Communications Act).

The collection of marketing consents according to the Electronic Communications Act consists of obtaining express and informed consent from the person concerned before the entity decides to do things such as send messages about special offers or telephone contact for marketing purposes. The person from whom consent is collected must give it themselves, e.g. by clicking a checkbox or answering ‘yes’ to a communication. Consent cannot be selected by default. It is worth mentioning that the existing consents remain valid - if the manner of giving consent complies with the conditions set out in the enacted Electronic Communications Act. Such a condition is that the collected consents comply with the provisions on personal data protection (Article 400 of the Electronic Communications Act). This means that existing consents must comply with the conditions set out in the GDPR:

they must be given knowingly and voluntarily;
must cover a specific purpose;
can be withdrawn;
must be specific and indicate the channel of future communication with the customer (e.g. SMS, telephone, email), the purpose and the entity to which the consent was given).

The consent to direct marketing and to the sending of unsolicited commercial communications should be separate from consent to the processing of personal data.

Last modified 16 January 2025

EU regulation

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced by a Regulation. In February 2021, the Council of the European Union agreed on a draft Regulation, opening the trilogue phase. It is uncertain how long this phase will last and the ePrivacy Regulation is not expected to enter into force before 2023, therefore it will not be applicable until at least 2025. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

Portugal regulation

As established under Law 41/2004, of 18 August (as amended), sending unrequested communications for direct marketing purposes to natural persons is subject to express prior consent of the subscriber or user (that is, the opt-in rule applies). This includes use of automated calling and communications that do not rely on human intervention automatic call devices, fax or electronic mail, including SMS, EMS, MMS and other similar applications.

As regards direct marketing communications to legal persons, these are allowed insofar as opt-out is offered. Legal persons may refuse future communications and request registration in the non-subscribers list.

This does not prevent the supplier that has obtained its clients’ data and contacts in connection with the sale of a product or service to use such data for direct marketing of its own products or services or products or services similar to the ones provided.

Nevertheless, the supplier shall ensure that these clients are given the opportunity to object to the use of such data, free of charge, clearly and explicitly, and in an easy manner, at the time of the respective collection, and on each message (when the client did not opt-out initially upon collection of the data).

Moreover, sending electronic mail for direct marketing purposes via email where the identity of the sender is disguised or concealed, as well as where there is no valid means of contact to send a request to stop these communications or encouraging recipients to visit websites that violate these rules is strictly forbidden.

Last modified 17 January 2024

Unsolicited direct marketing is prohibited under the Data Protection Law, which requires prior consent to send electronic marketing communications (including by wired or wireless communication). The consent of the data subject must be affirmative, explicit and unambiguous. Indirect or implied consent by means of pre-ticked boxes may be deemed invalid.

All electronic marketing communications must include the identity of the sender and an indication that it is sent for the purpose of direct marketing. The message must include an address that can easily be reached and must enable the recipient to send a message requesting the sender to stop the electronic communication and enable the recipient to withdraw the consent at any time.

Last modified 17 January 2024

Immediately upon collecting personal data, the DPL requires data controllers to provide data subjects who they have collected personal data from, with, among other things, any further information to the extent necessary. This includes information on whether the personal data will be used for direct marketing purposes.

If the personal data has not been obtained from the data subject, the data controller or their representative must at the time of undertaking the recording of personal data or within a reasonable period no longer than 30 days after obtaining the personal data (taking into account the circumstances in which data are processed) – or if it is envisaged that the personal data will be disclosed to a third party, no later than when the personal data is first recorded or disclosed – provide the data subject with, among other things, information regarding whether the personal data will be used for direct marketing purposes.

A data subject has the right to object at any time to the processing of their personal data for direct marketing purposes. In which case, the personal data must no longer be processed for such purposes.

Last modified 17 January 2024

Regulated by separate law.

Last modified 23 February 2024

EU regulation

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time.

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC ("ePrivacy Directive"), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced by references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

Romania regulation

The processing of personal data for electronic marketing purposes is regulated under Law no. 506/2004, on the processing of personal data in the electronic communications sector implementing Directive 2002/58/CE ("Law no. 506/2004").

According to this law, it is forbidden to send commercial communications by using automatic call and communication systems that do not require the intervention of a human operator, by fax or by electronic mail or any other method employing publicly available electronic communications services, except where the subscriber or user of a publicly electronic communications service has expressly consented in advance to receive such communications.

However, in cases where a natural or legal person has directly obtained the email address of a client upon the sale or provision of a product or service, the natural or legal person may use the respective address for the purpose of sending commercial communications regarding similar products or services, provided that clients are clearly and expressly offered the possibility to oppose by way of an easily accessible and free-of-charge method, not only when the email address is collected but also with each commercial communication received, in a case where the customer has not initially objected.

Last modified 17 January 2024

Processing of personal data for directly contacting data subjects for purposes of sales and marketing is allowed only with the consent of the data subject. In addition to the consent requirement under personal data rules, electronic marketing activities are regulated by the Law “on Advertising” No. 38-FZ dated 13 March 2006. The Advertising Law features an Anti-Spam rule under which the distribution of advertising through telecommunications networks, in particular, through the use of telephone, facsimile and mobile telephone communications, is allowed only with the consent of party receiving the advertising. The advertiser bears the burden of proof to show that consent was received. Consent to receive advertising may be revoked at any time, and the advertiser is obligated to immediately cease distribution of the advertising upon such revocation.

Last modified 17 January 2024

The Data Protection Law provides for the data subject right to object to the processing of his/her personal data for direct marketing purposes including profiling to the extent that it is related to such direct marketing (article 19).

The ICT Law provides that a person who sends unsolicited commercial communications to a consumer, provides the consumer with the option to cancel the subscription to the mailing list of that person and identify particulars of the source from which that person obtained the consumer's personal information, upon the request of the consumer (article 168).

The ICT Law also provides that a person is not allowed to transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail where (article 223):

the identity of the person who has sent the communication has been disguised or concealed;
an address to which the recipient of the communication may send a request that such communication ceases has not been provided.

Sending unsolicited commercial communication to consumer is sanctioned by an administrative fine of between RWF 50,000 and RWF 500,000.

The Cyber Crime Law establishes spamming as a criminal offence (article 37). The Cyber Crime Law defines spamming as any intentional and without authorisation from a competent organ sending of unsolicited messages repeatedly or to a large number of persons by use of a computer or a computer system. Spamming also include the use of a computer or a computer system, after receiving a message, to retransmit such a message to many persons or retransmit it several times to a person who doesn’t need it.

The penalties for this offence are an imprisonment term of 3 months to 6 months and a fine of RWF 300,000 to RWF 500,000 (article 37).

The prosecution of spamming offence is however instituted only upon complaint of the offended person (article 37).

Last modified 17 January 2024

There are specific rules in KSA relating to the use of personal data for marketing purposes. The PDPL and its Implementing Regulations contain various conditions around when personal data may be processed for the purposes of direct marketing. Additional requirements may also apply in certain contexts – for example, in the context of e-commerce activity.

Last modified 23 February 2024

According to Article 47, in Senegal it is prohibited for anyone to carry out direct marketing using any means of communication in any form whatsoever, of the data for a staff of a natural person who has not expressed his consent prior to receiving such surveys.¹ It is important to note that Article 47 does not differentiate between the means of marketing but prohibits all direct marketing that lacks prior consent.

Article 16 of the Senegalese Electronic Transactions Law² provides more specific regulations on the marketing of data. The following are prohibited:

direct marketing by sending a message by means of an automated calling machine, a fax machine or an e-mail using, under whatever form the contact details of a natural person who has not expressed its prior consent to receive direct surveys.
The exception to this, is if the recipient’s details have been collected directly from in accordance with the provisions of the Law on the Protection of Personal data or on the occasion of a sale or supply of services, the direct marketing concerns similar products or services provided by the same natural or legal person, and if the consignee is offered, expressly and unambiguously, the possibility to oppose, without cost, except those related to the transmission of the refusal and in a simple way, to the use of its coordinates when they are collected and whenever an email from propsection is specifically addressed to said person.
However, in any case, it is prohibited to issue, for direct marketing purposes, messages via automatic calling machines, faxes and emails, without indicating valid details to which the addressee could usefully forward a request to cease the use of their information for marketing.

Footnotes

1: 2008-12 of 25 January 2008 on the Protection of Personal Data, Articles 47
2: Senegalese Electronic Law

Last modified 23 February 2024

Electronic marketing is only mentioned in the DP Law in the context of the data subjects' right of complaint. The rules on this subject are envisaged by the Law on Electronic Trade ('Official Gazette of the Republic of Serbia', nos. 41/2009, 95/2013 and 52/2019), EC Law (as defined above in the section on Breach Notification), the Law on Advertising ('Official Gazette of the Republic of Serbia', nos. 6/2016 and 52/2019) and the Consumer Protection Law (Official Gazette of the Republic of Serbia, no. 88/2021) (together, the "Relevant Legislation").

In brief, based on the Relevant Legislation, electronic marketing is only allowed if it is covered by an explicit, prior consent of the person to whom the respective marketing is directed. Additionally, recipients should always be:

Clearly informed of the identity of the sender and commercial character of the communication (this information should be provided in the Serbian language prior to commencing the marketing).
Provided with a way to opt out of future marketing messages, at any time and free of charge.

For the sake of completeness, it should be noted that, under the most recent changes from July 2019 of the aforementioned Law on Electronic Trade, the same principle that previous consent is necessary for electronic marketing, i.e. for electronic commercial communication, remained, but it is also envisaged now that certain types of electronic communication shall not be regarded as commercial communication and, consequently, should not be subject to previous consent. Such exempt communications include (1) providing information which enables direct access to business activities of a particular entity such as information on its e-address or e-mail and (2) providing information on a particular entity's goods, services or business reputation if such information is obtained by research or in some other similar way and if it is provided free of charge.

Finally, it is also envisaged by the new Serbian Consumer Protection Law, as referred to above, which became applicable (with the exception of some of its provisions) on 20 December 2021, that it is forbidden to make phone calls and/or send messages by phone to any individuals/consumers whose phone numbers are inscribed in the register of consumers who do not want to receive calls and/or messages as a part of a promotion and/or sales by phone. This register shall be public in its part relating to the phone numbers and date of the inscription in the register. It should also be noted that, regardless of the inscription in this register, consent of a consumer for direct marketing provided to a particular entity/trader before or after the inscription in the register, remains valid until its withdrawal made in line with the DP Law.

Last modified 17 January 2024

Although not specifically provided for in the Act, the latter will apply to most electronic marketing activities, as there is likely to be processing and use of personal data involved (for instance, an email is likely to be considered as personal data for the purposes of the Act).

Last modified 17 January 2024

The data protection principles in the Act apply to any marketing activities (including electronic marketing) which involve the collection, use or disclosure of personal data.

In addition, any organization or person that wishes to engage in any telemarketing activities will need to comply with the "Do Not Call" provisions under the Act. Generally, a person or organization who wishes to send marketing messages to a Singapore telephone number should first obtain the clear and unambiguous consent of the individual to the sending of the messages to such Singapore telephone number. The consent must:

be evidenced in written or other form so as to be accessible for subsequent reference;
not be a condition for supplying goods, services, land, interest or opportunity; and
not be obtained through the provision of false or misleading information or through deceptive or misleading practices.

In the absence of such consent, organizations must check and ensure that the telephone number is not on a Do-Not-Call register maintained by the Commission (“DNC Register”). There are also other requirements, including a duty to identify the sender of the marketing message and provide clear and accurate contact information, as well as a duty not to conceal the calling line identity of any voice calls containing such marketing messages. An individual may at any time apply to the Commission to add or remove his Singapore telephone number on the DNC Register.

Further, the current Act provides the role of “checkers” which are entities that provide information for gain on whether a Singapore telephone number is listed in the DNC Register for the purposes of another organization’s obligations under the Act. It imposes obligations on third party checkers, and checkers will be liable for DNC infringements resulting from any erroneous information provided by them.

The Act will apply to marketing messages addressed to a Singapore telephone number in the following circumstances:

The sender of the marketing message is present in Singapore when the message was sent.
The recipient of the marketing message is present in Singapore when the message is accessed.

Electronic marketing activities are also regulated under the Spam Control Act 2007 ("SCA"), to the extent that such activities involve the sending of unsolicited commercial communications in bulk by electronic mail or by SMS or MMS to a mobile telephone number.

The DNC provisions under the current Act include a prohibition on sending messages to telephone numbers generated or obtained through dictionary attacks (generating telephone numbers by combining numbers into numerous permutations) or address-harvesting software. Related amendments to the SCA to prohibit sending unsolicited electronic messages to instant messaging accounts are also in force.

The Commission issued the revised Advisory Guidelines on the Do Not Call Provisions on February 1, 2021.

Last modified 23 January 2025

National Ordinance Personal Data Protection

N/A.

GDPR

Under article 22 GDPR organizations cannot send marketing emails without active, specific consent.

Companies can only send email marketing to individuals if:

The individual has specifically consented.
They are an existing customer who previously bought a similar service or product and were given a simple way to opt out.

Last modified 10 February 2025

With effect as of 1 February 2022, the electronic marketing is regulated by the Act No. 452/2021 Coll. on Electronic Communications, as amended (the “Act”). With the effectiveness of the Act, the former regulation, i.e. Act No. 351/2011 Coll. on Electronic Communications, as amended, has been repealed.

The Act transposed Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing a European Electronic Communications Code into the Slovak law.

The Act introduced new requirements for obtaining consent and conditions for conducting direct marketing including its definition.

According to the Act, the direct marketing means any form of presentation of goods or services in written or oral form, sent or presented through a publicly available service directly to one or more subscribers or users.

The Act stipulates that the use of automatic call and communication systems without human intervention, fax, e-mail and SMS and MMS message service is permitted towards the subscriber or user only with his / her prior demonstrable consent obtained before contacting the subscriber or user. For the purposes of obtaining prior consent, the use of automatic calling and communication systems without human intervention, fax, electronic mail and short message service is prohibited.

Consent that meets the requirements of Article 4 (11) GDPR is considered to be demonstrable consent for the purposes of direct marketing. The person to whom such consent was granted is obliged to keep a durable medium on which the demonstrable consent of the subscriber or user is recorded for a period of at least four years from the withdrawal of the consent by the subscriber or user. When obtaining the consent of the subscriber or user, the person carrying out direct marketing is obliged to indicate the way in which the consent can be easily revoked.

The subscriber or user can at any time withdraw the previous consent or object to the call for the purpose of direct marketing or obtaining consent. The person to whom such consent has been revoked or to whom the call has been objected is obliged to demonstrably confirm to the subscriber or user the revocation of such consent or the acceptance of the objection to the call no later than 30 days after the date of revocation of consent or the receipt of the objection to the call and to keep the confirmation of the revocation of the consent or the acceptance of the objection to the call on a durable medium for a period of at least four years from the withdrawal of consent or call objections.

The Act introduced also the list of the phone numbers, which will be held by the Office for Electronic Communications and Postal Services and which will include the phone numbers stipulated by subscribers or users for the purpose of expressing disagreement with the call for direct marketing purposes and for verifying the listing of a telephone number or group of telephone numbers by the person carrying out direct marketing in the list of telephone numbers (the “list”).

For the purposes of direct marketing, any call is prohibited if the subscriber or user has:

provided a phone number in the list; or
objected to such calls to the person for whose benefit direct marketing is carried out (this does not apply if the subscriber or user revoked the objection to calls for the purposes of direct marketing to the person for whose benefit direct marketing is carried out or granted his / her consent in the time after the last update of the phone number in the list).

The prior consent of the recipient of electronic mail, SMS and MMS message service is not required if it is a direct marketing of a person's own similar goods and services, and if his / her contact details for the delivery of electronic mail, SMS and MMS message service were obtained by the same person in connection with the sale of goods or services, or if it is direct marketing addressed to the published contact details of subscriber or user who is a natural person - entrepreneur or legal entity. The recipient of electronic mail, SMS and MMS message service must be given the opportunity to simply and free of charge at any time to refuse such use of the contact data at the time of their acquisition and with each delivered message if he / she has not previously refused such use. It is forbidden:

to send electronic mail from which the identity and address of the sender is unknown, to which the recipient can send a request to stop sending such messages; and
to encourage visitors to visit a website in violation with a special regulation.

Last modified 17 January 2024

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47 GDPR). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3) GDPR).

As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

Direct marketing by means of electronic communications is regulated by the Consumer Protection Act (Zakon o varstvu potrošnikov, Official Gazette 130/22), the Electronic Commerce Market Act (Zakon o elektronskem poslovanju na trgu, Official Gazette 96/09 as amended from time to time and in force), the Electronic Communications Act (Zakon o elektronskih komunikacijah, Official Gazette no. 130/22) and ZVOP-2.

The consent of an individual is required for the purposes of electronic marketing. Direct marketing is allowed where the "similar service / product" exemption applies, however customers must be given clear and distinct opportunity to refuse the use of their electronic mail address at the time of the collection of these contact details, and on the occasion of every message in the event that the customer has not initially refused such use. Additionally, the sending of electronic mail for the purposes of direct marketing, which disguises or conceals the identity of the sender, or is sent without a valid address, is prohibited.

Last modified 17 January 2024

Direct marketing by means of unsolicited electronic communications is regulated by POPIA whereby the opt-in regime has taken effect. Accordingly, under POPIA, the processing of a data subject's personal information for the purposes of direct marketing by means of unsolicited electronic communications is prohibited unless the data subject has given its consent, or the email recipient is an existing customer of the responsible party. A responsible party may only approach a data subject once in order for the data subject to opt in to receive marketing information. The Regulations to POPIA contain a prescribed form to be used when seeking this opt-in.

When sending emails to a data subject who is an existing customer:

the responsible party must have obtained the details of the data subject through a sale of a product or service;
the marketing should relate to its own similar products or services; and
the data subject must have been given a reasonable opportunity to opt out, free of charge, of the use of its personal information for marketing when such information was collected and on each occasion that marketing information is sent to the data subject, if the data subject has not initially refused the use of the personal information for electronic marketing purposes.

Direct marketing that is not by electronic communications (i.e. telephone or in-person marketing) continues to be regulated by the Consumer Protection Act, which requires the consumer to have an opportunity to opt out of receiving direct marketing.

Last modified 17 January 2024

Under the Act on the Promotion of Information and Communications Network (the “Network Act”), anyone who intends to transmit an advertisement by electronic transmission media must receive the explicit consent of the individual, but if the individual either withdraws consent or does not give consent, then an advertisement for profit may not be transmitted.

In addition, the transmitter of advertisement information for profit must disclose the following information specifically within the advertisement:

The identity and contact information of the transmitter; and
Instructions on how to consent or withdraw consent for receipt of the advertisement information.

A person who transmits an advertisement shall not take any of the following technical measures:

A measure to avoid or impede the addressee's denial of reception of the advertising information or the revocation of his consent to receive such information;
A measure to generate an addressee's contact information, such as telephone number and electronic mail address, automatically by combining figures, codes, or letters;
A measure to register electronic mail addresses automatically with intent to transmit advertising information for profit, and various measures to hide the identity of the sender of advertising information or the source of transmission of an advertisement.

Last modified 20 January 2025

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, since the AEPD defends the viewpoint that e-Marketing laws are more specific than GDPR/NLOPD and shall prevail on the latter when data protection and e-marketing elements do concur (a problem that would not be present when marketing deliverables are provided off electronic channels, in which case other legal bases for processing, like the legitimate interest of the sponsor could be considered again). Where consent is relied upon, AEPD claims that the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is expected to be replaced very soon by a EU-level Regulation, whose drafting procedures are nearly finalised. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive shall be replaced, the AEPD claims, with the GDPR standard for consent.

Electronic Marketing is regulated in Spain specifically by the Spanish Act on the Information Society Services and e-Commerce 34/2002 ('LSSI'). The general principle is that deliveries of electronic marketing materials are lawful only if they have been explicitly authorised in advance by the recipients (authorisation that is required not just for individuals, but also where the recipient is a legal entity, broadening here the scope of Spanish Data Protection Act). An exception to this general principle applies to deliveries to clients when the materials refer to products/services that are equal or similar to the ones sold to them in the past by the company sponsoring the advertisement.

Electronic publicity shall:

be clearly marked as such by means of the terms PUBLI or PUBLICIDAD placed inside the subject line,
allow the recipient to opt-out at all times, even at the time of registration, and
clearly identify the sponsor of the delivery. It is the sponsor of the delivery, not the electronic publicity company that shall be held liable in case of enforcement. Opt-out shall include an email address when the publicity was delivered by email too. Opt-out procedure shall be simple and free for the recipient of the publicity.

Enforcement shall include, inter alia, fines that, in most cases, shall be between EUR 30,000 and EUR 150,000.

The NLOPD states that databases containing the identification details of those data subjects who have expressed their opposition to receiving commercial communications may be created (the so-called “Robinson’s Lists”). These databases must be reviewed by the entities sending commercial communications (the access details to these databases will be published by the AEPD) unless the relevant data subjects have previously granted their consent to receiving such commercial communications.

Finally, it shall also be taken into account that that the NLOPD permits processing activities where the purpose is to avoid sending commercial communications to those data subjects who have expressed their opposition to receiving them.

Last modified 22 January 2024

The data protection principles enshrined in the PDPA apply in relation to any electronic marketing activity carried out using personal data.

In addition, if direct marketing messages are to be sent using electronic or any other means, the controller must first obtain consent from the data subject prior to sending such message, which are identified as ‘solicited messages’ under the law.

Therefore, unlike the GDPR, legitimate interests cannot be used as the legal basis for processing personal data in sending electronic marketing messages to data subjects.

Consent under the PDPA is required to be freely given, specific, informed and unambiguous indication in writing or by affirmative action. The conditions governing consent under the PDPA set out that:

the controller should be able to demonstrate that consent was obtained from the data subject;
if consent is provided in a written form which also concerns other matters, the request for consent should be clearly distinguishable;
the performance of a contract should not be conditional on a data subject’s consent to processing his personal data that is not necessary for the same; and
the data subject must be informed, before they give consent, that they may withdraw consent at any time.

Additionally, when sending solicited messages, the controller should:

provide the data subject information on how they may opt out of receiving such messages, free of charge; and
inform the data subject of the nature of the message, to whom it is intended, and the identity of the controller or the third party on whose behalf the controller is disseminating the message.

The PDPA also allows the Authority to introduce rules, codes or prefixes that controllers should adopt to identify different categories of solicited messages. However, given that the law is in its transitional stage, such rules have not yet been introduced.

The aforesaid restrictions on marketing would not apply where marketing is aimed at corporate subscribers.

Last modified 3 January 2024

EU regulation

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (“ePrivacy Directive”), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

Sweden regulation

There is no provision in the Data Protection Act which particularly concerns the processing of personal data in relation to electronic marketing.

There is, however, other legislation in Sweden (such as the Marketing Act (2008:486) that regulates electronic marketing in Sweden.

Under the Marketing Act, unsolicited automated electronic marketing (by inter alia email) to natural persons generally requires prior consent. It is, however, allowed to conduct email marketing to natural persons without prior consent provided that the person has not objected to such, if the trader has received the email address of the individual in connection with sales of a similar product. In these cases, the addressee must be given the option to opt out of marketing both when the email address is collected and subsequently along with each marketing email.

The Marketing Act also states that, in the case of email marketing, the email message must always contain a valid address to which the recipient can send a request for the marketing to cease. This applies to marketing to natural persons as well as to legal entities.

Note that certain provisions relating to electronic marketing under Swedish law may be amended in the future due to the upcoming ePrivacy Regulation which will become immediately enforceable as law in all EU member states.

Last modified 22 January 2024

Electronic marketing practices must comply with the provisions of the Swiss Federal Act Against Unfair Competition (UCA).

With regard to the sending of unsolicited automated mass advertisement (which, in addition to emails, includes SMS, automated calls and fax messages), the UCA generally requires prior consent by the recipient, i.e., 'opt-in'. As an exception, mass advertisings may be sent without the consent of the recipient:

If the sender received the contact information in the course of a sale of his/her products or services;
if the recipient was given the opportunity to refuse the use of his/her contact information upon collection (opt-out); and
if the mass advertising relates to similar products or services of the sender.

In addition, mass advertising emails must contain the sender’s correct name, address and email contact and must provide for an easy-access and free of charge ‘opt-out’ from receiving future advertisements.

The UCA generally applies to business-to-consumer as well as to business-to-business relationships, i.e., mass advertisements sent to individuals and to corporations are subject to the same rules.

Direct marketing by telephone is not per se impermissible in Switzerland as long as it is not done in an aggressive way (e.g., by repeatedly calling the same person). However, the UCA prohibits direct marketing by telephone:

If the recipient is not listed in the Swiss telephone directory or if the recipient is listed in the Swiss telephone directory, but has indicated that he/she does not wish to receive advertising from persons with whom he/she has no business relationship; or
if the caller is not calling from a telephone number that (i) is listed in the Swiss telephone directory, (ii) is shown when calling, and (iii) he/she is entitled to use.

In order to enforce the above criteria, the UCA not only sanctions the violation of these principles, but also the use of information that has been obtained in violation thereof (e.g. someone using the information obtained from non-compliant call centres). An intentional violation can be sanctioned with a custodial sentence of up to three years or a monetary penalty.

In addition to the rules of the UCA, the general data protection principles under the DPA also apply with regard to electronic marketing activities, e.g., the collection and maintenance of email addresses or processing of any other personal data.

Last modified 22 August 2023

If a data collector wishes to use a data subject’s personal data for the purpose of direct marketing whether electronic or otherwise, such data collector is required to give the data subject a privacy notice (see Collection and Processing).

If a data subject requests the data controller to cease direct marketing, the data collector must stop using the data subject’s personal data for marketing.

In this regard, when a data collector uses personal data of a data subject to conduct marketing for the first time, the data collector must advise the data subject that they have the right to require cessation of the marketing and provide the data subject with information as to how to exercise such right. Also, the data collector must bear the cost of the first cessation request (e.g. by providing a toll-free line to call or a stamped pre-addressed envelope for return mail).

Last modified 18 December 2023

The Law of Tajikistan 'On Electronic Commerce' was recently adopted. This provides comprehensive legal regulation on digital commerce, establishing clear rules for electronic trading participants, including requirements for information support, procedures for transaction execution, data security, and liability of the parties.

Last modified 27 January 2025

The PDPA refers to regulations to be made relating to commercial use of personal data. It provides that a data subject can enter into a contract with a data controller for the processing of his / her personal data for pecuniary benefits or request a data controller to cease using his / her personal data for direct marketing in accordance with procedures to be set out in regulations to be made under the PDPA.¹

The PDPA Regulations entitle a data subject to request a data controller or processor to erase or destroy the personal data held by them if the processing of such data is for commercial purposes and the data subject is unwilling for his data to be used commercially.² Where processing of personal data is by automated means for the purpose of evaluating matters related to a data subject or is likely to constitute the sole basis for any decision which significantly affects the subject, a data controller must also notify a data subject of the logic involved in that decision and their right to object to the use of their personal data in commercial advertisements.³

As advised above, the PDPA requires data controllers and processors to process personal data for the specific purpose for which it has been collected (Please refer to our advice on Collection Processing of Data above on the requirements to be complied with by the data controllers and data processors while using personal data). This implies that a person cannot use personal data obtained under the PDPA for commercial use, including electronic marketing, except with the consent from the data subject unless such use is authorised under any written law in Tanzania and the data subject has been informed of such use at the time the data was collected.

Further, financial services providers are prohibited from sharing consumers’ information with a third party for any purpose, including electronic marketing, unless such information is used for the purpose that is consistent with the purpose for which it was originally collected, and the prior written consent of the affected consumer has been obtained before such information is used for any promotional offers.⁴

Footnotes

1: Section 35 of the DPA
2: Regulation 17(d) of the PDPA Regulations
3: Section 33(1)(c) of the PDPA and regulation 19(2)(e) of the PDPA Regulations
4: Regulation 39(b) and (c), Financial Consumer Protection Regulations

Last modified 25 January 2024

Under the PDPA, data subjects have the right to object to direct marketing (whether or not electronic). Therefore, Data Controllers must ensure that there is an opt–out function implemented throughout the entire processing period.

Last modified 6 January 2025

None.

Last modified 15 February 2022

The DPA has no specific provision regarding electronic marketing.

However, Section 58 of the Electronics Transaction Act (not yet in force) requires that anyone performing the following acts shall provide the consumer with a clearly specified and easily activated option to opt out of receiving future communications:

Sending unsolicited commercial communications through electronic media to consumers in Trinidad and Tobago
Knowingly using an intermediary or a telecommunications service provider in Trinidad and Tobago to send unsolicited commercial communications
Sending unsolicited electronic correspondence to consumers while having a place of business in Trinidad and Tobago

Last modified 26 January 2023

Electronic Marketing is regulated under Tunisian Law by The Electronic Exchanges and Electronic Commerce Law n° 2000-83 enacted on August 9, 2000.

This law is quite comprehensive and regulates the main aspects of this field. For instance:

The preservation of the electronic document is as important as the preservation of the written document; and
Each person using an electronic signature device shall:
- Take minimum precautions to avoid illegitimate use of encryption elements or personal signature equipment; and
- Inform the electronic certification service provider of any fraudulent use of his electronic signature.

For matters concerning personal data that have not been regulated by this law, the general protection regime should be applied.

Concerning the exercise of digital advertising, Law n°2004-63 requires the consent of the person concerned. In this context, article 30 of the said Law provides that:

“It is prohibited to use the processing of personal data for promotional purposes unless the data subject, his heir or his tutor gives his explicit and specific consent. This consent shall be governed by the general rules of law. The provisions of article 28 of the hereby Act shall apply if the data subject is a child".

Last modified 27 January 2025

The Law on Regulation of Electronic Trade was published in the Official Gazette on November 5, 2014 (Electronic Trade Law). The Electronic Trade Law came into force on May 1, 2015. Secondary legislation (The Regulation on Electronic Trade) was published in the Official Gazette on August 26, 2015, and came into force on the same date.

Pursuant to the Electronic Trade Law, commercial electronic communications (electronic marketing) can only be sent by if prior consent (opt-in) has been obtained from recipients. Such consent may be obtained in writing or through means of electronic communication, although if the consent is taken in physical from, must contain the recipient's signature. Commercial electronic communications can be sent to craftsman and merchants without obtaining prior consent. The commercial electronic communication must comply with the consent obtained from recipients, and must contain the identity of the service provider, contact information (such as email, SMS, telephone number, fax number (depending on the type of commercial electronic communication)), and, if sent on behalf of a third party, information about that third party.

Pursuant to Regulation on Commercial Communication and Commercial Electronic Messages, a registry named Message Management System (“IYS”) is established on January 4, 2020. Pursuant to the Regulation, all entities that wish to send commercial electronic messages (SMS, E-mail or calls) must register with IYS.

Commercial electronic messages are defined as “messages sent to electronic communication addresses (including audio calls) of recipients, for the purpose of promoting or advertising a product, service or business, and / or to increase the reputation of such through content including a greeting or a wish”.

The deadline for the service providers with 150.000 or more collected opt-ins to register with the IYS was December 31, 2020. The deadline for the service providers with 149.999 or less collected opt-ins was 31.05.2021.

Failure to register the collected opt-ins to IYS will result in all opt-ins consents to be invalid.

As of registration, opt-in consents can be obtained in writing or in any other electronic medium via IYS. It is required to report opt-in consents (which were not obtained via IYS) to IYS within 3 business days as of obtaining. All opt-in consents which were not reported to IYS will be deemed invalid.

Also, recipients will be able to submit their opt-out requests via IYS. Opt-out requests (which are not received via IYS) must be reported to IYS within three (3) business days. Sending commercial electronic messages must be stopped within three (3) business days as of receiving the opt-out request of the recipient.

Please note that obtaining opt-in consent is not necessary for commercial electronic messages if it is sent to merchants and craftsmen. However, they should also be registered with IYS and, it required to be checked whether they exercise their right to opt-out.

Consumers have the right to refuse a commercial electronic communication, and the service provider is obliged to allow the free transmission of the refusal. Commercial electronic communications to the recipient must cease within three business days of the receipt of refusal. For 2024, non-compliance with opt-in requirements is subject to administrative fines up to TRY 71,880 (approx. € 1,955).

Since electronic marketing activities include more and more use of personal data, the Electronic Trade Law and the LPPD often may be implicated at the same time. The Personal Data Protection Board Decision dated October 16, 2018 numbered 2018/119 states that commercial electronic communications such as advertisement notifications and marketing telephone calls also fall within the scope of the LPPD. However, this decision raised some questions regarding the application and enforcement of the Electronic Trade Law and LPPD at the same time, especially in relation to fines which may be imposed twice both according to the LPPD and the Electronic Trade Law.

Last modified 27 January 2025

Article 5(8) of the Law of Turkmenistan ‘On Advertising’ prohibits distribution of any information protected by the law (including personal data) for advertising purposes.

Last modified 23 December 2022

According to Part 2 of the Commissioner’s Guidance, it is not always necessary to seek consent under the DPR to conduct direct marketing activities, such as sending marking emails. In many cases, it will be possible to rely upon legitimate interests (Section 5(1)(f) DPR) as the relevant legal basis for Processing. If relying on legitimate interests, it is important to ensure that individuals are given the right to object both at the point at which their Personal Data is collected for direct marketing purposes, and within each communication (for example, by way of an “unsubscribe link” in an email). A pre-ticked box may be sufficient when offering the right to object at the point of data collection.

Whenever are relying on legitimate interests as the legal basis for Processing for direct marketing, consider whether the legitimate interests in conducting the marketing are overridden by the interests or rights of the Data Subject. Depending on the context of the direct marketing activities (for example, if the content of those marketing communications relates to products or services which are sensitive in some way, such as health related services), there may be instances where it will not be appropriate to rely on this as the relevant legal basis and consent would be more appropriate. Controllers must also ensure that they continue to meet their obligation to comply with the principles of transparency and fairness under Section 4 DPR by clearly describing their direct marketing activities in the applicable privacy notice.

Last modified 9 January 2024

The DPL requires Controllers to provide Data Subjects with various pieces of information when they process their personal data (typically by way of a privacy notice, which must meet the detailed requirements set out Part 5 of the DPL), including whether the personal data will be used for direct marketing purposes.

Whilst consent is not expressly required (implying that one of the other legal bases can potentially be relied upon), Data Subjects do have the right to:

be informed before Personal Data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses; and
where Personal Data is Processed for direct marketing purposes, object at any time to such Processing, including Profiling to the extent that it is related to such direct marketing.

(Article 34 DPL)

The Controller should also make clear in its Notification to the Commissioner that one of the purposes for which it Processes Personal Data is that of direct marketing.

Last modified 27 January 2025

The HDPR does not contain specific provisions relating to electronic or direct marketing.

Last modified 27 January 2025

There are no general laws in the UAE law covering electronic marketing, however the TDRA has issued a regulation governing telecommunications licensees' electronic communications with subscribers, as well as how they should monitor spam passing through their networks. As described in Collection & Processing, the PDPL also provides a right for Data Subjects to object to, or stop, the Processing of his / her Personal Data where it is being utilised for direct marketing purposes.

Article 6 of the Cyber Crime Law, Article 24.6 of the TDRA's Consumer Protection Regulation v2.0 are also worded widely enough to potentially apply to electronic marketing Article 4 of the Cabinet Decision No. 56/2024 On Regulating Telemarketing via Telephone Calls also requires consent be obtained prior to sending any electronic marketing sent via messages on social media platforms under the broad definition of 'Telemarketing Phone Calls'.

The TDRA's Unsolicited Electronic Communications Regulation states that telecommunications licensees are under a general obligation to put all practical measures in place to minimise the transmission of Spam having a UAE Link across their Telecommunications Networks, and where they are aware of Spam having a UAE Link sent to or from a particular Electronic Address, they must take all practical means to end the transmission of that Spam and to prevent the future transmission of such Spam. Spam is defined as Marketing Electronic Communications sent to a Recipient without obtaining the Recipient's Consent. Although the Unsolicited Electronic Communications Regulation is targeted and enforced against telecommunications licensees, it effectively puts an obligation upon the licensees to minimise and prevent Spam from being transmitted through their networks.

Federal Decree Law No 14 of 2023 On Trading by Modern Technological Means (“TMTM Law”) places further obligations on merchants who trade by modern technological means to protect consumer rights when conducting business.

Article 5 of the TMTM Law places the obligation on merchants to meet the conditions and requirements approved by the competent authorities regarding the advertising and marketing campaigns and the exchange of consumer data.

Article 6 of the TMTM Law provides consumers with the right to choose whether to receive advertising and marketing campaigns or not via phone calls, emails or social media platforms.

Last modified 27 January 2025

There is no electronic marketing regulation in Uganda.

Last modified 27 January 2025

The Law of Ukraine "On Electronic Commerce" dated September 3, 2015 provides for certain legal requirements for distribution of commercial electronic messages in the area of electronic commerce (i.e. electronic messages in any form, the purpose of which is to promote, directly or indirectly, goods, works, services, business reputation of a party engaged in a business or self-employed professional activity). In particular, commercial electronic messages shall be distributed only subject to the consent given by individual to whom such messages are addressed. At the same time, commercial electronic messages may be distributed to an individual without his / her consent only if such individual has an option to object to receiving such messages in future.

In addition, commercial electronic messages shall satisfy the following criteria:

Commercial electronic messages shall unequivocally be identified as such;
The recipient shall have easy access to information regarding the person sending the message as stipulated by the Law of Ukraine "On Electronic Commerce", in particular:
- full name of legal entity / individual and place of registration / residence;
- email / website of the online shop;
- registration number or tax ID number / passport details (for individuals);
- license data (in case if it is mandatory under the law);
- inclusion of taxes in calculation of the price of goods / services; and
- price of delivery of goods (in case if delivery is performed).
Commercial electronic messages regarding sales, promotional gifts, premiums and etc. shall be unequivocally identified as such and the conditions of receiving of such promotions shall be clearly stated to avoid their ambiguous understanding as well as shall comply with advertising legislation.

In addition, under the Law of Ukraine "On Electronic Communications" dated December 16, 2020, end-users may use telephone numbers or other network subscriber identifiers obtained by any person in the course of selling goods or providing services to send advertisements for the purpose of selling goods or services only with the consent of the end-user, including in electronic form, and if the recipient is given the opportunity to refuse the use of his or her data at any time, free of charge, in a simple and understandable manner.

Furthermore, distribution of spam is generally prohibited. Spam is defined quite broadly as more than five messages (electronic, text and / or multimedia messages) sent to one recipient without the recipient's prior consent.

Last modified 27 January 2025

The UK GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the UK GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are found in the Privacy and Electronic Communications Regulations 2003 (as amended) (“PEC Regulations”). The PEC Regulations are derived from European Union Directive 2002/58/EC (ePrivacy Directive), which have been retained in UK law post-Brexit.

The PEC Regulations prohibit the use of automated calling systems without the consent of the recipient. The PEC Regulations also prohibit unsolicited electronic communications (ie by email or SMS text) for direct marketing purposes without prior consent from the consumer unless:

the consumer has provided their relevant contact details in the course of purchasing a product or service from the person proposing to undertake the marketing
the marketing relates to offering a similar product or service, and
the consumer was given a means to readily 'opt out' of use for direct marketing purposes both at the original point where their details were collected and in each subsequent marketing communication.

Each direct marketing communication must not disguise or conceal the identity of the sender and include the 'unsubscribe' feature referred to above.

The restrictions on marketing by email / SMS only applies in relation to individuals and not where marketing to corporate subscribers.

Enforcement of a breach of the PEC Regulations is dealt with by the ICO. The maximum fine for a breach of the PEC Regulations is GBP 500,000, which can be issued against a company or its directors. The ICO regularly issues fines for direct marketing violations, and it is not uncommon for these to be in the hundreds of thousands of pounds range.

Last modified 6 February 2025

The US regulates marketing communications extensively, including email and text message marketing, as well as telemarketing and fax marketing.

Email

The CAN-SPAM Act is a federal law that applies labeling and opt-out requirements to all commercial email messages. CAN-SPAM generally allows a company to send commercial emails to any recipient, provided the recipient has not opted out of receiving such emails from the sender, the email identifies the sender and the sender’s contact information, and the email contains instructions on how the recipient can easily and without cost opt out of future commercial emails from the sender. The FTC and state Attorneys General, as well as ISPs and corporate email systems can sue violators. Knowingly falsifying the origin or routing of a commercial email message is a federal crime.

Text Messages

Federal and state regulations apply to the sending of marketing text messages to individuals. Express consent is required to send text messages to individuals, and, for marketing text messages, express written consent is required (electronic written consent is sufficient, but verbal consent is not). The applicable regulations also specify the form of consent. This is a significant class action risk area, and any text messaging (marketing or informational) program needs to be carefully reviewed for strict compliance with legal requirements.

Calls to Wireless Phone Numbers

Similar to text messages, federal and state regulations apply to marketing calls to wireless phone numbers. Prior express consent is required to place phone calls to wireless numbers using any autodialing equipment, and, for marketing calls, express written consent is required (electronic written consent is sufficient, but verbal consent is not). The applicable regulations also specify the form of consent. This is a significant class action risk area, and any campaign or program that involves calls (marketing or informational) to phone numbers that may be wireless phone numbers needs to be carefully reviewed for strict compliance with legal requirements. The definition of autodialing equipment is generally considered to, broadly, include any telephone system that is capable of (whether or not used or configured storing or producing telephone numbers to be called, using a random or sequential number generator.

Telemarketing

Beyond the rules applicable to text messaging and calling to wireless phone numbers, there are federal and state telemarketing laws as well. Federal telemarketing laws apply to most telemarketing calls and programs, and state telemarketing law will apply to telemarketing calls placed to or from within that particular state. As a result, most telemarketing calls are governed by federal law, as well as the law of one or more states. Telemarketing rules vary by state, and address many different aspects of telemarketing, such as calling time restrictions, do-not-call registries, opt-out requests, mandatory disclosures, requirements for completing a sale, executing a contract or collecting payment during the call, further restrictions on the use of auto-dialers and pre-recorded messages, and record-keeping requirements. Many states also require telemarketers to register or obtain a license to place telemarketing calls.

Fax Marketing

Federal law and regulations generally prohibit the sending of unsolicited advertising by fax without prior, express consent. Violations of the law are subject to civil actions and have been the subject of numerous class action lawsuits. The law exempts faxes to recipients that have an established business relationship with the company on whose behalf the fax is sent, as long as the recipient has not opted out of receiving fax advertisements and has provided their fax number ‘voluntarily,’ a concept which the law specifically defines.

The law also requires that each fax advertisement contain specific information, including:

A ‘clear and conspicuous’ opt-out method on the first page of the fax
A statement that the recipient may make a request to the sender not to send any future faxes and that failure to comply with the request within 30 days is unlawful, and
A telephone number, fax number, and cost-free mechanism to opt-out of faxes, which permit consumers to make opt-out requests 24 hours a day, seven days a week
Violations are subject to a private right of action and statutory damages, and thus pose a risk of class action lawsuits

Last modified 6 February 2025

The Act will apply to most electronic marketing activities, as these activities likely involve the processing and use of personal data (e.g. an email address is likely to be "personal data" for the purposes of the Act). The Act does not prohibit the use of personal data for the purposes of electronic marketing but grants personal data owners with the right to demand the elimination or blocking of their data from the data base.

Personal data can be used and processed for marketing purposes when it has been taken from public documents, when it has been provided by the personal data owner or when prior consent has been gathered.

Last modified 28 January 2024

The Law on Personal Data does not specifically regulate the use of personal data in electronic marketing. However, considering that the Law on Personal Data applies to any processing of personal data this Law will also cover processing of personal data in electronic marketing.

In addition to the above, the Law of the Republic of Uzbekistan No. ZRU-792 "On E-Commerce" dated 29 September 2022, effective from December 31, 2022, stipulates that the terms of use of personal data in e-commerce trading may be contractually agreed by e-commerce participants.

Lastly, the Law of the Republic of Uzbekistan No. ZRU-776 "On Advertisement" (new edition) adopted on 7 July 2022 and effective from September 9, 2022, introduced new rules for dissemination of advertisements via telecommunication networks. A prior consent of a person is now required for distribution of advertisements through telecommunication networks. Given that telecommunication networks are broadly defined by law, it is most likely that such networks also include Internet and, therefore, this rule shall also apply to distribution of advertisements via Internet.

Last modified 27 January 2025

Electronic Marketing is allowed, but any collection and processing of Personal Data must adhere to the previously explained general principles dictated by the TSJ.

Last modified 12 December 2022

According to Vietnam’s new anti-spam regulation (i.e. Decree No. 91/2020/ND-CP on anti-spam text messages, emails and calls), advertisements by text message, email and call may only be sent or made in compliance with specific requirements, notably including:

it is prohibited to send advertising messages or make advertising calls to phone numbers on the Do-Not-Call Register;
for phone numbers not included in the Do-Not-Call Register, only one initial advertising registration message (i.e. a message inquiring whether the user would like to receive advertising communications from the advertiser) is allowed;
if the user refuses to receive advertising messages after receiving the initial advertising registration message, no further advertising message is allowed;
immediately after receiving a refusal request from a user, the advertiser must terminate providing advertising messages, email or calls to such user;
no more than three advertising messages / three advertising emails / one advertising call per day may be sent or made to the same user;
advertising messages are only allowed from 7 a.m. to 10 p.m.; advertising calls are only allowed from 8 a.m. to 5 p.m.; and
advertising contents must comply with advertising laws.

Once again, the traders or organizations collecting and using the consumers’ personal information on E-commerce websites must have a specific mechanism for the information subjects to choose the permission or refusal of using their personal information in the cases of using personal information to send advertisements and introduce products and other commercial information.

Additionally, the organization shall not be allowed to hide their names or use unlawfully the name of others when sending advertisements via e-mail or text message. Specific information must be stated in each electronic message: for example, information about the advertiser and the advertising service provider, opt-out function (refusing acceptance of advertisements), and a label identifying “QC” or “ADV” [QC means Adv. in Vietnamese].

With regard to the method of advertising into Vietnam (i.e. to target Vietnam-based recipients), foreign organizations which do not operate in Vietnam (i.e. do not have commercial presence in Vietnam) but wish to advertise their products, goods, services and operation in Vietnam, are required to hire a Vietnam-based advertising service provider (a company with business lines of provision of advertisement) to conduct relevant advertising activities.

Last modified 20 January 2025

Electronic marketing is governed by the Electronic Communications and Transactions Act No. 4 of 2021 (the “ECTA’). The ECTA provides that a person marketing by means of electronic communication shall provide the addressee with:

the person’s identity and contact details including its registered office and place of business, email, contact and customer service number;
a valid and operational opt out facility from receiving similar communications in future;
the identifying particulars of the source from which the originator obtained the addressee’s personal information; and
applicable privacy and other user policies.

The ECTA also places restrictions in respect of unsolicited commercial communications to a consumer. The ECTA provides that a person may send one unsolicited commercial communication to a consumer, such commercial message can only be sent where the opt in requirement is met.

The ECTA further provides that an originator who sends unsolicited commercial communications to an addressee who has opted-out from receiving any further electronic communications from the originator through the originator’s opt out facility, commits an offence.

Last modified 27 January 2025

This is not addressed by the Act or the Regulations. However, obtaining user consent through appropriate disclaimers is recommended.

Last modified 27 January 2025

Quick links

Data Protection in Albania

Electronic marketing

Electronic and direct marketing under the Data Protection Law

The legitimate interests of the controller

The consent of the data subject

Electronic and direct marketing under the Electronic Communications Law

National Ordinance Person Registration

GDPR

EU regulation

Austria regulation

EU regulation

Belgium regulation

Footnotes

Personal Data Protection Act BES

GDPR

EU regulation

Bulgaria regulation

EU regulation

Croatia regulation

National Ordinance Personal Data Protection

GDPR

EU regulation

Denmark regulation

EU regulation

Finland regulation

Electronic marketing to consumers (B2C)

Electronic marketing in France

Electronic marketing in France

Electronic marketing to professionals (B2B)

Electronic marketing in France

EU regulation

Germany regulation

EU regulation

Greece regulation

EU regulation

Ireland regulation

Customer exception

B2B exception

Section 37 of the Act

EU regulation

Latvia regulation

EU regulation

Lithuania regulation

EU regulation

Luxembourg regulation

EU regulation

Malta regulation

EU regulation

Netherlands regulatino

New legislation

Direct Marketing

Internet Service Providers (ISP)

Advertising

EU regulation

Poland regulation

EU regulation

Portugal regulation

EU regulation

Romania regulation

Footnotes

National Ordinance Personal Data Protection

GDPR

EU regulation

Sweden regulation

Footnotes

Email

Text Messages

Calls to Wireless Phone Numbers

Telemarketing

Fax Marketing

Continue reading