Gibraltar: Data Protection & Cyber Security


This country-specific Q&A provides an overview of the data protection and cyber security laws and regulations that apply in Gibraltar.

This Q&A is part of the global guide to Data Protection & Cyber Security. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/data-protection-cyber-security/

  1. Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the laws)?

    The EU General Data Protection Regulation (2016/679) (GDPR) has applied since 25 May 2018 and is directly applicable throughout the EU, including in Gibraltar. It is a wide-ranging regulation designed to protect the privacy of individuals in the European Union (EU) and give them control over how their personal data is processed, including how it is collected, stored and used.

    The Gibraltar Data Protection Act 2004 (DPA) aligns with, and supplements, the GDPR in Gibraltar.

    The Communications (Personal Data and Privacy) Regulations 2006 (the Privacy Regulations), which transpose the Privacy and Electronic Communications Directive (2002/58), aim to protect privacy in the electronic communications sector.

    These laws are enforced by the Gibraltar Regulatory Authority (GRA) as the supervisory authority in Gibraltar.

  2. Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?

    Data protection officers (DPOs) must be registered with the GRA. A DPO is a senior position within an entity (point 11 below clarifies when the appointment of a DPO is mandatory).

    The DPO is responsible for:

    • assisting the entity in monitoring internal compliance with GDPR requirements;
    • informing and advising the entity on its data protection obligations;
    • providing advice regarding “data protection impact assessments” (DPIA); and
    • acting as the entity’s contact point for data subjects and the supervisory authority.

    In order to register with the GRA the DPO must complete and submit a “Data Protection Officer Notification Form” to the GRA.

  3. How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?

    GDPR draws a distinction between “personal data” (i.e. PII) and “special categories of personal data” (i.e. sensitive PII). Personal data means any information relating to an identified or identifiable natural person (the data subject). A natural person is identifiable if he or she can be identified, directly or indirectly, by reference to an identifier (e.g. a name, an identification number, location data or an online identifier such as an IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

    Sensitive PII includes personal data revealing:

    • racial or ethnic origin;
    • political opinions;
    • religious or philosophical beliefs or trade union membership;
    • genetic data;
    • biometric data for the purpose of uniquely identifying a natural person;
    • data concerning health; or
    • data concerning a natural person’s sex life or sexual orientation.

  4. Are there any restrictions on, or principles related to, the general processing of PII – for example, must a covered entity establish a legal basis for processing PII in your jurisdiction or must PII only be kept for a certain period? Please outline any such restrictions or “fair information practice principles” in detail?

    The processing of PII is prohibited unless there is a lawful basis for it. Article 6(1) of GDPR sets out the lawful bases for processing PII as follows:

    • the data subject has given consent to the processing for one or more specific purposes;
    • the processing is necessary for a contract with the individual, or because they have asked for specific steps to be taken before entering into a contract;
    • the processing is necessary to comply with a legal obligation to which the data controller is subject (not including contractual obligations);
    • the processing is necessary to protect the vital interests of the data subject or another person;
    • the processing is necessary to perform a task in the public interest or in the exercise of official authority, and the task or function has a clear basis in law; or
    • the processing is necessary for the legitimate interests of the data controller or of a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.

    Note that “explicit” consent is not required under Article 6(1)(a); explicit consent is the higher standard that applies to sensitive PII (Article 9(2)(a)) and to certain international transfers (Article 49(1)(a)).

    The principles for the processing of PII (Article 5(1) of GDPR) are as follows:

    • data shall be processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency);
    • data shall be collected only for specified, explicit and legitimate purposes, and shall not be further processed in a manner incompatible with those purposes (purpose limitation);
    • data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (data minimisation);
    • data shall be accurate and, where necessary, kept up to date (accuracy);
    • data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed (storage limitation). A six-year retention period is commonly used in practice, but there is no fixed statutory period; and
    • data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (integrity and confidentiality).

    Article 5(2) of GDPR adds that the data controller is responsible for, and must be able to demonstrate, compliance with these principles (accountability).

    Data must not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of data.

  5. Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there are rules relating to the form, content and administration of such consent?

    Consent is one of the lawful bases for processing PII: it is defined as any “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (Article 4(11), GDPR). Where processing is based on consent, the data controller must be able to demonstrate that the data subject has consented (Article 7(1)); a request for consent presented in a written declaration that also concerns other matters must be clearly distinguishable from those matters, in an intelligible and easily accessible form, using clear and plain language (Article 7(2)); and the data subject has the right to withdraw consent at any time, and must be able to do so as easily as consent was given (Article 7(3)).

  6. What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?

    Processing sensitive PII is allowed in the following circumstances (per Article 9(2) of the GDPR):

    • when explicit consent has been given by the data subject;
    • when processing is necessary for the following purposes:
      • in carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment and social security and social protection law (in so far as it is authorised by EU or national law);
      • in pursuance of national law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
      • in protecting the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
      • in the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
      • in pursuance of reasons of substantial public interest, on the basis of EU or national law. The data processing needs to be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
      • in the event that processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, for medical diagnosis, or in respect of the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or national law or pursuant to contract with a health professional;
      • in the public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or national law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
      • in archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of GDPR or as in accordance with EU or national law but which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
    • when the processing is carried out by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes. The data processing must be undertaken in the course of the entity’s usual activities and must be subject to appropriate safeguards, including that the sensitive PII is not disclosed outside that body without the consent of the data subject; or
    • when the processing relates to sensitive PII which has been manifestly made public by the data subject.

    The proportionality and safeguard requirements described above (that the processing be proportionate to the aim pursued, have a basis in EU or national law, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject) attach to the substantial public interest, health and research grounds in Article 9(2) of GDPR rather than to every condition; explicit consent, for example, requires no legal basis beyond the consent itself.

    Unless PII is processed on one of the lawful bases in Article 6(1) of GDPR (and, in the case of sensitive PII, also under one of the conditions in Article 9(2)), processing is prohibited. There is, however, no category of PII which is prohibited from collection altogether.

  7. How do the laws in your jurisdiction address children’s PII?

    Article 8(1) of GDPR states that, in relation to the offer of information society services directly to a child, a child of at least 16 years of age can consent to the processing of his/her personal data. Where the child is under 16, processing is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Article 8(2) requires the data controller to make reasonable efforts, taking available technology into account, to verify that such consent has been given or authorised.

  8. Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.

    Data controllers and data processors are required to keep records of their data processing activities.

    Article 30(1) of GDPR states that each data controller (or the data controller’s representative if applicable), shall maintain a record of processing activities under its responsibility, including:

    • the name and contact details of the data controller and, where applicable, the joint data controller, the data controller’s representative and the data protection officer;
    • the purposes of the processing;
    • a description of the categories of data subjects and of the categories of personal data;
    • the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
    • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
    • where possible, the envisaged time limits for erasure of the different categories of data; and
    • where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of GDPR.

    Article 30(2) of GDPR states that each data processor and, where applicable, the data processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a data controller, containing:

    • the name and contact details of the data processor or data processors and of each data controller on behalf of which the processor is acting, and, where applicable, of the data controller’s or the data processor’s representative, and the data protection officer;
    • the categories of processing carried out on behalf of each data controller;
    • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of GDPR, the documentation of suitable safeguards; and
    • where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of GDPR.

  9. Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?

    Where a DPIA indicates that the proposed processing would result in a high risk to the rights and freedoms of data subjects in the absence of measures taken by the data controller to mitigate the risk, the data controller must consult the GRA before processing (Article 36(1) of GDPR). The GRA has up to eight weeks (extendable by six weeks for complex processing) to provide written advice where it considers that the intended processing would infringe GDPR (Article 36(2)).

  10. Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?

    A DPIA is carried out by the data controller and is required where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons (Article 35(1) of GDPR). Article 35(3) states that a DPIA is required in particular in the following circumstances:

    • when undertaking a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
    • processing on a large scale of special categories of data referred to in Article 9(1) of GDPR, or of personal data relating to criminal convictions and offences referred to in Article 10 of GDPR; or
    • a systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV monitoring of a public place).

    A DPIA is typically carried out as follows (Article 35(7) of GDPR):

    • producing a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller;
    • undertaking an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
    • undertaking an assessment of the risks to the rights and freedoms of data subjects that might arise as a result of the proposed processing of data; and
    • identifying the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.

  11. Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?

    The GRA has established a public register of DPOs in accordance with DPA section 138.

    An entity is required to appoint a DPO where:

    • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
    • the core activities of the data controller or the data processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
    • the core activities of the data controller or the data processor consist of processing on a large scale of special categories of personal data or personal data relating to criminal convictions and offences; or
    • it is a competent authority processing personal data for law enforcement purposes and must appoint a DPO as required by the EU Law Enforcement Directive (2016/680).

    GDPR Article 39 states that the DPO shall have at least the following tasks:

    • to inform and advise the data controller or the data processor and the employees who carry out processing of their obligations pursuant to GDPR or the Member State’s data protection provisions;
    • to monitor compliance with the GDPR and other applicable data protection provisions, and with the policies of the relevant data controller or processor, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
    • to provide advice where requested as regards the DPIA and monitor its performance;
    • to cooperate with the supervisory authority; and
    • to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 of GDPR, and to consult, where appropriate, with regard to any other matter. In Gibraltar the supervisory authority is the GRA.

  12. Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).

    Article 13 of GDPR provides that where personal data relating to a data subject is collected from the data subject, the data controller shall, at the time the data is obtained, provide the data subject with all of the following information:

    • the identity and the contact details of the data controller and, where applicable, of the data controller’s representative;
    • the contact details of the DPO, where applicable;
    • the purposes of the processing for which the personal data is intended as well as the legal basis for the processing;
    • where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the data controller or by a third party;
    • the recipients or categories of recipients of the personal data, if any;
    • where applicable, the fact that the data controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission.

    Article 13(2) additionally requires, where necessary to ensure fair and transparent processing, information such as the retention period (or the criteria used to determine it), the data subject’s rights (including the right to withdraw consent and the right to lodge a complaint with the GRA), whether the provision of data is a statutory or contractual requirement, and the existence of any automated decision-making, including profiling. In practice this information is given in an online privacy notice.

    Article 14 of GDPR provides that where personal data has not been obtained from the data subject, the controller shall provide the data subject with the following information:

    • the identity and the contact details of the data controller and, where applicable, of the data controller’s representative;
    • the contact details of the DPO, where applicable;
    • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
    • the categories of personal data concerned;
    • the recipients or categories of recipients of the personal data, if any;
    • where applicable, that the data controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission.

  13. Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?

    GDPR applies directly to service providers that process PII on behalf of a data controller (data processors): for example, the record-keeping, security and breach-notification obligations in Articles 30(2), 32 and 33(2) of GDPR bind data processors in their own right, and a data processor who determines the purposes and means of processing is treated as a data controller in respect of that processing (Article 28(10)). In addition, Article 28 of GDPR requires the data controller to use only data processors providing sufficient guarantees of compliance, and to govern the relationship by way of a written contract (or other legal act) which sets out the responsibilities and obligations of each party. The same applies where a data processor engages a sub-processor, which it may do only with the data controller’s prior written authorisation. Minimum contract terms are set out in point 14 below.

  14. Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?

    Article 28(3) of GDPR states that, as a minimum, any such contract with a data processor shall set out the subject-matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects, and the obligations and rights of the data controller, and shall stipulate in particular that the data processor:

    • processes the personal data only on documented instructions from the data controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or national law to which the data processor is subject; in such a case, the data processor shall inform the data controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
    • ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
    • takes all measures required pursuant to Article 32 of GDPR;
    • respects the requirements under GDPR for engaging another data processor;
    • assists the data controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR taking into account the nature of processing and the information available to the data processor;
    • deletes or returns, at the choice of the data controller, all the personal data to the data controller after the end of the provision of services relating to processing, and deletes existing copies unless EU or national law requires storage of the personal data; and
    • makes available to the data controller all information necessary to demonstrate compliance with the obligations laid down in this Article 28 of GDPR and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.

  15. Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorization from a regulator?)

    Transfers of PII within the EEA are not restricted. The transfer of PII to a country outside the EEA (a “third country”) or to an international organisation is prohibited unless there is a lawful basis for the processing under Article 6 (and, for sensitive PII, Article 9) of GDPR and, in addition, one of the following conditions applies:

    • the Commission has decided that the recipient jurisdiction ensures an adequate level of data protection (Article 45(1) of GDPR);
    • appropriate safeguards as set out in Article 46(2) of GDPR (e.g. binding corporate rules or standard contractual clauses adopted by the Commission) are in place and enforceable data subject rights and effective legal remedies are available; or
    • one of the following exceptions set out in Article 49(1) of GDPR applies:
      • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject;
      • the transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken at the data subject’s request;
      • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another party;
      • the transfer is necessary for important reasons of public interest;
      • the transfer is necessary for the establishment, exercise or defence of legal claims;
      • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
      • the transfer is made from a register which according to EU or national law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest but only to the extent that the conditions laid down by EU or national law for consultation are fulfilled in the particular case.

    Regulator notification or authorisation is generally not required for such transfers. The exceptions are transfers relying on the safeguards listed in Article 46(3) of GDPR (ad hoc contractual clauses or administrative arrangements between public bodies), which require the GRA’s authorisation, and transfers relying on the residual “compelling legitimate interests” ground in the second subparagraph of Article 49(1), which must be notified to the GRA.

  16. What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?

    Article 32(1) of GDPR provides that data controllers and data processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing. Article 32(1) lists, as appropriate, the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of those measures. Article 32(4) further requires that any person acting under the authority of the data controller or data processor who has access to personal data processes it only on the data controller’s instructions.

    In the case of automated processing, each data controller and each data processor must, following an evaluation of the risks, implement measures designed to:

    • prevent unauthorised processing or unauthorised interference with the systems used in connection with it;
    • ensure that it is possible to establish the precise details of any processing that takes place;
    • ensure that the systems used in connection with the processing function properly and may, in the case of interruption, be restored; and
    • ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions.

  17. Does your jurisdiction impose requirements of data protection by design or default?

    Article 25(1) of GDPR (data protection by design) provides that data controllers must, both at the time the means for processing are determined and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement the data protection principles in an effective manner and to integrate the necessary safeguards into the processing.

    Article 25(2) of GDPR (data protection by default) provides that data controllers must also implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed. This applies to the amount of personal data collected, the extent of its processing, the period of its storage and its accessibility; in particular, personal data must not by default be made accessible to an indefinite number of natural persons without the individual’s intervention.

  18. Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?

    Article 4(12) of GDPR defines a “personal data breach” as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

  19. Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?

    The data controller is under a legal obligation to notify the GRA of a personal data breach unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1) of GDPR). Notification must be made without undue delay and, where feasible, not later than 72 hours after the data controller becomes aware of the breach; where notification is made later than 72 hours it must be accompanied by the reasons for the delay. The data controller must also document every personal data breach, including those not notified, so that the GRA can verify compliance (Article 33(5)).

    Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must also communicate the breach to the affected individuals without undue delay (Article 34(1)). This communication is not required where the data controller had implemented appropriate technical and organisational protection measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption, or has taken subsequent measures ensuring that the high risk is no longer likely to materialise (Article 34(3)). Separately, a data processor must notify the data controller without undue delay after becoming aware of a personal data breach (Article 33(2)); that obligation is not subject to any encryption exception.

  20. Do the laws in your jurisdiction provide individual rights, such as the right to access and the right to deletion? If so, please provide a general description on what are the rights, how are they communicated, what exceptions exist and any other relevant details.

    Individuals (data subjects) have the following rights under GDPR:

    • to obtain from the data controller confirmation as to whether or not personal data concerning him or her is being processed. Where personal data is being processed, the data subject shall have the right to access that personal data and to know the purposes of the processing, the recipients of that data, the envisaged retention period and, where the data was not collected from the data subject, its source (Article 15);
    • to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement;
    • to have information about him or her erased on one of the following grounds:
      • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
      • the data subject withdraws consent and where there is no other legal ground for the processing;
      • the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
      • the personal data has been unlawfully processed;
      • the personal data has to be erased for compliance with a legal obligation in EU or national law to which the data controller is subject; or
      • the personal data has been collected in relation to the offer of information society services to a child (Article 8(1));
    • to object to processing based on the public interest or legitimate interests grounds (in which case the data controller must cease processing unless it demonstrates compelling legitimate grounds which override the interests, rights and freedoms of the data subject) and, in any event, to object to direct marketing, including related profiling (Article 21);
    • to restrict the processing of their information where one of the following conditions apply:
      • the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data;
      • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
      • the data controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims; or
      • the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject;
    • to receive the personal data concerning him or her, which he or she has provided to a data controller, in a structured, commonly used and machine-readable format, and to transmit that data to another data controller without hindrance from the data controller to which the personal data has been provided (Article 20). This right applies only where the processing is based on consent or contract and is carried out by automated means.

    The data controller must respond to a request without undue delay and in any event within one month of receipt, extendable by a further two months where necessary, taking into account the complexity and number of requests (Article 12(3)). The rights are subject to exceptions: for example, the right of access must not adversely affect the rights and freedoms of others (Article 15(4)), and the right to erasure does not apply where processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest in the area of public health, for archiving, research or statistical purposes, or for the establishment, exercise or defence of legal claims (Article 17(3)). Further exceptions are described in point 23 below.

  21. Are individual rights exercisable through the judicial system or enforced by a regulator or both? When exercisable through the judicial system, does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances? Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury of feelings sufficient?

    Individuals’ rights are enforced by the GRA and can also be exercised through the judicial system. An individual can claim compensation for breach of their rights under the DPA. Whilst damage must have been caused, it can be “non-material damage” which includes distress.

  22. How are the laws governing privacy and data protection enforced? What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?

    As described in point 21 above, data protection is enforced by the GRA. Under Article 83 of GDPR the GRA is empowered to impose administrative fines on data controllers and data processors of up to €10 million or 2% of total worldwide annual turnover (whichever is higher) for infringements of, among others, the obligations of controllers and processors in Articles 25 to 39, and of up to €20 million or 4% of total worldwide annual turnover (whichever is higher) for infringements of the basic principles for processing, data subjects’ rights and the rules on international transfers. Data controllers and data processors are entitled to appeal such penalties to the courts. Equally, a complainant who is dissatisfied with how the GRA addresses their complaint can seek redress through the courts (Article 78 of GDPR).

  23. Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.

    In addition to the derogations and exceptions already mentioned in points 4 and 6 above, Part 5 and Part 6 of Schedule 2 of the DPA set out further exceptions and derogations for the following purposes:

    • journalistic purposes;
    • academic purposes;
    • artistic and literary purposes; and
    • scientific or historical research and statistical purposes.

    The freedom of expression exceptions and derogations allow the processing of personal data where such processing is being carried out by a person with a view to the publication of journalistic, academic, artistic or literary material, and the data controller reasonably believes that the publication of the material would be in the public interest.

    The exceptions for research and statistical purposes can apply if personal data is being processed for:

    • scientific or historical research purposes; or
    • statistical purposes.

    These exceptions do not, however, apply to the processing of personal data for commercial research purposes such as market research or customer satisfaction surveys.

    When applicable, the exceptions exempt the data controller from the GDPR’s provisions on:

    • the right of access;
    • the right to rectification;
    • the right to restrict processing; and
    • the right to object.

    The GDPR also provides exceptions from its provisions on the right to be informed (for indirectly collected data) and the right to erasure. The exceptions, however, only apply as follows:

    • to the extent that complying with the provisions above would prevent or seriously impair the achievement of the purposes for processing;
    • if the processing is subject to appropriate safeguards for individuals’ rights and freedoms;
    • if the processing is not likely to cause substantial damage or substantial distress to an individual;
    • if the processing is not used for measures or decisions about particular individuals, except for approved medical research; and
    • as regards the right of access, the research results are not made available in a way that identifies individuals.

  24. Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?

    The Privacy Regulations govern the use of cookies by Gibraltar-based service providers. The rules in force in Gibraltar are essentially that cookies can only be placed on computer equipment where the individual has given consent. Before giving consent, the individual must be provided with clear and comprehensive information about the purposes of the storage of, or access to, that information.

    In addition to the Privacy Regulations, service providers must comply with the requirements as to the protection of personal data as set out in GDPR, such as Article 6, which sets out the provisions for the lawful processing of personal data (even that obtained by way of cookies).

    Further, Article 7 of GDPR gives the data subject the right to withdraw consent for the processing of data gathered through the use of cookies.

  25. Please describe any laws addressing email communication or direct marketing?

    The provisions of the Privacy Regulations on unsolicited electronic marketing provide that a party may not transmit marketing material unless the individual receiving it has previously notified the sender that he or she consents to receiving it (i.e. he or she has ‘opted in’).

    There are limited circumstances in which a service provider can send unsolicited electronic marketing communications to an individual where a type of implied consent is deemed to exist, also referred to as a ‘soft’ opt-in. This applies where all of the following conditions are met:

    • the direct marketer has obtained the contact details of the individual in the course of the negotiations for, or sale of, goods or services;
    • the direct marketing relates to goods or services similar to those purchased by the individual; and
    • the direct marketer gives the individual a simple means, free of charge and at the time the data is collected, to opt out of the use of his or her data for direct marketing purposes.

    Whether the opt-in has been explicit or soft, in each subsequent direct marketing email to an individual the service provider must provide an option to opt out of future marketing emails (e.g. by way of an unsubscribe link).

    Article 21(2) and (3) of GDPR give the data subject the right to object to the processing of personal data for direct marketing purposes. Where such an objection is made, the data controller must stop processing the data for marketing purposes, but it may still process the data for other purposes (e.g. for the performance of a contract).