GDPR in SMS Marketing – Frequently Asked Questions [FAQ]

Many months have passed since the introduction of the new regulation. Although there are many materials to make the implementation easier, we still receive questions about GDPR in the context of SMS marketing. In this FAQ we have collected and responded to the most frequently discussed issues.

How can our clients unsubscribe from the recipient database? It’s easy to do from a regular e-mail newsletter, how about the SMS newsletter?

Remember that one of the rights granted to consumers by GDPR is the right to be forgotten. The recipient of marketing messages, subscribing to an SMS or e-mail newsletter, should be informed about possible (and simple) ways of opting-out.

Therefore we have created a new feature – Opt-out SMS. It allows you to add a personalized link that allows you to opt-out of receiving messages. All you need to do is find the SMS in your inbox and click on the link to unsubscribe from the database. All unsubscribed contacts will be automatically excluded from future campaigns.

Opt-out SMS feature by SMSAPI
One tap is enough to manage your subscription

The customer could also sign up for the newsletter SMS using the widget. In this situation, he or she should go back to the brand’s website, find the widget and click “unsubscribe”. Find an example below:

Newsletter SMS used by TEDxKatowice
Opting-out of Newsletter SMS widget

There are also other ways—any recipient of communication can report using the contact form, email, telephone or fan page request to delete or modify the data.

The sender of the message must accept this request and designate (if necessary) a Data Policy Officer (DPO) who is responsible for the entire process of collecting, securing and processing personal data in the company.

Does each entity have to designate a Data Policy Officer (DPO)?

1. The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offenses referred to in Article 10.

Article 37 EU GDPR “Designation of the data protection officer”

Can I use my database which was collected before May 25, 2018?

Yes—provided that it has been collected in accordance with the previous local requirements and based on the principles:

  • lawfulness, fairness, and transparency,
  • purpose limitation,
  • data minimization,
  • accuracy,
  • storage limitation,
  • integrity and confidentiality,
  • accountability.

The second condition is to fulfill the information obligations to which each personal data administrator is obliged — more on this in the next question.

Do I have to collect the consents again after the implementation of GDPR?

As in the previous question — there is no need to collect new consents if they were compliant with the previous legal requirements. However, it is necessary to abide by the information obligation, that is, to provide the recipient with the following information in the form of a clause:

  • administrator data,
  • data of the Personal Data Protection Officer (if the designation in a given enterprise is necessary),
  • the purpose of data processing and the legal basis,
  • information about the right to oppose or withdraw consent,
  • data source, if you collect it from other entities,
  • to whom you intend to share data, information on whether data is transferred to third countries and international organizations,
  • the planned period of data storage,
  • information about the rights of a natural person,
  • the right to lodge a complaint with a supervisory authority,
  • information on whether data will be processed in the form of profiling,
  • information on whether the provision of data is voluntary or mandatory, whether it is a condition for the conclusion of the contract and what are the consequences of not submitting data.

Could you provide the correct example of data processing consent for marketing purposes?

I consent to the processing of my personal data for marketing purposes. The administrator of personal data is LINK Mobility Poland Sp. z o.o., with registered office in Gliwice (44-117) ul. Toszecka 101. The data will be processed for marketing purposes via e-mail and SMS. The Service Recipient has the right to access and correct his data and the right to demand discontinuation of processing as well as the right to object to the processing of data for the above purpose.

Exemplary consent for marketing purposes

Is it possible to use SMS notifications sent, for example, from an online store, to gather consent to the sending of marketing content?

Yes, on the occasion of providing information about the status of the order, you can ask the customer if he or she also wants to receive text messages with marketing content in the future.

You can include a link to subscribe to the newsletter (the customer can also share an email address and preferences) or use the virtual mobile number (2-Way SMS) — an online store customer can write to the message “YES” and be automatically saved to the client’s database in SMSAPI Customer Portal.

In the case of e-commerce, there are many opportunities to build a base: from placing the SMS Newsletter widget to the checkbox at the time of placing an order (configuration available in every e-commerce software) or just using the virtual mobile and interacting with the customer.

Remember that in exchange for leaving the data, it is also worth rewarding customers with an additional discount or a free delivery.

What SMS content can I send to the customer to confirm that he will continue to receive messages from us?

– Thank you for signing up for our newsletter. From now on you’ll be the first to receive information about upcoming promotions and events. Stay tuned!
– Great to have you with us! We still want to provide you with knowledge of garden furniture. If you want to receive messages from us, answer “YES” to this SMS
– You will not leave us, will you? Let us inform you about upcoming promotions, sign up to the newsletter at www.cut.li/newslettersmsxyz

Exemplary SMS content

What are exemplary messages informing about the possibility to opt-out from SMS notifications?

– Remember that at any time you can opt out of receiving content by clicking: unsubsc.me/XYZ
– To unsubscribe from our newsletter, please visit: www.wyp.is/XYZ
– You can unsubscribe at any time from receiving text messages at: unsubsc.me/XYZ. Remember that we will miss you!
– I hope you enjoy reading text messages from us. We will be sad if you give up. Still, you can do this here: unsubsc.me/XY

Exemplary SMS content

What features should the consent expressed by the user have?

In order for the database to be created, after presenting the data subject with the information clause in accordance with the requirements of the GDPR, the client must be asked for permission to process the data. At this point, the GDPR puts specific requirements, namely the legislator points out that the consent must be:

  • conscious, specific, unambiguous,
  • written in simple, understandable language,
  • related to the company’s information policy,
  • explicit, i.e. it can not raise doubts that it has been expressed,
  • associated with a specific purpose of processing – precisely defines what is involved and what is the timeframe for the duration of consent,
  • voluntary,
  • possible to withdraw – the client can at any time ask to remove his consent from the database (and the withdrawal of consent must be as easy as the expression)
  • if the activity concerns minors – the consent of the legal guardian is required (in the case of children under 16 years of age, as children aged 16 and over may give their consent to the processing of personal data, Member States may reduce this age limit to 13 years).

Do you have more questions? Do not hesitate to ask your account manager.