Six months after implementation of the European Union’s General Data Protection Regulation (“GDPR”),¹ many charitable organizations are still struggling with compliance. Our pro bono clients frequently ask whether consent is now required to send solicitations or communications via email to donors or potential donors. Before addressing that discrete question, here are some key GDPR principles that apply to non-profit organizations:
What is personal data? Personal data encompasses any information that may directly or indirectly identify an individual (for example, a name is a direct identifying element, while a date of birth, email address, phone number, home address, or photo is an indirect identifying element).² Personal data also includes information about the characteristics of an individual (hobbies for instance), opinions of a person, and online identifiers (cookies, IP address). Because the definition of personal data is so broad, all charitable organizations process personal data.
What is data processing?³ Processing is defined very broadly in the GDPR and includes the collection, recording, storage, adaptation, use, erasure, and mere consultation of personal data.
When does the GDPR apply?⁴
Under the GDPR, the fact that an organization may or may not require payment in exchange for its goods and services is irrelevant. It is therefore applicable to charitable organizations that process personal data if these organizations:
- Are established in the European Union (EU)⁵, or
- Are not established in the EU but offer goods and/or services to EU-based individuals, or monitor the behaviour of EU-based individuals⁶.
Organizations not established in the EU that fall under the scope of the GDPR because of the data they process need to comply with the GDPR only with respect to the processing of the data of EU-based individuals. Therefore, they do not need to extend their GDPR compliance policies to the processing of the data of non-EU based individuals.
Data concerning their donors and potential donors is among the personal data most commonly processed by charitable organizations. However, the answer as to whether consent is needed before sending email solicitations is found not in the GDPR but in an older instrument, Directive 2002/58/EC on privacy and electronic communications (known as the ePrivacy Directive).⁷
Direct marketing by email under the ePrivacy Directive is allowed only if the individuals receiving the communication have given their prior consent. The ePrivacy Directive allows one exception to this requirement: organizations do not have to obtain consent when marketing their own products or services to an existing customer, provided those products or services are similar to the ones the customer purchased in the past and each message gives the customer a clear, free-of-charge opportunity to opt out. Because this exception rarely applies to charitable organizations, which typically are not in the business of selling products or services, they are left with the obligation to obtain consent, a task that can be particularly challenging.
To be validly obtained, consent has to be specific, informed, freely given, and must be an unambiguous indication of the individual’s agreement to the processing of his or her personal data. Pre-ticked boxes on donation forms indicating consent are therefore insufficient, as is silence or inactivity.
When analyzing their database, many charitable organizations conclude that they cannot adequately substantiate consent from all donors and potential donors. Accordingly, if they wish to continue sending emails to these individuals without risking penalties from an EU data protection authority, the only solution is to carry out a campaign seeking consent from these individuals.
Unfortunately, the response rate to this type of campaign is generally fairly low, and the contact databases of the affected charitable organizations may be significantly reduced as a result, which in turn substantially impacts their ability to raise funds.
Communications sent by regular mail do not fall under the ePrivacy Directive and therefore do not require consent (although the underlying processing of donor data still needs a lawful basis under the GDPR itself, such as legitimate interests). This explains why many European-based charitable organizations still spend significant resources sending regular mail to donors and potential donors.
To learn more about the GDPR, please visit: https://www.proskauer.com/themes/gdpr
¹ Regulation (EU) 2016/679.
² GDPR, Article 4(1).
³ GDPR, Article 4(2).
⁴ For further details on Article 3 of the GDPR regarding the territorial scope of the GDPR, please refer to the guidelines published by the European Data Protection Board (EDPB) on November 16, 2018 (EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (November 16, 2018) – https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_3_2018_territorial_scope_en.pdf).
⁵ GDPR, Article 3(1).
⁶ GDPR, Article 3(2).
⁷ https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32002L0058&from=EN. The ePrivacy Directive is expected to be replaced by the proposed ePrivacy Regulation in 2019. For more information, please refer to the EU Commission website: https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation