The GDPR states: "At the point of first communication with individuals, you must inform them of their right to object on “grounds relating to his or her particular situation” including:
processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
direct marketing (including profiling); and
processing for purposes of scientific/historical research and statistics."
Our interpretation is that this does not include order processing and providing quotes where asked for (which have a legal basis of "contract").
Identifying "Points Of First Contact" & Adding Your Notice
Point of first communication on your website will be via forms including:
- Contact forms
- Newsletter sign up forms
- Custom forms you have created
You will need to:
Review which forms you have on the site which will be a point of first contact and for each of them either:
- Add some page content explaining the right to object; or
Add a new field labelled “Your right to object” with a field type of “HTML Page” and the ID of a page set up previously in Page Manager containing your text on the right to object.
Review all system pages related to email content via Page Manager filtering with the word ‘email’. Work through the list and amend the ones appropriate to your site to include text in the email footer regarding the right to object. The following pages will definitely need to be changed:
If you decide to include Prospect Manager email communications, go into User Manager and edit all admin user details to include the right to object text in the email signature.
What To Do Once You Receive An Objection
Direct marketing has to stop immediately from when the objection is received.
Edit the user record in User Manager and untick "Subscribe to emails" so they do not receive any further marketing emails from you.
What To Do Once You Have Accepted The Objection
Follow the instructions given in Right To Restrict Processing
You may need to keep your own record that you have received and actioned the request as part of your company’s procedures and on your suppression list if the user has restricted data processing. If you add or import user data, make sure you suppress re-adding or altering someone who has requested restricted processing.