Annex No. 1 – Recommendations for the implementation by the personal data controller
Below are recommendations for implementation by personal data controllers (i.e. entrepreneurs) in the area of personal data protection and of protecting data subjects (i.e. their customers) against unsolicited commercial communications sent by those controllers.
It is always necessary to ensure that personal data (including data processed in commercial communications and in cookies) are processed on the basis of the applicable and most appropriate legal ground, so that the lawfulness of the processing is ensured.
The following sections of this Annex are therefore designed so that the appropriate legal ground for the processing is identified and any specifics of the processing in the relationship between the controller and the data subject are described.
This information does not constitute legal advice; it consists only of basic informative recommendations for persons processing personal data. The completeness or correctness of this information is not guaranteed.
Part A – Personal data
In the areas of “general” processing of personal data, i.e. not in connection with the sending of the Commercial Communications or with the collection of so-called cookies (see below), the general rules on the processing of personal data apply.
In order for personal data to be processed in accordance with the laws on personal data protection, it is necessary to:
- define the purpose and means of the processing (depending on the particular case);
- define the legal ground on which the processing will be based (in particular the performance of a contract with the data subject; if the processing cannot be subsumed under the performance of a contract, the legal ground would be the legitimate interest of the controller; and if neither of the previous two legal grounds can be used, the consent of the data subject to the processing of personal data will be the legal ground for the processing);
- fulfil any additional obligations associated with the appropriate legal ground (assessment of the legitimacy of the interest in the case of processing on the basis of a legitimate interest, information about the possibility to withdraw consent, etc.);
- fulfil the information obligation towards the data subject (see below); and
- fulfil other general obligations with regards to the processing of personal data (in particular keeping the relevant documentation, defining the organisational and technical measures for the protection of personal data, etc.).
Legal grounds for the processing
Primarily, all processing of personal data relating to the business activity of the controller will be performed on the basis of the performance of the contract with the data subject (processing necessary for the sale of goods and the provision of services).
For the sending of commercial communications (which is not processing necessary for the performance of the contract) that are identical for all data subjects or are defined on the basis of the transaction history of the data subjects, the legitimate interest of the controller may be used. The legal ground of legitimate interest is also used for the processing of cookies (although it will probably be necessary to obtain explicit consent in the future). On the other hand, if advanced analytics or other personal data operations that by their nature differ from plain “direct marketing” were to be performed, it would be necessary to obtain the prior consent of the data subject to the processing of personal data for these purposes; such consent may, for example, be a condition for inclusion in the controller’s discount or loyalty programme.
However, it is necessary to point out that the boundary beyond which consent must be used instead of legitimate interest is not clearly defined (it depends on the reasoning and justification of such processing by the controller), and it cannot be guaranteed that a particular processing operation may be performed on the basis of a legitimate interest.
In any case, the data controller must inform the data subject that his or her personal data have been obtained, irrespective of the legal ground used for the processing (performance of the contract, legitimate interest of the controller, consent of the data subject). If consent is used, the giving of consent cannot be compelled.
Content of the information obligation
Where personal data are collected from data subjects, data subjects must be informed of the following:
- the identity and the contact details of the controller and, where applicable, of the controller's representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing (in this case the performance of the contract, the legitimate interest or the consent of the data subject);
- legitimate interest of the controller (in the case of processing based on legitimate interest);
- the recipients or categories of recipients of the personal data, if any, i.e. in this case the processor;
- the period for which the personal data will be stored;
- the existence of the right to request from the controller the access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- the right to withdraw consent to processing (in the case of processing based on consent);
- the right to lodge a complaint with a supervisory authority;
- where applicable, the fact that the controller intends to transfer personal data to a third country and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47 of the GDPR, or the second subparagraph of Article 49(1) of the GDPR, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
- the fact that the processing of the data is necessary for entering into a contract (in the case of processing necessary for performance of the contract);
- the fact that automated decision making, including profiling, as referred to in Article 22 (1) and (4) of the GDPR is performed and, at least in these cases, the meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
In the case where processing is based on the legitimate interest of the controller, the data subject has to be explicitly informed, clearly and separately from any other information, about the right to object to the processing.
Please note that the rights of the data subject include, for example, the right to request from the controller access to personal data relating to the data subject, their rectification, erasure or restriction of processing, and the right to object to processing. It is always necessary to respond appropriately to a request by the data subject to exercise these rights. Under specific conditions, for example, it may be necessary to terminate the processing of the personal data for certain purposes or to erase the personal data completely.
Part B – Commercial Communications
In relation to the sending of commercial communications, it is necessary to ensure compliance with the laws on personal data protection and the general regulation on sending commercial communications.
Regarding the laws on personal data protection, the forms of processing of personal data in this context are the act of sending a commercial communication to the data subject’s e-mail address as well as all preceding and subsequent analyses of the behaviour and possible demographic characteristics of the data subject, including the collection of the data itself (whether based on information provided by the data subject or on tracking of the data subject on the website).
All the forms of processing mentioned above, however distinct from each other, are directed towards one common goal, namely marketing communication in relation to the data subject. For this reason, it is useful not to divide this purpose but to base it on one common legal ground (combining personal data obtained for different purposes is very problematic). An appropriate legal ground may be the legitimate interest of the controller in supporting the controller’s business and addressing the data subjects (its customers), or the data subject’s consent in the case of more advanced analysis of the behaviour of data subjects and the monitoring of their behaviour.
The following consequences are associated with using the legitimate interest:
- the duty to internally assess the legitimacy of interest and to have such assessment available;
- the obligation to inform data subjects; and
- the right of the data subject to object to the processing and the obligation of the controller to explicitly inform the data subject about that right.
Furthermore, with regard to the general regulation on sending commercial communications, which is aimed at preventing the sending of unsolicited commercial communications, it can generally be noted that relatively strict conditions have to be met in order to ensure compliance with the applicable legislation. Therefore, it is not possible to send to data subjects:
- any unsolicited messages sent by e-mail and/or SMS to the recipient without complying with the applicable legal requirements, i.e. in practice especially without the recipient’s prior consent obtained through the double opt-in method (by filling in the form on the website and at the same time confirming the interest in receiving these commercial communications by clicking on a link in an e-mail or by sending a verification SMS);
- any commercial communications that do not contain the mandatory content of the commercial communication in the article “Compulsory Content of Communications” of the Terms and are not in compliance with the article “Conditions for provision of Mailkit Service” of the Terms;
- any commercial communications where the data subject has refused the use of his or her data for the purpose of sending business messages, or after the data subject has refused to consent to the use of his or her electronic contact details for the purposes of sending commercial communications, or the data subject has informed the controller that he or she does not agree to any further sending of commercial communications;
- any commercial communications when it relates to products or services that are not provided by the controller or which are not similar to the products or services in connection with the sale of which the controller has obtained an e-mail address or telephone number of the subject, unless the subject has given a prior consent.
Part C – Cookies
At the moment, cookies can be processed in opt-out mode. This means that it is possible to store them in the end device of the subject and further process them without the explicit consent of the data subject, but the data subject must be informed of this fact and allowed to refuse such processing without any significant deterioration of the service (or its parts, which are not dependent on cookies).
In the case of cookies, the rules on objections to processing described above apply accordingly, including “do not track” requests. However, implementation of an opt-in mode is being considered for the future.
Where cookies can be attributed to an identifiable data subject (e.g. when monitoring registered data subjects), the laws on personal data protection also apply. It is then necessary to comply with all obligations relating to the protection of personal data (Part A), including having a legal ground for the processing, fulfilling the duty to inform and handling “do not track” requests.