Implementing Regulation of PDPL Article 28 regulates how organizations (Controllers) may use personal data for direct marketing, advertising, or public awareness campaigns. It emphasizes the need for clear, informed consent from recipients and provides detailed rules on how communication for such purposes must be carried out.
Get clear consent before marketing. Allow easy opt-out. Respect recipient preferences.
Implementing Regulation of PDPL Article 28 (1)
Prior Consent Required
Controller shall obtain the Consent from the targeted recipient before sending advertising or awareness material in case of the absence of a prior interaction between the Controller and the targeted recipient.
Implementing Regulation of PDPL Article 28 (2)
Consent Conditions
Conditions for obtaining the targeted recipient’s consent for advertising or awareness materials shall be as follows:
a) Consent shall be given freely, and no misleading methods shall be used to obtain it.
b) Targeted recipient shall be enabled to specify the options related to advertising or awareness material subject to consent.
c) Consent of a targeted recipient consent shall be documented in a manner that can be verified in the future.
Without prejudice to the Telecommunication and Information Technology Act or any other related laws, before using communication methods for the purpose of sending advertising or awareness materials, including the post and email of the Data Subject, the Controller shall commit to the following:
Implementing Regulation of PDPL Article 28 (3) (a)
Sender Identity Clear
Clearly mention sender’s name without hiding their identity.
Implementing Regulation of PDPL Article 28 (3) (b)
Easy Opt-Out
Provide a mechanism that enables the Data Subject to opt out of receiving advertising and awareness materials when desired, and ensure that the procedures for opting out of receiving such materials are easy, straightforward, and at least as easy as the procedures for giving consent to receive them.
Implementing Regulation of PDPL Article 28 (3) (c)
Stop on Request
Stop sending advertising or awareness materials as soon as the target recipient requests it.
Implementing Regulation of PDPL Article 28 (3) (d)
Free to Opt-Out
The cessation of receiving advertising or awareness materials shall be free of charge.
Implementing Regulation of PDPL Article 28 (3) (e)
Evidence of Consent
Keep material evidence of consent from the targeted recipient to receive advertising or awareness materials.
Explanation of Implementing Regulation of PDPL Article 28
No unsolicited messages without opt-in:
Implementing Regulation of PDPL Article 28 (1) says, controllers must obtain prior consent from individuals before sending advertising or awareness messages, especially where no prior relationship exists.
Must be valid and verifiable:
Implementing Regulation of PDPL Article 28 (2) says, consent must be freely given, without manipulation. Individuals should be able to customize their preferences, and consent must be recorded for future proof.
No hidden senders allowed:
Implementing Regulation of PDPL Article 28 (3) (a) says, messages must clearly state the identity of the sender. The use of hidden IDs or spoofing is not allowed.
Let people unsubscribe easily:
Implementing Regulation of PDPL Article 28 (3) (b) says, individuals must be able to opt out of receiving marketing messages. The process should be as simple as giving consent.
Respect opt-out immediately:
Implementing Regulation of PDPL Article 28 (3) (c) says, once a person opts out, the Controller must stop sending messages without delay.
No fees to unsubscribe:
Implementing Regulation of PDPL Article 28 (3) (d) says, recipients should not be charged any fee to stop receiving marketing messages.
Keep records of agreement:
Implementing Regulation of PDPL Article 28 (3) (e) says, controllers must keep proof of consent for each recipient, showing that they agreed to receive marketing content.
