Implementing Regulation of PDPL Article 29 sets strict rules for using personal data in direct marketing. Controllers must secure informed consent before initiating direct outreach and ensure recipients have a simple, no-cost method to opt out at any time.
No consent. No marketing. Simple opt-out. Clear sender identity.
Without prejudice to the Telecommunication and Information Technology Act or any other related laws, before Processing Personal Data for Direct Marketing purposes, the Controller shall abide by to the following:
Implementing Regulation of PDPL Article 29 (1) (a)
Consent Before Marketing
Obtain consent from Data Subject in accordance with the provisions of Article (11) of this Regulation.
Implementing Regulation of PDPL Article 29 (1) (b)
Simple Opt-Out Mechanism
Provide a mechanism that enables the Data Subject to opt out of receiving marketing materials when desired, and ensure that the procedures for opting out of receiving such materials are easy, straightforward, and at least as easy as the procedures for giving consent to receive them.
Implementing Regulation of PDPL Article 29 (2)
Identify the Sender
When sending direct marketing materials to a Data Subject, the identity of the sending entity shall be clearly stated without any anonymisation.
Implementing Regulation of PDPL Article 29 (3)
Stop After Withdrawal
In case the Data Subject withdraws their consent for Direct Marketing, the Controller shall immediately stop sending related marketing materials without undue delay.
Explanation of Implementing Regulation of PDPL Article 29
Data Subject must agree:
Implementing Regulation of PDPL Article 29 (1) (a) says, before sending any direct marketing messages, the Controller must obtain clear, verifiable consent from the Data Subject. This consent must meet the requirements in Article 11 of the Regulation.
Unsubscribing must be easy:
Implementing Regulation of PDPL Article 29 (1) (b) says, the Controller must provide a way for Data Subjects to opt out of marketing communications, and this must be as simple as the opt-in process. No complicated steps are allowed.
No hidden marketing:
Implementing Regulation of PDPL Article 29 (2) says, every direct marketing message must clearly show the identity of the sender. Anonymized or hidden senders are prohibited.
Act without delay:
Implementing Regulation of PDPL Article 29 (3) says, once an individual withdraws consent, the Controller must immediately stop all direct marketing to that person. No delay or justification is allowed.
