
Beyond Legal #27: The marketing director who thought it was just an email list


It’s just an email list. I didn’t think we needed the Data Protection Leader to sign it off. — David M., former marketing director

I have lost count of how many times I have heard a version of this. The word “just” does a lot of work in many data protection scenarios. Just an email. Just a list. Just a campaign. Each “just” quietly removes one more layer of accountability until there is nothing left — no lawful basis, no records of processing, no data subject rights mechanism, and no documented decision that anyone ever made. Then something goes wrong, and everyone discovers that the GDPR does not recognise the word “just.”

David’s story

David is a marketing director at a pan-European consumer goods company with a customer database of several million contacts across eleven member states. He joined the company just over three months ago. He is commercially astute and has a well-earned reputation for driving campaign performance. Previously, he had run marketing at a number of smaller companies. He had never once been asked to involve a Data Protection Leader in a campaign sign-off.

The campaign in question was a reactivation drive targeting lapsed customers who had not purchased in over two years. The contact list was pulled from the CRM. A third-party agency was brought in to enrich the list — appending demographic and behavioural data sourced from external data brokers. The campaign launched across email and SMS.

The Data Protection Leader — let’s call her Yuki — heard about the campaign in a team meeting, three days after launch.

She asked four questions: what lawful basis had been used to reprocess the data of lapsed customers for a new campaign purpose, whether the third-party agency had an Article 28 DPA in place, what the source of the appended data was and whether a lawful basis existed for its use, and whether a records of processing activities entry had been created for the campaign.

David’s answer, in effect, was that the campaign was already running and had worked well at his previous company.

What went wrong

Several problems surfaced within weeks. The data broker the agency had used had sourced some of its data from a national health registry, so a portion of the appended data carried health indicators, actual or inferable, which constituted special category data under Article 9. The campaign had processed that data without an Article 9(2) exemption and without a DPIA, even though Article 35(3)(b) makes a DPIA mandatory for large-scale processing of special category data.

There was also the question of what the lapsed customers had ever been told. Because a portion of the campaign data had been obtained not from the data subjects themselves but from a third-party broker, Article 14 had been engaged from the moment the enrichment took place. The outer limit under Article 14(3)(a) is one month from obtaining the data, and Article 14(3)(b) brings that forward where the data are used to communicate with the individuals, to the time of the first communication at the latest. The first campaign message was therefore the last lawful moment to tell recipients the source of the data, the categories involved, the purposes, and the lawful basis, and by the time the problems surfaced even the one-month limit had passed without any notice being issued. The agency had not raised it, the CRM team had not flagged it, and David had not known the obligation existed.

Layered on top of all of this was ePrivacy. The campaign had gone out by email and SMS across eleven member states, and Article 13 of the ePrivacy Directive, as transposed in each of those jurisdictions, required prior opt-in consent for electronic marketing messages to individuals, with only the narrow soft opt-in of Article 13(2) available: the company’s own similar products, marketed to customers whose details were obtained in the course of a sale, with an opt-out offered in every message. For contacts who had not purchased in over two years, that soft opt-in was, in several of those member states, no longer something the company could credibly rely on, and the analysis had never been done. Compounding everything, several recipients had exercised opt-out rights under previous campaigns, and those preferences had not been carried across when the list was built, so the list build itself overrode objections the company was obliged to honour. When a cluster of complaints reached the Supervisory Authority, the combination of an ePrivacy failure at the point of sending, unlawful processing of special category data without a valid exemption, an unmet Article 14 obligation, and suppression failures made the investigation significantly harder to contain.

Yuki’s documentation showed she had not been consulted. David’s documentation showed nothing at all. He was let go before the regulatory process concluded — his shortest tenure as a marketing leader.

What lawful basis does direct marketing require under the GDPR?

Direct marketing using personal data requires a valid lawful basis under Article 6 of the GDPR before any processing begins — not consent by default, but a basis that has been properly identified, assessed, and documented. For existing customers, legitimate interests under Article 6(1)(f) is often available (Recital 47 notes that processing for direct marketing purposes may be regarded as carried out for a legitimate interest), but it requires a balancing test that takes into account the reasonable expectations of the data subjects and the nature of the data being used, and it never displaces the right to object: under Article 21(2) and (3) an objection to direct marketing is absolute, and the data must no longer be processed for that purpose once it is raised. For lapsed customers or contact lists enriched with third-party data, the analysis becomes significantly more complex — and where appended data includes health indicators or any other special category data under Article 9, an Article 6 basis alone is not enough; a separate Article 9(2) condition is required as well.

The point that inferred data could itself constitute special category data was no longer a matter of academic debate. In OT v Vyriausioji tarnybinės etikos komisija (C-184/20), decided in August 2022, the Court of Justice of the European Union had held that data from which special category information could be deduced — even indirectly — fell within the scope of Article 9 and required an Article 9(2) exemption in its own right. That ruling had closed off the argument, still occasionally heard in marketing teams, that “we didn’t collect health data, we just appended lifestyle indicators.” The data broker’s appended indicators, once they permitted health inferences about identifiable individuals, were Article 9 data — and the campaign had processed them without an exemption.

Article 83(5)(a) already places infringements of Articles 5, 6, 7 and 9 in the higher fine tier, up to €20 million or 4% of worldwide annual turnover, whichever is higher. The Norwegian Data Protection Authority’s 2021 fine against Grindr — €6.5 million for sharing user data including sexual orientation with third-party advertisers without a valid lawful basis — showed that supervisory authorities will apply that tier to special category data processed without a valid Article 9 exemption. In October 2020, the Hamburg Data Protection Authority fined H&M €35.3 million for unlawfully processing sensitive personal data of several hundred employees — health information, religious beliefs, and family details — collected through return-to-work meetings and corridor conversations and stored in a shared network drive accessible to approximately fifty managers. The H&M finding is instructive for marketing teams specifically because the data was collected informally and stored without a documented processing purpose, in a system that nobody had registered as a processing activity. The supervisory authority found that a combination of unlawful collection, excessive access, and absence of any governance structure constituted serious violations of Articles 5, 6, and 9. The same three-failure pattern — no lawful basis, no records, no governance — appeared in David’s campaign.

What does a marketing director need to understand about the records of processing activities?

Every processing activity involving personal data must be documented in the records of processing activities under Article 30 of the GDPR, and the accountability principle in Article 5(2) means that record should exist before the processing begins, not be reconstructed afterwards. For a marketing campaign, this means the campaign itself must have an entry — covering the purpose of the processing, the lawful basis relied upon, the categories of data subjects and personal data involved, the recipients and processors (including any enrichment agency and its data sources), and the retention period. A campaign that launches without a records of processing activities entry is not a minor administrative omission. It is evidence of a governance process that did not happen. When a Supervisory Authority investigates, the absence of records is not a neutral fact — it is a finding.

The challenge for today: Walk through your last three marketing campaigns. For each one, identify where the records of processing activities entry sits, who signed off the lawful basis, and whether any data enrichment from third parties was assessed before the list was built. If any of those answers require significant effort to find, you are looking at the gap.

For more on how third-party data relationships create compliance exposure, see Beyond Legal #24 on Article 28 processor agreements, and Beyond Legal #23 on what happens when lawful basis is treated as a formality.


Article references: Article 5(1)(a) (lawfulness, fairness, transparency), Article 5(2) (accountability), Article 6 (lawful basis), Article 9 (special categories of personal data), Article 14 (information where data not obtained from the data subject), Article 17 (right to erasure), Article 21 (right to object, including the absolute right to object to direct marketing), Article 28 (processor obligations), Article 30 (records of processing activities), Article 35 (data protection impact assessment), Article 83(5) (higher-tier fines, including for infringements of Articles 5, 6 and 9). Other instruments: ePrivacy Directive 2002/58/EC, Article 13 (unsolicited communications), as transposed into national law. Case law: CJEU, OT v Vyriausioji tarnybinės etikos komisija, C-184/20, 1 August 2022.

GDPR turns ten. This is a fictitious story, part of a series of blog posts reminding us that data protection is not just an issue for the legal team. See Why the backstory of GDPR matters to read about some of the key dates and events.


Purpose and Means works with organisations on data protection strategy, governance, education and training — going beyond the legal text to focus on how things actually get done. If you’d like to discuss what this means for your company, book a call or explore our services.

Author
Tim Clements

