One of the points of the „E-mail marketing 2010” Conference was a presentation devoted to the issue of cooperating with e-mail marketing agencies, in terms of entrusting the processing of personal data. The presenter, Michał Sztąberek, the president of iSecure Sp. z o.o., was speaking about a number of concerns, including the way the data administrator should collect natural persons’ data, which will later be used for marketing purposes (as well as to send business information to the obtained e-mail addresses). Among the key issues, the following elements were mentioned:
- collecting a clear permission for the processing of personal data for marketing purposes (one that is not a part of other declaration),
- recording the permission for evidential purposes (especially in relation to the use of an e-mail address to send business information to it),
- collecting personal data within limits that are essential (adequate) to achieve the marketing aim.
The second part of the presentation pointed out the most important questions related to creating an agreement on entrusting the processing of data, mentioned in article 31 of the Personal Data Protection Act. During the presentation, it has been emphasised that only such an agreement formally authorises an e-mail marketing agency to process personal data entrusted to it by the personal data administrator in order to implement services provided by the agency.
As it was pointed out at the session, the most significant components of the entrustment agreement are:
- identifying the purpose of data processing (the purpose is identified by the data administrator, and the agency providing its services is bound by it),
- indicating the range of the processed data (the data administrator determines what categories of data will be processed by the e-mail marketing agency on the basis of the contract),
- commitment of the e-mail marketing agency to take the necessary organisational and technical measures which will ensure security of the entrusted data (e.g. the agency has the duty to tick to a security policy, instructions on how to manage the information system serving for personal data processing, logical protection that is relevant to threats, e.g. firewalls on servers, encoding data that is processed on laptops and notebooks).
Useful optional provisions that should be included in this type of agreement have also been identified. Among them, the speaker has mentioned e.g.
- a precise definition of responsibilities of both parties of the agreement on entrusting data processing,
- issues connected with the way of transmitting data and deleting the data when the cooperation is terminated,
- the fact that the data administrator can guarantee control rights for himself, in relation to implementation of the provisions of Personal Data Protection Act by the agency.