Lawful Christmas greetings in the UK

Sending Christmas greetings – whether by e-mail or post – is a tradition for many companies and is part of good manners. In these increasingly difficult economic times, Christmas greetings are even more important to maintain business and customer relationships.

But beware: When you send out Christmas greetings, you are processing personal data. Therefore, as when sending newsletters or other information, the United Kingdom General Data Protection Regulation (UK GDPR) must be observed.

In addition, the UK regulations governing marketing must be taken into account, namely the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). The coming reform of the UK data protection law next year also sees the fines for breaches of the PECR being raised. Breaches of the PECRs rules shall be fined in accordance with the UK GDPR and Data Protection Act 2018, meaning that fines of up to £17.5 million or 4% of a business’s global turnover for breaches of certain regulations under PECR are possible. Currently fines are capped at £500,000.

So, consider this year´s Christmas greetings a last test run to get everything in order before sending out next year´s Christmas greetings as a non-conformity next year may be very costly.

Marketing regulations

In the UK direct marketing is regulated by the PECR which define all direct marketing as, “the communication (by whatever means) of advertising or marketing material which is directed to particular individuals”.

Christmas greetings thus count as direct marketing in the UK. Below we shall explain how you may send Christmas greetings in a compliant manner.

Christmas greetings by e-mail

Consent is required in terms of Art. 6 (1) (a) UK GDPR from the recipient in order to send them direct marketing messages, such as Christmas greetings, by means of e-mail. It is therefore recommended to send Christmas greetings directly by e-mail as part of an existing newsletter in order to avoid the need for separate consent for Christmas greetings.

Alternatively, the PECR provide for a so-called soft opt-in by the recipient. The soft opt-in applies to existing customers and is an exception to the general prohibition against direct marketing via e-mail. Marketing e-mails may be sent to existing customers if:

  • the contact details of the recipient have been obtained in the course of a sale (or negotiations for a sale) of a product or service to that person;
  • the e-mails are only marketing the company´s own similar products or services;
  • the recipient is given an opportunity to refuse or opt-out of the marketing, when their contact details are collected and in every received marketing e-mail thereafter; and
  • the recipient has not objected to the marketing.

When sending Christmas greetings via e-mail based on a soft-opt in, the legal basis for processing the personal data is your legitimate interest according to Art. 6 (1) (f) UK GDPR. The legitimate interest can be demonstrated by Regulation 22 of the PECR. If the conditions of the soft-opt in are not met, it is highly recommended to send the Christmas wishes by newsletter (if consent has been given) or by post.

Christmas greetings by post

No consent from the recipient is required for sending Christmas greetings by post. Sending by post is permissible if there is a legitimate interest in accordance with Art. 6 (1) (f) UK GDPR for the data processing and the rights and freedoms of the data subjects do not prevail.

As stated above already, Christmas mail serves to maintain business and customer relations, something in which companies have a legitimate interest. A balancing of the conflicting interests will therefore regularly turn out in favour of the company responsible.

However, one should screen the addresses to see whether any of them are registered with the Mailing Preference Service (MPS). If so, these addresses do not wish to receive unsolicited advertising material by mail, including Christmas cards. These addresses should not be contacted.

General marketing rules under the UK GDPR

Information duties also apply to Christmas greetings

Regardless of whether you send your Christmas greetings by e-mail or post, you must always inform about the data processing when the data is collected (Art. 13 UK GDPR). Therefore, at the first customer contact, the use of the provided data for sending Christmas greetings should be pointed out and the customer sufficiently informed. Remember to attach the necessary information to the Christmas greetings via a link or QR code, for example.

Right of objection

In addition, the responsible company must inform the customer about the right to object within the meaning of Art. 21 (2) UK GDPR within the information letter / privacy policy at the time of the first communication both by e-mail and by post, if not earlier. If the customer has objected to the use of his/her data, they may no longer be sent a Christmas greeting.

Right of withdrawal

If you use the legal basis of consent, i.e. if you send your Christmas greetings as part of a newsletter or have obtained consent for sending Christmas greetings by e-mail, it is also essential to refer to the right to withdraw the consent given when contacting the customer. It is important that the withdrawal is no more complicated than the giving of the consent. One possibility is to provide an unsubscribe link in the footer of the e-mail.

Conclusion: Christmas greetings are to be handled like direct marketing communications

Whether sending out Christmas greetings in your company, always observe the regulations of the UK GDPR and the marketing regulations on sending out direct marketing communications. Above all, remember to provide your privacy policy and information in accordance with Art. 13 UK GDPR. Then nothing will stand in the way of a peaceful Christmas.

Secure your business

Receive flexible support for your data protection teams and officers in companies and corporations.