Nederlands
English

home

Search

Newsletter

Back to Newsletter February 2009

On 3 December 2008 the Dutch Independent Post and Telecommunications Authority (Onafhankelijke en Post en Telecommunicatie Autoriteit ("OPTA")) and the Dutch Data Protection Authority (College Bescherming Persoonsgegevens ("CBP")) jointly ended the existing insecurity and ruled on the 'tell-a-friend' systems. In this ruling, OPTA and the CBP deem the offering of 'tell-a-friend' systems to be lawful, if certain conditions are met. In this article we will list the conditions under which 'tell-a-friend' systems can be offered lawfully.

'Tell-a-Friend' Systems?
A 'tell-a-friend' system denotes a means or method that is used to persuade an internet user on a website to pass on a message to friends and relations. This may concern various messages: interesting vacancies, news facts or an invitation to play a game. A related form of marketing is 'viral marketing'.

The 'tell-a-friend' systems which are being offered online can have various shapes and the systems can also be implemented in various ways. That is why OPTA and CBP have limited their ruling to the 'tell-a-friend' systems that meet the following cumulative conditions:

1. first, an internet user passes the e-mail address of a third party (relation or friend) on to the controller of the website by simply entering the e-mail address on the website of the data controller, and
2. the controller then sends an e-mail to the provided e-mail address or e-mail addresses.

(Un)lawfulness of the 'Tell-a-Friend' Systems
In view of the fact that the above-mentioned 'tell-a-friend' systems constitute a form of electronic communications within the meaning of the Dutch Telecommunications Act (Telecommunicatiewet ("Tw")), the provisions of Sections 11.7 and 11.8 of the Tw must be complied with. The 'tell-a-friend' systems are furthermore a processing of personal data that must meet the provisions of Sections 6, 7, 8, 9 and 13 of the Dutch Data Protection Act (Wet bescherming persoonsgegevens ("Wbp")).

(Un)lawfulness Pursuant to the Tw
Pursuant to Section 11.7 of the Tw, the unsolicited sending of e-mails for commercial, non-commercial or charitable purposes is not allowed without the demonstrable, prior consent of the recipient. The relations and friends to whom unsolicited messages are sent through 'tell-a-friend' systems have not given their demonstrable, prior consent. As a result, the messages that have been sent through such a 'tell-a-friend' system are, in principle, a violation of the ban on spam of Section 11.7 of the Tw.

Although the 'tell-a-friend' systems in principle constitute a violation of the ban on spam of Section 11.7 of the Tw, OPTA and the CBP think that the 'tell-a-friend' systems are nevertheless lawful under certain conditions. In this respect, OPTA and the CBP have an eye for the difference between commercial and personal communication. 'Tell-a-friend' systems are in the gray area between personal and commercial communication.

Pursuant to the joint standpoint of OPTA and the CBP, a controller of a website may indeed offer 'tell-a-friend' systems lawfully if the provider:

1. only plays a facilitating role; and
2. because it concerns communications of a mainly personal nature.

The following three conditions must be met for the communication to be regarded as communication of a mainly personal nature:

1. the communication takes place entirely at the internet user's own initiative. The controller of the website does not hold out the prospect of any (chance of) reward or other advantage, neither to the sender nor to the recipient.
2. it must be clear to the recipient who the initiating internet user of the e-mail is. This gives the recipient the possibility to tackle the initiator.
3. the internet user must have the opportunity to read the entire message that is sent in his or her name before he or she decides to send it, in such a way that he or she can take responsibility for the contents of the message.

(Un)lawfulness Pursuant to the Wbp
In order to be able to generate messages through 'tell-a-friend' systems, a processing by the provider of the system of the e-mail addresses of the recipients is required in any case. In most cases these e-mail addresses are personal data within the meaning of the Wbp. In Section 1 under a of the Wbp, personal data are defined as any information relating to an identified or identifiable natural person. In most cases a person can be identified by means of an e-mail address, with the exception of functional e-mail addresses (for instance info@cbpweb.nl). In view of the fact that there is processing of personal data, this processing must comply with the requirements of the Wbp.

Lawful and careful processing
For instance, Article 6 of the Wbp provides that the personal data shall be processed in accordance with the law and in a careful manner. In this respect, the concept of "law" also refers to the Tw. Because the sending of e-mails by means of 'tell-a-friend' systems is in principle in conflict with the Tw, the processing of e-mail addresses is unlawful under the Wbp too, unless the e-mail is sent mainly for personal purposes and therefore qualifies as a communication of a mainly personal nature (see above).

Purposes and grounds
In addition, the controller may only collect the personal data for well-defined, explicitly described and legitimate purposes (Section 7 of the Wbp) and the controller must have a ground for the processing (Section 8 of the Wbp). According to the joint ruling of OPTA and the CBP, the controller who is offering a 'tell-a-friend' system does not have a justified purpose for the collection of the e-mail addresses of the recipients. The controller does not have a basis either for processing the personal data for the benefit of sending the unsolicited e-mails.

When is a 'tell-a-friend' system considered lawful under the Wbp?
In view of the above, in their ruling OPTA and the CBP have listed the conditions under which the 'use' of the personal data of the recipients by the controller who is offering the 'tell-a-friend' system is still lawful under the Wbp.
These conditions are:

1. the controller may only use the personal data entrusted to him by the sender (in this case the internet user) for sending a (one-off) message of a mainly personal nature (see above).
2. the controller may not store the personal data of the addressees, or process these data in any other way. Consequently, sending a reminder to the addressees is not allowed either.
3. moreover, the controller shall take the required technical and organizational measures to protect personal data against loss or unlawful processing. For instance, the provider of a 'tell-a-friend' system must take the necessary measures to protect the system against abuse, such as the automated sending of spam.

Conclusion
The ruling of OPTA and the CBP has ended the prevailing legal uncertainty about whether or not the nature of 'tell-a-friend' systems is lawful. For practice this implies that many website holders will have to verify whether their 'tell-a-friend' system meets the above-mentioned conditions. If a 'tell-a-friend' system does not meet this condition in the future, our expectations are that OPTA and the CBP will enforce the law at some point in time.

Hester de Vries
Tel: +31 20 5506 657

E-mail: hester.de.vries@kvdl.nl





Nicole Wolters Ruckert
Tel: +31 20 5506 646
E-mail: nicole.wolters.ruckert@kvdl.nl