- Back to Data Protection
- GDPR Overview
- Key GDPR Changes
- Data Protection Notices
- UCC's GDPR Project
- Individual Rights
- Data Security Breaches
- Privacy by Design & Default
- Data Protection Impact Assessments (DPIA's)
- Frequently Asked Questions
- Training and Resources
- Contact Information
Marketing Data Protection FAQs
This page is a summary guide to some of the most common Data Protection questions relating to Marketing raised by UCC staff. For more detailed advice, please refer to the data protection webpages (see www.ucc.ie/en/gdpr and www.ucc.ie/en/ocla/comp/data/)
- What is Direct Marketing?
- What do I need to do if I want to capture people’s information using an online form?
- Should the data protection notice appear before users fill out the form?
- Can I use a pre-ticked box for consent?
- Is a statement of submission sufficient or do I need an opt-in box as well?
- Do I need to include a link to UCC’s website privacy statement on data collection forms?
- Can I use layering for displaying the Data Protection Notice?
- Is “please tick here if you do not wish to receive such communications” still ok?
- Can I still use an external marketing company to capture people’s information in an on-line form?
- Is there anything I should add to forms on e-shots and e-zines for people signing up?
- Is there a limit on what information I can ask people for?
Direct marketing is broadly defined as sending information about future events, or newsletters or other information promoting an activity, product or service to individuals and specific rules apply if this is sent electronically and to people that the University does not have an existing relationship with (this will usually apply to third parties such as prospects, customers and visitors).
A Data Protection Notice should be provided at the point at which the data is collected from a person (e.g. when they are completing an online form). See Data Protection Notice Procedure and template for further information.
Yes. The Data Protection Notice must appear before the user submits their information.
No. Consent now requires a positive opt-in. You cannot use any method of default consent, including pre-ticked boxes.
It should be clear to the individual that by submitting their details they are consenting to their data being used in a particular way (set out in your data protection notice). This may take the form of a “submit” or “opt-in”/tick box.
Yes. For example, you could have a three layered approach to supplying the Data Protection Notice:
- Headline question (“how will we use the information about you?”)
- Collapsible info about processing and sharing
- Hyperlink to the full Data Protection Notice
If it is the first communication you have with people (i.e. the point at which you are collecting personal data) then you must seek positive opt-in consent. Thereafter, once you have consent, you must offer an unsubscribe option.
Yes, but there should be a contract in place clarifying the roles of both UCC and the marketing company (e.g. is the external marketer a data controller or processor, and which party is obtaining the necessary consent(s) to permit the activity take place). A data protection notice will need to be provided to the data subject to let them know what data was received from the external marketer (see Data Protection Notice Procedure and template).
Data minimisation is a key data protection principle. i.e. You can only capture as much personal data as you need to support the stated purpose in the Data Protection Notice. E.g. if the stated purpose is to send e-mails about future courses then you do not need to capture the individual’s phone number.
- Do I need to include a link to UCC’s website privacy statement on email communications?
- If a subscriber opts out of communications with a particular school/unit, does that impact on other schools?
- If a subscriber opts in to receive information through two channels of communication, if they opt out of one can we still use the other?
- Can we share conference attendees’ details with other conference attendees?
- Can I send press releases to journalists whose contact details are available on-line?
- What are the social media management implications under GDPR?
- Are there any changes to cookies and google analytics?
- Where can I get further information?
No. The website privacy statement only refers to interactions that users have with the UCC website. However, you do need to include a data protection notice or a link to one.
You must make it clear in the unsubscribe declaration exactly what the person is unsubscribing from. E.g. “If you no longer wish to receive emails from the School of X, please click the unsubscribe button below”.
Yes, as long as the unsubscribe declaration made it clear what they were unsubscribing from.
They should be notified in advance via a data protection notice. Attendees should be asked if they wish to opt-in to share their details with other attendees.
These are unsolicited messages so you must include an option for them to unsubscribe each time you email them.
Data protection notices will need to be provided to people if you collect and process information from their social media page (see Data Protection Notice Procedure).
The law around cookies remains the same – you must notify people if you are using them – see UCC’s Cookie Statement
The Data Protection Commission provides further information on its website. See
For information on form handling and the CMS see https://www.ucc.ie/en/dewg/resources/forms/