Marketing Data Protection FAQs

This page is a summary guide to some of the most common Data Protection questions relating to Marketing raised by UCC staff. For more detailed advice, please refer to the data protection webpages (see www.ucc.ie/en/gdpr and www.ucc.ie/en/ocla/comp/data/).

Collecting Data

  1. What is Direct Marketing?
  2. What do I need to do if I want to capture people’s information using an online form?
  3. Should the data protection notice appear before users fill out the form?
  4. Can I use a pre-ticked box for consent?
  5. Is a statement of submission sufficient or do I need an opt-in box as well?
  6. Do I need to include a link to UCC’s website privacy statement on data collection forms?
  7. Can I use layering for displaying the Data Protection Notice?
  8. Is “please tick here if you do not wish to receive such communications” still ok?
  9. Can I still use an external marketing company to capture people’s information in an on-line form?
  10. Is there anything I should add to forms on e-shots and e-zines for people signing up?
  11. Is there a limit on what information I can ask people for?

What is Direct Marketing?

Direct marketing is broadly defined as sending individuals information about future events, newsletters, or other information promoting an activity, product or service. Specific rules apply if this is sent electronically and to people with whom the University does not have an existing relationship (this will usually apply to third parties such as prospects, customers and visitors).

What do I need to do if I want to capture people’s information using an online form?

A Data Protection Notice should be provided at the point at which the data is collected from a person (e.g. when they are completing an online form).  See Data Protection Notice Procedure and template for further information.

Should the data protection notice appear before users fill out the form?

Yes. The Data Protection Notice must appear before the user submits their information.

Can I use a pre-ticked box for consent?

No. Consent now requires a positive opt-in. You cannot use any method of default consent, including pre-ticked boxes.

Is a statement of submission sufficient or do I need an opt-in box as well?

It should be clear to the individual that by submitting their details they are consenting to their data being used in a particular way (set out in your data protection notice). This may take the form of a “submit” or “opt-in”/tick box.

Do I need to include a link to UCC’s website privacy statement on data collection forms?

Yes. See https://www.ucc.ie/en/it-policies/policies/privacy/

Can I use layering for displaying the Data Protection Notice?

Yes. For example, you could have a three-layered approach to supplying the Data Protection Notice:

  1. Headline question (“how will we use the information about you?”)
  2. Collapsible info about processing and sharing
  3. Hyperlink to the full Data Protection Notice

Is “please tick here if you do not wish to receive such communications” still ok?

If it is the first communication you have with people (i.e. the point at which you are collecting personal data) then you must seek positive opt-in consent. Thereafter, once you have consent, you must offer an unsubscribe option.

Can I still use an external marketing company to capture people’s information in an on-line form?

Yes, but there should be a contract in place clarifying the roles of both UCC and the marketing company (e.g. is the external marketer a data controller or processor, and which party is obtaining the necessary consent(s) to permit the activity to take place). A data protection notice will need to be provided to the data subject to let them know what data was received from the external marketer (see Data Protection Notice Procedure and template).

Is there anything I should add to forms on e-shots and e-zines for people signing up?

A Data Protection Notice should be provided at the point at which the data is collected from a person. See Data Protection Notice Procedure and template for further information.

Is there a limit on what information I can ask people for?

Data minimisation is a key data protection principle, i.e. you can only capture as much personal data as you need to support the stated purpose in the Data Protection Notice. For example, if the stated purpose is to send e-mails about future courses, then you do not need to capture the individual’s phone number.

Managing Data

  1. Do I need to include a link to UCC’s website privacy statement on email communications?
  2. If a subscriber opts out of communications with a particular school/unit, does that impact on other schools?
  3. If a subscriber opts in to receive information through two channels of communication, if they opt out of one can we still use the other?
  4. Can we share conference attendees’ details with other conference attendees?
  5. Can I send press releases to journalists whose contact details are available on-line?
  6. What are the social media management implications under GDPR?
  7. Are there any changes to cookies and Google Analytics?
  8. Where can I get further information?

Do I need to include a link to UCC’s website privacy statement on email communications?

No. The website privacy statement only refers to interactions that users have with the UCC website. However, you do need to include a data protection notice or a link to one.

If a subscriber opts out of communications with a particular school/unit, does that impact on other schools?

You must make it clear in the unsubscribe declaration exactly what the person is unsubscribing from. E.g. “If you no longer wish to receive emails from the School of X, please click the unsubscribe button below”.

If a subscriber opts in to receive information through two channels of communication, if they opt out of one can we still use the other?

Yes, as long as the unsubscribe declaration made it clear what they were unsubscribing from. 

Can we share conference attendees’ details with other conference attendees?

They should be notified in advance via a data protection notice. Attendees should be asked if they wish to opt-in to share their details with other attendees.

Can I send press releases to journalists whose contact details are available on-line?

These are unsolicited messages so you must include an option for them to unsubscribe each time you email them.

What are the social media management implications under GDPR?

Data protection notices will need to be provided to people if you collect and process information from their social media page (see Data Protection Notice Procedure).

Are there any changes to cookies and Google Analytics?

The law around cookies remains the same: you must notify people if you are using them. See UCC’s Cookie Statement.

Where can I get further information?

The Data Protection Commission provides further information on its website. See https://www.dataprotection.ie/docs/DIRECT-MARKETING-A-GENERAL-GUIDE-FOR-DATA-CONTROLLERS/905.htm

For information on form handling and the CMS, see https://www.ucc.ie/en/dewg/resources/forms/

Office of Corporate and Legal Affairs

Oifig um Ghnóthaí Corparáideacha agus Dlíthiúla

1st Floor, East Wing, Main Quadrangle,