GDPR and Marketing — How to Run Profiling, Remarketing, Newsletter, and Lead Generation in Compliance With the Law
Digital marketing runs on personal data — from email addresses in newsletter databases, through cookies tracking website behaviour, to advanced profiling and remarketing. Each of these elements is subject to the GDPR, and errors in their use are among the most frequently sanctioned violations — both by UODO and by European supervisory authorities (particularly the French CNIL).
At the same time, marketing is an area where the line between what is permitted and what violates the GDPR can be thin. Consent or legitimate interest? When is profiling permissible, and when does it require a DPIA? Can you email people from a purchased database? Does remarketing require consent?
This article answers these questions step by step — with references to the GDPR, the Polish Telecommunications Act, the Electronic Services Act, UODO decisions, and EDPB guidelines.
Newsletter and Email Marketing — Rules
The newsletter is the most commonly used marketing tool and simultaneously one of the most frequent sources of GDPR violations.
Legal Basis
Consent (Article 6(1)(a) GDPR) — the primary legal basis for newsletters directed at new subscribers. Consent must meet Article 7 GDPR requirements: freely given, specific, informed, unambiguous, and withdrawable.
Additionally, sending commercial information by electronic means requires consent under Article 10 of the Electronic Services Act and Article 172 of the Telecommunications Act. In practice, this means a dual consent requirement — for data processing (GDPR) and for marketing contact (Electronic Services Act + Telecommunications Act). These can be combined in a single statement, provided it is clear and specific.
Exception — marketing to existing customers: Article 10(2) of the Electronic Services Act permits sending commercial information without additional consent, provided all of the following conditions are simultaneously met: contact details were obtained in connection with a sale of a product or service, the information concerns similar products or services from the same controller, the customer was informed of and given the opportunity to object, and the customer has not objected.
This is a limited exception requiring careful analysis. Under the GDPR, the legal basis for such marketing is the controller’s legitimate interest (Article 6(1)(f) GDPR), supported by a documented balancing test (LIA).
Practical Requirements
Opt-in mechanism: Consent checkbox unchecked by default. Specific wording: “I want to receive a newsletter with information about new services and legal articles to the email address provided.” Consent for the newsletter must not be bundled with other consents (e.g., terms and conditions).
Double opt-in: Recommended practice — after sign-up, the user receives an email with a confirmation link. Protects against false subscriptions and serves as evidence of consent.
Unsubscribe link: Every email must contain a visible “Unsubscribe” link. Withdrawal must be as easy as giving consent. After clicking “unsubscribe,” data must be promptly removed from the mailing list.
Consent documentation: The mailing platform (Mailchimp, GetResponse, etc.) must store evidence of consent: date, consent text, IP address, method (single/double opt-in). This is crucial in the event of a UODO audit.
Most Common Mistakes
Sending newsletters to people who did not consent — e.g., to databases acquired from conferences, business cards, or purchased lists.
Pre-ticked checkbox — invalid under CJEU Planet49 ruling.
Missing or hard-to-find unsubscribe link.
Bundling newsletter consent with terms acceptance.
No way to withdraw consent — or withdrawal requires sending an email, calling, or filling in a form.
Continued sending after withdrawal — even one email after unsubscribing is a violation.
Purchased Databases — Is It Legal?
Buying email or phone databases for marketing is one of the most common and riskiest mistakes:
GDPR perspective: The individuals in the purchased database did not consent to data processing by the buyer. The seller may have had consent — but that consent covers processing by the seller, not by the buyer. The buyer is a new controller and needs their own legal basis.
Electronic Services Act perspective: Sending commercial information requires the recipient’s consent — and that consent must refer to the specific sender. Consent given to the database seller does not authorise the buyer to make contact.
Telecommunications Act perspective: Article 172 requires the end user’s consent for marketing contact via telecommunications terminal equipment (email, phone, SMS).
Conclusion: Using a purchased database for cold emailing or cold calling is generally illegal — violating the GDPR, the Electronic Services Act, and the Telecommunications Act simultaneously. UODO has intervened in such cases on multiple occasions.
Exception — B2B contact: Contacting individuals representing companies (e.g., directors, managers) for B2B marketing purposes is subject to debate. Some supervisory authorities accept legitimate interest as a basis if the contact concerns the person’s professional activity and is proportionate. However, this requires a careful LIA and respect for the right to object.
Profiling in Marketing — When Is It Permissible?
Profiling is any form of automated processing of personal data consisting of using personal data to evaluate certain personal aspects of a natural person (Article 4(4) GDPR). In a marketing context, profiling includes: customer segmentation (age, location, purchasing behaviour), product recommendation systems, marketing scoring (assessing a customer’s purchase potential), content and ad personalisation, remarketing (displaying ads based on previous behaviour), and dynamic pricing (different prices for different users based on their profile).
Legal Basis for Marketing Profiling
Legitimate interest (Article 6(1)(f) GDPR) — Recital 47 GDPR expressly states that direct marketing may constitute a legitimate interest. Marketing profiling may rely on this basis, but requires a documented LIA and respect for the absolute right to object (Article 21(2) GDPR).
Consent (Article 6(1)(a) GDPR) — required when profiling is more invasive (e.g., combining data from multiple sources, creating detailed psychographic profiles) or involves cookies (ePrivacy).
Article 22 GDPR (automated decision-making) — if profiling leads to automated decisions with legal or similarly significant effects (e.g., automatic credit refusal, discriminatory dynamic pricing), additional requirements apply: explicit consent, contract performance, or legal provision as a basis, plus the right to human intervention, to express a view, and to contest the decision.
Profiling Obligations
The privacy notice must inform about profiling, its logic, and consequences (Article 13(2)(f) GDPR).
The individual has the right to object to marketing profiling — the objection is absolute (Article 21(2) GDPR).
A DPIA is required if profiling is carried out on a large scale or involves special category data.
Include profiling in the ROPA as a separate processing activity.
Remarketing and Retargeting — Legal Requirements
Remarketing (displaying ads to people who previously visited your website) relies on marketing cookies and tracking pixels (Facebook Pixel, Google Ads remarketing tag). Requirements:
Consent for marketing cookies — remarketing requires cookies, and marketing cookies require prior consent (ePrivacy Directive, Article 173 of the Telecommunications Act). The cookie banner must offer the option to refuse, and remarketing scripts must be blocked until consent is obtained (prior blocking).
Google Consent Mode v2 — if you use Google Ads remarketing, you must implement Google Consent Mode v2, which adjusts Google tag behaviour based on the user’s cookie banner decision.
Facebook Pixel / Meta Pixel — Meta requires advertisers to ensure user consent before activating the Pixel in the EEA. Configuration: the Pixel fires only after consent for marketing cookies is obtained.
Privacy notice — must inform about remarketing, the technologies used (cookies, pixels), data recipients (Google, Meta), and data transfers to the US.
Processing agreement / joint controllership — the relationship with Google and Meta requires an appropriate agreement. Meta requires a Joint Controller Agreement for certain advertising products.
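Prior blocking and Google Consent Mode v2, as an added example that is not from the article or from Google's or Meta's documentation: marketing tags are registered but not executed until the cookie banner reports a decision, and the same decision is forwarded through the Consent Mode v2 parameters. `gtag` is assumed to be the global Google tag function; it is stubbed here so the logic runs without a browser.

```javascript
// Added example (not from the article): consent gate for remarketing tags.
const calls = [];
const gtag = (...args) => calls.push(args); // stub standing in for the real gtag()

const deferred = [];          // tag loaders waiting for consent
let marketingConsent = null;  // null = banner not answered yet

// Consent Mode v2 default: everything denied until the user decides.
// This must run before any Google tag so no cookies are set pre-consent.
function initConsentMode() {
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
  });
}

// Register a marketing tag (Meta Pixel, Google Ads remarketing tag, ...).
// It runs immediately only if consent was already granted; otherwise it waits.
function registerMarketingTag(name, loader) {
  if (marketingConsent === true) { loader(); return 'loaded'; }
  deferred.push({ name, loader });
  return 'deferred';
}

// Called by the cookie banner with the user's marketing-cookie choice.
// Analytics consent is a separate category and is not touched here.
function updateMarketingConsent(granted) {
  marketingConsent = granted === true;
  const state = marketingConsent ? 'granted' : 'denied';
  gtag('consent', 'update', {
    ad_storage: state,
    ad_user_data: state,
    ad_personalization: state,
  });
  if (!marketingConsent) return 0; // refused: tags stay blocked, nothing fires
  const released = deferred.splice(0);
  released.forEach(t => t.loader());
  return released.length; // number of tags released
}

function pendingTags() { return deferred.map(t => t.name); }
function consentCalls() { return calls; }
```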
Lead Generation — Forms, Landing Pages, Webinars
Acquiring leads (potential customers) is a key element of B2B and B2C marketing. GDPR requirements:
Contact form / enquiry form: Legal basis: controller’s legitimate interest (responding to the individual’s enquiry) — Article 6(1)(f) GDPR. Privacy notice — beneath the form or a link to the full privacy policy. Collect minimum data — a name and email are sufficient to respond to an enquiry. Do not request data “just in case.”
Landing page with webinar sign-up / e-book download form: Legal basis: consent (Article 6(1)(a) GDPR) — the person consents to data processing for participating in the webinar or receiving the material. If you also want to send a newsletter — you need separate consent (a separate checkbox). Do not make access to the material conditional on marketing consent — this violates the voluntariness requirement.
Business cards from conferences / trade shows: The mere receipt of a business card does not constitute consent to data processing. A business card is data provided in a professional context — you may contact the person regarding the matter discussed (legitimate interest), but you cannot automatically add them to a newsletter database. Newsletter subscription requires separate consent.
CRM and B2B contact databases: Storing business contact data (name, position, company, work email) is subject to the GDPR — this is personal data. Legal basis: legitimate interest (Article 6(1)(f)) — the business relationship, but with an information obligation (Article 14 GDPR — data from another source, if not collected directly from the individual) and the right to object.
Social Media Marketing and the GDPR
Operating social media profiles (Facebook, Instagram, LinkedIn, TikTok) involves personal data processing — both by the platform and by the profile administrator.
Joint controllership with the platform: The CJEU in the Wirtschaftsakademie case (C-210/16) held that the administrator of a Facebook fan page is a joint controller of data together with Meta. This means a company operating a Facebook profile bears responsibility for user data processing — including cookies, statistics, and profiling carried out by the platform.
In practice: Meta provides a Joint Controller Agreement (Page Insights Controller Addendum). The company should accept this agreement and include information about joint controllership in its privacy notice.
Social media competitions: Organising competitions on Facebook/Instagram requires: a privacy notice for participants, competition rules, a defined legal basis (usually consent for data processing to participate), and deletion of participant data after the competition ends and prizes are awarded (unless the participant consented to further processing).
Ad targeting: Using ad targeting tools (Facebook Ads, LinkedIn Ads) relies on platform users’ personal data. The advertiser configures targeting parameters (age, location, interests), and the platform selects the audience. Legal basis on the advertiser’s side: legitimate interest (direct marketing). On the platform’s side: user consent (platform terms) or legitimate interest.
Custom Audiences (customer lists): Uploading email address lists to advertising platforms (Facebook Custom Audiences, LinkedIn Matched Audiences) for targeting ads to existing customers requires: a legal basis (legitimate interest + LIA), informing individuals about this processing in the privacy notice, a processing agreement or joint controller agreement with the platform, and secure transmission (hashing data before upload).
Telephone and SMS Marketing
Telephone and SMS marketing contact is subject not only to the GDPR but also to the Telecommunications Act:
Article 172 of the Telecommunications Act requires the prior consent of the subscriber or end user for using telecommunications terminal equipment (phone, SMS) for direct marketing purposes.
Objection registers: Before making a marketing call, check whether the number is on a marketing objection register.
Call recording: If you record telephone conversations with customers, this must be included in the privacy notice, and the person must be informed about recording at the start of the call.
Marketing and Children
Marketing directed at children is subject to special restrictions:
Article 8 GDPR — for information society services offered directly to a child, consent-based processing is lawful if the child is at least 16 years old (in Poland, this threshold is set at 16 by the Data Protection Act). Below this age, parental consent is required.
Profiling children — the EDPB in its profiling guidelines indicates that profiling children for marketing purposes is generally impermissible due to their particular vulnerability.
Behavioural advertising — targeting behavioural ads at children (based on profiling) is subject to particular regulatory criticism and may violate the GDPR.
Marketing Data Retention
Marketing data should not be stored indefinitely. Retention principles:
Newsletter: Until consent is withdrawn. After withdrawal — prompt removal from the mailing list.
Contact form data: A reasonable period — e.g., 12 months from the last contact.
Competition data: Until the competition ends, prizes are awarded, and the complaint period expires.
Cookie data: Depends on the cookie type — from session (session cookies) to 13 months (CNIL recommendation for analytics and marketing cookies).
CRM data (B2B contacts): For the duration of the active business relationship + a reasonable period after it ends (e.g., 3 years from the last contact — legitimate interest). After this period — deletion or re-obtaining consent.
Profiling data: A proportionate period — the more invasive the profiling, the shorter the retention period.
Checklist — GDPR in Marketing
- Newsletter: checkbox unchecked by default, double opt-in, unsubscribe link in every email, consent documentation.
- Do not buy databases for cold emailing — it is illegal.
- Marketing cookies: prior blocking, banner with equivalent options, Google Consent Mode v2.
- Profiling: disclose in privacy notice, respect objections, conduct DPIA at large scale.
- Remarketing: activate pixels only after consent for marketing cookies.
- Lead generation: separate marketing consent, do not bundle with content access.
- Social media: accept the joint controller agreement, inform about platform cookies.
- Custom Audiences: hash data before upload, disclose in privacy notice.
- Telephone marketing: obtain consent under Telecommunications Act, check objection registers.
- Retention: define marketing data retention periods, implement automatic deletion.
- LIA: conduct a balancing test for marketing based on legitimate interest.
- Privacy notice: include all marketing purposes, recipients, transfers, and profiling.
- ROPA: include marketing processes as separate processing activities.
- Training: train the marketing department on GDPR — they are the most frequent source of mistakes.
Need a GDPR Marketing Audit?
Marketing is the highest-risk GDPR area — cookies, newsletters, profiling, remarketing, social media — each element requires legal compliance. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we conduct GDPR marketing audits — from cookies and consent banners, through newsletters and profiling, to social media and remarketing.

Contact us — we will check whether your marketing is GDPR-compliant.
