The three parties most closely involved in address trading are the information owner (the seller), the information purchaser and the list broker. As the name suggests, the list broker is a go-between or mediator who brings together supply and demand in selected address information. The information owners sell the information in their client management database, usually in the form of address lists. In most cases, this information is intended for use on only one occasion. The information owners will wish to know in advance exactly what the address lists are to be used for. Sometimes a company will appoint a 'list manager' to maintain contact with other companies who may be interested in the information they possess. It is possible that one and the same company will act as both list manager and list broker. The information purchaser buys address lists in order to conduct a direct marketing activity.
The Personal Data Protection Act (Wet bescherming persoonsgegevens) requires each of these three parties to ask themselves a particular question.
- The information owner who wishes to make address lists available to others must ask whether it is indeed permissible to do so for direct marketing purposes.
- The list broker must establish his exact legal position, as this will determine his further rights and responsibilities.
- The information purchaser must ask himself how he can fulfil all the requirements of the Personal Data Protection Act.
The information owner
A company may sell the addresses in its customer database to other companies, for direct marketing activities. According to the Personal Data Protection Act, the purpose for which the information is to be used must not conflict with that for which it was originally obtained. In legal terms, this is known as the 'purpose limitation principle'. What conditions must the information owner fulfil when selling addresses? First, it must produce a detailed statement of the purpose for which addresses are to be used. It must also notify the customers of this purpose. If passing on the addresses is 'compatible' with the purpose for which they were originally obtained, it is permissible to do so provided all other requirements of the Personal Data Protection Act are fulfilled.
If the company has not specified the purpose for which addresses have been obtained, or if the proposed transfer is not clearly compatible with the original purpose, the transaction must be examined to establish that there is no conflict of interests. The Act lists a number of points to be considered.
One important aspect is the criteria used to select a 'target group' of customers, such as age, area or income level. Such information affects the nature and the sensitivity of the information. Even where only names and addresses are supplied, any selection applied will affect the degree to which the customer's privacy can potentially be invaded. Some selection criteria will have a greater effect than others. To approach someone as 'one of the richest people in the country' with advertising material for an investment fund is rather more intrusive than, say, a general mailshot sent to women between 25 and 50 announcing a new magazine for working women.
Other points which affect compatibility include the relationship between the purpose for which the information was originally obtained and that for which it is now to be used, the consequences of any transaction for the customers themselves, the manner in which addresses were originally obtained and the measures (such as the customer's right to object to information being passed on) which the information owner has adopted to safeguard his customers' privacy. The result of the compatibility test, when conducted thoroughly, will determine whether a transaction involving the addresses is permissible under the current circumstances.
The list broker
The list broker must be aware of the role he is playing within the transaction, since this will determine the rules which apply to him. The legal position of the list broker is determined by the activities he undertakes. In certain situations, the Personal Data Protection Act will not apply to the list broker at all. For example, if he is dealing in aggregated information concerning the nature of address lists, and those lists then pass directly from the information owner to the information purchaser, the list broker is not actually dealing in personal data and the Act does not apply to him.
However, in most cases the Personal Data Protection Act will cover the list broker's activities. The degree to which it applies, and the rules which govern the broker's dealings, will depend on whether he can be regarded as the legal controller for the information at any stage. This will be the case if he conducts any activities which fall outside the direct instructions issued to him by the information purchaser, whereupon the broker will be subject to the same rules and regulations as the other parties involved.
In most cases, the list broker is acting on behalf of the company which wishes to obtain the address lists. Legal responsibility then remains with that company, being his controller. The broker is responsible for the conscientious performance of his instructions, but cannot be held accountable for the safe custody of the information itself. Unlike the information purchaser, he is not required to provide any information regarding the use of the information unless his contract with the controller states otherwise. There must always be a written contract between the broker and the information purchaser establishing the exact division of responsibility for the information.
The information purchaser
It is the information purchaser's responsibility to tell customers that he has obtained their addresses and to inform them exactly what he intends to do with those addresses. Under the Personal Data Protection Act, he is required to do so immediately upon receipt of the address lists, unless those concerned have already been informed (by the original information owner). In theory, this means that the information purchaser must send a letter to the customers on the list informing them that he intends to send them another letter containing advertising material. This is clearly an unworkable situation.
The Dutch Data Protection Authority accepts that the requirement to inform customers immediately is not a 'reasonable expectation' in the legal sense, and the Personal Data Protection Act does allow this step to be postponed. The information purchaser is not absolved of this responsibility altogether, but is permitted to inform customers that he has obtained their personal data at the same time as he sends the advertising material itself. It is in the interests of all concerned if the relevant mailshot is sent as soon as possible following receipt of the address lists.
For both the public and the companies dealing in addresses, it is important that the requirements of the Personal Data Protection Act are observed in full. This is mutually beneficial: the customer then knows exactly what is being done with his personal information, while the businessman is assured of satisfied customers.