Have We Given Our Youth for GDPR?


Old News, New Rules

Although first mentioned back in 2016, the Regulation came into effect in European Union countries in 2018. In addition to GDPR privacy updates, email marketing implements each change. If you thought it through and made the decision to comply with GDPR, you’ve done the right thing.

And How Did the Companies Prepare?

Until recently, there were different ways of building newsletter databases: gathering emails by offering users a free download, building a database of customers who’ve visited online shops, or adding contacts from participant lists of conferences, training courses or seminars. There have also been cases of illegal practices, i.e., selling and buying contacts.

In the last month, we’ve received various emails from companies asking for permission to keep sending us their newsletters in the future. If the databases were collected legally, in compliance with the new GDPR regulation (users provided their email addresses or gave consent to receive updates about products or services that may interest them; there’s a legitimate interest in contacting them), it’s not necessary to ask for user permission to keep them on the mailing list. It is recommended to send users a “reminder” about what data we have about them, how and why we use and store it, and it’s always good to provide the possibility of opting out of the list.

Depending on the email collection method, some companies only sent a notification, others asked for new user consent to keep them on the list, and there were companies that segmented their recipients from scratch. Some deleted their mailing databases out of fear, being aware they’re not GDPR compliant. Here are a few examples of good and bad practices.

Samsung – Stay in the Loop

Even though the company doesn’t usually send many newsletters, they sent mobile users an email highlighting the updated privacy rules (http://www.samsung.com/hr/info/privacy/). But they forgot to include the opt-out option, so users cannot unsubscribe from the list by themselves, and the message was sent from the “no-reply@m4.email.samsung.com” address, which doesn’t accept replies. So users were left with no options or insights about which data the company stores about them…

My job

A newsletter example where the company sends a notification saying that its handling of personal data has always been compliant with GDPR, offering a link to the Terms of Use and including the option to edit your profile and choose what info you want to receive and how often. But there is no “Sign out” link, so deactivating the newsletter requires visiting the web page.


A newsletter example that includes all required info and options. This company has gathered personal data from its users in the correct and legitimate way from the start, so there was no need to ask for permission.


We believe that IKEA has been taking care of correct data gathering, processing and storing, so their newsletter doesn’t ask for permission. Instead, users were provided with a link to the updated Privacy Policy, as well as to their user profile in case they wanted to edit it. Unsubscribing via the newsletter is not possible – you have to do it on your profile.


The newsletter is humorous in tone, but is it legitimate? It invites users not to do anything if they want to stay on the mailing list. The other option is to unsubscribe using the button at the bottom. If the email addresses have been collected in compliance with GDPR so far, this could do. If not, the practice is not GDPR-compliant because users cannot passively give permission for data usage.

Culture trip’s

Another company that only sent the updated Privacy Policy to its users. If the email database was previously built in compliance with GDPR, this notification is enough for users.


Wizz provided users with a newsletter asking for permission to keep them on the list, but the content doesn’t specify whether the company is only asking for consent or for user segmentation, which doesn’t comply with the GDPR requirement for clear communication with users. In addition to a clumsy “subscribe” option, users are provided with a link to the updated Privacy Policy.


Unfortunately, another bad example of user notification. Instead of asking for user permission to keep them on the list, there was an “unsubscribe” option in case users didn’t want to receive the newsletter anymore. The newsletter ends with a really weird “we apologize for GDPR spam”.


A clear newsletter with info about what the users receive and how they can change it. There is a link to the data update and the Privacy Policy, and the newsletter provides an email address that users can use for potential questions. The company was clearly taking care to properly handle personal user data and its usage.

Just a Little More Time

As far as Serbia is concerned, we still have to wait for the harmonization of laws with EU regulations and GDPR, when we’ll see how it will be applied in practice.

By: Lidija Mirić, Account Manager, Pioniri Zagreb