COMPLIANCE OF SMS AND EMAIL MARKETING UNDER GDPR AND CYPRUS LAW
1. INTRODUCTION
This article provides a comprehensive analysis of the regulatory framework governing SMS and email marketing within the European Union, with a specific focus on the Republic of Cyprus. It outlines the key legal obligations for organisations engaging in direct marketing via electronic communications and offers practical guidance for compliance with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), Cyprus Law 125(I)/2018 (implementing GDPR), and Cyprus Law 112(I)/2004 (implementing the e-Privacy Directive 2002/58/EC). The article also considers emerging regulatory developments, such as the proposed e-Privacy Regulation, and related frameworks like the Digital Services Act (DSA) and Digital Markets Act (DMA), which may indirectly impact marketing practices. It concludes with a Frequently Asked Questions (FAQ) section addressing common compliance queries and recommended practices to ensure robust adherence to the law.
2. RELEVANT LEGISLATION
2.1 General Data Protection Regulation (GDPR)
The GDPR applies to the processing of personal data, including for marketing purposes, by controllers or processors established in the EU or targeting EU data subjects (Article 3). It establishes principles of data protection (Article 5), lawful bases for processing (Article 6), and obligations regarding consent (Article 7), transparency (Articles 12–14), and data subject rights (Articles 15–22).
2.2 Law 125(I)/2018 – Cyprus Implementation of GDPR
Cyprus’s Law Providing for the Protection of Natural Persons with Regard to the Processing of Personal Data and for the Free Movement of Such Data (125(I)/2018) supplements the GDPR. It empowers the Office of the Commissioner for Personal Data Protection with enforcement, investigatory, and supervisory authority, while specifying local procedures and sanctions for non-compliance.
2.3 Law 112(I)/2004 – Regulation of Electronic Communications
The Regulation of Electronic Communications and Postal Services Law (112(I)/2004) implements the e-Privacy Directive (2002/58/EC) in Cyprus. It governs the use of electronic communications for direct marketing, mandating prior consent for marketing to natural persons, ensuring sender transparency, and providing opt-out mechanisms (Article 13).
2.4 Proposed e-Privacy Regulation
As of April 9, 2025, the e-Privacy Regulation, intended to replace the e-Privacy Directive, remains in draft form. If adopted, it may introduce stricter rules on consent, tracking technologies, and unsolicited communications. Organisations should monitor updates via the European Data Protection Board (EDPB) or the Cyprus Commissioner.
2.5 Other Relevant Frameworks
- Digital Services Act (DSA): Regulates online intermediaries, potentially affecting marketing platforms’ transparency and accountability obligations.
- Digital Markets Act (DMA): Impacts large digital gatekeepers, which may influence marketing practices for organisations relying on such platforms.
3. LEGAL REQUIREMENTS FOR DIGITAL MARKETING
3.1 Lawful Basis – Consent as the Standard
Under Article 6(1)(a) GDPR and Article 13 of the e-Privacy Directive (implemented by Law 112(I)/2004), marketing via SMS or email generally requires the prior consent of the data subject. Unlike general data processing, legitimate interest (Article 6(1)(f) GDPR) is not a valid basis for unsolicited electronic communications, as confirmed by EDPB guidance and supervisory authority decisions (e.g., France’s CNIL).
3.2 Valid Consent under Article 7 GDPR
Consent must meet the following criteria:
- Freely given: Without coercion or as a condition for unrelated services.
- Specific: Targeted to a defined marketing purpose (e.g., separate consent for SMS, email, or campaign types).
- Informed: Individuals must understand the scope and consequences of consent, supported by clear privacy notices.
- Unambiguous: Requires an active opt-in (e.g., ticking an unchecked box; pre-ticked boxes or silence are invalid).
- Granular: Consent must be distinct for different processing activities (e.g., promotional vs. informational marketing).
The data controller bears the burden of proving valid consent (Article 7(1) GDPR). Per EDPB Guidelines 05/2020 on Consent, consent cannot be bundled with terms of service or other purposes.
3.3 “Soft Opt-In” Exception
A limited exception to prior consent exists for existing customers under Article 13(2) of the e-Privacy Directive and Law 112(I)/2004, provided:
- Contact details were obtained during a prior sale or transaction.
- Marketing relates to similar products or services.
- The individual was offered a clear, cost-free opt-out at the time of data collection and in each subsequent message.
- The individual has not opted out.
This applies only to natural persons, not legal entities, and does not extend to prospecting or third-party-acquired contacts. Cyprus’s Commissioner may interpret “similar products/services” narrowly, requiring careful application.
3.4 Transparency and Privacy Notices
At the time of data collection, organisations must provide clear, concise, and plain-language privacy notices (Articles 12–14 GDPR), including:
- Identity and contact details of the controller.
- Purpose and lawful basis for processing (e.g., marketing via consent).
- Data subject rights (e.g., access, erasure, objection).
- Data retention periods.
- Recipients of the data (e.g., marketing platforms).
- Information on international data transfers, if applicable.
Notices must be accessible at the point of collection (e.g., via a link in SMS or email footers).
3.5 Right to Object and Withdrawal of Consent
Under Article 21(2) GDPR, individuals have an absolute right to object to direct marketing at any time, overriding any lawful basis. Upon withdrawal of consent, marketing must cease immediately, and the individual’s data should be added to a suppression list to prevent further contact.
3.6 Opt-Out and Unsubscribe Mechanisms
Each marketing communication must include an easy, cost-free, and device-compatible opt-out mechanism:
- Email: A visible, functional unsubscribe link.
- SMS: A reply option (e.g., “STOP” or a shortcode).
Organisations must regularly test opt-out mechanisms to ensure compliance and avoid technical failures.
3.7 Data Minimisation and Storage Limitation
Per Article 5(1)(c) and (e) GDPR, organisations must:
- Collect only necessary personal data for marketing (e.g., name, email, phone number).
- Retain data only for the duration required for the purpose (e.g., until consent is withdrawn or the campaign ends).
- Conduct periodic retention reviews and implement automated deletion processes to minimise risks.
3.8 Use of Marketing Platforms and Data Processors
When using third-party platforms (e.g., Mailchimp, HubSpot, SMS aggregators), organisations must:
- Enter into a Data Processing Agreement (DPA) per Article 28 GDPR, outlining the processor’s obligations.
- Conduct due diligence to ensure processors implement adequate technical and organisational measures (e.g., SOC 2 certification, ISO 27001 compliance).
- Verify processors’ compliance with GDPR, especially for data storage or processing outside the EEA.
3.9 International Data Transfers
Transfers of personal data outside the European Economic Area (EEA) must comply with Chapter V GDPR. Acceptable safeguards include:
- Adequacy decisions by the European Commission (e.g., EU-US Data Privacy Framework (DPF), adopted 2023).
- Standard Contractual Clauses (SCCs) with a Transfer Impact Assessment (TIA) per Schrems II (2020) and EDPB Recommendations 01/2020.
- Binding Corporate Rules (BCRs) for intra-group transfers.
Organisations must ensure data remains protected to EU-equivalent standards post-transfer, particularly for US-based platforms.
4. ENFORCEMENT RISKS
The Cyprus Commissioner for Personal Data Protection has extensive powers under Law 125(I)/2018 and GDPR, including:
- Fines: Up to €20 million or 4% of global annual turnover (whichever is higher) for GDPR violations.
- Corrective measures: Orders to cease processing, suspend data transfers, or implement compliance measures.
- Investigations and audits: Including enforcement notices and reputational consequences.
For cross-border campaigns, the GDPR One-Stop-Shop mechanism (Article 56) may involve coordinated enforcement by multiple EU supervisory authorities, increasing risk for multinational organisations. Recent EU enforcement trends (e.g., fines by Spain’s AEPD or France’s CNIL) highlight significant penalties for unsolicited marketing or invalid consent.
5. ACCOUNTABILITY AND COMPLIANCE RECORDS
To demonstrate compliance with Articles 5(2) and 30 GDPR, organisations must maintain:
- Records of consent: Including who consented, when, how, and what was consented to (e.g., timestamps, IP addresses, consent forms).
- Processing activity records: Detailing purposes, categories of data, and recipients.
- Data Protection Impact Assessments (DPIAs): Required for high-risk processing (e.g., profiling, large-scale campaigns).
- Training records: Documenting staff awareness of GDPR and e-Privacy rules.
- DPAs: Signed agreements with all processors.
- Audit trails: For consent management and opt-out processes.
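The consent records, withdrawal handling and suppression list described in sections 3.5, 3.6 and 5 can be kept in one append-only ledger. The following Python is an added illustration written for this page, not code from the article or from any marketing platform; the subject identifiers, evidence fields, purposes and STOP keywords are assumptions. It records granular consent per channel and purpose together with the evidence a controller would need to produce under Article 7(1), treats any withdrawal or STOP reply as an absolute objection on that channel under Article 21(2), and refuses a send unless a grant newer than any withdrawal is on record.

```python
"""Constructed example: a consent ledger for SMS/email marketing.
Not from the article or any real platform; identifiers and sample events are made up."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Channel(str, Enum):
    EMAIL = "email"
    SMS = "sms"


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str       # hypothetical internal identifier for the data subject
    channel: Channel
    purpose: str          # e.g. "newsletter", "promotions"; "*" = all purposes on the channel
    granted: bool         # True = opt-in, False = withdrawal / objection
    timestamp: datetime   # when the event occurred (UTC)
    source: str           # where it was captured: form name, "unsubscribe link", "sms reply"
    evidence: str         # proof to retain: form version, IP address, reply text, ...


# Reply keywords treated as an SMS opt-out (assumed set; real shortcode rules vary)
STOP_WORDS = {"STOP", "UNSUBSCRIBE", "END"}


class ConsentLedger:
    """Append-only log of consent events plus the eligibility checks built on it."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        self._events.append(event)

    def handle_sms_reply(self, subject_id: str, body: str, now: datetime) -> bool:
        """Record a STOP-style reply as a withdrawal covering all SMS purposes."""
        text = body.strip().upper()
        if text not in STOP_WORDS:
            return False
        self.record(ConsentEvent(subject_id, Channel.SMS, "*", False, now,
                                 "sms reply", f"reply text: {text}"))
        return True

    def _latest(self, subject_id: str, channel: Channel, granted: bool,
                purpose: Optional[str] = None) -> Optional[ConsentEvent]:
        matches = [e for e in self._events
                   if e.subject_id == subject_id and e.channel == channel
                   and e.granted == granted and (purpose is None or e.purpose == purpose)]
        return max(matches, key=lambda e: e.timestamp, default=None)

    def evidence_for(self, subject_id: str, channel: Channel, purpose: str) -> Optional[ConsentEvent]:
        """The grant the controller would produce to prove consent, or None."""
        return self._latest(subject_id, channel, True, purpose)

    def may_send(self, subject_id: str, channel: Channel, purpose: str) -> tuple[bool, str]:
        """Allowed only if a grant for this channel+purpose post-dates every withdrawal on the channel."""
        grant = self.evidence_for(subject_id, channel, purpose)
        if grant is None:
            return False, f"no recorded consent for {channel.value}/{purpose}"
        # A withdrawal for any purpose on the channel is an objection to direct marketing
        withdrawal = self._latest(subject_id, channel, False)
        if withdrawal is not None and withdrawal.timestamp >= grant.timestamp:
            return False, f"suppressed: withdrawal on {withdrawal.timestamp.date()} via {withdrawal.source}"
        return True, f"consent on {grant.timestamp.date()} via {grant.source} ({grant.evidence})"

    def suppression_list(self, channel: Channel) -> set[str]:
        """Subjects whose newest event on the channel is a withdrawal: export these to the sending platform."""
        out: set[str] = set()
        for subject in {e.subject_id for e in self._events if e.channel == channel}:
            w = self._latest(subject, channel, False)
            g = self._latest(subject, channel, True)
            if w is not None and (g is None or w.timestamp >= g.timestamp):
                out.add(subject)
        return out


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


def build_sample_ledger() -> ConsentLedger:
    """Constructed events: opt-ins, an unsubscribe, a re-consent and an SMS STOP reply."""
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("alice", Channel.EMAIL, "newsletter", True, _utc(2025, 1, 10),
                               "web form v2", "ip 203.0.113.5, unchecked box ticked"))
    ledger.record(ConsentEvent("alice", Channel.SMS, "promotions", True, _utc(2025, 1, 10),
                               "checkout form", "ip 203.0.113.5, separate SMS box ticked"))
    ledger.record(ConsentEvent("bob", Channel.EMAIL, "newsletter", True, _utc(2024, 12, 1),
                               "web form v1", "ip 198.51.100.7"))
    ledger.record(ConsentEvent("bob", Channel.EMAIL, "*", False, _utc(2025, 1, 15),
                               "unsubscribe link", "token in footer link"))
    ledger.record(ConsentEvent("bob", Channel.EMAIL, "newsletter", True, _utc(2025, 3, 1),
                               "preference centre", "ip 198.51.100.9, re-opt-in"))
    ledger.handle_sms_reply("alice", " stop ", _utc(2025, 2, 1))  # inbound STOP reply
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for subject, channel, purpose in [("alice", Channel.EMAIL, "newsletter"), ("alice", Channel.SMS, "promotions"),
                                      ("alice", Channel.EMAIL, "promotions"), ("bob", Channel.EMAIL, "newsletter"),
                                      ("carol", Channel.EMAIL, "newsletter")]:
        print(subject, channel.value, purpose, ledger.may_send(subject, channel, purpose))
    print("SMS suppression list:", ledger.suppression_list(Channel.SMS))
```

The design keeps every event rather than overwriting state, so the ledger doubles as the audit trail section 5 asks for: the grant returned by `evidence_for` is the record the controller would show a supervisory authority, and the `suppression_list` export is what stops a platform from contacting someone whose objection is already on file. Granularity is enforced by requiring a grant for the exact purpose, so an email newsletter opt-in does not authorise promotional email.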
6. ADDITIONAL CONSIDERATIONS
6.1 B2B Marketing
GDPR applies only to personal data, not legal entities (e.g., info@company.com). However, if a corporate address identifies an individual (e.g., john.doe@company.com), GDPR and Law 112(I)/2004 consent requirements apply. Organisations should exercise caution to avoid unsolicited B2B communications.
6.2 Third-Party Data
Using purchased or third-party mailing lists is high-risk unless the provider can demonstrate GDPR-compliant, specific, and documented consent for marketing on the organisation's behalf. A provenance report detailing consent collection is recommended; otherwise, avoid such lists.
6.3 Profiling and Tracking
Behavioural tracking, segmentation, or open/click tracking (e.g., via pixels or beacons) requires explicit consent under GDPR and e-Privacy rules. The draft e-Privacy Regulation (if adopted) may impose stricter requirements for such technologies.
6.4 Cookies in Emails
Tracking technologies embedded in emails (e.g., web beacons) require prior consent, similar to website cookies. Some EU regulators (e.g., Germany’s DSK) consider even basic open/click tracking as personal data processing, necessitating consent.
6.5 AI and Emerging Technologies
AI-driven marketing tools (e.g., predictive analytics, personalisation) may trigger Article 22 GDPR (automated decision-making), requiring explicit consent and DPIAs for large-scale or high-risk processing. Voice marketing (e.g., automated calls) is subject to the same consent requirements under Law 112(I)/2004.
6.6 Sector-Specific Rules
Certain sectors (e.g., healthcare, finance) face additional restrictions under EU regulations (e.g., Medical Devices Regulation, MiFID II) or Cyprus law. Organisations in these sectors should consult legal experts to ensure compliance.
7. RECOMMENDED PRACTICES
To ensure compliance and minimise risks, organisations should:
- Conduct a data audit of all contacts, sources, and processing activities.
- Implement granular opt-in mechanisms at all data collection points (e.g., website forms, purchase checkouts).
- Maintain comprehensive, channel-specific privacy policies updated for each campaign.
- Provide clear opt-out instructions in every message, tested for functionality.
- Use a Consent Management Platform (CMP) to streamline consent collection, storage, and withdrawal.
- Implement access controls, staff training, and internal response procedures for data subject requests.
- Select secure, GDPR-compliant platforms with signed DPAs and verified security standards (e.g., ISO 27001).
- Conduct regular compliance reviews, including DPIAs and TIAs, and consider legal consultation for new campaigns.
- Adopt frameworks like ISO 27701 (privacy management) or IAB Europe’s Transparency and Consent Framework (TCF).
- Perform penetration testing on marketing platforms to ensure data security.
8. CONCLUSION
SMS and email marketing in the EU, particularly Cyprus, is subject to stringent regulation under GDPR, Law 125(I)/2018, and Law 112(I)/2004. Compliance requires a valid lawful basis—typically consent—coupled with robust transparency, accountability, and opt-out mechanisms. Emerging technologies like AI and potential adoption of the e-Privacy Regulation necessitate ongoing vigilance. Non-compliance risks significant legal, financial, and reputational consequences, including fines, enforcement actions, and consumer distrust. Organisations must adopt proactive compliance strategies, maintain detailed records, and monitor regulatory developments to operate within legal boundaries.
APPENDIX: FREQUENTLY ASKED QUESTIONS (FAQ)
Q1: Can we email users who signed up for a newsletter but did not purchase?
- A: Yes, but only if they provided explicit, GDPR-compliant consent for marketing communications.
Q2: Can we send marketing emails based on legitimate interest?
- A: No, unsolicited electronic communications require consent under Law 112(I)/2004 and the e-Privacy Directive.
Q3: What about emails to corporate addresses (e.g., info@company.com)?
- A: Permissible if no personal data is involved. If the address identifies an individual, GDPR and e-Privacy rules apply.
Q4: Can we use third-party mailing lists for campaigns?
- A: Only if the provider demonstrates GDPR-compliant, specific consent for marketing on your behalf, ideally with a provenance report. This is rarely feasible, so avoid unless verified.
Q5: Are we allowed to use SMS for promotional campaigns?
- A: Yes, with prior consent or under the soft opt-in for existing customers. Include a clear opt-out (e.g., “Reply STOP”).
Q6: What is a valid opt-out mechanism?
- A: Clear, user-friendly, and functional across devices (e.g., unsubscribe link for emails, “STOP” reply for SMS).
Q7: What happens if someone withdraws their consent?
- A: Marketing must stop immediately, and the individual’s data should be removed from active marketing databases and added to a suppression list.
Q8: Can we track open/click rates on emails?
- A: Only with specific consent for tracking technologies (e.g., pixels, beacons), as required by GDPR and e-Privacy rules.
Q9: What if our email or SMS platform stores data outside the EU?
- A: Ensure transfers comply with GDPR Chapter V (e.g., SCCs, EU-US DPF certification) and conduct a Transfer Impact Assessment.
Q10: Should we perform a DPIA before launching a campaign?
- A: Yes, for campaigns involving profiling, tracking, large-scale data processing, or high-risk activities to demonstrate accountability.
Q11: Do we need to re-obtain consent for existing marketing lists post-GDPR?
- A: Yes, if pre-GDPR consents do not meet GDPR standards (e.g., no proof of unambiguous opt-in). Where fresh consent cannot be obtained, cease marketing to those contacts.
Q12: Can we use AI-driven marketing tools for personalization?
- A: Yes, but only with explicit consent for profiling or automated decision-making (Article 22 GDPR) and a DPIA for large-scale or high-risk processing.
Q13: What steps should we take if the e-Privacy Regulation is adopted?
- A: Review new requirements (e.g., stricter tracking rules), update consent mechanisms, and consult legal experts to align campaigns with the Regulation.
Q14: How can we build consumer trust in our marketing practices?
- A: Use transparent, plain-language privacy notices, offer granular consent options, and ensure easy opt-outs to balance personalisation with consumer control.