The NAIH Decision and the Tasks of Companies in Direct Marketing Data Processing


The NAIH decision and the GDPR direct marketing rules provide important legal guidance for companies. The NAIH decision regarding direct marketing data processing emphasizes, for example, that every data processing consent must comply with GDPR direct marketing rules and must specify which marketing channels will be used for contacting the individual. The consent for marketing channels according to GDPR rules also requires that separate consent is necessary for each channel, such as for telephone marketing or Facebook and Google ads. Considering the NAIH decision on telephone marketing GDPR, companies must review the legal requirements of Facebook Google advertisement consent under GDPR to avoid rule violations.

Additionally, according to the NAIH data protection decision 2025, companies must ensure that their data processing information is always in compliance with the GDPR requirements for the availability of information offline and online, meaning that it must be accessible through all communication channels. In terms of direct marketing GDPR consent channels, the consent for each channel must be treated separately, and the possibility of a contractual basis for direct marketing must also be considered. Companies must also keep in mind the obligation to delete data under the NAIH decision for direct marketing data processing, especially if they cannot ensure the proper consent for their marketing activities. The data protection NAIH decision on direct marketing clearly outlines the conditions under which companies can comply with GDPR requirements, including data subject consent for direct marketing GDPR requirements and the proper handling of GDPR marketing channel consent.

A company processed contact data for thousands of affected individuals without providing proper prior information, specific purposes, and valid legal grounds. The NAIH (National Authority for Data Protection and Freedom of Information) instructed the company to delete the contact data used for direct marketing, for which they could not obtain valid, new consent, or for which they did not have another GDPR-compliant legal basis for processing (such as contractual contact).

This decision is particularly important because the NAIH comprehensively addressed the issue of how many different consents are needed when a company engages in direct marketing through multiple channels.

Based on the NAIH’s findings, companies engaged in direct marketing must urgently review their data processing information, consents, and telephone scripts to ensure compliance with the authority’s expectations. Below, we summarize the NAIH’s key findings and the tasks assigned to companies:

  • Separate consent for each purpose and channel: Every data processing consent must specify through which marketing channel the individual wishes to receive communications. The term “electronic communication only” is too vague. The individual must be given the option to agree only to certain methods, such as by post, telephone, or email, or combinations thereof. Furthermore, it must also be ensured that the individual can consent separately to specific purposes. Companies must therefore review their consent forms, especially the number and phrasing of checkboxes.
  • Separate consent required for Google and Facebook ads: For direct outreach, such as through Google and Facebook ads, separate consent is required. Additionally, information must be provided about the use of similar automated advertising systems. Companies must review their data processing information and consent forms accordingly.
  • Specific information required for the direct marketing purpose: The purpose of processing contact data must not be too general, such as “receiving further attractive offers.” The direct marketing purpose must be clear, such as ensuring the individual receives advertisements for products from either the company or third parties through a specific channel. Any unusual conditions, such as the role of foreign data processors and their precise role in data processing, must also be highlighted. Companies must consider this when modifying their data processing information.
  • The information must be made properly available: The data processing information must be provided to individuals in a manner that aligns with the communication channel used. In offline communication, it is not enough to only provide online access, as some affected individuals may not have internet access or may not easily find the information when placing orders by mail or phone. Companies must review how they ensure the accessibility of their information.

Adhering to these measures ensures that your company complies with GDPR requirements.

Need more valuable information?
Subscribe to our newsletter.
If you need assistance, please contact us. Feel free to reach out with your questions.

Segítünk kérdései megválaszolásában!

Ha kérdése merült fel a cikkben olvasottakkal kapcsolatban, ügyvédi irodánk szakértői örömmel segítenek Önnek.
Lépjen velünk kapcsolatba még ma!
  • Katona és Társai Ügyvédi Társulás
  • H-1106 Budapest, Tündérfürt u. 4.
  • +36 1 225 25 30 Fax: +36 1 225 2539
  • info@katonalaw.com

Katona és Társai Ügyvédi Társulás
H-1106 Budapest, Tündérfürt u. 4.
Tel: +36 1 225 25 30 Fax: +36 1 225 2539
central@katonalaw.com

Facebook Twitter Linkedin

© KATONA & PARTNERS – Katona és Társai Ügyvédi Társulás – Minden jog fenntartva!
A honlapon található képi és szöveges tartalmak bármilyen célú felhasználása engedélyhez kötött!