4.2 Surveillance & Direct Marketing

Key Takeaways

  • CCTV of identifiable individuals needs a lawful basis (usually Article 6(1)(f) legitimate interests), transparency signage, proportionate scope, and short retention
  • Direct marketing combines GDPR with the ePrivacy Directive 2002/58/EC, so electronic marketing usually needs prior opt-in consent with a narrow soft opt-in for existing customers' similar products
  • Data subjects have an absolute right under Article 21(2) to object to direct marketing at any time, with no balancing test
  • Solely automated decisions with legal or similarly significant effects, including some profiling, are restricted by Article 22
  • Most cookies and similar tracking technologies require prior informed consent under ePrivacy Article 5(3); strictly necessary cookies are exempt

Last updated: June 2026

Surveillance Under the GDPR

Video surveillance (CCTV) of identifiable people is personal data processing and needs a lawful basis. In most private-sector cases that basis is Article 6(1)(f) legitimate interests, which requires a documented three-part balancing test: (1) a real legitimate interest (security, theft prevention), (2) necessity (no less intrusive option), and (3) balancing against the rights and reasonable expectations of those filmed.

The EDPB Guidelines 3/2019 on video surveillance stress that footage must be limited to the area and purpose actually needed — pointing a camera at a public pavement or a neighbour's garden is disproportionate.

Controllers must provide layered transparency: a first-layer warning sign at the monitored area (identifying the controller, purpose, and how to get more information) plus accessible second-layer information meeting Articles 13 and 14. Footage retention should be short — the EDPB cites a guideline of typically a few days, with anything beyond about 72 hours needing specific justification. Large-scale monitoring of public areas or systematic monitoring may trigger a mandatory DPIA under Article 35.

CCTV requirement                            | Source
Lawful basis (usually legitimate interests) | Art 6(1)(f)
Documented balancing test                   | EDPB 3/2019
Warning sign + layered notice               | Arts 12-14
Minimised field of view and retention       | Art 5(1)(c),(e)
DPIA for systematic monitoring              | Art 35(3)(c)

Location and Communications Data

Location data and traffic data generated through electronic communications services are governed by the ePrivacy Directive 2002/58/EC in addition to the GDPR. Under the Directive, providers may generally process traffic data only for limited purposes such as billing, interconnection payments, fraud detection, and network security, and must erase or anonymise it once no longer needed. Location data that is not traffic data (for example precise positioning) typically requires prior consent or robust anonymisation, and the subscriber must be able to withdraw consent and temporarily switch off processing.

The key exam point is layering and lex specialis: ePrivacy contains more specific rules for the communications sector, while the GDPR supplies the general principles and definitions (and provides the consent standard ePrivacy borrows). Where ePrivacy is silent, the GDPR fills the gap; where it speaks, it takes precedence. When a scenario involves telecom metadata, app location tracking, or device fingerprinting, both frameworks apply simultaneously.

Quick Distinctions

  • Traffic data = data processed to convey a communication or bill for it (numbers dialled, duration, data volume).
  • Location data = data indicating geographic position of terminal equipment, beyond what is strictly traffic data.
  • Content = the substance of the communication, given the highest protection and confidentiality.

The proposed ePrivacy Regulation would modernise these rules but, as of 2026, has not been adopted, so the 2002/58/EC Directive as amended (notably by 2009/136/EC) still governs.

Direct Marketing Rules

Direct marketing sits at the intersection of the GDPR and the ePrivacy Directive, and the exam reliably tests which channel triggers which rule.

Marketing channel                             | Default rule
Email / SMS / automated calls                 | Prior opt-in consent (ePrivacy Art 13)
Email to existing customers, similar products | Soft opt-in (no fresh consent)
Live (human) telephone calls                  | National rules; often opt-out registers
Postal mail                                   | Usually Art 6(1)(f) legitimate interests (GDPR)

  • Electronic marketing (email, SMS, automated calling systems) generally needs prior opt-in consent under ePrivacy Article 13.
  • The narrow soft opt-in lets a business email existing customers about its own similar products or services, where contact details were obtained during a sale or negotiation and an easy opt-out is offered in every message and at the point of collection.
  • Postal marketing typically relies on legitimate interests under the GDPR, since ePrivacy does not impose an opt-in for ordinary mail.

Crucially, Article 21(2) GDPR gives every data subject an absolute right to object to processing for direct marketing at any time, including profiling related to it. There is no balancing test: once they object, Article 21(3) requires the controller to stop processing the data for marketing immediately, and the right must be brought to the data subject's attention clearly and separately at first communication (Article 21(4)).

Profiling and Article 22

Profiling is defined in Article 4(4) as any form of automated processing that uses personal data to evaluate certain personal aspects, such as predicting performance at work, economic situation, health, preferences, interests, reliability, behaviour, location, or movements.

Article 22(1) gives data subjects the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them. "Solely" means no meaningful human involvement — a rubber-stamp does not count as human review (EDPB/WP29 Guidelines on automated decision-making, WP251).

The exceptions in Article 22(2) are narrow and exhaustive:

  1. Necessary for a contract between data subject and controller (22(2)(a));
  2. Authorised by Union or Member State law with suitable safeguards (22(2)(b));
  3. Based on the data subject's explicit consent (22(2)(c)).

Where exception (a) or (c) applies, Article 22(3) requires safeguards: at minimum the right to obtain human intervention, to express a point of view, and to contest the decision. Solely automated decisions cannot normally use special category data unless Article 9(2)(a) explicit consent or Article 9(2)(g) substantial public interest applies, and suitable safeguards are in place (Article 22(4)).

Worked Example

An automated online credit application that rejects a consumer with no human review produces a legal/similarly significant effect and falls within Article 22 — the lender needs a 22(2) basis and must offer human review. By contrast, ordinary ad targeting usually does not reach the threshold, but the EDPB notes targeted advertising can if it has similarly significant effects (for example exploiting vulnerabilities or affecting access to essential services).

Cookies and the ePrivacy Directive

The rule driving modern cookie banners is ePrivacy Directive Article 5(3): storing information on, or gaining access to information already stored in, a user's terminal equipment requires prior informed consent, unless the storage/access is strictly necessary to provide a service the user explicitly requested.

Cookie / technology                                               | Consent needed?
Strictly necessary (load balancing, login session, shopping cart) | No (exempt)
Functional / preferences                                          | Debated; often consent-based
Analytics / measurement                                           | Yes (limited exemptions argued nationally)
Advertising / cross-site tracking                                 | Yes
Social media plug-ins setting third-party cookies                 | Yes

Consent must meet the GDPR Article 4(11) standard, so pre-ticked boxes and "continue to browse" implied consent are invalid. The CJEU confirmed this in Planet49 (C-673/17, 2019): a pre-checked box does not constitute valid consent, and users must be told cookie duration and third-party access. Orange Romania (C-61/19, 2020) reinforced that a pre-ticked box places the burden on the controller and cannot show active, unambiguous consent.

Practical compliance points the exam rewards: consent must be as easy to withdraw as to give, "reject all" should be as accessible as "accept all", and consent must be obtained before non-essential cookies are set. As of 2026 the proposed ePrivacy Regulation has not replaced the Directive, so 2002/58/EC as amended still governs cookies and electronic marketing across the EEA, supplemented by national implementing laws.
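The Article 5(3) rule above, applied as a minimal consent gate. This is an added illustration, not code from the page or from any regulator; the cookie names, categories, ConsentGate and MemoryJar are assumptions, and MemoryJar is a constructed stand-in for a browser wrapper around document.cookie so the logic runs offline.

```javascript
// Added example: gate non-essential cookies behind prior, explicit consent.
// All names are hypothetical; the jar is injected so the same logic runs in
// Node (in-memory jar below) or in a browser behind a document.cookie wrapper.
const CATEGORIES = {
  session_id: "strictly_necessary",   // login session: exempt under Art 5(3)
  cart: "strictly_necessary",         // shopping cart: exempt
  ui_lang: "functional",
  _analytics_id: "analytics",
  _ad_id: "advertising",
};

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    // No recorded choice means no consent: no pre-ticked boxes, no
    // "continue to browse" implied consent (Planet49, Orange Romania).
    this.choices = null;
  }
  // "Accept all" and "reject all" are each a single call: equally easy.
  acceptAll() { this.record({ functional: true, analytics: true, advertising: true }); }
  rejectAll() { this.record({ functional: false, analytics: false, advertising: false }); }
  record(choices) {
    this.choices = { ...choices };
    // Withdrawal is as easy as giving: purge anything no longer consented to.
    for (const [name, cat] of Object.entries(CATEGORIES)) {
      if (cat !== "strictly_necessary" && !this.choices[cat]) this.jar.remove(name);
    }
  }
  allowed(name) {
    const cat = CATEGORIES[name];
    if (cat === undefined) return false;           // unclassified cookie: refuse
    if (cat === "strictly_necessary") return true; // exempt, no consent needed
    return this.choices !== null && this.choices[cat] === true;
  }
  // Returns true if the cookie was set, false if blocked pending consent.
  set(name, value) {
    if (!this.allowed(name)) return false;
    this.jar.set(name, value);
    return true;
  }
}

// Constructed in-memory jar standing in for document.cookie.
class MemoryJar {
  constructor() { this.store = new Map(); }
  set(n, v) { this.store.set(n, v); }
  remove(n) { this.store.delete(n); }
  has(n) { return this.store.has(n); }
}
```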

Test Your Knowledge

An online retailer collected a customer's email during a purchase and now wants to email them about a comparable product. Which rule most directly allows this without fresh opt-in consent?

Test Your Knowledge

Under the GDPR, what is distinctive about a data subject's right to object to direct marketing?
