event, it would be advisable, accurate and
advantageous for operators to review and
update, if necessary, their affiliate T&Cs
to set out the fact that the affiliate will be
a data controller in respect of processing
personal data and driving traffic towards
the operator’s site/app.
Another consideration for operators
and affiliates in relation to GDPR is how
an affiliate, as a controller, complies with
the GDPR. GDPR retains much existing
data protection law but also brings about
new rights, new obligations and stricter
compliance requirements for those areas
that are carried over. Some of the key
provisions for an affiliate to comply with
under GDPR are:
● Transparency
Personal data should be processed
in a fair, lawful and transparent manner
(Article 5(1)(a)). This includes providing
individuals whose personal data is
being processed with certain information
about how their data will be processed
and their rights, regardless of whether
the controller collects personal data
directly (Article 13) or from a third
party (Article 14).
● Accountability
Controllers shall be responsible for,
and able to demonstrate, compliance
with the GDPR principles (Article 5(2)).
● Demonstration of consent
Where processing is based on
consent, the controller shall be able
to demonstrate that the data subject gave
their consent (Article 7(1)).
● Right to object to marketing
Where personal data is processed for
direct marketing purposes (including
profiling related to direct marketing),
individuals shall have the right to
object at any time (Article 21(2)).
● Record of processing
Each controller shall keep a record of
its processing activities (Article 30(1)).
This also applies to processors
(Article 30(2)). The records should
contain information about the purposes
of the processing, the categories of
data subjects, the recipients of such
personal data and a general description
of the technical and organisational
measures in place to keep personal
data secure.
As these provisions will also apply to
operators, it makes sense for operators
to be more specific in their affiliate
T&Cs and in any due diligence they
carry out over affiliates. A general
compliance warranty in respect of
applicable data protection laws may cover
all aspects, but it does not demonstrate
much thought by either party in relation
to data protection. A warranty that
affiliates shall comply with all data
protection laws, including (without
limitation) those provisions listed above,
would demonstrate the operator's commitment
to ensuring that its affiliates are compliant
with GDPR, as well as both parties'
desire to process personal data lawfully
and fairly. Moreover, the accountability,
demonstration of consent and record
of processing provisions mean that
operators could include a right to
request written evidence of an affiliate's
compliance with GDPR. This will
allow operators to easily identify those
affiliates who take their data protection
obligations, and more generally their
legal obligations, seriously.
The final point to note on affiliates is that much of what they do will constitute direct marketing, particularly those that send out text messages and emails. Direct marketing is governed by separate legislation in the UK (the Privacy and Electronic Communications (EC Directive) Regulations 2003, PECR) and this is being revised across the EU by the ePrivacy Regulation (currently in draft form). The current law and the draft new law require consent to be obtained prior to sending unsolicited direct marketing. In addition to this, there are rights under this legislation (as well as GDPR) that allow recipients of direct marketing to object. Given the role of affiliates and their use of operators' brands, it is vital that operators ensure that their affiliates are sending direct marketing only where the person has given their consent, that the affiliate is able to demonstrate such consent, that opt-out/unsubscribe options are included in all direct marketing, and that opt-out/unsubscribe options are respected. As mentioned, it is the operators whose brands regulators and individuals will be most familiar with, and that increases the chance of claims or investigations being brought against an operator for the actions of its affiliates.

GDPR will affect operators and affiliates and will bring about changes that both will need to consider in respect of their relationship. Operators should, in all likelihood, be updating their affiliate T&Cs to include stricter measures on affiliates complying with GDPR and marketing legislation. In addition, however, operators should be mindful not to rely simply on contractual protection with affiliates. Affiliates should be monitored and due diligence carried out where possible. GDPR actually offers operators more scope to easily carry out diligence on their affiliates, given the accountability requirements that will be imposed on affiliates, and this is something operators should be looking to take advantage of.
PATRICK RENNIE of
Wiggin LLP provides
clients with commercial
advice in the media, sports,
computer games, technology
and gambling sectors, ranging
from entrepreneurial high-growth
businesses to major multinational
brands. He holds the Practitioner
Certificate in Data Protection, and
is one of only a few candidates to
achieve a ‘pass with distinction’.
iGB Affiliate Issue 66 DEC 2017/JAN 2018