Companies engaged in lead prospecting and direct marketing in Europe must comply, on the one hand, with the General Data Protection Regulation (GDPR) and the ePrivacy Directive (2002/58/EC), both applicable to all EU Member States, members of the EFTA (Iceland, Liechtenstein, Norway, and Switzerland), and, in practice, to four microstates (Andorra, Monaco, San Marino, and Vatican City) that maintain open borders with the Schengen Area.
Each country, such as Spain, also has its own legislative nuances which may impose stricter requirements. For example, we will see that in Spain, cold prospecting of individuals to offer energy services is not permitted.
On the other hand, in the post-Brexit United Kingdom, the applicable legislation includes the UK GDPR (as enacted by the European Union (Withdrawal) Act 2018), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR) 2003, which implement the rules of the ePrivacy Directive regarding electronic communications.
Moreover, the European GDPR establishes an extraterritorial scope: any company, even if not based within the EU, that offers goods or services to individuals in the EU or monitors their online behaviour must comply with it, and risks fines of up to 4% of its global annual turnover or €20 million, whichever is higher.