Code of Practice for NORDMA

The Norwegian Direct Marketing Association (NORDMA) seeks to maintain an effective and reliable system of self-regulation. These regulations (Code of Practice) shall fulfil reasonable requirements and expectations that consumers and companies have with respect to the practices of the industry and of NORDMA’s members.

NORDMA’s Code of Practice sets ethical and technical standards for members’ practices. It is a condition of membership of NORDMA that members comply with the Code of Practice drawn up by NORDMA.

The Code of Practice has been developed in collaboration with the law firm Deloitte Advokatfirma:

1. BACKGROUND
1.1 Brief presentation of NORDMA

The Norwegian Direct Marketing Association, hereinafter NORDMA, is a non-profit association and shall promote the interests of its members and all forms of Direct Marketing (hereinafter DM) in Norway.

NORDMA shall work actively for a positive development of, and information concerning, DM, including being the standard-setter for ethical and professional quality requirements.

NORDMA represents chiefly those industries that directly or indirectly have Direct Marketing channels as their primary marketing channels.

1.2 Background for the work of establishing the Code of Practice

The Personal Data Act (Act relating to the processing of personal data) with Regulations regulates all use of personal data in Norway. The Norwegian law is based on Directive 95/46/EC ”on the protection of individuals with regard to the processing of personal data and on the free movement of such data”. In the law and in the directive, industries are urged to draw up special codes of practice for use within the individual industries. NORDMA’s Code of Practice regulates specifically the processing of personal data connected with marketing.

FEDMA (Federation of European Direct Marketing) has drawn up a “European code of practice for use of personal data in direct marketing”. The Norwegian Code of Practice is based on this, although adapted to conditions in Norway. In certain cases, Norway’s Marketing Control Act regulates circumstances relating to the processing of personal data. The Code of Practice is in accordance with the Marketing Control Act and has incorporated matters related to the processing of personal data.

1.3 The objects of the Code of Practice

The objects of the Code of Practice are:

  • To create confidence that members of NORDMA are using personal data in marketing in a responsible and lawful manner
  • To attend to the needs of direct marketers to be able to reach out to relevant recipients, while safeguarding the recipient’s right of personal protection
  • To provide guidelines and guidance to direct marketers as to how they shall and should use personal data in their marketing activities.

1.4 Relationship with the Personal Data Act

The Personal Data Act regulates all use of personal data. The Act regulates all processing of personal data, and makes specific requirements of the controller responsible for processing the data and with respect to the rights of the data subject. Breach of the Personal Data Act can result in sanctions, see the Act, sections 46-49. The Norwegian Data Inspectorate enforces breaches of the Personal Data Act.

To the extent that breach of the Code of Practice also implies breach of the Personal Data Act, this will be regulated by the Personal Data Act and enforced by the Data Inspectorate. In the case of breach of the Code’s provisions that go beyond the Personal Data Act, this may result in sanctions from the industry’s own bodies. See more about this under paragraph 11.

 

2. TERMS
Direct Marketing (DM): Communication aimed at individuals using, for example, e-mail, SMS, telephone, letter, fax, etc., for the purpose of offering or marketing a product or a service. The communication may be made by the marketer itself or by others on the marketer’s behalf.

Personal data: Data, information or opinions which can be linked directly or indirectly to individuals.

Anonymous information, i.e. information that cannot be traced back to an individual, falls outside this regulation.

Sensitive personal data: Data concerning

  • racial or ethnic origin, or political opinions, philosophical or religious beliefs,
  • the fact that a person has been suspected of, charged with, indicted for or convicted of a criminal act,
  • health,
  • sex life,
  • trade union membership.

Direct marketer: The person or persons who address individuals directly for the purpose of marketing or selling their product.

Data subject: The person to whom personal data may be related.

Controller: The person who determines the purpose of the processing of personal data and which means are to be used.

Processor: The person who processes personal data on behalf of the controller.

Child: A person under 15 years of age.

Parents: The parents or legal guardians of a child.

3. SCOPE OF APPLICATION
3.1 Processing of personal data

Processing of personal data means all use of personal data for a particular purpose. This may be collection, manipulation, storage or disclosure or a combination of such uses.

The term ”processing” used in the Code of Practice will be the same as that used in the Personal Data Act.

3.1.1 The scope of the Code of Practice

The Code of Practice regulates specifically the use by direct marketers of customer data, membership data or data concerning others who will be natural recipients of DM. Any other use of personal data carried out by the controller, outside of processing of personal data, falls outside the regulation by the Code of Practice.

3.2 Transfer of personal data to other countries

Personal data may only be transferred to states which ensure an adequate level of protection of the data, cf Personal Data Act section 29. In practice this means states that have implemented Directive 95/46/EC, states within the EU or states that have implemented equivalent rules. If the state to which the data is desired to be transferred cannot ensure an adequate level of protection of the data (i.e. does not have adequate legislation), personal data may nevertheless be transferred if the data subject has consented to the transfer. In addition, the Personal Data Act regulates certain other circumstances under which transfer is permissible, cf the Act, section 30.

Personal data may notwithstanding be transferred to the USA if the recipient undertakes to comply with the requirements laid down in the Safe Harbour agreement. Safe Harbour is an agreement drawn up between the EU and the USA to facilitate the lawful transfer of personal data to the USA.

Alternatively, a standard agreement drawn up by the EU can be used for transfers of personal data (to countries outside the EU/EEA). These agreements ensure that the recipient undertakes responsibilities with respect to the personal data received that are approximately the same as the requirements laid down in the Directive. For personal data to be legally transferred to other countries, the disclosure of the data must be lawful under the Personal Data Act, including that the controller is permitted to disclose the personal data under the Personal Data Act section 8.

4. USE OF PERSONAL DATA FOR DM PURPOSES
4.1 Responsibility for use of personal data

4.1.1 Controller

The controller is the person who is legally liable for fulfilling the obligations that the enterprise has under the Personal Data Act. The liability rests with the enterprise, and is not attached to a job. The liability is concurrent with whoever is considered to have the procedural capacity to sue and be sued under the Norwegian Dispute Act. In practice, this means the top management of the enterprise concerned. The day-to-day responsibility for implementation can be delegated to other individuals within the organisation. The responsibility implies a duty to ensure that all the requirements in the Personal Data Act are fulfilled and are regularly followed up.

4.1.2 Processor

The processor is the person who processes personal data on behalf of the controller. In order for the controller to lawfully transfer the personal data to a processor, a written agreement must be set up. The agreement shall contain a definition of what the processor can use the material for, as well as an assurance from the processor that he or she has taken the necessary security measures, see Personal Data Act section 13 and Regulations.

4.2 Central processing in DM

There follows below an exemplification of the most common forms of personal data processing used in Direct Marketing. They can of course vary from member to member, and the exemplification will therefore not be exhaustive.

As an appendix to the Code of Practice, a schematic overview is provided of typical forms of processing accompanied by a number of general comments.

4.2.1 Entry into agreements

In its relationship-building with the data subject, the controller often includes a number of different types of agreement. This may be the establishment of a customer relationship, membership agreement or other type of agreement based on some kind of offer from the controller and an acceptance from the data subject.

The performance of the agreement with the data subject often means processing the data subject’s personal data (customer data, membership data, etc.).

The statutory authority to use personal data in order to perform the agreement is provided in the Personal Data Act section 8 a.

What the data may be used for, and for how long etc., is determined on the basis of an interpretation of the agreement entered into between the controller and the data subject. The use of stored personal data in a manner not regulated in the agreement requires the consent of the data subject.

4.2.2 Marketing communications

Marketing communications may in this connection be divided into two categories: communications addressed to established customers and communications addressed to potential new customers, including address brokering.

Established customers

Marketing aimed at established customers will in most cases be considered to be part of the contractual obligation that the controller has vis-à-vis the customer. Such communications will in most cases be considered to have a legal basis in the customer agreement, see Personal Data Act section 8 a. An interpretation of the customer agreement will be decisive in the case of a dispute.

Any assessment of which data relating to the customer may be used must be based on what is objectively justified in order to perform the contractual obligations, or what the customer has consented to.

Marketing of the controller’s own products is chiefly considered to constitute performance of the contractual obligation. If marketing nevertheless clearly falls outside the agreement, the use of information for this purpose must be based on the customer’s consent.

Potential customers

Other customer recruitment will otherwise mainly consist of communications aimed at completely new customers or at previous customers. In the case of potential customers, data may be used concerning the customer’s name, address, telephone number, gender and date of birth under the Personal Data Act section 8 f, provided that the relevant information is given. See also paragraph 7 concerning communications from the controller and paragraph 10 concerning data subjects’ objections (“opt outs”).

Whether or to what extent data concerning previous customers/members can be used, must be assessed on the basis of the relationship surrounding the termination/conclusion of the customer relationship. If the customer clearly expresses a wish not to receive, or to opt out of receiving subsequent communications, that must be registered in the marketer’s internal register of addresses. The use of other data concerning potential customers must as a main rule be based on the consent of the data subject.

Address brokering is specifically regulated in paragraph 8 below.

4.2.3 Preparation of statistics

Information that cannot be traced back directly or indirectly to identifiable private individuals is not regulated by the Personal Data Act. The preparation of statistics will in the majority of cases be included in this.

The use of statistical material, for example basic district data, for marketing purposes will nevertheless fall within the Personal Data Act if the statistical data can be related to identifiable persons. Communications based on statistical information can as a main rule be made with statutory authority in the Personal Data Act section 8 f, provided that the statistical information does not actually say anything about the person to whom the information relates.

In most instances, such application will involve the use of a personal profile, and require information to be given as mentioned in paragraph 7 relating to personal profiles.

4.2.4 Fulfilment of statutory requirements

Data originally collected for use in customer processing is in some instances regulated further by special legislation. Statutory requirements may include a requirement to process some data that would not otherwise be necessary or there may be a requirement to store information longer than necessary for the original purpose.

Processing of data in order to fulfil statutory requirements is permitted under the Personal Data Act section 8 first paragraph. Relevant requirements relating to customer information are:

  • Requirements in the Accounting Act
  • Regulations on delivery of tax statements concerning gifts to certain voluntary organisations
  • The Anti-Money Laundering Act

5. OBLIGATIONS OF THE CONTROLLER
5.1 Fundamental principles for processing personal data for marketing purposes

All processing of personal data performed for marketing purposes shall be reasonable and lawful at all times on the basis of what the processing builds on.

The controller shall ensure that a clear and specific purpose is provided for the collection of personal data. Data which are processed shall be used only for purposes that are objectively justified by the activities of the marketer. The use of personal data for marketing of the controller’s own products lies within these limits.

The controller shall consider whether the personal data to be used is sufficient and relevant to achieve the given purpose. The data shall not be stored longer than necessary for the purpose. Personal data may not be used subsequently for purposes that are incompatible with the original purpose of the collection, without the consent of the data subject.

5.2 Obligation to give notification and to obtain a licence

The controller shall notify the Data Inspectorate before processing personal data, see Personal Data Act section 31. If sensitive personal data are to be used, application shall be made for a licence for such use, see Personal Data Act section 33.

The use of customer data for administrative purposes and for executing customer obligations is exempt from the obligation to give notification and to obtain a licence which is laid down in the Regulations to the Personal Data Act sections 7-7 and 7-14. Sales support registers shall be notified to the Data Inspectorate.

5.3 Internal control

The controller shall establish and maintain ”…such planned and systematic measures as are necessary to fulfil the requirements laid down in or pursuant to this Act…”, see Personal Data Act section 14.

The internal control requirements impose on the controller a duty to establish a management system, or quality system, with the aim of ensuring that the enterprise fulfils all the requirements it is required to fulfil in the Personal Data Act.

A management system will normally comprise management, organisation, measures, follow-up and documentation. The type of measures required are provided in the Regulations to the Personal Data Act section 3-1.

5.4 Information security

The controller shall by means of planned, systematic measures ensure satisfactory data security in connection with the processing of personal data, cf Personal Data Act section 13. The enterprise shall initiate security measures in accordance with the risk to which the personal data are exposed. More detailed requirements as to the management system required for information security are provided in the Regulations, Chapter 2.

The internal control requirements and the requirements with respect to information security should be viewed in context, so that a management system is established to fulfil the provisions in both sections 13 and 14 of the Personal Data Act.

6. MORE ON THE COLLECTION OF PERSONAL DATA
6.1 Collection of personal data from the data subject

When personal data are obtained from the data subject, the controller shall ensure that it is done in a proper and ethical manner, and that the data subject is sufficiently informed in accordance with the law and the ethical guidelines for the industry.

The controller shall give the data subject the following basic information:

  • the controller’s name, address and telephone number,
  • the purpose(s) of collecting the personal data,
  • whether the data will be disclosed and, if so, the identity of the recipient, including whether the data will be brokered
  • that the provision of data is voluntary.

This information shall be given to the data subject each time information is collected and at the time when the data is actually collected. Exceptions can be made if the mentioned information is clearly evident from the context or the data subject has already been informed.

In addition, the controller shall ensure that the data subject receives information concerning:

  • the right to demand access to data about the data subject,
  • the right to erase or rectify incorrect data about the data subject,
  • the right to object to or opt out of receiving marketing communications from the controller,
  • the right to demand that information be erased for marketing communications.

This information shall be given upon collection of the personal data, unless this is impossible or disproportionately difficult. Exceptions are possible in cases where there is little space or in marketing by telephone. In these cases, the data subject shall either be referred to where such information may be found or must be told when the information will be sent to the data subject.

6.2 Collection of personal data from others than the data subject

When personal data are collected from sources other than the data subject, the controller shall on his own initiative inform the data subject of:

  • the type of data that have been collected
  • where the data have been obtained from, and
  • provide information as mentioned under subparagraph 6.1.

Information must be provided as soon as the data have been obtained. It is sufficient to give the data subject information the first time data are obtained, if information is provided that similar data will also be obtained subsequently.

If the controller is to communicate with the data subject on the basis of the material obtained, the information may be given at the time the controller communicates with the data subject.

6.3 Processing of sensitive personal data

The controller shall show discretion in processing sensitive personal data.

In connection with marketing and/or customer- and membership administration, sensitive data shall only be processed if necessary out of consideration for the data subject and the data subject has consented to such processing.

Processing of sensitive data may be relevant in connection with membership of voluntary organisations, and in certain customer registers. Sensitive data shall never be disclosed to others or used in marketing aimed at the data subject, unless the data subject has consented to such use.

Processing of sensitive data concerning children may only be effected with the consent of the parents.

6.4 Processing of personal data concerning children

In marketing aimed at children, particular care shall be taken in connection with processing their personal data.

Minors who have reached the age of 15 can as a main rule consent to the collection and use of their own personal data. In the case of children under 15, the consent of the parents must be obtained.

For the purpose of administering competitions, contact data, i.e. name, address, telephone number and e-mail address, may be processed with the consent of children who are also under 15. In order for a minor under the age of 15 to give his or her consent, the competition must be designed for the relevant age group, data must only be used for the purpose of administering the competition, and the data must be erased when the competition is concluded. Information in accordance with the rules of the Personal Data Act shall be provided on the basis of the age group the marketer is addressing.

7. COMMUNICATIONS FROM THE CONTROLLER
7.1 Communications by post

In postal communications aimed at customers (active, passive or prospective customers), the controller is required to notify the customer of the identity of the person who has provided the personal data on which the communication is based. This is laid down in the Personal Data Act section 26, 4th paragraph.

The name must be provided, as well as other relevant contact data.

Reference is otherwise made to paragraph 6 above concerning the obligation to provide information when data is collected from the data subject.

7.2 Communications by telephone

In communications by telephone, the telesalesperson shall introduce himself or herself, and state on whose behalf they are calling and the purpose of the call. He or she shall further request permission to continue the call. Upon request the data subject shall be informed as to who provided the personal data on which the call is based, the identity of the controller and which data have been used, and information shall also be provided about the data subject’s right to object to or opt out of his or her personal data being used in direct marketing.

For further regulation, please refer to NORDMA’s ”Authorisation scheme for companies that operate telemarketing activities” and the separate Code of Practice developed for telemarketing (TM) companies.

7.3 Communications by electronic methods

It is prohibited to send advertising by e-mail or by SMS without obtaining the consent of the data subject. The same applies to marketing by means of fax, automatic calling systems (answer machines) or other method of communication that does not permit individual communication.

If consent has been obtained and this type of communication can be made lawfully, when making the communication the data subject shall be provided with the information stated in subparagraph 7.1, or shall be informed as to where the information can be obtained.

7.4 Use of personal profiles

When a marketing communication is addressed to the data subject on the basis of a personal profile, information shall be provided concerning:

  • the identity of the controller
  • which type of data have been used
  • where the data have been obtained.

This ensues from the Personal Data Act section 21.

A personal profile consists of:

Composite data which are ”intended to describe behaviour, preferences, abilities or needs”. Data comprising only the name and address will as a main rule not be defined as a personal profile. A personal profile must be a composite of more data than this. Which additional information is required must be determined in each individual case.

7.5 Dispatch of material on behalf of others

This means instances in which a controller uses his customer or membership register for the purpose of dispatching marketing material to market products or services other than his own.

Inserts in newspapers, membership magazines, etc. are not counted as direct marketing of third party products. Dispatch of material on others’ behalf is counted as own processing. Marketing of third party products does not as a main rule require the consent of the data subject, but must have statutory authority in the Personal Data Act section 8 f. In the event of such communications, the controller must ensure that the data subject is notified of the following:

  • that the dispatch is not incompatible with the original purpose of the processing (cf Personal Data Act section 11 c)
  • that the data have been updated (cleaned) against the marketer’s internal register of addresses
  • that the data have been updated (cleaned) against the Central Marketing Exclusion Register.

Information to the data subject may be included in an agreement or contract if this forms the basis for a customer relationship. If consent has been obtained for the dispatch of third party products, the obligation to update or clean the data will not apply. Consent can be obtained in an agreement or contract entered into with the customer or member.

8. ADDRESS BROKERING
8.1 Definitions

Address brokering means that a controller rents out his list of addresses to another controller in order that the recipient may use the list for sending out marketing material. The parties may use an address broker who will assist with implementing the dispatches, and ensure that the requirements laid down in the Personal Data Act are fulfilled with regard to updating or cleaning the data and so on. The marketing may be by means of mailing or telephone.

8.1.1 The parties

Owner: is the owner of the address lists. The owner is the controller for the lists, and must have a basis for processing in order to rent out the lists. The main rule is that list rental can have statutory authority in the Personal Data Act section 8 f, if the other conditions below are fulfilled.

Lessee: is the purchaser (lessee) of the lists. The lessee is the controller with respect to use of the addresses and must have a basis for processing them. The processing basis will as a main rule have statutory authority in the Personal Data Act section 8 f, if the other conditions below are fulfilled.

Address broker: The person who receives a file containing addresses from the owner and manages the dispatch on the lessee’s behalf. The broker shall ensure that the lists of addresses are updated or cleaned against the Central Marketing Exclusion Register, the Register of Deceased Persons and any local marketing exclusion registers. The address broker is to be considered as the processor, cf Personal Data Act section 15. The address broker may not use material in any way other than that agreed with the owner.

8.1.2 Registers that may be brokered

Only customer- and membership registers may be brokered, unless the data subject has given his or her consent. The data that may be disclosed are name, address, telephone number and date of birth, as well as information about where the list has been obtained, i.e. information as to whether the data subject is a member or a customer.

Other data may be used with the consent of the data subject. E-mail addresses may not be brokered without the consent of the data subject, cf Marketing Control Act section 2b.

8.2 Other obligations to which the controller is subject

Prior to dispatch, addresses shall be updated or cleaned against the marketer’s internal register of addresses and the Central Marketing Exclusion Register, cf Personal Data Act section 26. The lessee is responsible for ensuring that this obligation is complied with. The owner shall notify customers/members that the data may be passed on to third parties before lawful disclosure may take place. Information concerning this may be included in membership conditions, etc.

The information shall comprise the purpose of using the personal data, which personal data will be used, and the right to object to or opt out of the use of personal data by third parties. The owner of the lists will have a duty of information under the Personal Data Act section 19, while the lessee will as a main rule have a duty of information under the Personal Data Act section 20. The lessee may fulfil the duty of information upon dispatch, cf Personal Data Act section 20 second paragraph.

The address broker may perform the duty of information for the lessee if this is agreed.

The dispatch shall be marked with the source of dispatch, cf Personal Data Act section 26 second paragraph. If the dispatch involves the use of personal profiles under the Personal Data Act section 21, information must also be provided as to what type of data have been used.

The lessee may only use the material for two mailings/telesales calls during a 30-day period. Both the owner and the lessee shall notify the Data Inspectorate prior to processing addresses in address brokering, cf Personal Data Act section 31.

9. COMMUNICATIONS FROM THE DATA SUBJECT
9.1 Right of access

Any person who so requests has the right to be informed of the kind of processing of personal data a controller is performing, cf Personal Data Act section 18. In addition, data may be demanded as mentioned in section 18, first paragraph of the Act. If the person requesting access is a data subject registered at the controller, he or she can, in addition to the general information, demand the following information:

  • descriptions of the categories of personal data concerning the data subject that are processed
  • the security measures implemented in connection with the processing insofar as such access does not prejudice security.

If the data subject so requests, the information shall be furnished in writing, cf Personal Data Act section 24.

9.2 Rectification or erasure of deficient personal data

If following access or in some other way the data subject establishes that personal data are being processed which are inaccurate, incomplete or of which processing is not authorised, the data subject may demand that the data be rectified or erased, cf Personal Data Act section 27.

The data subject may demand that data be erased which are not necessary to carry out the purpose of the processing, cf Personal Data Act section 28.

With respect to the data subject’s right to object to or opt out of personal data being used for the purpose of direct marketing, see paragraph 10 below.

The controller should update or clean the marketing registers used for mailings by updating them against Statistics Norway’s register of deceased persons. In the event that mailings are notwithstanding dispatched to deceased persons, data shall be blocked or erased immediately upon receipt of communication from the deceased’s relatives.

9.3 Replies to enquiries

The controller shall reply to enquiries from the data subject as soon as possible and not later than 30 days from receipt of the enquiry, cf Personal Data Act section 16.

10. OBJECTIONS
10.1 Internal marketing registers

The data subject may object directly to the marketer to having his or her name used for direct marketing purposes. The marketer shall, in order to implement the data subject’s rightful objection, establish an overview of persons who have objected to their names being used for direct advertising purposes. Such objections shall apply irrespective of medium, i.e. mailings, telesales, etc.

Marketing by means of e-mail, fax or SMS requires the consent of the data subject, see subparagraph 7.3 above.

10.2 The Central Marketing Exclusion Register

Any person can by registering his or her name in the Central Marketing Exclusion Register at the Brønnøysund Register Centre object to having his or her name used for direct marketing purposes, irrespective of the medium.

Controllers who engage in direct marketing shall update or clean their register of addresses in relation to the Central Marketing Exclusion Register prior to sending out mailings to the data subject for the first time. The register shall subsequently be updated at least four times yearly. If the controller does not engage in direct marketing as frequently as four times yearly, the register shall as a minimum be updated once prior to each mailing.

The obligation to update does not apply to marketing of the products of controllers aimed at data subjects with whom the marketer has a current customer relationship.

10.2.1 What is meant by ”current customer relationship”

What is meant by ”current customer relationship” is not defined in the Personal Data Act. In some cases there is clearly an established current customer relationship, for example in instances where there is an agreement between the customer and the marketer.

In cases where the relationship is unclear, a specific assessment must be made taking into account the business, type of activity and customers’ expectations upon the establishment of contact between the data subject and the marketer. This means that each marketer must assess his customer relationships individually, particularly with the emphasis on what the customer expects and what is normal within the marketer’s business.

10.3 Practice in other countries

Under Directive 95/46/EC, Article 14 b, the data subject has the right to object, on request and without charge, to the processing of personal data relating to him which the controller anticipates being used by himself, or by third parties, for the purposes of direct marketing.

The right to object to the processing of personal data for the purposes of direct marketing at the controller has been implemented for all countries within the EU/EEA.

Most countries in the EU/EEA have also gradually acquired one or other form of central marketing exclusion register where objections can be registered. Practice differs with regard to whether the central government authorities or the national marketing association are responsible for keeping the central marketing exclusion register.

Norwegian marketers wishing to market their products in EU countries are required to update the lists they use against the current central marketing exclusion register in the country concerned.

For an updated overview of practice in each country, please refer to the website of FEDMA (Federation of European Direct Marketing) at www.fedma.org

11. COMPLIANCE AND CONTROL
11.1 Reactions to breach of NORDMA’s Code of Practice

The Board of NORDMA exercises continuous supervision to ensure that members comply with the requirements laid down in the Code of Practice as regards processing of personal data. If the Board finds that members are using personal data in contravention of the Code of Practice, the matter will be further investigated. If the investigation concludes that the member is in breach of the Code of Practice, the matter will also be reported in NORDMA’s annual report, and publicised on NORDMA’s website. On the basis of the investigation, relevant action against the member company will be considered and, in the event of gross breach, or repeated breach of the rules, the member may be excluded as a consequence.

11.2 Complaints

Any person may lodge a complaint with the Board of NORDMA concerning a member company’s processing of personal data. To the extent the complaint involves breach of the Personal Data Act, the complaint will be passed on to the Data Inspectorate for further consideration.

NORDMA will keep a record of complaints received and make further investigations in cases where there appears to be clear breach of the Code of Practice. In cases where there is further investigation, the member company will be given the opportunity to provide further information in the case. Assessments carried out and sanctions imposed by NORDMA’s Board may be appealed to the Council of Ethics.