GDPR, PECR... really? I have to comply with both?

Since the GDPR became law last month, there's still confusion surrounding the more specific terms of the PECR.

Here at Volcanic, we set out to make things a little clearer for the recruitment industry.

To give them their full title, the Privacy and Electronic Communications (EC Directive) Regulations 2003 - or the PECR - are derived from European law. They implement European Directive 2002/58/EC, also known as the e-privacy directive. 

The e-privacy directive sets out privacy rights on electronic communications. It recognises that the widespread access we have to digital mobile networks and the internet opens up new possibilities for businesses and users, but also that this level of accessibility brings new privacy risks.

Are the PECR superseded by the GDPR?

The PECR sit alongside the GDPR.  

The EU is currently replacing the e-privacy directive with a new e-privacy regulation to sit alongside the GDPR. However, the new regulation is not yet agreed. So for now, the Privacy and Electronic Communications Regulations (PECR) continue to apply alongside the General Data Protection Regulation (GDPR).

So what’s the difference between PECR and GDPR?

The key difference is that the GDPR relates to the processing of personal data, while the PECR relate specifically to electronic marketing and have specific rules on:

  • marketing calls, emails, texts and faxes
  • cookies
  • keeping communications services secure
  • customer privacy regarding traffic and location data, itemised billing, line identification and directory listings.

Do the PECR apply to me?

The PECR will apply to you if you:

  • market by phone, email, text or fax
  • use cookies or a similar technology on your website
  • compile a telephone directory or a similar public directory.

How does this fit with the GDPR?

The fundamental change here is that the GDPR changes the underlying definition of consent. Existing PECR rules continue to apply, but using the new GDPR standard of consent.

This means that if you send electronic marketing or use cookies or similar technologies, you must comply with both PECR and the GDPR.

In particular, it’s important to realise that the PECR apply even if you are not processing personal data. For example, many of the rules protect companies as well as individuals, and the marketing rules apply even if you cannot identify the person you are contacting.

So what about cookies?

Although cookies are governed by the PECR, the regulations do not set out exactly what information you must provide or how to provide it; this is up to you.

Regulation 6 of the PECR states that you should:

  • Tell people that the cookies are there

  • Explain what the cookies are doing and why

  • Get the individual’s consent to store a cookie on their device.

To be valid, consent must be freely given, specific and informed, and must involve some form of positive action. This consent should be unbundled from other information on your website, such as your privacy policy. Consent does not necessarily have to be explicit ‘opt-in’ consent, as implied consent can also be valid, as long as users understand that their actions will result in cookies being set.

This consent should be obtained from the subscriber or the user and, in practice, you may not be able to tell who is a subscriber or a user. The key will be that valid consent has been provided by one of them.

If you'd like any help with your recruitment website's compliance, get in touch.

Useful links

These links give detailed information and will be regularly updated by the ICO.