GDPR vs PECR: what recruiters need to know

Privacy and Electronic Communications (EC Directive) Regulations 2003 – or the PECR – are part of European law (European Directive 2002/58/EC, soon to be known as the e-privacy directive).


The e-privacy directive makes clear the privacy rights on electronic communications and deals with the changing face of data movement on the internet and mobiles.


Is PECR needed if we have GDPR?


PECR works alongside the GDPR and covers in more detail key aspects of what is done with data.


The key difference is that the GDPR covers the processing of personal data, where PECR relates specifically to electronic marketing and has detailed rules on:

  • marketing calls, emails, texts and faxes
  • cookies
  • security of communications services
  • customer privacy for traffic and location data, itemised billing, line identification and directory listings.


When does PECR apply?


Authorities say PECR will apply if you:


  • market by phone/mobile, email, text or fax
  • use cookies or a similar tracking tech on your website
  • provide a telephone directory/public directory.


How does GDPR work with PECR?


GDPR changes the way we deal with personal data. PECR is now better off for the clarity that GDPR brings on that data, and so their rules can be implemented in a clear way, with support from GDPR.


In simple terms, if you do any of the aforesaid phone calls, emails, cookies, etc., then you have to work with both GDPR and PECR.


It is key, however, to note that PECR applies if you are not processing personal data.


PECR & website cookies?


Cookies fall under PECR, but you have some say in how you approach cookies at the same time.


At the time of writing, regulation 6 of the PECR states that you should:

  • Tell people that the cookies are there
  • Explain what the cookies are doing and why
  • Get the individual’s consent to store a cookie on their device.


For consent to be valid, it must be freely given, specific and informed, and must involve some form of positive action. This consent should be unbundled from other information on your website, such as your privacy policy. Consent does not necessarily have to be explicit ‘opt-in’ consent, as implied consent can also be valid, as long as users understand that their actions will result in cookies being set.


This consent should be obtained from the subscriber or the user and, in practice, you may not be able to tell who is a subscriber or a user. The key will be that valid consent has been provided by one of them.


Useful links