GDPR and Email Communications with Behavioral Profiling of Opens and Clicks

While the GDPR does not specifically address "email marketing", there are numerous implications that would define its actions as "profiling".

By definition the GDPR, " 'profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements; "  [GDPR Article 4, Paragraph (4)].  

When someone is sent and email (email address = personal data), opens it (behavioral action recorded) and clicks on a link (behavioral action, person preference and/or of what was clicked), these actions clearly fulfill the definition of "profiling" in the GDPR. Beyond this, the email recipient's server will be returning other personal data such as IP Address, operating system and version, screen resolution, Flash version , etc.

The GDPR specifically addresses being tracked on the Internet, "... In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes."  [GDPR Citation 24].