You have to ask permission. It has to be clear to the recipient what exactly their data is used for. So you can't just send people other digital content that fits their buyer persona and behavior on the website (without permission).
Furthermore, you must provide the option for your customers to unsubscribe at any time. It must be clear where and how this can be done. For example, by using an unsubscribe link (opt-out).
A no-reply address is not allowed. You must use an email address that the recipient of the mailing can respond to.
The above requirements are not new in principle, previously you also had to ask permission to send commercial e-mails. And this permission also had to be sufficiently specific. But now you have to store more information about the e-mail opt-in, such as the date and what exactly permission was given for. If you do not have this information, the e-mail opt-in is invalid and you run the risk of a fine. With the new legislation, there is more attention for compliance with the privacy law and the consequences of not complying with the rules are serious.
Also keep in mind that the new legislation also applies to your current address file. By this I mean the file that you have collected up until the new privacy law comes into effect. For these hk phone number contacts you need a new email opt-in that meets the guidelines of the GDPR before 25 May 2018, if you have one and want to stay in touch.
Dennis Leussink wrote the article E-mail marketing: how to prepare your opt-in for the GDPR law , in which he gives concrete examples of how to respond to the new AVG. A practical article. Definitely worth reading.
What does this mean for profiling?
For various clients, I use marketing automation to build profiles of people. They also regularly ask what is written in the new privacy law with regard to profiling. What is new with regard to profiling, is that profiling is explicitly mentioned in the new privacy law. If personal data is used to build profiles, data subjects must be informed about the profiling and its consequences. So we must again explicitly ask for permission that is given with an active action (for example by ticking the box for agreement).
Furthermore, it must be stated in plain language what exactly permission is being requested for. Here too, consumers have the right to withdraw their permission at any time. Where profiling used to be largely invisible to visitors, visitors must now be clearly informed about the existence of profiling and its consequences. This is preferably done via a privacy statement.