Spam is regulated in the EU primarily by Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). The GDPR does not directly regulate spam, but it places consent as a condition for direct marketing in certain situations.
2. Are there additional anti-spam regulations that are country-specific that also must be adhered to?
This Directive is not directly applicable like the GDPR is, and this meant that each member state had to adopt local legislation to accommodate the provisions of the directive. There is the Privacy and Electronic Communications Regulations 2003 in the UK, Act 34/2002 on Information Society Services and Electronic Commerce, Gesetz gegen den unlauteren Wettbewerb (UWG) in Germany, etc., so it depends on the jurisdiction where you are operating.
3. How would this affect contracts an organization has with third parties (who might be marketing on an organization’s behalf)?
The anti-spam rules have nothing to do with third-party advertisers. If these parties will be providing advertisement on your behalf using personal data obtained from you, they will be acting as your processors, so the GDPR rules, especially art. 28, will be applicable.
4. What are the penalties for non-compliance?
The penalties for not complying with the provisions of anti-spam regulations depend on the local law so, as I said before, it depends on the jurisdiction. For example, in the UK you can be fined up to £500,000 for each unsolicited phone call.
>The GDPR does not directly regulate spam but it places consent as a condition for direct marketing in certain situations?
The GDPR establishes the rules around consent and those rules need to be respected whenever using consent as your lawful grounds for sending the advertisement. The GDPR also allows for direct marketing based on legitimate interest.
However, the GDPR does not say that direct marketing always constitutes a legitimate interest, and whether your processing is lawful on the basis of legitimate interests depends on the particular circumstances. Some forms of marketing may not be legitimate if they do not comply with other legal or ethical standards or with industry codes of practice. However, as long as the marketing is carried out in compliance with the e-privacy laws I mentioned previously and other legal and industry standards, in most cases it is likely that direct marketing is a legitimate interest.