Data processing compliance

Our Data Processing Compliance – PECR and GDPR

The Privacy and Electronic Communications Regulations 2003 (PECR) govern, in part, direct marketing by telephone and email. Unsolicited (that is, unanticipated) email marketing may be sent to private individuals only if they have given consent to be marketed to in that way. This applies to sole traders and those working in partnership (i.e. not those employed by or directing limited companies).

This differs from the rules governing B2B marketing to individual employees/directors of limited companies. Unless such an individual has ‘opted out’ of receiving such email marketing (i.e. by using an unsubscribe function on the relevant email/s), then it is lawful to send unsolicited email marketing to them at their corporate email address.

Therefore, consent is essential if email marketing is to consumers, sole traders or those in partnership. PECR governs the process and legality of direct marketing.

The GDPR requires that personal data must be processed lawfully, which means that one of a selection of lawful bases for processing must be established, before that processing can take place.

Processing on the basis that the data subject has given consent is a legal basis, as is processing based on a ‘legitimate interest’. A legitimate interest to process personal data can be for the purpose of direct marketing. The question of whether or not to process on this basis is answered on analysis of the competing interests between the data subject (B2B contact) and the data controller (Us).

So, if we are processing a data subject’s personal data for direct marketing purposes, we will do so lawfully, because we assess that we have a legitimate interest that is in balance with the rights and freedoms of the data subject in these cases.

B2B List Sales – Our legal compliance summary

  • Our data lists contain B2B contacts, where no ‘opt-out’ has been made.
  • We regularly screen our B2B lists for contacts who are sole traders and those in partnerships.
  • Consent (or ‘opt-in’) may or may not have been obtained for each contact on these lists; however, consent is not legally required for B2B contacts of incorporated organisations (direct marketing by email, mail or telephone (live calls)).
  • To comply with GDPR, the B2B contacts list must be processed lawfully by us, and by the buyer of the list.
  • The lawful basis for processing these contacts is that we have a ‘legitimate interest’ to process them for the exclusive purpose of direct marketing.
  • We assess this to be an appropriate lawful basis, because:
    • The data subjects are business contacts (names, telephone numbers and email addresses);
    • The processing is of business contact details, and there is a demonstrable low impact on the privacy of the individual;
    • Email direct marketing is a reasonable and proportionate method of processing to achieve commercial objectives;
    • The data subjects in question might reasonably expect to receive business marketing to their corporate email addresses;
    • As such, the processing is transparent and fair;
    • The data subjects may easily indicate that the data processing is against their wishes, by unsubscribing from marketing emails.
  • We conclude that the rights and freedoms of the data subjects in question are not disproportionately or negatively infringed upon through this course of processing.
  • Where a B2B contact objects to this processing, we will stop processing for this purpose (GDPR compliance and PECR compliance, i.e. ‘opting out’).