To clarify what the current status is regarding the processing of data and how GDPR affects e-marketing the following information is provided.
The EU General Data Protection Regulation is a far-reaching piece of European privacy legislation, which came into effect on 25th May 2018.
GDPR replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.
The GDPR applies to organisations processing and holding personal data within the EU. It also applies to organisations outside the EU who offer goods or services to individuals in the EU.
Personal data means any information that can be used to directly or indirectly identify the person. This could be anything from a name, computer IP address or bank details to location data.
GDPR requirements are not affected by Britain leaving the EU (Brexit); this has been confirmed by the Secretary of State for the Department of Culture Media and Sport.
The use of email marketing is governed by the Privacy and Electronic Communications Regulations (PECR). PECR sits alongside the Data Protection Act and the GDPR.
Under PECR, marketing emails are permissible in a B2B environment with no requirement for a prior opt-in, although there must be a clear opt-out option.
Sole traders and partnerships are excluded from this; take care not to send marketing emails to sole traders or partnerships.
Where GDPR is relevant is as the basis for processing of personal data; including data of employees within a business (i.e. B2B data).
GDPR has six lawful bases under which personal data can be processed. The sixth clause in Article 6 – Legitimate Interests – is the one that is relevant to email marketing, in a B2B context.
The sixth clause in Article 6, ‘Legitimate interests’ states:
This clause is consistent with Article 16 of the European Charter of Fundamental Rights, the ‘freedom to conduct a business’ which confirms the right to supply goods and services and generate profit, provided your business activities comply with the law.
This is clarified further under Recital 47 of GDPR, which states:
Businesses do need to apply a balanced view in using legitimate interest as the basis for processing the subject’s data, which in the context of PECR and the sending of B2B marketing emails should include:
The use of both email marketing and telemarketing is still permissible in today’s GDPR compliant world.
Marketers must however:
For further guidance on GDPR & Legitimate see further information from The Direct Marketing Association and The Information Commissioner’s Office:
The ICO Guide to GDPR & Legitimate Interests
The DMA Guide to Consent & Legitimate Interests