Under the DPA and the GDPR, there are 6 lawful grounds that can be used for the processing of personal data. Consent is one of such lawful grounds for processing, but not the only one. Many organisations will rely on other lawful grounds for processing of personal data, such as legitimate interest. Relying on legitimate interest involves:
1. Establishing the interest of the organisation – this could be for example promoting goods or services offered by the organisation. Processing for direct marketing purposes is specifically mentioned in the GDPR;
2. Carrying out a necessity test – this requires consideration of whether there is another way of achieving the interest, without having to use the personal data. Even if there is another way, but it would require disproportionate effort, the necessity could still be established. You need to consider - is there a way to make direct marketing communication with the correct contacts within an organisation without holding their personal data? It is unlikely that there would be another proportionate way of making direct marketing communications without the necessity to use personal data; and
3. Balancing the interest of the organisation against the fundamental rights of the data subjects and whether the use of their personal data by the organisation could have a significant impact on their fundamental rights. In the context of B2B direct marketing, where communications relate to business services rather than the personal life of the individuals receiving the communications, it is unlikely that the fundamental rights of such individuals would be impaired. Those communications need to be measured and unobtrusive.
Our view is that it is reasonable to rely on legitimate interest as grounds for the processing of personal data for direct marketing purposes, given the very limited amount of personal information being processed; the fact that it is being used solely for the purposes of marketing to the business for which the individual works and not the individual him/herself; and that the individuals concerned are likely to be people within the organisation who would expect to be contacted for business communications. GDPR requires each organisation to carry out an assessment (and document it) of which lawful grounds for processing of personal data apply to its processing activities.
Phone: (+44) 333 207 0540
The Lead Laboratory Limited is a private limited company registered in England & Wales under registration number 08729954. The company's registered office is Rollsbridge House, Exeter, Devon, EX2 9QU.