Welcome to the FAQ section
You can find answers plus hints and tips for all of your Data Protection queries

“Most of our database is made up of historical quotations or previous customers but under GDPR, just because they have gotten a quote from us or bought from us doesn't actually give us the right to use their data for marketing purposes. Is this correct?”.

Answer: When you originally sold, quoted or marketed products or services did you offer an opt-out at point of sale?

If the answer is yes you may be able to rely on ‘soft opt-in’.

If you did not offer an ‘opt-out’ then you will need consent. If you cannot reference an affirmative opt-in or consent then you do not have the data subject’s permission, therefore you cannot send marketing emails.

Fig 1: Legitimate Interests Assessment

Legitimate Interests

Remember, it’s PECR (Privacy and Electronic Communications Regulations) that regulates e-marketing NOT GDPR. Legitimate Interests IS NOT a lawful basis for electronic marketing under PECR.

Opt-in has to be specific, informed and freely given and if you are relying on the ‘soft opt-in’ you can only use it for marketing/promotion of your OWN products/services. So an opt-in is the cleanest way to start a new list.

See here some useful links in relation to PECR: Statutory Instrument 336 of 2011 (Ireland) and ICO (UK) Guide to PECR

The GDPR introduces direct obligations and potential liabilities on the Controller AND Processor. The GDPR requires a legally binding contract between the Data Controller and the Data Processor(s).

There are Compulsory details that must be included:

  • The subject matter and duration of the processing;
  • The nature and purpose of the processing;
  • The type of personal data and the categories of data subject; and
  • The obligations and rights of the controller.

Compulsory terms:

  • The processor must only act on the written instructions of the controller (unless required by law to act without such instructions);
  • The processor must ensure that people processing the data are subject to a duty of confidence;
  • The processor must take appropriate measure to ensure the security of processing;
  • The processor must only engage a sub-processor with the prior consent of the data controller and a written contract;
  • The processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
  • The processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • The processor must delete or return all personal data to the controller as requested at the end of the contract; and
  • The processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
  • The name and contact details of your organisation (and where applicable, of other controllers, your representative and your data protection officer);
  • The purposes of your processing;
  • A description of the categories of individuals and categories of personal data;/li>
  • The categories of recipients of personal data;
  • Details of your transfers to third countries including documenting the transfer mechanism safeguards in place;
  • Retention schedules;
  • A description of your technical and organisational security measures;

Should we document anything else?

As part of your record of processing activities, it can be useful to document (or link to documentation of) other aspects of your compliance with the GDPR and the UK’s Data Protection Bill. Such documentation may include:

Information required for privacy notices, such as:

  • The lawful basis for the processing;
  • The legitimate interests for the processing;
  • Individuals’ rights;
  • The existence of automated decision-making, including profiling;
  • The source of the personal data;
  • Records of consent;
  • Controller-processor contracts;
  • The location of personal data;
  • Data Protection Impact Assessment reports;
  • Records of personal data breaches;
  • Information required for processing special category data or criminal conviction and offence data under the Data Protection Bill, covering:
  • The condition for processing in the Data Protection Bill;
  • The lawful basis for the processing in the GDPR;
  • Your retention and erasure policy document.

NOTE! Many of the details above can be provided by the Data Mapping exercise.