Welcome to the FAQ section
You can find answers plus hints and tips for all of your Data Protection queries
“Most of our database is made up of historical quotations or previous customers but under GDPR, just because they have gotten a quote from us or bought from us doesn't actually give us the right to use their data for marketing purposes. Is this correct?”
Answer: When you originally sold, quoted or marketed products or services, did you offer an opt-out at point of sale?
If the answer is yes, you may be able to rely on ‘soft opt-in’.
If you did not offer an ‘opt-out’, then you will need consent. If you cannot reference an affirmative opt-in or consent, then you do not have the data subject’s permission and therefore cannot send marketing emails.
Fig 1: Legitimate Interests Assessment
Remember, it’s PECR (Privacy and Electronic Communications Regulations) that regulates e-marketing, NOT GDPR. Legitimate Interests IS NOT a lawful basis for electronic marketing under PECR.
Opt-in has to be specific, informed and freely given, and if you are relying on the ‘soft opt-in’ you can only use it for marketing/promotion of your OWN products/services. So an opt-in is the cleanest way to start a new list.
The GDPR introduces direct obligations and potential liabilities on the Controller AND Processor. The GDPR requires a legally binding contract between the Data Controller and the Data Processor(s).
There are compulsory details that must be included:
Should we document anything else?
As part of your record of processing activities, it can be useful to document (or link to documentation of) other aspects of your compliance with the GDPR and the UK’s Data Protection Bill. Such documentation may include:
Information required for privacy notices, such as:
NOTE! Many of the details above can be provided by the Data Mapping exercise.