GDPR does apply to generic business data, for example firstname.lastname@example.org. Such details can be used for marketing without change under GDPR.
GDPR does apply to personal data which includes a persons name, for example email@example.com. Such details can still be used for marketing as long as it complies with the following;
· Said marketing is of ‘Legitimate Interest’ to the contact
· Does not put them in danger or affect them negatively
· Has a clear method to ‘unsubscribe’ so future mailings can be ‘opted out’ from
To help assist in compliance with GDPR, Esky Learning Limited has conducted an Legitimate Interests Assessment, detailed below, to be transparent and open about any future marketing.
Ultimately Esky only conducts limited email campaigns throughout the year and will always honour any data request quickly.
Legitimate Interest Assessment
Purpose of Processing
Esky Learning Limited has a legitimate interest to process contact data and send occasional email marketing relating to decision makers in organisations who require the basic Health and Safety related training we offer. The data is gathered from publicly available sources, directly from the organisations concerned and through legitimately sourced data lists.
Lawful Business Objective
The processing is necessary in order to supply Esky Learnings customers, and potential customers with a legitimate interest in its products for marketing purposes; a lawful business objective specifically identified by the Privacy and Electronic Communications Regulations 2003 (PECR). Clause 47 of the GDPR identifies direct marketing as a legitimate use of personal information.
The data subjects are decision makers in organisations who require the basic Health and Safety related training Esky offers and can reasonably expect to be contacted with marketing material relating to their professional roles.
Adequate, Relevant & Limited
The data collected is limited to names of decision makers, job titles, addresses, company landline telephone numbers and corporate email addresses. If Esky is aware that a person leaves their role, their name and contact details are removed from the database.
If a data subject requests that their data is removed from the database, it is suppressed so that it cannot be accessed or added again at a later date.
Esky Learning Limited offers essential Health and Safety related training in core subjects relevant to everyone in the workplace. It’s training, delivered online, is easy to use, cost effective, flexible and engaging. In the absence of Esky Learning, workplace staff could potentially decide it is not worth undertaking such training, which would have a detrimental effect on the safety of their organisations and the wider economy.
What is Legitimate Interests?
Legitimate Interests is one of the six lawful bases for processing personal data under the GDPR (General Data Protection Regulation). You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle.
Legitimate interests might be your own interests, or the interests of the third party receiving the data, or a combination of the two.
Latest guidance from the ICO says that legitimate interests may be the most appropriate basis when:
"the processing is not required by law but is of a clear benefit to you or others; there’s a limited privacy impact on the individual; the individual should reasonably expect you to use their data in that way; and you cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing."
You can read the ICO’s guidance on legitimate interests in full on the ICO website.