GDPR Vs. PECR
What is GDPR?
The GDPR (General Data Protection Regulation) is legal framework that was introduced across EU member states on May 25th 2018, bringing significant changes to data protection in Europe. It comes as a replacement to existing legislation surrounding data protection which was introduced in 1995. The purpose of this new legislation is to enhance protection of individuals’ privacy and ensure full control over their personal data.
How Does GDPR Affect Organisations?
The introduction of this new legal framework means a significant increase in organisations’ responsibility & obligation to protect personal data, and ensure they are fully compliant with the GDPR guidelines in how they collect, process, and store this information. Companies must ensure that the information they hold on individuals is congruent to new legal standards. Under new legislation, companies are not permitted to contact individuals unless they can demonstrate lawful grounds upon which to do so.
Processing of Data
As per GDPR guidelines, the processing of data may be deemed lawful if the sender can demonstrate at least one of the following:
- The data subject has consented to have their data processed and held by the data controller
- Data processing is necessary for the performance of a contract to which the data subject is a party
- Processing is necessary for compliance with a legal obligation
- Processing is necessary in order to protect the vital interests of the data subject
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
Legitimate Interest
As per the new legislation, the processing of data is deemed lawful if the data controller can demonstrate that it is necessary for the purpose of legitimate interest. Recital 47 of the legislation details instances whereby legitimate interest is appropriate, and what criteria is needed to meet those requirements. The guidelines state that: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” As such, the processing of data may be deemed acceptable if carried out for direct marketing purposes.
Privacy & Electronic Communications Regulation
The Privacy and Electronic Communications Regulations (PECR), which sits alongside the Data Protection Act and GDPR, outlines the privacy rights of individuals specific to electronic communications, particularly direct marketing. The legislation stipulates that unsolicited marketing messages (i.e. any message that has not been specifically requested) are somewhat restricted for marketing to individuals. In the case of direct marketing to businesses, PECR states that: “You may email or text any corporate body (a company, Scottish partnership, limited liability partnership or government body). However, it is good practice – and good business sense – to keep a ‘do not email or text’ list of any businesses that object or opt out, and to screen any new marketing lists against that. In addition, many employees have personal corporate email addresses (e.g. [email protected]), and individual employees will have a right under section 11 of the DPA to stop any marketing being sent to that type of email address.” This rule is also stipulated in GDPR guidelines: “If you are processing an individual’s personal data to send business to business texts & emails, the right to object at any time to processing of their personal data for the purposes of direct marketing will apply the right to object to marketing is absolute and you must stop processing for these purposes when someone objects.”
Therefore, with regards to direct marketing specific to businesses, or individuals in a business capacity, it is permitted to send unsolicited messages provided that the correct measures have been taken to ensure opportunity for those individuals or businesses to object to such messages and opt-out from any further communications (mass marketing with poorly constructed messages of little value to the recipient will likely result in objection to such communications, and potentially reports of spam. All marketing messages should be relevant & specific to the needs of recipients). For more information on PECR, please read the following:
https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf
How SalesOptimize is GDPR & PECR Compliant
SalesOptimize provides company information and website data. We do not provide personal data relating to individuals outsides of an organisation. As per the guidelines of PECR related to direct marketing for businesses, any data we provide is at an organisational level and prior consent for contacting these organisations is not required, provided that the sender has given the recipient an opportunity to remove consent and withdraw from any future communications. We do not provide any personal email addresses or phone numbers, nor do we provide any contact data for Sole Traders, who are deemed ‘individuals’ and not companies.
If you would like to talk to us in more detail about our GDPR compliance, just drop us an email or a phone call. We are more than happy to chat!
+353 1 659 9292