This blog will explain why there should be no breach of GDPR when a business adds business contacts to their mailing list, provided the data is processed “lawfully, fairly and in a transparent manner” (Art 5(1)(a)).
Article 4(1) of the General Data Protection Regulation (GDPR) defines personal data to encompass “any information relating to an identified or identifiable natural person”. It, therefore, follows that an individual’s business email which allows you to identify them, whether directly or indirectly, would be considered personal data. This excludes generic email addresses such as enquiries@ and info@ where the user cannot be recognised. Processing such personal data would have to be GDPR compliant even when acting in a professional capacity.
In order to process data lawfully, at least one of the lawful bases stated under Article 6 must apply. For example, data could be processed (i) for the necessary performance of a contract, (ii) for compliance with a legal obligation, (iii) in order to protect the vital interests of the data subject, or (iv) on the basis of consent to use that data.
The ground most applicable to processing data in the form of adding business contacts to your business mailing list is the one referred to under Art 6(1)(f) – “necessary for the purposes of the legitimate interests pursued by the controller or by a third party”.
“Legitimate interests” is the most flexible of the six lawful bases, but it is one which may require more justification than the rest. A three-part test is to be applied as part of the legitimate interest assessment. The test involves assessing:
1. whether the processing of data is necessary;
2. whether there is a balance of interest (one which cannot be overridden by the fundamental rights and freedoms of the data subject);
3. and whether there is a strong purpose behind processing the data.
By applying this test to the situation of adding business contacts to a mailing list, it could be argued that data is being processed for the purpose of networking and growing your business. The business would not be able to achieve this objective without processing the data and, in this case, the balance favours the processing, as the business contacts are more likely to expect the processing of their personal data in a business context. The processing is less likely to have a significant impact on the business contacts personally, and such interests are not overridden by fundamental rights and freedoms.
Additionally, the GDPR recitals, in particular recital 47, confirm that a legitimate interest could exist where there is a “relevant and appropriate relationship” between the data subject and the controller. Again, in this case, the business nature of the relationship between the controller and data subject reaffirms that the processing of data is less likely to be unexpected and unjustified.
It is important to note that if you intend to process the personal data of your business contacts, you ought to remember individual rights, including the right to be informed, the right to object and the right to revoke consent.
It may be that a decision is made in the future that varies this analysis, but our view at the moment is: a business can add business contacts to their mailing list.