Before acquiring a contact list or a database with contact details of individuals from another organisation, that organisation must be able to demonstrate that the data was obtained in compliance with the General Data Protection Regulation and that it may use it for advertising purposes. For example, if the organisation acquired it based on consent, the consent should’ve included the possibility to transmit the data to other recipients for their own direct marketing.
Your company/organisation must also ensure that the list or database is up-to-date and that you don’t send advertising to individuals who objected to the processing of their personal data for direct marketing purposes. Your company/organisation must also ensure that if it uses communication tools, such as email, for the purposes of direct marketing, it complies with the rules set out in the ePrivacy Directive (Directive 2002/58/EC1).
Such lists are processed on grounds of legitimate interests and individuals will have a right to object to such processing. Your company/organisation must also inform individuals, at the latest at the time of the first communication with them, that it has collected their personal data and that it will be processing it for sending them adverts.
Two friends, Mrs. A and Mr. B, run, respectively, a gym and a book shop. Each collects data from their respective customers. Mr. B’s book shop isn’t doing well. His client database has few entries and not many people walk into his shop. He tells Mrs. A that he has a new biography of a famous athlete and asks whether Mrs. A’s clients would be interested in receiving advertising about the book. The terms of Mrs. A’s privacy notice informed her clients that she could share the data with partners offering products in the health and fitness area. As far as specific consent was given for the purpose of transmitting the data to other recipients for their own direct marketing, Mrs. A can send the client list to Mr. B. No data can be sent about an individual who objected to the processing of their personal data.
- Article 4(10) and Articles 5, 6, 14 and 21 of the GDPR
- EDPB guidelines on Transparency under Regulation 2016/679
- ePrivacy Directive 2002/58/EC rules on direct marketing, in particular Article 13
1 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.07.2002 p.37).