With the first year of GDPR behind us, it makes sense to consider lessons from customers and the data privacy community.
A persistent concern remains Legitimate interest for Direct marketing.
Some were advised to delete entire customer lists or run unnecessary re-permission campaigns. This broad-brush approach meant that many firms were left with a much-reduced capability to communicate with customers and subscribers.
If this applies to you, you may need to consider
Legitimate Interest Assessment (LIA).
There are six legal bases for processing personal data under GDPR Art 6(1): Consent, contract, legal obligations, vital interests, public interest and legitimate interest.
For Direct marketing, Recital 47 is clear. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Recital 47: Where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
Legitimate interest examples could include a company that sells medical packaging. Processing the data of the procurement director of multiple pharmaceutical firms would fall under legitimate interest.
A recruitment firm that accepts your application online, a Hotel that you stayed with or an eCommerce store you shopped at could rely on legitimate interest.
For a maker of ballet shoes, processing the data for marketing purposes of dance school owners would fall under legitimate interest.
Identify the Legitimate interest (Recital 47)
Show that the processing is necessary to achieve it.
Balance against interests, rights, and freedoms.
If you need help with your Legitimate Interest Assessment, please contact our support team.
For professional guidance, please contact the following privacy experts.