See the information below that explains how the email data we provide is processed in accordance with GDPR.

Which Lawful Basis?

We identify ‘Legitimate Interest’ as the most appropriate lawful basis for processing our third party B2B marketing data. Direct marketing is recognised as a legitimate interest in GDPR recital 47.

How was this explained on collection?

Our online business directory and preference centre, 5mins.co.uk, captures, legitimises, verifies and updates the corporate data on our file. On collection it was/is explained to each individual what their personal information would be used for.

Do we use a Layered Privacy Policy?

On collection of the data we use a layered privacy policy with the most important information upfront. This is designed to be transparent and clear with concise language.

How are individuals informed of what we do with their data and how they can refuse marketing?

We send a regular data privacy notice by email reminding individuals of what personal information we hold and what we do with their data. The email includes a link for them to update their personal information and preferences within the 5mins preference centre. At this point they are also reminded of their right to object to processing and provided with the opportunity to unsubscribe. This gives them control over their information.

What do you need to do?

If you purchase B2B email data you will need to do your due diligence on your suppliers. We can assist you with documentation that will help you gather the necessary information. With sales of our prospect B2B email lists we provide our clients with a copy of our data due diligence documents before purchase. We can also help with running balancing tests that ensure you are correctly targeting the right contacts. We can advise on any other necessary processes such as sending a data privacy notice on immediate purchase of an email list. We aim to help our clients as much as possible so that they understand the process and implications of GDPR.

What do we need to do with our clients?

We clearly have a responsibility to comply with the new law ourselves. This includes the need to ensure that, when we share personal data with you, it will be in good hands. Therefore we have to do our own due diligence on our customers. You will notice that we are asking you more questions, for instance about your lawful basis and data processes.

In summary

In summary, we are GDPR compliant with the UK B2B email data we supply because we do the following:

  1. We are clear with individuals why we need their data at the point of collection
  2. We always use clear and concise language appropriate for our target audience
  3. We give individuals control over their data. They are always able to decide whether to share their personal data with us or not

Under the GDPR principle of accountability, Emailmovers is able to demonstrate that we are compliant. We always record the legal grounds for processing an individual’s personal data.

We have done our Due Diligence on our suppliers of B2C data which has included documentation, site visits and a thorough understanding of how they collect data for third parties. Their details are as follows:

Data OD Ltd | Data On Demand – http://www.dataondemand.co.uk/privacypolicy

Data OD Ltd, Platform, New Station Street, Leeds, LS1 4JB

ICO: ZA231384

UK Reg No: 10183365

Which Lawful Basis?

Our suppliers offer 2 separate data-sets for targeted marketing. When collecting new data under GDPR for Third Party Marketing, our suppliers consider consent to be the most appropriate basis for lawful processing. However, our supplier also offers a data-set that was collected under PECR which is processed under legitimate interest.

How was consent gained on collection?

They collect data for Third Party Marketing from their Data Contributor Network (DCN).

Consent from the Data Subject on the Data Contributors' websites is collected with the following rules:

  1. Prominent and separate from other terms and conditions
  2. Requires a positive opt in
  3. Does not use pre-ticked boxes or default consent
  4. Uses clear, plain language that is easy to understand
  5. Specifies why we want the data and what we are going to do with it
  6. Gives individual options to consent to the preferred marketing channels they choose
  7. Third Party Controllers relying on consent are named in the Privacy Policy or linked in the Privacy Notice.
  8. Individuals can withdraw their consent at any time
  9. Consent is not a precondition of a service. Individuals can refuse consent without detriment to their original reason for visiting the website, i.e. to enter a competition, apply for a loan or subscribe to a newsletter.

How is consent recorded?

  • They keep a record of how and when they got consent from the individual
  • They keep a record of exactly what they were told at the time

How is consent managed?

  • They regularly review consents to check that the relationship, the processing and the purposes have not changed.
  • They have processes in place to refresh consent at appropriate intervals
  • They have a preference-management tool called The Marketing Preference Service.
  • They make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
  • They act on withdrawals of consent as soon as they can.
  • They don’t penalise individuals who wish to withdraw consent.

What do you need to do?

You need to do your due diligence with any data supplier, and we will be assisting our clients in preparation for this. We will provide a copy of our data due diligence documentation for B2C email lists before purchase. We will help you correctly target your audience and will offer advice on any other necessary processes. We aim to help our clients as much as possible so that they understand the process and implications of GDPR.

In summary

In summary, the UK B2C data we provide to clients is GDPR compliant because we ensure our suppliers do the following:

  1. Clear with individuals why their data is needed at the point of collection
  2. Clear and concise language appropriate for our target audience is always used
  3. At the point the data is collected, information is given to the individual and is not hidden in small print.
  4. Individuals are given control over their personal data and are given access to decide whether their personal data is shared or not.
  5. We can demonstrate GDPR compliance and the lawful grounds of consent for processing the personal data of every individual. If challenged we would be able to provide screenshots of the tick box and the corresponding privacy notice.
  6. Our customers can be specifically named as a company that data will be shared with, giving them the required consent under PECR to the GDPR standard of consent

We have been doing due diligence on our UK and overseas suppliers to ensure that their data collection is compliant with GDPR fair processing policies, and that their systems are robust enough to be able to deal with the rigours of GDPR such as SARs.

Which Lawful Basis?

The European third party B2B data we provide is processed under the legal basis of ‘Legitimate Interest’. Direct marketing is recognised as a legitimate interest in GDPR recital 47. In the B2B environment it can be assessed that sending relevant promotional materials to data subjects in their job roles will be appropriate.

How are individuals informed of what we do with their data and how they can refuse marketing?

  • Our suppliers using LI have been sending messages to their European data subjects informing them of what data is held on them and why it is being held.
  • Data subjects have been given the opportunity to opt-out.
  • Data subjects have been given the opportunity to study the supplier's Privacy Policy.
  • Data subjects have also been informed that third parties may use the data on the grounds of Legitimate Interest.
  • Data subjects have been kept informed, offered opportunities for the processing not to happen, and offered extra information about their rights.

What do you need to do?

In preparation and post 25th May we will be assisting our clients in doing their due diligence. With future sales of prospect B2B email lists we are going to provide our clients with a copy of our data due diligence documentation before purchase. You will be expected to do an Impact Assessment to assess if your processing is relevant and appropriate. We will help with running balancing tests that ensure you are correctly targeting the right contacts. We can advise on any other necessary processes such as sending a data privacy notice on immediate purchase of an email list. We aim to help our clients as much as possible so that they understand the process and implications of GDPR.

What do we need to do with our clients?

We clearly have a responsibility to comply with the new law ourselves. This includes the need to ensure that, when we share personal data with you, it will be in good hands. Therefore we have to do our own due diligence on our customers. You will notice that we are asking you more questions, for instance about your lawful basis and data processes.