Is it true that work email addresses are not considered personal data? This question has been quite common lately. The straightforward response is that work email addresses indeed qualify as personal data. If you can ascertain the identity of an individual, whether directly or indirectly (even within a professional context), the General Data Protection Regulation (GDPR) will still be applicable.
An individual’s work email address typically contains their first and last name, along with information about their place of employment. For instance, an email address in the format of firstname.lastname@company.com is regarded as personal data under GDPR. However, if it is a generic business email address, such as info@company.com, it does not fall into the category of personal data.
Do you have to seek consent for business-to-business marketing? Well, not necessarily. There are six legitimate grounds for data processing according to the GDPR, and these encompass your business-related interests. These include:
- Consent
- legitimate interest
- public interest
- protection of vital interest
- legal obligation
- contract
Recital 47 of the GDPR states that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”. However, if you intend to rely on legitimate interest rather than consent, you will need to apply the following three-part test:
- The purpose test: Are you processing personal data in pursuit of a legitimate interest?
- The necessity test: Is the processing proportionate to achieving your aims?
- The balancing test: Is your legitimate interest overridden by the rights of the person whose data you’re processing?
The regulations governing business marketing emails are rooted in the Privacy and Electronic Communications Regulations (PECR). Given that the GDPR focuses on consent, it is imperative to adhere to both the PECR and the GDPR when engaging in business-to-business marketing activities.
Adding a twist to the situation, the European Union is currently in the process of introducing a new ePrivacy Regulation (ePR) that will eventually replace the existing e-privacy law (PECR). Although the specifics of the ePR have not been finalized, it is poised to supersede the PECR.
Understanding the GDPR can sometimes appear to be a complex matter. If you have any questions or concerns, it is advisable to seek professional guidance rather than relying solely on information from the ICO (Information Commissioner’s Office). For more comprehensive information, please refer to our GDPR services.
Gov.uk also provides clear guidance on the Data Protection Act. The Data Protection Act controls how your personal information is used by organisations, businesses or the government. As in individual you can find out what your rights are here.
Your questions answered on the UK GDPR & Data Protection Issues
If you would like to speak with a GDPR legal expert do not hesitate to contact Mayumi Hawkes on 020 3034 0501 or email her on mayumi.hawkes@cognitivelaw.co.uk.