GDPR - chasing up debtors using emails

MissUtilities

We are a large utility company. We are relatively well prepared with regards to the GDPR but like many organisations we are still learning (no one wants to be a test case for the ICO : -).

The soft opt-in rule allows us to send marketing emails to existing customers who haven't specifically opted-out. We have opt-out links in all our marketing emails and adhere to all marketing opt-outs.

We also chase up debtors using emails. We are allowed to do this similar to the soft opt-in. We can email existing customers unless they specifically opt out. Some customers (usually the ones who owe us money) are telling us to stop sending them email reminders. They mention the GDPR and say we must stop emailing them. The question is, do we?

We don't bombard them but like any company, we need to be paid and the Data Protection Act and the GDPR were not passed to make it easier for people to avoid paying their bills!!

Today I received another email from a customer. This one was relatively polite. We had sent them an email reminding them about an outstanding bill. They have asked us to delete their email address from our billing system and only contact them by post. Obviously some people do this to make it more difficult for us to collect overdue payments.

If we refuse, and this person reports us to the ICO and says "they keep emailing me because I owe them money" would the ICO really do anything about it? We never send unsolicited marketing emails to non customers and always respect customers who opt out of marketing emails. I'm sure lots of our customers would like to opt out of receiving emails reminding them they owe us money too!!

Any information, tips or suggestions would be very welcome. Thank you.
 

MissUtilities

No. GDPR has a "Legitimate interests" clause which allows you to process data if you can provide justification. Chasing outstanding debts would definitely fall within this. More info here:


Thanks Mattk. We often refer to the seven lawful reasons for processing data, but processing data and using it to send electronic communications is one of those grey areas. Like many "responsible" companies, we adopt a granular approach to consent and like to give customers a choice. Our system has two sections for consent:-

General Contact Preferences
SMS [ ], Billing Email [ ]

Marketing Preferences
SMS [ ], Phone [ ], Email [ ], Post SMS [ ], Surveys [ ]


We allow all customers to opt out of all marketing communications if they wish. We also allow them to opt out of receiving general text messages and bills via email. This leaves us with telephone, email and post for general correspondence. No customer can opt out of any of these three communication channels. Even if a customer opts out of receiving electronic bills via email, we still send them reminders by email thus keeping as many channels open as possible for chasing overdue bills.

Based on your reply, I'm now wondering if we can always email a customer who has an overdue bill no matter how many times they ask us not to.

However, whilst getting the money in is very important, we don't want to alienate / annoy our customers. I suppose we still have to consider reasonable requests when someone says we can post the reminder but can't email the reminder. In this scenario the general contact preferences look like this:

General Contact Preferences
SMS [ ], All Emails [ ]
 

cjd

    Of course you can email customers who haven't paid you!

    It's a necessary part of operating the service you provide. The GDPR Article 6 provides 6 ways of legally emailing customers - one is contractual, that's why it's fully legal. And they cannot opt out of those kinds of emails.
     
    What CJD said!

    I know this is a great place to get good advice, but why is a 'large utility company' not using their own experts or contacting ICO directly?
     

    MissUtilities

    In response to the question "why is a large utility company not using their own experts" the answer is the GDPR is so new we are making 100% sure we comply. So much is unknown so we use forums to bounce ideas around (who are the ISO by the way?).

    With regards to my original question, another forum said we DO have to remove an email address if a customer asks for it to be removed, but only if their account is not in arrears. We don't have to remove an email address for a customer who is in arrears as we can use any reasonable method to try and recover the debt.

    I'm trying to establish if we can store an email address for existing customers indefinitely so long as we don't use it for marketing purposes, i.e. they can opt out of marketing comms but can't opt out of account management comms. For example, can a customer tell us to remove their telephone number and home address? No. We need the right of contact so we can effectively manage customer accounts. The rules are different for marketing versus account management but sometimes the rules are difficult to interpret.
     
    Sorry, ISO should be ICO!

    Don't rely on forums for your policy - employ an 'expert' who will give you advice that is insured so they are accountable if it is bad advice. However, there are still a lot of grey areas in relation to GDPR.

    My take is that whilst you have a customer you have legitimate reasons to hold the contact details they allow you to hold and communicate via those means. Do not market to them unless they specifically allow you to. You need to look deeper into the right to be forgotten, which, whilst they are a client, they cannot reasonably ask for.
     

    mattk

    My view would be that you can store an existing customer's data for as long as they are a customer. They have no right to be forgotten, as you have a legitimate use for their information. Once they cease to be a customer you must have a retention policy in place to remove their data after a period of time.

    You can determine the period of time based upon your business needs and any regulatory or legislative reasons. For example, many companies are choosing to retain data for seven years to satisfy HMRC requirements. After that the data should be removed.

    If an ex-customer requests their data is removed before the seven year retention rule you can decide on a case-by-case basis what data, if any, can be removed.
     
    We are a large utility company. We are relatively well prepared with regards to the GDPR but like many organisations we are still learning (no one wants to be a test case for the ICO : -).

    Hmmm. One of the basic requirements under GDPR, PECR and DPA is that you have clearly defined data and information policies and measure these against recommended checklists -
    https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/

    So, what do your checklists say you should be doing?

    The outlines and recommended checklist for Right to Erasure is here -

    https://ico.org.uk/for-organisation...tion-gdpr/individual-rights/right-to-erasure/

    You will note that it says -
    "Individuals have the right to have their personal data erased if:

    the personal data is no longer necessary for the purpose which you originally collected or processed it for;"

    A contractual arrangement between you and a customer clearly requires you to process data for that customer, and so long as they remain a customer they have no Right of Erasure. Once the contract is ended, the service or supply has ceased and the outstanding amount has been paid, then there could be a Right of Erasure. Except that you are under legal obligation to HMRC to keep all data related to accounting for several years, so there is still no Right of Erasure.

    This should be embedded in your company privacy policy.
     

    cjd

    When a customer is no longer a customer you can only keep the data that is necessary to fulfil the business reason you've identified. So if you keep records for 7 years for HMRC it should only be documents they would need - invoices etc - not everything you know about him.
     