Legitimate interests

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by Julia Musgrave, Feb 28, 2018.

  1. Julia Musgrave

    Julia Musgrave UKBF Newcomer Free Member

    1 0
    Can anyone help me understand if we can use 'legitimate interests' as an alternative to consent as the lawful basis for keeping data and for emailing someone?
    For example if someone buys something from a company, can the company then contact them about a similar product or service so long as they provide a way to opt out in the future?
    So if they bought apples can we contact about pears, but not about stationery?
    Could we have a policy of retaining and contacting a previous customer for a fixed period after they have bought before taking them off our mailing list? Is this a legitimate interest and reasonable? Have read the ICO's guidance but it's so vague.
    Thanks
     
    Posted: Feb 28, 2018 By: Julia Musgrave Member since: Feb 28, 2018
    #1
  2. cjd

    cjd UKBF Legend Full Member - Verified Business

    15,359 3,049
    The safe answer to all questions like this is no.

    That's really the end of it, in order to market using an email list you must get opt-ins.
     
    Posted: Feb 28, 2018 By: cjd Member since: Nov 23, 2005
    #2
  3. fisicx

    fisicx It's Major Clanger! Staff Member

    29,072 8,579
    It’s not vague at all. Legitimate interest simply means you retain the data in order to process an order and meet legislative requirements. Anything else needs consent.
     
    Posted: Feb 28, 2018 By: fisicx Member since: Sep 12, 2006
    #3
  4. Nochexman

    Nochexman UKBF Enthusiast Free Member

    1,596 258
    I'm not sure you read Julia's question. As I understand it she is asking about an existing customer rather than an 'email list'. Under this circumstance she would be sensible to obtain consent if she can, but her business has a legitimate interest in this user because they have been a customer.

    Isn't this so?
     
    Posted: Mar 1, 2018 By: Nochexman Member since: Jun 14, 2011
    #4
  5. Nochexman

    Nochexman UKBF Enthusiast Free Member

    1,596 258
    I'm sorry, but I think you may be wrong.

    GDPR makes it explicit that you can process an order under item 6.1.b.

    I think legitimate interest means something else (6.1.f)
     
    Posted: Mar 1, 2018 By: Nochexman Member since: Jun 14, 2011
    #5
  6. fisicx

    fisicx It's Major Clanger! Staff Member

    29,072 8,579
    Posted: Mar 1, 2018 By: fisicx Member since: Sep 12, 2006
    #6
  7. fisicx

    fisicx It's Major Clanger! Staff Member

    29,072 8,579
    The two key parts in that guide are:

    "[legitimate interest] is likely to be most appropriate where you use people’s data in ways they would reasonably expect"

    and

    "The processing must be necessary"

    In other words, it's about product or service updates, renewal notices, safety information and so on. It's not about offering me a cushion for the office chair I bought last year.
     
    Posted: Mar 1, 2018 By: fisicx Member since: Sep 12, 2006
    #7
  8. cjd

    cjd UKBF Legend Full Member - Verified Business

    15,359 3,049
    I did :)

    Obtaining consent is always best. You can use legitimate interest but it's not absolute. It depends on the thing you're promoting being similar to the thing you've sold in the past and within a reasonable time of the original purchase. It's always about what the customer would expect. Would I expect to get a spam for a lawnmower 3 years after I bought a teapot and it was my only purchase?

    It's the "soft opt-in"

    If you use legitimate interest to email people who have been customers you need a record of what the interest was and you need it in your privacy policy.

    https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf

    131. Although organisations can generally only send marketing texts or emails with specific consent, there is an exception to this rule for existing customers, known as the ‘soft opt-in’. This means organisations can send marketing texts or emails if:

    •  they have obtained the contact details in the course of a sale (or negotiations for a sale) of a product or service to that person;

    •  they are only marketing their own similar products or services; and

    •  they gave the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.

    132. The texts or emails must be marketing products or services, which means that the soft opt-in exception can only apply to commercial marketing. Charities, political parties or other not-for-profit bodies will not be able to rely on the soft opt-in when sending campaigning texts or emails, even to existing supporters. In other words, texts or emails promoting the aims or ideals of an organisation can only be sent with specific consent.

    133. The contact details must be obtained directly from the individual by the organisation who wishes to engage in the marketing and the marketing must be in relation to that organisation’s similar products and services. Therefore the soft opt-in can only be relied upon by the organisation that collected the contact details. This means organisations cannot rely on a soft opt-in if they obtained a marketing list from a third party – they will need specific consent. See the section on indirect (third party) consent for more on this.

    134. The customer does not actually have to have bought anything to trigger the soft opt-in. It is enough if ‘negotiations for a sale’ took place. This means that the customer should have actively expressed an interest in buying an organisation’s products or services – for example, by requesting a quote, or asking for more details of what it offers. There must be some sort of express communication:
     
    Posted: Mar 1, 2018 By: cjd Member since: Nov 23, 2005
    #8
  9. Nochexman

    Nochexman UKBF Enthusiast Free Member

    1,596 258
    I can't disagree with anything you have written. The trouble is, what is a legitimate interest?

    It's clearly not your example above - that is too easy.

    So, I buy a lawnmower from you last Spring and this Summer I get an email (spam?) from you offering me some new blades for my mower. Legitimate interest?
     
    Posted: Mar 1, 2018 By: Nochexman Member since: Jun 14, 2011
    #9
  10. fisicx

    fisicx It's Major Clanger! Staff Member

    29,072 8,579
    Only if the expected safe life of the blade was 12 months then you might be OK and there was no other practical method of processing.

    From the ICO guide:

    "There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
    • identify a legitimate interest;
    • show that the processing is necessary to achieve it; and
    • balance it against the individual’s interests, rights and freedoms."
    The second test is where you come unstuck.
     
    Posted: Mar 1, 2018 By: fisicx Member since: Sep 12, 2006
    #10
  11. cjd

    cjd UKBF Legend Full Member - Verified Business

    15,359 3,049
    I prefer the easy ones :)

    I'd say that was perfectly ok so long as you include an opt-out in the email and have it in your privacy policy that you'll send info on related products unless you opt out. But that's just my opinion....

    If you sent the same email to someone who bought the lawnmower 5 years ago I think it's harder to argue. (Unless maybe you send it every year and the customer has never clicked your unsubscribe link?)
     
    Posted: Mar 1, 2018 By: cjd Member since: Nov 23, 2005
    #11
  12. Nochexman

    Nochexman UKBF Enthusiast Free Member

    1,596 258
    Two replies - two different answers :rolleyes:
     
    Posted: Mar 1, 2018 By: Nochexman Member since: Jun 14, 2011
    #12
  13. fisicx

    fisicx It's Major Clanger! Staff Member

    29,072 8,579
    Read the ICO guidance. There is no ambiguity at all.
     
    Posted: Mar 1, 2018 By: fisicx Member since: Sep 12, 2006
    #13
  14. Nochexman

    Nochexman UKBF Enthusiast Free Member

    1,596 258
    Unless two different people read the same guidelines.
     
    Posted: Mar 1, 2018 By: Nochexman Member since: Jun 14, 2011
    #14
  15. cjd

    cjd UKBF Legend Full Member - Verified Business

    15,359 3,049
    It's always going to be context specific and the only definitive answer is consent.

    The point is that if a customer complains to the ICO for receiving a spam, they're likely to side with the customer unless he'd given fairly recent consent. This is because one of the main tests is whether the customer could reasonably expect to receive the spam. If he's complaining, that's unlikely isn't it?
     
    Posted: Mar 1, 2018 By: cjd Member since: Nov 23, 2005
    #15
  16. fisicx

    fisicx It's Major Clanger! Staff Member

    29,072 8,579
    Which comes back to the three tests:

    Is it a legitimate interest, is it needed and is it within the expectations of the recipient?

    As @cjd said in another thread, people are trying to find ways to get round the legislation instead of doing it properly. This has been coming for two years, it gave everybody loads of time to prepare. Unfortunately, many businesses have just ignored their responsibilities until now.
     
    Posted: Mar 1, 2018 By: fisicx Member since: Sep 12, 2006
    #16