18

I just received an unsolicited email from a company that wanted to sell me their services. They claim they do "Functional Service Provision (FSP)", whatever that is, tailored for biotech companies. I am a C-level employee of a biotech company, but have never interacted with or requested anything from these people. Their spam contained the following disclaimer:

Disclaimer

You are receiving this email under ‘Legitimate Interest’ as defined by the General Data Protection Regulations. If you do not wish to receive any further emails from us, please reply to this email with the words ‘Opt Out’ in the subject line and we will ensure you do not receive further emails.

I am based in the UK, but the spammer is in the Republic of Ireland. I realize the GDPR isn't relevant anymore to the UK, but it is relevant to Ireland.

Does the above disclaimer make sense? Can spamming random (or, at best, semi-random; yes I am in the field, but no, I did not ask for this and no it isn't actually relevant to the part of the field I am active in) people come under Legitimate Interest? Why?

Ideally, I would like an answer for my specific case: I am a UK resident, but an EU national (Greek). If that is too complex, we can ignore the UK side and imagine I were resident in the EU. Either way, is there any legal basis under which Legitimate Interest permits outright spamming like this?

terdon

2 Answers

31

No.

"Legitimate interest" does not mean "I think I can get a few euros out of it" or "I feel like using your data for whatever I like." It means that it is necessary for the data operator, for a legitimate reason.

For example, it could be to inform you of changes to the T&C of the site, to warn you that your account is about to expire, to verify that you are actually who you claim to be, to inform you of a data breach... and similar.

A giveaway is that they claim that you are offered an opt-out. A legitimate interest would not give you that option, because it is something that the business must use your data for.

They are clearly trying to mingle "legitimate interest" with "consent", while they are two very different concepts.

And, regarding:

I am based in the UK, but the spammer is in the Republic of Ireland. I realize the GDPR isn't relevant anymore to the UK (right? They've made such a mess of things, I am not really sure anymore), but it is relevant to Ireland.

If the data processor is in the EU, they are required to comply with GDPR, even if you were a British citizen living in the UK.

https://europa.eu/youreurope/business/dealing-with-customers/data-protection/data-protection-gdpr/index_en.htm

Also IIRC, GDPR was transposed into UK laws. So you will not have it by that name, but probably there is something very similar to it.

SJuan76
3

Probably, but maybe not

The UK's Information Commissioner's Office has this to say about the UK GDPR and direct marketing. I've pulled out some quotes which I think reflect the whole, but you may wish to read the whole thing.

Can we use legitimate interests for our marketing activities?

Yes, in some cases, but you need to apply the three-part test and ensure that you comply with other marketing laws. Recital 47 of the UK GDPR says:

“…The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

This means that direct marketing may be a legitimate interest. However the UK GDPR does not say that direct marketing always constitutes a legitimate interest, and whether your processing is lawful on the basis of legitimate interests depends on the particular circumstances.

Reading on down, you get to a table giving an overview of when they may or may not engage in such marketing, and it comes down to whether they have gained "soft opt-in" - this is that they've told you that your data may be used for marketing. You say you haven't dealt with these people; I think it's much more likely that you have dealt with some other part of the same business, since many biotech companies share ownership.

Moreover, although you say it has come to your private email, it seems to me more likely that the company is attempting to contact you in a business-to-business way and simply has your private email on record because you used that email to contact them (or another company in the group) in some prior situation, in which case the next section of the guidance applies:

Can we use legitimate interests for our business to business contacts?

Yes, it is likely that much of this type of processing will be lawful on the basis of legitimate interests, but there is no absolute rule here and you need to apply the three-part test.

You are still processing personal data when you are using and holding the names and details of your individual contacts at other businesses. You must have a lawful basis to process this personal data.

So there is no clear-cut is/isn't legitimate interest line regarding direct e-mail marketing. It depends on the exact circumstances, and the circumstances under which they obtained your email.