The legitimate interest is quite vague, but it is NOT an open bar that can justify everything. Michelle Miles wrote a very good post on this here: Is Legitimate Interest a Legitimate Loophole for GDPR Consent?
I also observe that many people, especially in the data and marketing services supplier world, will try to use the legitimate interest clause to continue their work unchanged... I personally think that this is a very dangerous course. I advise my customers to take this very carefully and make sure that these suppliers will 1/ send the emails themselves, 2/ send the emails in their own names with a clear mention that if they do promote offerings from someone else, they still do it in their own name. Anything else is clearly off the mark.
Yeah, that seems the norm these days when asking our vendors/suppliers for their stance on how their company is compliant with GDPR. I expect our GDPR/Legal team to shut this down real quick if they don't change their interpretation of the law - and thus how they operate as a data processor/controller.
Reading further on down in this specific vendor's response - you'll all get a kick out of this one:
We think the GDPR, based on its plain language, does not apply to B2B marketing under this test because the offer is to the employer, not the employee. (See Id. Art. 3(2)(a) (“The Regulation applies . . . where the processing activities are related to . . . the offering of goods or services . . . to such data subjects in the Union[.]”) (emphasis added).) In layman's terms, B2B companies are offering goods and services to companies, not the data subjects AT those companies - their products and services are for the benefit of the company, not the consumer (data subject) - think of this as the difference between selling a vacation cruise to a person over the phone or email vs. selling a sophisticated firewall or backup solution to a company. But it is a gray area that wants additional guidance.
In a sense you could file this under "Marketers who don't understand their own business model," ugh.
Interesting attempt at spin, though. Since corporate personhood isn't recognized in the EU the way it is in the US, and a "data subject" is defined in GDPR as a natural person (not merely a legal person), if you could establish that somehow no natural person's data was involved in processing, maybe you'd have something. But it would be impossible to make that guarantee, since someone's work address is still "an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
Hi Sanford & Dan,
It is on this ground that it is possible to make a distinction between generic email addresses (firstname.lastname@example.org) and personal ones (email@example.com) and to be allowed to treat the first with much cooler rules.
But there it stops. As you duly point out, the GDPR is about personal identification, not data from the private sphere only.
Yeah, I doubt that this is what this vendor is referring to. They are attempting to interpret the law (and find whatever loopholes are possible (good luck with that)) that allows them to continue to operate business as usual - and therefore communicate to their customers that "yes, we are GDPR-compliant". Knowing who this vendor is, the data that they have (along with the email addresses) are of individuals, not company/generic.
I fully understand this. Yet 2 remarks:
Hi Greg - what's your take on contact subscription/enrichment services like ZoomInfo, ReachForce, Hoovers, DiscoverOrg, Data.com, D&B, InsideView, RainKing, Lead411, etc.? These are the ones that, IMO, are greatly going to be impacted (along with the typical telemarketing agency) and will need to change their business model to survive.
Salesforce has started to retire data.com in the EU. No reason given, but that tells a lot, IMHO.
Data enrichment can be OK (how to complete a person's information after she has entered your database through a form). You will have to get into details about what data you are appending, since it has to be relevant to your business.
Lead appending (adding new leads to your database after an anonymous visitor with an IP that is linked to a specific company visited your web site) is clearly off limits.