AnsweredAssumed Answered

GDPR Legitimate Interest

Question asked by Sean Richards on Oct 2, 2019
Latest reply on Oct 4, 2019 by Chris Willis

I have a data provider that provides us access to a targeted database of people (names, emails, company, title, etc).


In their database it includes people from EU countries.


I emailed them some questions, see below...


I have some questions in regards to your privacy policy. We are in the process of doing some new high quality targeted marketing (email) campaigns which include people from your database that fall under GDPR.
I should state up front that Natalie and I have invested many months studying GDPR and global privacy legislation, how it relates to our sales and marketing operations and implementing much of the technology to support our compliance.
In regards to your Privacy Policy, it states the following:
So, as long as your communications aren’t overridden by the interests or fundamental data protection rights and freedoms of the individual, you can use personal data for the purposes of sending direct marketing communications so far as GDPR is concerned. Relevant, targeted and unobtrusive direct business-to-business marketing is unlikely to be overridden by those interests, but please see our Purchasing Guide for further guidance.
The way I read this is it says that you take the position that targeted B2B sales outreach or direct marketing to people that are relevant, would in many instances be classified as implying legitimate interest and therefore "implied consent" under GDPR. However as we understand it, this is not the law. Unless the people under GDPR have provided explicit (opt-in) consent to marketing, they cannot be marketed to. Legitimate interest is reserved for people who are customers or moving through a businesses systems under a transactional process. Imagine someone orders a pizza from an online pizza store. They are providing their details and expect you to process their data to complete the order, but they did NOT agree to opt in to marketing.
What is your stance on this and can you provide explicit consent has been provided from the people within your database?  
I also would like to know where in the policy it states that their opt-in (if any) also includes their consent to your customers (us in this case) using their personal information for marketing. If they have not agreed to this, we and you could be breaking the law by us marketing to these people who are under GDPR.
It seems you've taken a very liberal an approach to interpreting what constitutes "legitimate interests" and are essentially assuming "implied consent" if they are a match to our target market, much like our Privacy law in Australia (and many other countries that still allow inferred consent). However this is not how GDPR works.
Here as an example is a trusted resource that I've timestamped accordingly:
Here is another timestamp:
Can I also ask how are you proving legitimate interest for keeping these people's data and do you have their explicit consent for us to use your data for our marketing purposes? 
If you believe I have this wrong, please let me know. I am sure you have had to answer this already, so hopefully can copy and paste from another response.
Then I had a phone call with them where they stated:


Our position is that if someone is a fit for business (target persona) in a B2B model, that qualifies under GDPR as legitimate interest and we believe that it's lawful to add that person to our database AND market to them. Therefore our customers like yourself should also be able to use this same criteria to prove legitimate interest, so long as you and we provide the means for them to opt out.



This is definitely contrary to our understanding and interpretation of the law of GDPR.


Am I right?