GDPR & Marketing Data

Yes, provided you comply with your obligations under our terms and conditions, the GDPR and the PECR when you use our data lists. For example, our data lists are sold for direct marketing purposes using legitimate interests as the legal basis for processing.

For further information on using legitimate interests, please see the ICO’s guidance which is available here:
Legitimate Interests

Marketing is a significant and important economic activity. Organisations are entitled to market their goods and services, and they have a legitimate interest in seeking to address marketing to the most relevant audiences.

Yes, all of our services are compliant with the GDPR and we have taken the necessary steps to ensure this is the case (including, for example, carrying out a legitimate interests assessment to determine that we can process personal data for direct marketing purposes and use in connection with our services).

Yes, all of our services comply with the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR):

• Postal mail: not subject to PECR.
• Email marketing: we only use B2B data (i.e. corporate data) not B2C data (consumers and sole traders) which does not require consent to market to under PECR.
• Live telephone marketing: all phone numbers are screened against the Telephone Preference Service (TPS) and the Corporate Telephone Preference Service (CTPS), as appropriate.

We do not provide any services where consent is required as the legal basis for processing under GDPR or PECR.

We rely on legitimate interests under Article 6(1)(f) of the GDPR to process personal data in connection with our services. We have chosen legitimate interests as our legal basis for processing as we believe that it is the most appropriate for our activities based on the GDPR and recent guidance from the Information Commissioner’s Office (ICO) and the Direct Marketing Association (DMA).

We have considered different legal bases, including consent, and determined that legitimate interests is the most appropriate for the processing of personal data in connection with our services. Amongst other considerations, we believe that where there are a large number of organisations which may process personal data for direct marketing purposes, naming those organisations individually is impractical and less useful to individuals than identifying categories of organisations. We therefore consider legitimate interests to be a fairer and more appropriate legal basis for processing than consent, whilst offering individuals a similar degree of control over their personal data.

We have conducted and documented a full legitimate interests assessment (LIA). Listed below are some of the key factors that are included and played a role in us determining that we can process personal data for use in our direct marketing services:

• Transparency. Transparency with data subjects is critical when using legitimate interests. We ensure that from the point when the data is collected right through to use of that personal data by our customers that individuals are clear about the purpose for which their data will be used, who will use it and that they have the chance to object to that processing when the personal data is originally collected and subsequently.

• ICO and DMA guidance followed. We ensure that we follow ICO and DMA guidance on the use of legitimate interests for direct marketing purposes, including the requirement that we only use personal data for direct marketing purposes where consent under the Privacy and Electronic Communications Regulations 2003 (PECR) is not required.

• Additional safeguards. We have put in a broad range of safeguards to ensure that any risk or potential harm to data subjects is mitigated, including security, due diligence and contractual measures to ensure that personal data is not misused.

Experian’s data partners obtain personal and commercial data compliantly and, where appropriate, notice has been given for them to pass the information to Experian for use in their products and services. Selectabase utilise Experian data services. More details about Experian’s consumer information can be found within the Experian website.

Selectabase process the data under a legitimate interest of a marketing company. We have ensured that all of the requirements for legitimate interests to be used as the legal basis for processing have been met.

This postal marketing data can be utilised by our clients under legitimate interests.

For your convenience postal marketing B2C data can be ordered and downloaded from Prospect Download.

Experian’s data partners obtain personal and commercial data compliantly and, where appropriate, notice has been given for them to pass the information to Experian for use in their products and services. Selectabase utilise Experian data services. More details about Experian’s business information.

Selectabase process the data under a legitimate interest of a marketing company. We have ensured that all of the requirements for legitimate interests to be used as the legal basis for processing have been met.

This postal and telephone marketing data can be utilised by our clients under legitimate interests.

For your convenience postal and telephone marketing B2B data can be ordered and downloaded from Prospect Download.

GDPR governs the processing of personal data while the Privacy and Electronic Communications Regulations 2003 (as amended) (PECR) govern direct marketing by electronic means.

For postal marketing to corporate entities, where only the name of the company is included (i.e. and not the name of an individual), this will generally not constitute personal data (unless, for example, an individual’s name forms part of the company name) and therefore the GDPR will not apply. PECR will also not apply as it is not marketing by electronic means. Where an individual’s name is included, this will constitute personal data under GDPR and you will require a legal basis for processing that data under GDPR. Where you purchase postal marketing data from Selectabase, your legal basis for processing will be legitimate interests.

For telephone marketing to corporate entities, phone numbers must be screened against CTPS. Corporate phone numbers are unlikely to constitute personal data under GDPR but may do so (for example, if a mobile phone number is used as a corporate phone number), and you therefore require a legal basis for processing that data under GDPR. Where you purchase telephone marketing data from Selectabase, your legal basis for processing will be legitimate interests.

For email marketing to corporate entities, generic email addresses (such as info@companyname.com, admin@companyname.com) will generally not constitute personal data unless you can identify an individual from that data (for example, if you know that the company only has one individual working for it e.g. one director/employee). Such email addresses will therefore (generally) fall outside the scope of both GDPR and PECR.

For personal corporate email addresses (such as joe.bloggs@companyname.com), these will constitute personal data under GDPR but do not require consent to market to under PECR (i.e. legitimate interests can be used). Where you purchase corporate email data from Selectabase, your legal basis for processing will be legitimate interests. You must also ensure that you include an unsubscribe or opt-out where you send an email to a personal corporate email address. As a matter of best practice and to avoid any risk of a generic corporate email address (e.g. an info@company.com) address being considered personal data, you should include an unsubscribe or opt-out on all marketing emails you send (including to corporates).

You can find out more about the requirements for these forms of marketing from the ICO’s direct marketing guidance and checklist which are available via the following links:

• Direct marketing guidance
• Direct marketing checklist

Please note that in addition to GDPR and PECR, there are other laws and regulations which apply to marketing communications, including those sent by email (such as the Electronic Commerce (EC Directive) Regulations 2002).

For your convenience B2B email marketing data can be ordered and downloaded from Prospect Download.

Where consent was obtained prior to 25th May 2018, individuals will have either opted in or had the chance to opt-out to the processing of their personal data for direct marketing purposes. Third parties will have been identified by category/description.

From 25th May onwards (at the latest), all personal data previously processed on the basis of consent will be processed on the basis of legitimate interests.

The answer will depend on the data you have purchased and what type of direct marketing you are carrying out.

For example, if you are conducting email marketing to B2C recipients (consumers, sole traders and unincorporated partnerships, for example) you will be unable to use those lists after 25 May as the data will not meet the GDPR requirements for consent (in particular that any third parties relying on consent, such as your organisation, are specifically named).

For other data, for example postal mail or telephone data, you may need to change the legal basis for processing to legitimate interests and satisfy the relevant requirements for doing so (including, for example, informing individuals that you have changed the legal basis on which you are processing their personal data).

We would therefore suggest that the safest and easiest option is to purchase a new list.