I have a strange one, about which I am ambivalent. It’s strange mostly because it is unusual to me.
We curate a large database providing information about what is happening within a certain industry.
“Company X is doing activity Y with other company Z” sort of thing.
For each item, where possible, we list B2B contact details.
One of our clients wants to market to a few hundred of those B2B contacts. Our legal basis for processing is legitimate interest, using opt out.
They want our OK. Thoughts?
HellenB
You, as a controller, would be sailing very close to the wind with regard to being a third-party seller of data and would need to be mindful of your obligations in this regard.
As you collected the data for your own purposes you will have described the purposes for processing in your privacy notice. This would not have included research for the purposes of selling the data for a profit.
I would suggest that you have a careful look at
https://dma.org.uk/article/an-open-letter-to-data-brokers
If this doesn’t form a key commercial imperative for your business I would strongly suggest that you consider if the legislative lift is worth it.
PhilM
Hi, you would be able to provide this information as a controller to controller data share against their legitimate interest. However, they would need to consider carefully what they do with that information. If they wanted to market to them by email, that would contravene PECR as they don’t have consent. If they believed they had a legitimate interest to contact them, they would need to be mindful of their obligations under GDPR Art. 14 (Information to be provided where personal data have not been obtained from the data subject). Cheers, Phil.
Chris Roberts
I would follow Hellen’s advice.