To comply with GDPR, Whitehall Management has carried out a Legitimate Interests Assessment which is documented below
Purpose of Processing
Whitehall Management has a legitimate interest to process personal data relating to decision makers and budget holders in medium-to-large organisations in the UK. The data is gathered from publicly available sources and directly from the companies concerned.
Lawful Business Objective
The processing is necessary in order to carry out business-to-business direct marketing; a lawful business objective specifically identified by the Privacy and Electronic Communications Regulations 2003 (PECR). Recital 47 of the GDPR identifies direct marketing as a legitimate use of personal information.
Reasonable Expectation
The data subjects are senior business people with decision making and budgetary responsibilities and can reasonably expect to be contacted with marketing material relating to their professional roles.
Adequate, Relevant & Limited
The data collected is limited to names of senior managers and directors, their job titles, company addresses, company landline telephone numbers and corporate email addresses. If a person leaves their role, their name and contact details are deleted from the database.
Opt Out
If a data subject requests that their data is removed from the database, it is suppressed so that it cannot be accessed or added again at a later date.
Whitehall Management has updated its privacy policy to show that we are relying on legitimate interests to process data.
What is Legitimate Interests?
Legitimate Interests is one of the six lawful bases for processing personal data under the GDPR (General Data Protection Regulation). You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle.
Legitimate interests might be your own interests, or the interests of the third party receiving the data, or a combination of the two.
Latest guidance from the Information Commissioner says that legitimate interests may be the most appropriate basis when:
“the processing is not required by law but is of a clear benefit to you or others; there’s a limited privacy impact on the individual; the individual should reasonably expect you to use their data in that way; and you cannot, or do not want to, give the individual full upfront control (i.e. consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.”
You can read the Information Commissioner’s guidance on legitimate interests in full on the ICO website