One of the most common misconceptions about the scope of European Privacy legislation is that it does not apply to the processing of business data. The definition of personal data in the Data Protection Directive is very wide: “Personal Data shall mean any information relating to an identified or identifiable natural person”. Identifying factors include not just personal characteristics but economic ones as well. To be clear, business information without reference to a named individual is generally not covered but where a named individual is present, the data is personal.
Business database owners must, therefore, apply the same stringent requirements for consent as their consumer counterparts. For postal communications that generally means that the business person must be offered an opt-out when the data is collected. But the advent of the Directive on Privacy and Electronic Communications brought another layer of possible confusion into the mix. The Directive applies to “natural persons” but also requires that “the legitimate interests of subscribers other than natural persons with regard to unsolicited communications are sufficiently protected.” (Article 13)
The UK’s interpretation of this requirement in the Privacy and Electronic Communications Regulations (EC Directive) 2003 (PECR) has been to include some classes of business contacts within the definition of an “individual subscriber”. The definition covers not just residential subscribers but sole traders and non limited partnerships in England, Wales and Northern Ireland and any partnerships in Scotland. Individuals within corporates or public service employees are not covered but emails to them are still governed by the Data Protection Act 1998 and the PECR requirements to identify the sender of an email and to include an unsubscribe option still apply.
Other European countries have extended the protection in the Directive to corporate subscribers making no differentiation between “natural persons” and legal persons or their employees. Many countries have a strict interpretation of the so called “soft opt-in” rule.
In the UK’s interpretation, this rule allows email addresses collected “in the course of a sale or negotiations for a sale” to be gathered using opt-out – this includes collections which occur before the sale is completed. This is not so in most of the rest of Europe where the sale has to be completed for the dispensation to apply. Given the protracted nature of most B2B sales processes this de facto means that details have to be collected with opt-in.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.