The driver behind all these emails is, of course, the General Data Protection Regulation (“GDPR”), which came into force on 25 May 2018. Under the GDPR, organisations owe greater obligations to individuals than they did under the Data Protection Act 1998.
- How and why personal data is collected – individuals must be told how their personal data is going to be used. The GDPR does not usually require individuals to give consent before personal data can be processed. The GDPR allows data to be processed, without consent, where it is necessary to perform a contract between the organisation and the individual. For example, if a customer buys a fridge from an online retailer, the retailer may collect the customer’s name, address and billing details (without the customer’s explicit consent) to fulfil its contractual obligation of supplying the fridge.
- Who personal data is being shared with – organisations must inform individuals if their personal data is going to be disclosed to third parties, and if so the purpose of any such disclosures.
Please note the contents of this blog are given for information only and must not be relied upon. Legal advice should always be sought in relation to specific circumstances.