GDPR and PECR GUIDANCE FOR MEDIMAX GLOBAL & ABPMpro USERS
A number of our customers, subscribers and registrants have enquired about the General Data Protection Regulations ('GDPR') that are to be introduced on 25 May 2018. This document aims to provide the relevant information required, including links to information provided by the Information Commissioner's Office ('ICO') and the Direct Marketing Association ('DMA').
The Privacy and Electronic Communications Regulations ('PECR') apply to marketing emails and remain in force unchanged on 25 May 2018 as they have been since 2003 (and last amended in 2016).
Brief Summary
GDPR is concerned with the storage and processing of personal data including names and email addresses. PECR is concerned with email marketing. An email cannot be sent without storing and processing the personal data concerned and GDPR applies to this aspect of sending emails. GDPR allows storage and processing of personal data under six lawful grounds. For many businesses, the most applicable of the possible grounds is "Legitimate Interests".
The Guidance from the ICO on Legitimate Interests can be found here: ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/
Further useful information can be found at: ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/
The above article, under the heading "Can we use legitimate interests for our marketing activities?" states that Recital 47 of the GDPR says:
"...The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."
The information at the following link describes the process of completing a Legitimate Interests Assessment ('LIA'): ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice/
Other Useful Information
he DMA website includes the following useful links:
GDPR Guidance for Marketers at: dma.org.uk/article/dma-gdpr-guidance-for-marketers?utm_source=Adestra&utm_medium=email&utm_term=&utm_content=Learn%20more&utm_campaign=%20Responsible%20round%20up%204%2F04%2F18
GDPR for Marketers: The essentials at: dma.org.uk/uploads/misc/5aabd9a90feff-gdpr-essentials-for-marketers----an-introduction-to-the-gdpr_5aabd9a90fe17.pdf
Direct Marketing
With regard to direct marketing, the above article states on page 18 that:
"During a parliamentary debate, the DMA advocated that a business' legitimate interests were recognised alongside the customer's right to privacy. Communicating to prospects and customers is the
essential lifeblood of commercial success so direct marketing is recognised specifically in the text as a legitimate interest in Recital 47.
"Marketers have always been able to rely on the legitimate interests condition as an alternative to consent under Data Protection Act 1998 ('DP 98'), in cases where the Privacy and Electronic
Communications Regulations (PECR) - which preceded DP 98 - wasn't applicable. However, this legal basis was not stated as explicitly in DP 98 as it is in the GDPR.
"Legitimate interests is one of six legal grounds in the new law that allows the processing of personal data. All of these legal bases are equally valid. The specific information needed for valid consent are rigorous, which can make it problematic to use for direct marketing activities. The DMA expects legitimate interests to be a widely used lawful basis for processing, particularly given the high level of
flexibility given to organisations in explaining and documenting their rationale for processing activity.
"The GDPR says: 'The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest' (see Recital 47 of the GDPR text for further information).
"In addition, the GDPR says that processing is lawful if it is: 'Necessary for the purposes of the legitimate interests pursued by the controller or by a third-party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of personal information, in particular where the individual is a child' (see Article 6.1(f) of the GDPR text for further information)' ".
Fines
With regards to fines, on page 17 of the above article, it states that:
"The Information Commissioner has told us [the DMA] that the GDPR is not about seeking to issue as many fines as possible. For them, GDPR and its implementation is about putting the consumer and
citizen first. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point. The ICO policy has always been one of proportionality: it would much rather educate an organisation and see it correct bad practice before even talking about fines. Even with its current enforcement powers, the ICO has never issued the maximum fine of £500,000.
The size of the organisation, the impact of the breach and whether or not sufficient policies and procedures are in place to justify action (accountability) will all be taken into account".
Privacy Notices
Information you must display in your privacy notice includes:
This information must be displayed at a minimum in "clear and plain language" and must be relevant to the audience (see Aricle 12 of the GDPR text for further information using this website you accept the terms of this Privacy Statement.
COMMITMENT TO PRIVACY
We respect your privacy and are committed to protecting the personal information you provide to us.
When you provide us with your personal data, you consent to us processing all such personal data as set out in the Privacy Statement. Please read this Privacy Statement carefully and revisit this page from time to time to review any changes that we may have made. If you have any questions, comments or concerns about about how we handle your personal information, please contact us.
Even though we take appropriate technical steps to protect your security, you should remember that data transmission over the internet cannot always be guaranteed as 100% secure so you use the website at your own risk.
PERSONAL DATA
We keep personal data upon contacting us in order to provide you with a quotation or product information. This data will be held securely on our systems so we can contact you back in the future.
We will release personal information where it is required or permitted to do so by law or by the regulations and other rules to which it is subject. We may in particular exchange information with other companies and organisations for fraud protection and credit risk reduction.
Other than in the above situations we will not share personal information with third parties without your consent.
You have the right to ask for a copy of your data held by us in return for which you may be charged a small administration fee. You also have the right to require us to correct any inaccuracies in your data, or remove your details altogether.
LINKS
Our website contains links to other websites. We are not responsible for the privacy policies of other sites and we advise you to read the privacy statement of every website that collects personal information from you.
Tel: +44 (0) 1420 88688
Email: sales@medimaxglobaluk.com
Address: Unit 15, Old Aylesfield Buildings, Froyle Road, Shalden, Alton,
Hampshire, GU34 4BY, UK
Company VAT number: GB 917027240
EORI number: GB917027240000
Company Incorporated in England & Wales: 6220833
We need your consent to load the translations
We use a third-party service to translate the website content that may collect data about your activity. Please review the details in the privacy policy and accept the service to view the translations.