More and more people are asking companies to remove their personal data from the database. They always refer to the fact that they have not given permission to process their data (consent). Graydon receives requests like this on a regular basis. Nevertheless, the General Data Protection Regulation (GDPR) provides grounds for processing data other than consent, which people often don't know about or forget, such as legitimate interest.
It's been talked about everywhere in recent months that personal data may no longer be used without the express consent of the person themselves. Many people have used this fact to go to war against companies. They assume that marketing and sales teams can no longer write to anyone without permission. I admit that I am also allergic to spam and irrelevant marketing emails. But the GDPR does not equate to deleting data.
The GDPR also offers companies the opportunity to finally get their data in order. Every self-respecting company should look for opportunities to generate new customers in a responsible way. Do all those companies that are now asking to be removed from the database not want to create new customers? Do remember that with direct mail, individuals have an absolute right to stop their data being used for direct marketing. Any balancing of interests does not apply here. Or are companies trying to use this as a tactic to paralyse their competitors' prospecting?
In any case, that reasoning is very short-sighted, because there is a range of different processing grounds under the General Data Protection Regulation.
You have given a company permission to use your personal data. You have subscribed to a newsletter (opt-in) with interesting, relevant articles. To do so, the other party will need your email address. Everyone agrees on that.
Your personal data may also be processed because it is necessary for the execution of an agreement. For example, you have purchased an address file, which is delivered digitally. The company in question will need your email address to do this. And of course your supplier also needs to draw up an invoice. No one is concerned about that. Existing customers can always be approached for similar services or products, although that is a flexible concept.
Processing personal data is necessary in the context of a legal obligation. For example, the human resources department needs contact details for employees in order to arrange tax issues or withholding tax. For example, in the context of money laundering, banks are obliged to keep a record of Beneficial Owners. These are legal obligations that everyone agrees on.
The processing is necessary to protect the vital interests of the data subject or of another natural person. This mainly has to do with health. For example, if there are risks to your health for which you are mentally or physically unable to give consent. Everyone agrees on that, too.
Processing your personal data is necessary in the context of the general interest or public interest. This point relates, among other things, to public affairs, such as tax collection or in the context of national security.
Your personal data will be processed in the context of a legitimate interest. Legitimate interest is often invoked by companies that need their gigantic database to do business. Media companies are a good example, but Graydon also processes data based on this principle.
In accordance with the General Data Protection Regulation, Graydon also needs grounds for processing personal data. Those grounds can be permission, but also 'legitimate interest', as is the case for including your data (your company name, company addresses that are also private addresses, etc.) in the database. Grounds based on legitimate interest mean that Graydon has to balance the interests of the parties involved:
Graydon's legitimate interest in processing personal data for the purpose of providing the service, and ...
your interest as a data subject not to suffer disproportionate harm with regard to your fundamental personal rights and freedoms.
Graydon always weighs your privacy interests carefully against the interest in providing customers with the necessary company information. Since the personal data processed only includes name and address information and that information can also be consulted using several sources (e.g. Companies House, etc.), the risk of a privacy violation is low. It's also important that the actions that result from Graydon processing this personal data are minor intrusions. Graydon's interest in providing information about your business...
...therefore outweighs that of the subject.
All of that means that Graydon has a legitimate interest in processing companies' data, and that includes sole ownerships. It's a way for us to ensure that our customers can do better business, reduce risks and grow in a financially sound way. It's how we can contribute to a healthy economy and general prosperity.
Graydon processes data based on legitimate interest, which takes precedence over the individual interest, although not every case is assessed on the same level. Each request to delete personal data is carefully considered on a case-by-case basis. In some cases, there may indeed be a good reason for deleting the data.