Are companies able to share marketing lists business to business without consent?
Organisations that share personal data must comply with the data protection principles and requirements contained in the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).
The DPA 2018 sets out the framework for data protection law in the UK, updating and replacing the Data Protection Act 1998, and it came into effect on 25 May 2018. It sits alongside the GDPR and tailors how the GDPR applies in the UK. The potential consequences of non-compliance are risky, as the financial penalties are so high.
Business to business marketing
If the bulk of your client base are businesses – but you are still able to identify an individual, either directly or indirectly, within a company - the GDPR will still apply, even if they are acting in a professional capacity. For example, if you have the name and number of a business contact on file, or their email address identifies them (e.g. initials.lastname@company.com) the GDPR applies.
Is a data subject’s consent required?
Under the GDPR and the DPA 2018, any sharing of personal data with third parties, including with another data controller, must be done lawfully (e.g. in compliance with rules on confidentiality etc) and can only be done without the consent of those data subjects where you have an alternative legal basis to rely upon. The bases (Article 6, GDPR) are set out as follows:
1. Consent - a data subject has given clear consent for you to share their personal data for a specific purpose;
2. Contract - the sharing is necessary for the performance of a contract or to comply with a request by the individual before entering into a contract;
3. Legal obligation - the sharing is necessary for you to comply with the law (excluding contractual obligations);
4. Vital interests - the sharing is necessary to protect someone’s life;
5. Public task - the sharing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law;
6. Legitimate interests - the sharing is necessary for your legitimate interests or those of a third party, unless there is a good reason to protect the data subject’s personal data which overrides those legitimate interests.
Recital 47 of the GDPR states: ‘The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest’. This means that direct marketing may be a legitimate interest. However, this does not automatically mean that all processing for marketing purposes is lawful on this basis. You still need to show that your processing passes the necessity and balancing tests.
When looking at the balancing test, it is necessary to consider factors such as:

• Whether people would expect you to use their details in this way;
• The potential nuisance factor of unwanted marketing messages;
• The effect your chosen method and frequency of communication might have on more vulnerable individuals.
Given that individuals have the absolute right to object to direct marketing under Article 21(2), it is more difficult to pass the balancing test if you do not give individuals a clear option to opt out of direct marketing when you initially collect their details (or in your first communication, if the data was not collected directly from the individual).
However please note that the GDPR does not say that direct marketing always constitutes a legitimate interest, and whether your processing is lawful on the basis of legitimate interests depends on the particular circumstances. You can rely on legitimate interests for marketing activities if you can show the way you use people’s data is proportionate, has a minimal privacy impact and people would not be surprised or likely to object to what you are doing.
A further hurdle exists when trying to rely on the legitimate interests bases for marketing, as sometimes you will need consent to comply with the Privacy and Electronic Communications Regulations (PECR). PECR restricts unsolicited marketing by phone, fax, email, text or other electronic message. There are different rules for different types of communication. The rules are generally stricter for marketing to individuals than for marketing to companies but the rules also apply to business-to-business marketing.
The difficulty is that reliance upon the legitimate interest bases is not watertight. Furthermore, under the PECR, companies may not telephone a consumer without the consumer’s consent. If the PECR e-privacy laws require consent, then processing personal data for electronic direct marketing purposes is unlawful under the GDPR without consent. If you have not got the necessary consent, you cannot rely on legitimate interests instead. You are not able to use legitimate interests to legitimise processing that is unlawful under other legislation.
If e-privacy laws do not require consent, legitimate interests may well be appropriate. Based on the current legislation (PECR) and depending on the outcome of your three-part test, legitimate interests may be appropriate for ‘solicited’ marketing (i.e. marketing proactively requested by the individual) or for unsolicited marketing in limited circumstances.
If you are in doubt of your obligations, please contact Nusrat Qureishi in our commercial department for further advice on email: nxq@cooperburnett.com or tel: 01892 515022.
This blog is not intended as legal advice that can be relied upon and CooperBurnett does not accept any responsibility for the accuracy of its contents.
