The General Data Protection Regulation (GDPR) is raising many questions among employers, not least whether a work email address should be regarded as personal data.
The short answer is yes, it is personal data. If you take my email address, email@example.com, it states my full name, as well as the place that I work, clearly identifying me and, therefore, qualifying as personal data. However, an employer does not need consent to use your work email address or access your work emails, for example, for disciplinary purposes.
In contrast, generic business email addresses (e.g. enquiry@ or info@) are not personal data, while email addresses that relate to a sole trader or a non-limited liability partnership are personal data if an individual can be identified from the email address.
When it comes to using a business email address for marketing purposes, it is the Privacy and Electronic Communications Regulations (PECR), which sit alongside current data protection legislation, that govern how an organisation can use email addresses for marketing by email, telephone, text or fax.
GDPR will apply to how personal data, including email addresses, is processed, while PECR gives further guidance on how that data can be used for electronic and telephone marketing purposes.
In short, PECR states that you must not send electronic mail marketing to individuals unless:
• they have specifically consented, preferably via an opt-in, or
• they are an existing customer who has bought a similar product or service from you in the past, and you give them a simple way to opt out of receiving your electronic marketing in every message you send. You must not disguise or conceal your identity and must provide a valid contact address so recipients can opt out or unsubscribe.
The term ‘soft opt-in’ is often used to describe the rule about existing customers. The theory is that if someone bought something from you, gave you their details and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven’t specifically consented. However, you must have given them a clear chance to opt out both when their details were first collected and in every message you subsequently send. This rule means you may be able to email your own customers, even after GDPR comes into force.
It is worth noting that a new ePrivacy Regulation, currently in draft form and subject to change, is expected to eventually replace PECR. This will extend PECR’s reach to include ‘over the top’ communications such as voice over internet protocol (VoIP) providers (like Skype) and social media messaging services (for example, WhatsApp).
For business to business marketing, the new ePrivacy Regulation is ambiguous as to whether it will draw a distinction between corporate email addresses and individual email addresses, suggesting that member states will be able to make a provision for this under national law.
It is hoped more clarity will be provided on this, but one thing we do know is that named corporate B2B data (e.g. firstname.lastname@example.org) is personal data and would have to be processed in line with GDPR. Marketers would therefore need to make a choice between using ‘consent’ or ‘legitimate interest’ for sending electronic communications.