Firstly please refer to our Creditsafe GDPR customer briefing, which sets out how we align with the GDPR, in relation to our lawful grounds for processing data and our data security measure. The attached briefing can be found below.
Consent is typically obtained at point of data collection and annually thereafter via verification calls. However, due to the need for very granular consent under the GDPR, it is not entirely satisfactory as a ground for processing. It would not be possible to obtain the level of granular consent required under GDPR as it would essentially require every third party recipient of the data, as well as the reasons for the transfer and the purposes for which they will use the data, to be provided to the data subject. This is simply not possible for data aggregators and business registries, which have thousands of customers in different industries and different usage requirements. The same will apply to most, if not all, suppliers of this type of business data.
Therefore, we are also relying on legitimate interests as a lawful ground for B2B marketing. This is specifically acknowledged in recital 47 of the GDPR as being a plausible ground for marketing (“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”). In our case, we rely on legitimate interests on the basis that a business has made its details available and it is for the benefit of all businesses that marketing is facilitated. For businesses which do not wish to receive marketing, there are legitimate means to prevent it, including not supplying the details for inclusion in business registers, objecting to direct marketing under the GDPR, and/or registering with the TPS/CTPS.
Our customers ultimately need to make their own assessment and will be directly responsible for their own compliance with GDPR when using the information, as well as other requirements such as PECR and the TPS/CTPS. However, provided they do so and properly document (as Creditsafe has done) the grounds for processing data, there should not be any risk of legal challenge.