During last month’s MEF Connects Digital on the impact of GDPR on enterprise messaging, the expert panel were inundated with questions from the messaging community on this. Here then, one of session experts, Lee Suker, Market Development Director and Data Protection Officer at XConnect has kindly taken the time to give his views on the questions not covered in the session. Both the questions & answers show the complexity of this topic and the importance of being ready for the forthcoming regulation.

Is it necessary to comply with GDPR, if you are a UK company but you process data from say Brazilian customers i.e. data from users outside of the EU?

“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” – (www.eugdpr.org)

We are a Swiss company who is providing messaging services also to EU-clients. How is GDPR affecting us regarding EU clients as Switzerland is not a member of the European Economic Area? We have our data-center only in Switzerland. (which is therefore outside of EEA)

Increased Territorial Scope (extra-territorial applicability) – Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. Previously, territorial applicability of the directive was ambiguous and referred to data process ‘in context of an establishment’.

This topic has arisen in a number of high profile court cases. GDPR makes its applicability very clear – it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU.

Non-Eu businesses processing the data of EU citizens will also have to appoint a representative in the EU. (https://www.eugdpr.org/the-regulation.html)

One of our services allows one person to buy a gift (voucher) for another person and then this is delivered via SMS on that persons birthday. How does consent apply in this scenario as the receiver of the gift has technically not given consent but the buyer has done it on their behalf.

The most important thing to remember is that you can only carry out unsolicited electronic marketing if the person you’re targeting has given you their permission.

This example is not unsolicited marketing. (ICO guidance on unsolicited marketing). This example is likely to rely on legitimate interest of third parties (Six legal basis for processing)

We are a Greece-based messaging automation company utilising Hubspot for outbound Sales. Do we have to obtain the consent of the existing clients and potential leads, in order to handle their data from Hubspot CRM?

B2C and B2B marketing rules are different. For B2C, the most important thing to remember is that you can only carry out unsolicited electronic marketing if the person you’re targeting has given you their permission. ICO guidance on unsolicited marketing.

If you are relying on legitimate interests for direct marketing, the right to object is absolute and you must stop processing when someone objects. Look at guidance from the ICO on B2B marketing

Can you talk more about the shift from processor to controller?

Typically data processors determine the methods and the means of storage processing and transmission. See the guidance from the ICO

The point being made in the Webinar was that all organisations will be processors in some circumstances and controllers in others. For example, all companies will be controllers for their own employee’s HR data.

As organisations add more value to their services, this is likely to involve acquiring and processing data above and beyond the specific instructions of controllers-in-common. When this happens you will be a controller-in-common in the processing chain. Please see this link to guidance on processors and controllers

How can we get verbal consent? for example, in-store at a counter..?

Recital 32 of GDPR says that Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.

This information is kindly provided by the Contributor and does not constitute legal advice. References are from the UK’s Information Commissioner’s Office. All European markets have issued their own guidance.