5th October 2018
As you have done for most of your business career, you get chatting to the person sitting next to you at the latest networking event. At the end of the event, you swap business cards and one or both of you intend to get in touch when you get back to your desks. However, are you allowed to? Doesn’t that need some sort of consent now? Perhaps you should leave it to marketing to get in touch. This innocuous exchange of business cards is governed by privacy law but contrary to some of the inaccurate descriptions, the GDPR should not prevent you from swapping cards and following up.
The fact that swapping cards happens at a networking event is significant. By providing each other business cards, you will reasonably expect to contact or be contacted (including sending direct marketing) for business purposes (presuming nothing to the contrary is agreed or requested). There is no need to obtain consent in this business to business context. Instead, you can rely on the legitimate interest ground to send each other communications.
Matters are a little confused as the law also requires you to provide a privacy notice setting out how the information will be used and under what legal basis at the time the information is collected. However, in the absence of carrying this about your person (!), it is reasonable to take the view that you should provide a privacy notice in a way that is appropriate in the circumstances. For instance, if you have a dedicated stand at a networking event it might be appropriate to place a notice next to where business cards will be collected saying briefly what the intended use you will make of the information and have further details available if requested. If you are simply meeting at an event, you should make clear from your conversation that you intend to use the business card to get in touch or put on marketing list. For instance, ask them something like "Would you like to be included on our mailing list?" The most important thing will be to be clear about the way you are going to use their personal data (a business email address is personal data where individualised and not “info@” or “marketing@”.
Emails should contain links to your privacy notice (either by a prominent link to your online privacy notice or by including a copy of your privacy notice as an attachment). Additionally you should only send marketing to individuals that they would expect to receive - you should always remind individuals of their right to opt out. If you have not yet updated your privacy notice in light of the GDPR, the information you are required to give will not be accurate and this should be done to ensure individuals are given the information required.
The contents of this update are intended as guidance for readers. It can be no substitute for specific advice. Consequently we cannot accept responsibility for this information, errors or matters affected by subsequent changes in the law, or the content of any website referred to in this update. © Mundays LLP 2018.
Sophie Banks considers the use of employee images for marketing purposes under the GDPR and DPA 2018, and what steps an employer should take to prevent complaints of unlawful processing of data in this situation.
Within this edition of Mundays Business update you will find legal articles that we hope you will find useful and help you understand when you might need to seek legal advice.
Fiona Moss examines the approach to exchanging business cards under the EU General Data Protection Regulation (GDPR)