If you have a legitimate business interest to contact someone and you don't encroach on their personal freedoms, then oftentimes, yes!
Article 6(1)(f) gives you a lawful basis for processing where:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
In determining whether you can rely on legitimate interests, the key is to undertake the following three-part test:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
A wide range of interests could be considered legitimate. The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list.
‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. You cannot rely on legitimate interests if there is another reasonable and less intrusive way to achieve the same result.
You must balance your interests against the individual’s interests. In particular, if they would not reasonably expect you to use data in that way, or it would cause them unwarranted harm, their interests are likely to override yours. However, your interests do not always have to align with the individual’s interests. If there is a conflict, your interests can still prevail as long as there is a clear justification for the impact on the individual.
When relying on legitimate interests may be appropriate:
- Marketing: where you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object, you may be able to rely on legitimate interests for your marketing interests. However, this is only if you don’t need consent under PECR.
- Minimal impact: where you can show that your processing is light touch and you are processing data in ways that people would reasonably expect and that have a minimal privacy impact.
- Third parties: you may be able to rely on legitimate interests in order to lawfully disclose personal data to a third party. You should consider why they want the information, whether they actually need it, and what they will do with it. You need to demonstrate that the disclosure is justified, but it will be their responsibility to determine their lawful basis for their own processing.