Calls to individuals
If the call is to an individual (including a sole trader business or individuals who are partners in a partnership) we can call if:
A. we have a GDPR compliant consent to our processing of the individual’s personal data for marketing purposes.
B. the person’s number is not listed on the Telephone Preference Service (TPS) and:
(i) we have an existing customer relationship with the recipient and they might reasonably expect a call from us, and
(ii) we gave them a chance to opt out when we collected their personal data and we give a chance to opt out whenever we contact them, and
(iii) the person has not objected to our calls in the past.
So first we need a legal basis to process (i.e. consent or legitimate interest) and if it is legitimate interest we need to be certain they are not listed on TPS and have not objected or opted out.
This means we will need to screen call lists against the TPS register and keep our own suppression list of people who have objected to calls or opted out.
Calls to businesses and organisations
If the call is to an organisation whose legal status is a limited company, public limited company, limited liability partnership or a government body we can call if:
A. We have the organisation’s consent (although this does not need to be GDPR compliant because companies are not data subjects under GDPR)
B. The recipient organisation’s number is not listed on Corporate Telephone Preference Service (CTPS) and they have not objected to our calls in the past.
So, we don’t need a legal basis to call business to business, but we do have to screen calls against the CTPS (and TPS also if we are unsure about the legal status of the recipient) and keep our own suppression list of organisations who have objected to calls.
Organisations should maintain a ‘suppression list’ of people who have opted out or otherwise told that organisation directly that they do not want to receive marketing.
Note that individuals may ask an organisation to remove or delete their details from a database or marketing list. However, in most cases organisations should instead follow the marketing industry practice of suppressing their details.
Rather than deleting an individual’s details entirely, suppression involves retaining just enough information to ensure that their preferences are respected in the future.
Suppression allows organisations to ensure that they do not send marketing to people who have previously asked them not to, as there is a record against which to screen any new marketing lists.
If people’s details are deleted entirely, there is no way of ensuring that they are not put back on the database. Deleting details might also breach industry-specific legal requirements about how long to hold personal data.
Organisations must not contact people on a suppression list at a later date to ask them if they want to opt back in to receiving marketing. This contact would involve using their personal data for direct marketing purposes and is likely to breach the Data Protection Act 2018, and will also breach Privacy and Electronic Communications Regulations if the contact is by phone, text or email.
However, people can change their minds and marketing strategies also change. There is some merit in making sure that the information about people’s preferences is accurate and up to date.
It can be acceptable to send a message immediately after someone has opted out confirming they have unsubscribed and providing information about how to re-subscribe, or to remind individuals that they can opt back in to marketing if the reminder forms a minor and incidental addition to a message being sent anyway for another purpose. However, organisations must do this sensitively, must not include marketing material in the message, and must never require an individual to take action to confirm their opt-out.