Marketing activities to companies

I am unable to determine whether Limited companies are included in the restrictions or excluded

I do not understand if you are asking if Limited companies are subjected to GDPR rules (yes, they are) or if marketing activities towards Limited companies are subjected to GDPR rules (it depends).

Article 3 of GDPR states that it applies to all processing of personal data made by any legal entity. Exceptions are intended when personal data processing is carried out by:

• Individuals during personal or household activity
• in the course of an activity which falls outside the scope of Union law
• Member States in common foreign and security policy
• By competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

Consequently, if your company processes personal data in the EU or is located in the EU it is subject to the GDPR provisions.  

You can find more information about the GDPR application in the following articles:

• What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
• Is the GDPR applicable to our company? https://advisera.com/eugdpracademy/knowledgebase/who-needs-to-be-gdpr-compliant-an-easy-explanation/

Also, are email addresses with a person's name and the company domain deemed to be personal of for company/business purposes? 

Yes, it is considered personal data because the name and surname of the person allow identification. Mail like info@company.com is not considered personal data. GDPR does not consider purposes of data (personal or business) but only the afference to individuals.

Here you can find more information on the impact of GDPR on marketing activities:

• How does GDPR impact marketing activities? https://advisera.com/eugdpracademy/blog/2018/02/08/how-does-gdpr-impact-marketing-activities/
• How does GDPR affect digital marketing? https://advisera.com/eugdpracademy/blog/2019/02/20/how-does-gdpr-affect-digital-marketing/

You may also consider enrolling in this online EU GDPR Foundations Course:EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Thank you for the information. My question rephrased; is more about selling/marketing to people who work at a company (legitimate sales action) - can we send unsolicited email to offer a product or service. Your answer is good but I still cannot assess whether the accepetd business practice of one company directly offering products/services to another company is lawful under GDPR. The function of the approach is to make sure the sales/marketing message is sent to and received by the correct person in the company - surely the person's name on an email/email address is necessary and lawful? Many times this person's detail is public knowledge (director/owner/VP/manager/buyer). How does a company make sales revenue if GDPR enforces the sending a communication to a company for sales/marketing purposes illegal. How would any business trade or make sales necessar to sustain a business? The thought of STOPPING sales approaches to prior unaquainted individuals (decision makers) at a target company seems proposterous. Surely a company will not know a supplier exists (better prices, better products) if the sales activities cease? What are your comments? 

@Dudley

If you want to send unsolicited selling/marketing email to people working at a company you can determine if the recipient company is your client/supplier and verify if in your agreements and privacy policy you inserted marketing purposes among purposes of data processing. In this case, you can send emails in compliance with GDPR. You can send emails to persons who are relevant and connected with your products (as you said director/manager/buyer).

It is not compliant with GDPR to grab on the internet the email address of people working in companies to send them marketing email because of their job. It is considered a legitimate interest to send a cold email with a presentation of your company asking for consent to receive offers or information about your products.

There is a balance between the right to make a profit and the right of people to not receiving unsolicited emails. Some companies use not personal email to collect information from other companies like info@company.com or supplier@company.com.

Wow. Thank you so much. You are really helping me. So to clarify for my own understanding, I'll take it point by point. 
1) I can send email to a company who is already a customer and who has agreed to receive marketing messages from me? Please proved the GDPR clause for this point

2) The person receiving marketing messages/emails from me must be relevant and connected to my products/services? This means that relevance is important?

3) If I search on the Internet for a company and the relevant person to speak to about what I am selling, openly provides this information and is thus freely available on the public domain, then it is still not compliant to send them an email? This means that information that is in the public domain and openly presented to the public as having that title or role is still not appropriate to send him/her a cold email? Please provide the GDPR clause for this point?

4) A further example of public domain information that is freely available is LinkedIn social media which is purpose-built for networking between business individuals. Individuals openly make themselves available to be communicated with. LinkedIn also provides a  communication message box to approach a potential customer. Please provide the GDPR clause for this type of communication in social media?

5) The only method in which to engage with a person from a company is to send an unsolicited email invitation to the person to ask if I can send them marketing information. Is this not contradictory? because "sending them an offer in order to send them an offer" makes no sense to me. Can you provide the defined and explicit clause in the GDPR to reference the definitions and explanations of this point?

6) If I sell multiple products and services and the person opt-in for certain products/services and opt-out for other products/services. Where or how does the GDPR allow or disallow further promotion to an opt-in customer but opt out for specific product/service? Please provide the GDPR clause for this point?

I want to thank you for providing such an amazing service and for helping me on this journey of discovery. I look forward to your responses.

"Wow. Thank you so much. You are really helping me. So to clarify for my own understanding, I'll take it point by point. 

1) I can send email to a company who is already a customer and who has agreed to receive marketing messages from me? Please proved the GDPR clause for this point

Yes, Article 6 par. 1 lett. a GDPR states that: 

“Processing shall be lawful only if and to the extent that at least one of the following applies: a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;”

So if your customer has given you consent to process his personal data (email) for one or more specific purposes (providing your services and promoting/marketing) your processing (sending promotional email) will be lawful.

You can find more information about consent in the new Guidelines adopted by the European Data Protection Board (EDPB) on May 4th 2020: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf

2) The person receiving marketing messages/emails from me must be relevant and connected to my products/services? This means that relevance is important?

Relevance is important to the extent that the data subject can reasonably expect to receive such kind of communication. If I am the buyer of a company I can reasonably expect to receive offers and promotions from my company’s suppliers. In particular if in our commercial relationship I accepted to receive promotions signing consent.

Of course, this would not apply if I were the company HR manager. Why should I receive offers from this supplier? How did they get my email? The aim of GDPR is to not surprise your customers. 

Article 5 GDPR lists the principles of data processing states at letter b) that data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;” using the HR manager email is incompatible with the marketing purpose of sending offers because that manager has no decision power on your offer. 

The following letter c in Article 5 GDPR states also that data processing shall be: “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);”

That is where relevance comes into evidence. Of course, the data controller can estimate that sending offers to all management is relevant and adequate to his purposes, he/she will need to demonstrate such relevance and adequacy. In fact, paragraph 2 GDPR closes Article 5 GDPR affirming that: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”

If you are able to demonstrate that sending promotional emails to non-relevant persons in your customers’ companies comply with principles of the data processing listed in Article 5 GDPR, you will be free to send these emails. 

3) If I search on the Internet for a company and the relevant person to speak to about what I am selling, openly provides this information and is thus freely available on the public domain, then it is still not compliant to send them an email? This means that information that is in the public domain and openly presented to the public as having that title or role is still not appropriate to send him/her a cold email? Please provide the GDPR clause for this point?

You need to approach to personal data available on the public domain asking yourself “why those data are available?” Someone presenting him/herself as company CEO is claiming his role, he/she is not asking for receiving unsolicited promotional emails. 

You can discuss about the company and you can send a cold email, relying on the legitimate interest as a legal basis for data processing. 

Article 6 par. 1 (f) GDPR states that data processing is lawful when: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Legitimate interest can be a commercial interest. You need to verify those steps:

1. identify a legitimate interest;
2. how that the processing is necessary to achieve it; and
3. balance it against the individual’s interests, rights and freedoms.

The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

4) A further example of public domain information that is freely available is LinkedIn social media which is purpose-built for networking between business individuals. Individuals openly make themselves available to be communicated with. LinkedIn also provides a communication message box to approach a potential customer. Please provide the GDPR clause for this type of communication in social media?

GDPR is a non-technology related regulation. It aims to protect personal data independently from the means of communication used. You need to apply principles of data processing and lawfulness of processing as proclaimed in Article 5 and 6 GDPR to all means of communications.

Therefore, you can use your legitimate commercial interest and send a cold message to the relevant person (principle of minimization) of the company to approach a potential customer. You need to apply the three steps verification and be sure that there is not a less intrusive way to contact the potential customer.

5) The only method in which to engage with a person from a company is to send an unsolicited email invitation to the person to ask if I can send them marketing information. Is this not contradictory? because "sending them an offer in order to send them an offer" makes no sense to me. Can you provide the defined and explicit clause in the GDPR to reference the definitions and explanations of this point?

As I said above, your unsolicited email will lay on the commercial legitimate interest ground-based on Article 6 (f) GDPR. This legal ground allows you to introduce yourself and your company. In order to send to the potential customer promotional emails, you need to act on a different legal ground which is consent under Article 6 (a) GDPR. 

Remember that Article 83 par. 5 (a) GDPR provides the highest fines for breach of the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9. The fine is up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

6) If I sell multiple products and services and the person opt-in for certain products/services and opt-out for other products/services. Where or how does the GDPR allow or disallow further promotion to an opt-in customer but opt out for specific product/service? Please provide the GDPR clause for this point?

Article 21 par 2, 3, 4 GDPR provides your answer. Your customer has the right to object to the processing of personal data for direct marketing purposes at any time. If he/she objects you cannot process his/her data for those purposes. Allowing your customer to opt-out for some products allows you to continue processing for the others. 

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

Here you can find the full wording of reported GDPR Articles:

Article 5 GDPR: https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/

Article 6 GDPR: https://advisera.com/eugdpracademy/gdpr/lawfulness-of-processing/

Article 21 GDPR: https://advisera.com/eugdpracademy/gdpr/right-to-object/

Article 83 GDPR: https://advisera.com/eugdpracademy/gdpr/general-conditions-for-imposing-administrative-fines/