GDPR – FREQUENTLY ASKED QUESTIONS

In a recent NFDA newsletter we published a frequently asked question in respect of GDPR relating to contacting customers regarding service and MOT reminders.  Please see an update below.

Under the General Data Protection Regulation (GDPR), contacting, for example via email or telephone, a customer about a service and/or MOT reminder is likely to be classed as marketing. This is because in most cases there is unlikely to be a legal obligation on a dealership to inform their customer about a due MOT or service. Whilst many customers are pleased to receive these reminders, they are technically the responsibility of the customer to remember.

This is separate to, for example, vehicle recalls, where there is a legal obligation to inform the customer that their vehicle is under recall.

Therefore, to contact a customer to remind them about an upcoming MOT or service, you will need to consider how you do this in compliance with the GDPR and another piece of legislation called the Electronic Privacy Communications Regulations (PECR).

The GDPR sets out a number of legal bases (conditions) for processing personal data. In order to process personal data under the GDPR to remind individuals, for example, about an upcoming MOT or service, you will need to ensure that you meet one of these conditions.

  • You have the consent of the individual;
  • You need to process the personal data to perform a contract with the individual or to take steps prior to entering into a contract with the individual;
  • You need to process the personal data to comply with a legal obligation;
  • You need to process the personal data to protect the vital interest of the individual;
  • You need to process the personal data to perform a public task; or
  • You need to process the personal data for your legitimate interests.

Under the GDPR you can send marketing to individuals by relying on the legitimate interest legal basis. This is set out in Recital 47.

However, although legitimate interests are the most flexible basis for processing, you cannot assume it will always be the most appropriate.  An assessment must be made to ensure that the processing meets the threshold required to rely on legitimate interests as a lawful basis and you must advise individuals that they have a right to object to processing under Article 21.

Electronic marketing

You must also consider the method by which you are marketing to individuals. This is because PECR states that you have to have consent to send electronic marketing (fax, SMS and email) unless you can rely on an exemption called soft opt-in. Note that this exemption only applies to the “person” collecting the personal data; therefore, if you are using bought-in or third-party marketing lists, it is very unlikely that you can rely on this exemption.

Soft opt-in applies where:

  • You have obtained the individual’s personal data (for example their email address) through the sale or negotiation for the sale of goods and/or services; and
  • The marketing is for similar goods or services only; and
  • At the time you collected the personal data you gave the individual an option to opt-out of receiving marketing; and
  • Each time you have contacted that individual you have given them the option to opt-out of receiving marketing.

PECR also contains rules relating to live calls and automated calls; general overviews of the rules are set out below:

Live calls

  • You must not make live calls to individuals who are on the corporate telephone preference service (CTPS) or telephone preference service (TPS) and anyone who has told you not to call them.

You do not necessarily need consent to make live calls; however, you must comply with the provisions set out above when making calls. Therefore, all call lists should be screened against the CTPS, TPS and any internal opt-out or suppression lists.

Automated calls

  • For automated calls, you must not make any automated marketing calls unless you have the individual’s consent to receive automated calls.

Therefore, you should review (1) how you collected the personal data for marketing purposes; and (2) the method by which you are sending marketing, to make sure that where you are sending any marketing, you are complying with the GDPR and, where relevant, PECR.

Posted by Sue Robinson on 06/04/2018