Posted by Mathieu Gorge on 06-07-2018
GDPR is not all about consent. It looks like a lot of organisations are only concentrating on consent or are seeking consent on a “just in case” basis. If this is how your company is approaching GDPR compliance, then be warned that this may well create problems for you at a later stage.

Consent is just one of the lawful bases under GDPR on which you can legally process personal data. There are, in fact, six options, and you need to determine carefully which is the most appropriate for each of your data processing activities.

Here we outline the six GDPR lawful bases for data processing, and specifically examine the case of Business to Business (B2B) mailing lists and marketing communications.

GDPR Lawful Bases for Data Processing Activities

  1. Compliance with a legal obligation, e.g. employment records, accident reports for health & safety records, etc.
  2. Contractual performance. An example of this is processing credit card details in order to take a payment. In cases where a contract does not yet exist, such as when an individual requests information from a service provider about a particular service via email or a social network, the processing of that individual’s personal data is permitted for the purpose of responding to the enquiry.
  3. Vital interests. These usually apply only to life-or-death situations, for example emergency services receiving a list of residents’ names and ages when responding to an emergency call.
  4. Public interest or acting under official public authority, e.g. political parties might be allowed to hold a copy of the electoral register.
  5. Legitimate interests. These apply only where the interests, rights or freedoms of the affected data subjects do not override the controller’s interests. Data controllers must conduct, and keep evidence of having conducted, a so-called “balancing test”. This means that even when data processing is necessary to the controller, its legitimate interests must still be weighed against “the interests or fundamental rights and freedoms of the data subject”.
  6. Data subjects’ consent. Finally, for scenarios that do not fit into any of the above categories, data controllers are left with consent.

Which GDPR Lawful Basis should you use?

Lawful bases 3 and 4 are really for very specific organisations or circumstances. For most organisations, it is preferable to rely on 1 or 2 where possible, and on 5 where it can be argued that the potential impact on data subjects’ rights or freedoms is minimal. In the latter case you need to make sure that the opt-out option is very clear.

IMPORTANT: You can’t use more than one lawful basis for a given personal data process. So you can’t opt for consent and then fall back on contractual performance if you fail to obtain consent, or vice versa. The key message is: don’t ask for consent unless you have already decided that consent is the basis you are going to rely on for that particular process.

For example, for employee data you would and should use Contractual Performance, and employee contracts will reflect this (i.e. they include a note stating that the processing of personal data, in compliance with GDPR, is required in order to execute the contract). Consent from employees can be considered “not freely given” because of the power imbalance in the employment relationship, so it is of little use as a basis.

You should also use the Contractual Performance basis for your organisation’s members, clients and anyone else with whom you have some form of contract or agreement.

What about the GDPR Lawful Basis for Mailing Lists and Marketing Communications?

For your mailing lists, if at all possible, you should argue that “legitimate interest” applies. As a B2B organisation, your reason for existence is to attract customer companies who want to buy your product or service. It’s therefore reasonable for you to communicate with potentially interested parties about events, news, etc. Just make sure they have the option to unsubscribe and that you carry out the so-called “balancing test”.

You’ll need to do this for each process, e.g. newsletters, event invitations, updates or whatever else is bulk e-mailed from your organisation. It’s a bit onerous, but preferable to having to obtain consent from each person for each process and renewing it on a regular basis.

Issues around Consent as a Lawful Basis for Mailing Lists

As you’re probably aware, many organisations seem to be seeking consent from the people already on their mailing lists. One could argue that this is itself in breach of GDPR.

Firstly, they’re contacting “me” using my personal data in order to obtain my consent to use my personal data, which would appear not to be the reason they held it in the first place! This is, perhaps, being pedantic. However, the regulator in the UK has taken companies to task for this and advised them to delete their list if they don’t have consent.

Secondly, in some cases the processing is simply defined as “sending emails”. This is not specific, and some might claim it’s too ambiguous. Consent, when sought, ought to be for a clearly defined purpose.

If you want to use Consent…

If you want to use consent as the lawful basis for your mailing lists, then that consent must be specific to the processing in question, reflect a deliberate action by the data subject, and be a positive and freely given response to a well-structured, unambiguous description of the processing activity.

The principle of “opt-in” is obligatory, meaning no processing can take place until consent has been obtained. A data controller must be able to demonstrate that consent was given, which requires an audit trail recording who consented, to what, when and how.


In the B2B world, it may be better to opt for Legitimate Interest rather than Consent as the legal basis for emailing people to promote the activities of your company.

Need further help managing your GDPR compliance and GDPR training? Consider using the VigiOne GRC Suite. Find out more with a free demo from the expert VigiTrust team.
