Contact tracing and GSPR

Van Doozy

I recently visited a business and immediately on entering i was asked by a receptionist (wearing a visor) for my details. It wasn't explicitly stated that this was for contact tracing though it was strongly implied.

Anyway on my visit I completed a purchase for a significant amount ( thousands). I gave a work email address to the salesperson as it was a work related purchase. This went on their system.


A week later I received an email to my personal address asking if I was still considering a purchase and offering to discuss finance.

The only explanation for this is that Covid contact tracing data is being used for marketing. Its the only time I gave that address.

Now, this is annoying, but isn't it also a flagrant breach of GDPR? What would you do in this scenario? Business is a local dealer for a well known brand.


Edit: Sorry, thread title should say GDPR

AndrewJRenko

Van Doozy wrote: »

I recently visited a business and immediately on entering i was asked by a receptionist (wearing a visor) for my details. It wasn't explicitly stated that this was for contact tracing though it was strongly implied.

Anyway on my visit I completed a purchase for a significant amount ( thousands). I gave a work email address to the salesperson as it was a work related purchase. This went on their system.


A week later I received an email to my personal address asking if I was still considering a purchase and offering to discuss finance.

The only explanation for this is that Covid contact tracing data is being used for marketing. Its the only time I gave that address.

Now, this is annoying, but isn't it also a flagrant breach of GDPR? What would you do in this scenario? Business is a local dealer for a well known brand.


Edit: Sorry, thread title should say GDPR

Just to be clear, did you receive the email to the address you gave? You mention both work and personal email addresses, so it's a bit confusing.

In general, yes, if they are using email addresses for marketing without getting explicit permission for marketing, they are breaching GDPR.


You could look for a response from a director of the business, or report them to the DPC or the main brand or all of the above.

Van Doozy

Hi Andrew, apologies for lack of clarity.

I walked in the door and gave a receptionist my personal details for contact tracing.

I completed a commercial transaction, giving them my work contact details for this.

A week later I received marketing to my personal email address. The only time I had given them this was for contact tracing.

YellowLead

You said they didn’t state it was for contact tracing though. If you were going to do business with them they could use legitimate interest for the basis for processing. Plus was it actually a marketing communication? Or just a follow up email from the receptionist?
Finally are you sure there wasn’t a privacy policy linked on the form you filled in (if it was digital)

Van Doozy

Doesn't express consent need to be given for direct marketing though?

You're right, they didn't actually state that they wanted my info for contact tracing. But I have gone into restaurants and been received by someone with a visor and a clipboard asking for my details in the exact same way - it was strongly implied, and they wouldn't have done it in pre-covid times, and if they had I would have queried it.

AndrewJRenko

The contact tracing issue is a red herring.

If they want to send you marketing materials, they need explicit consent.

YellowLead

It doesn’t actually. Where a company relies on consent as the basis for marketing communications then it must be clear and not implied. But they don’t have to rely on consent.
Also the e privacy directive allows for marketing comms to an existing customer about similar products. There is debate about what a customer actually means.

I would argue however that the email you received probably wasn’t even direct marketing.

Van Doozy

AndrewJRenko wrote: »

The contact tracing issue is a red herring.

If they want to send you marketing materials, they need explicit consent.

OK fair enough. But it's not quite as cut and dried as that, i think.

The question is, how do you define marketing? Could it be argued that it was a legitimate follow up email?

The email was generic copy-paste and went along the lines of 'thanks for your visit, we have a range of packages to suit all budgets, if you feel you want another viewing or to make a purchase let me know'

What piqued my interest was the fact that I made a purchase a week ago so this email was irrelevant, and I only received it because a record of my visit to the dealer and all my details were harvested from what could only be described as a contact tracing log.

Edit: YellowLead touched on this in the post above.

YellowLead

If it was a marketing communication there should have been an unsubscribe option and a link to the privacy policy.
If that was a covid contract tracing form you filled out then for sure - the info shouldn’t have been used for other purposes.