You don't need to be an 'investor' to invest in Singletrack: 6 days left: 95% of target - Find out more
I have a few email addresses all at the same domain that I own - info@, my.work.name@, my.personal.name@, etc and a catch all. I also have subscription specific email addresses - eg BTFIBRE@mydomain, for my current internet supplier, and some for my dealings with companies hosue, tax man etc. This helps me sort my emails into folders etc and it costs me nothing to set up.
I got an email today to one of companies house related emails from a company called Acquirz Ltd, saying this:
Personal Information Notice
You are receiving this email as we believe it may be relevant to you in your professional role and we believe your business will benefit.
Your business and personal contact data has been collected from publicly available records such as websites and government records and combined with data from third-party data providers and is being processed on the basis of Acquirz’s legitimate interests and those of our data partners and customers.
These interests include our direct marketing and sharing your data with our data partners and selling it to our customers for their business marketing campaigns to reach business professionals like you.
You can read more about these interests and how you can exercise your rights in our Privacy Notice.
If you would like to opt out, please unsubscribe using the link below.
Click here to unsubscribe
Kind regards
Acquirz LtdCopyright © 2023 Acquirz Ltd | Company Registration Number: 12199595
1 Rockfield Business Park, Old Station Drive, Cheltenham, Gloucestershire, GL53 0AN
I looked them up, its UK company, matches the company reg numebr up there.
There is an opportunity to opt out, but I thought this kind of auto opt in unless you opt out was now illegal under GDPR?
It went to spam, I could have ignored it and suddenly I am enrolled on a data list being sold all over.
I am merely navel gazing here and I think it is all too late but it has pissed me off...
Opt out and request them to delete your data "Rights of the data subject"
There are several lawful bases for data processing under GDPR. For email marketing the most widely used one is consent but the wording of that email suggests that they are trying to justify the processing under the basis of legitimate interest. They should have two documents to support that (LIA and DPIA) but they don't have any obligation to share those with you. They do seem to be claiming that they can over-ride some of the key principles of GDPR on this basis and I'd love to see how their DPO is justifying that, but if you're concerned then first of all raise a complaint with their DPO and then if you don't get any resolution you can raise it with the ICO. Or just unsubscribe, invoke your right to be forgotten (which won't remove all of your data as they have to remember to forget you), and move on. If the email address they've used can only have come from one source you can also follow up with that source as you will have agreed to some data protection statement when you provided that email and the wording of that should clearly state what they will and won't do with the data you've provided. If it doesn't say they will share it with Acquirz Ltd (specifically named, not 'specially selected partners' cos that won't really wash any more) then they have breached data protection regs and you can raise it with them too - though if it was companies house it may be published on their website so anyone can grab it from there, but once again we come back to why Acquirz would believe they have a legitimate interest to send unsolicited emails to an address they found on line.
I think we're starting to see more of this - when it first arrived people were very wary of the restrictions of GDPR but these are now being tested and the only proof of that is when the ICO publish who they've told off for doing what, so it's a slow evolution.
Guff from ICO about Legitimate Interest:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/how-do-we-apply-legitimate-interests-in-practice/
Thanks for a detailed and informative reply. Amazing the font of knowledge on here. This answer alone is almost enough to make me buy a subscription to STW.
However if I buy a sub then STW has all my identity data and I can't have that...
I might be wrong on this.... but a subtlety in this case may well be... GDPR relates to personal data. Comapanies House is a list of companies not people, a company is its own legal entity but it isnt a 'person' and the email addresses it lists are for the 'company' not "a person".
So there can be a difference between holding a person's details - "named person"@domain and the business's details "info"@domain or "job title"@domain
If you look at it the other way around - you'll have reason to contact all sorts of businesses - your suppliers, utilities. and so on by email - using publicly available addresses. They don't need to opt in to you holding that address, phone number or whatever in order for you to contact them - because you're not holding anyones personal data.
enough to make me buy a subscription to STW.
and an email address such as "subs@STW" - not someones name / personal email / direct phone no. for instance
I similarly get post from businesses that have obviously lifted my info from company's house - but it will be addressed to 'the business owner' or similar and never uses my name.
I am merely navel gazing here and I think it is all too late
Because of the way you've set up your various emails for different services you have the advantage that you can just change the email address you have registered with companies house. That will of course again get published but the benefit of having that compartmentalised approach is you can change an address thats getting spammed and you only have to update the info with a small number of legitimate users
Coincidentally just picked up the outlaws’ post, and there’s a mail out from a hearing aid company to my MiL, with this printed on the envelope:
“Your name and address details were passed to us by CACI Ltd from the Edited Electoral Roll.
You can opt-out of your name appearing by contacting your local Electoral Registration office or visiting https://www.gov.uk/electoral-register/opt-out-of-the-open-register. You can read CACI’s privacy statement on how they process data here: https://www.caci.co.uk/data-privacy/privacy-policy/”
So there can be a difference between holding a person’s details – “named person”@domain and the business’s details “info”@domain or “job title”@domain
I think Maccruiskeen is pretty much right, but I've seen discussions from people who know their onions on this stuff saying even jon.smith@somecompany.com is not necessarily a GDPR issue. (whereas jon@smith-family.com could/would be). Its probably also a PECR issue rather than GDPR one. That said, I'd be very surprised if the email address was obtainable from companies house. More likely the OP has used the same address for multiple company things and one of them has sold it on.
jon.smith@company is definitely personal data, no discussions about that.
Direct marketing can be a complex area, and also falls under PECR (in the UK) or more broadly the ePrivacy directive in the EU.
The ICO has guidance here about B2B marketing, but in summary this activity is allowed, as long as they inform you, and let you object before starting to send the marketing.
in summary this activity is allowed, as long as they inform you, and let you object before starting to send the marketing.
They still need a lawful basis for processing too, and if you're going to rely on Legitimate Interest then you need to be able to demonstrate (and document) why the processing is in the interests of the recipient as well as your own interest. The DMA and others have clarified that 'making profit' is a legitimate interest of an organisation so their side is covered, but you still need a balancing argument for the recipient. If I'm selling MTB widgets and I start emailing corporate addresses that have nothing to do with biking then what is their interest in receiving the email? If there isn't any link then I can't rely on legitimate interest to process their data. So from the email in the OP, Acquirz will need to have demonstrated that the OP has some interest in their processing of the data and then if they share/sell his data on to other orgs for their marketing purposes each of those will need to do the same exercise.
There are a few orgs that claim to offer compliant cold marketing lists, and every time my employer has looked into them we've decided not to proceed.
True, and if they are sending this type of notification they feel they have a basis to do this, else they would just start spamming you.
If you don't want the emails, just object and insist on your right of erasure. Going to route of investigating their legitimate interests is time consuming and might not get you anywhere unless you want to possibly raise this with the ICO.
The B2B rules are broader than B2C direct marketing, so companies can try to exploit that.