I settled out of court with this controller, via their solicitors, Clough and Willis. I’ve agreed not to identify the organisation as part of the settlement, so I’ve anonymised this article.
In this case, I received an email at work from the controller, out of the blue, inviting me to attend a conference. I contacted the controller and asked them to clarify how they had obtained my information. They said:
As your public profile closely matches already registered delegates and we have an existing relationship with the organisation I have contacted you under legitimate interest. I do not hold any personnel data on you and have not obtained any information regarding you from any source other than the information you have made publicly available.
Interesting… an existing relationship with my employer but not with me. I sought further clarification and they replied as follows:
I thought I had been clear but let me try and explain further. I have contacted you because of the information you have made publicly available on LinkedIn that closely matches the delegate criteria for our upcoming event.
Ah, now it’s clear – they scraped my profile information from LinkedIn, which is shameful behaviour, and potentially a criminal offence. I followed up again and they replied as follows:
You have been contacted by [The Controller] with legitimate reason on a B2B basis with an extremely generous offer. As you do not wish to be contacted again we will ensure that both your addresses are blocked from our server. We have not processed your details, they were simply noted by Miles in his own spreadsheet and have not been added to any company databases. Details are only processed on registration so as to administer bookings for our events.
You’ve got to laugh… they’ve not processed my information? How did they manage to target me with a marketing email then, and why are they telling me that they’re relying on the legitimate interests condition if they haven’t processed my information? They also informed me that they had phoned my employer’s switchboard to obtain my email address, but that’s likely to be a lie, and it doesn’t make any difference anyway. Their audacity and incompetence are staggering.
So, why had this event organiser unlawfully processed my information? There are a number of arguments that I was able to rely on:
1. A relevant and appropriate relationship did not exist
A commercial controller cannot reasonably rely on the legitimate interests condition if they cannot demonstrate that they have some kind of relationship with the data subject. Recital 47 GDPR states:
(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
The example given above relates to a direct relationship between the controller (the service provider) and the data subject (the client). What is clear, though, is that a controller has to consider the reasonable expectations of their data subjects, based on their relationship with the controller.
Based on Recital 47 GDPR, I argued that where a controller has obtained my information directly from me, they can likely rely on the legitimate interests condition to target me with direct marketing. This is because the controller and I have a relevant and appropriate relationship.
In some cases, it may be possible for a third party to also target me with direct marketing – if they can demonstrate that they too have a relevant and appropriate relationship with me.
However, if a commercial controller obtained my information by scraping my profile, or from a mailing list, then they will be unable to demonstrate that they have a relevant and appropriate relationship with me and as such, will be unable to rely on the legitimate interests condition. Why would a judge accept that they can rely on the legitimate interests condition?
Indeed, the notion that a controller can just start processing personal information that they happen across is not only unlawful, but it’s despicable behaviour in my view. It’s like walking past someone’s garden, pulling up their flowers and taking them home – because they’re being displayed to the public.
2. They failed to demonstrate a need to process my information
Article 6(1)(f) GDPR states that the processing has to be necessary:
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
To rely on the legitimate interests condition, therefore, a controller has to reasonably demonstrate that it was necessary to process my information to satisfy their legitimate interest. As such, I would expect the controller to undertake the three-part test to determine legitimate interests, and I’d expect that information to appear in their privacy notice, pursuant to Article 13(1)(d) GDPR.
In the initial invite, however, they said that they were inviting [my employer] to attend an ICT conference. But they’re not inviting my employer, are they? They’re inviting me. So, they would need to be able to demonstrate that it was necessary for them to specifically process my information to send me this invite. To make that determination, they need to ensure that they have documented and published their legitimate interests. In my view, they would need to create a new legitimate interests condition for each event, because they are tailored events.
3. They’d infringed my legitimate interests
When I use LinkedIn, I agree to their terms of use. My LinkedIn profile, therefore, is not in the public domain; instead it is made public under the terms of a contract. As such, it’s my legitimate interest to have my information stored publicly without harassment from other controllers, and it’s an easy win in court. No controller is ever going to win a case where they’ve obtained my information from my LinkedIn profile.
In this case, they said that they used the information obtained from my LinkedIn profile to phone my employer and obtain my email address. Well, they had no right to do that because they’d have to demonstrate that my LinkedIn profile is somehow linked to my employer – which it is not. What did they do to determine that my LinkedIn account isn’t my own personal account? Some people spoil everything for their own selfish needs.
They’d also have to explain why they decided to process my information outside of the LinkedIn platform, when there’s a perfectly good contact form within LinkedIn. Why didn’t they use the contact form to contact me directly? Was it because I have a right to reject invites and they didn’t want me to reject their invite? Did they deliberately scrape my profile information so that they could bypass LinkedIn and contact me directly? Good luck explaining that to a judge.
This controller would have been utterly humiliated had they argued in court that they had some claim over my LinkedIn profile. The only thing that a controller can do with LinkedIn profile information is to try and connect to those individuals via LinkedIn.
Getting back to the case…
Once they realised that I was being serious about taking them to court, the controller’s staff stopped communicating with me, so I filed the claim. They didn’t submit a Defence, so the judge ruled in my favour for the full amount claimed. They didn’t pay and they ignored my request for payment, so I paid to issue a Warrant to recover the debt.
At this point, their solicitors contacted me and claimed that their client had not received the information from me. I negotiated a settlement with the solicitors that included the money awarded by the court plus the cost of issuing the Warrant.
To show that I’m not unreasonable, here’s a list of the emails that I sent to the controller and their replies. I’ve not included the letters that I sent by next day signed-for post. For example, they must have received my Statement of Case by post because it had been signed-for. I think the staff in the office actually withheld the information from their employer hoping that it would just go away. As you can see, it did not.
I gave them fair notice… this is in reverse order:
01.09.19 Claimant sent an email informing the Defendant that he had followed the process to issue a warrant, and to make them aware that he is obligated to cancel the warrant as soon as payment has been made. No reply was received.
11.08.19 Claimant sent an email informing the Defendant that a judgement had been made and that he needed payment to avoid having to issue a warrant. No reply was received.
11.06.19 Claimant sent an email informing the Defendant that the claim had been filed. No reply was received.
11.06.19 Claimant sent an email informing the Defendant that he would file the claim that evening. No reply was received.
07.06.19 Claimant sent an email warning that he would be filing the case at the weekend. No reply was received.
03.06.19 Claimant sent an email. No reply was received.
24.05.19 Claimant sent an email attaching a draft copy of his Statement of Case. No reply was received.
26.04.19 Claimant sent an email apologising for the break in correspondence and stating that he was now ready to proceed with a claim. No reply was received.
The Claimant was really busy working on a project deadline at work in Winter 2018, so was unable to focus on the case due to the amount of overtime he was working.
02.11.2018 Claimant sent an email.
No reply was received.
01.11.2018 Claimant sent an email.
No reply was received.
01.11.2018 Defendant replied.
26.10.2018 Claimant sent an email.
26.10.2018 Defendant replied.
25.10.2018 Claimant sent an email.
25.10.2018 Defendant replied.
25.10.2018 Claimant sent an email.
24.10.2018 Claimant sent an email.
No reply was received.
24.10.2018 Defendant replied.
24.10.2018 Claimant sent a follow-up email.
23.10.2018 Claimant submitted a complaint.
No reply was received.
23.10.2018 The original marketing email received.
To conclude
For me, there are a few clear rules that controllers need to adhere to when relying on the legitimate interests condition to target individuals with direct marketing:
1. Do not rely on the legitimate interests condition to target someone with B2B direct marketing unless you have a direct relationship with that individual, or with a controller that has a direct relationship with that individual. So, do not use third-party mailing lists or information that you consider to be in the public domain because you have no relationship at all with that individual.
2. Do not rely on the legitimate interests condition to obtain a small amount of information via a web form, because if challenged, you will have to demonstrate that it was necessary for you to process the personal information submitted into the form. However, if you cannot prove that the individual submitted their own information into the form, then you cannot demonstrate that your processing was necessary. Although it’s not a legal requirement, controllers should always rely on a double opt-in when it is easy for anyone to submit anyone’s information into a form.
3. Don’t rely on the legitimate interests condition to process personal information that is made public under the terms of a contract. LinkedIn profiles are not in the public domain; they are made public under the terms of a contract. Not only will you lose in court, but it’s potentially a criminal offence to obtain information from LinkedIn without the consent of LinkedIn.
And don’t forget, a corporate email address that contains a full name will likely constitute personal information. If you process that information then you will be the controller and the employee will be your data subject.
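The double opt-in that rule 2 recommends is straightforward to implement, and the design point is worth seeing in code: a form submission is held in a short-lived pending area and is only treated as a confirmed contact once the owner of the address has proved control of it by using a token sent to that address. The following is an added example written for this article, not the author's code or any product's implementation; the in-memory dictionaries, the 48-hour expiry, and the `DoubleOptIn` class and method names are all assumptions made for illustration.

```python
"""Double opt-in for a public web form (added example, not the article's code).

A submission is not a confirmed contact until the address owner has acted on a
token emailed to that address. Unconfirmed submissions are held briefly and
then purged, so data typed into the form by a third party is never retained or
used for marketing. Storage is an in-memory dict standing in for a database.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumption for this example: unconfirmed sign-ups are discarded after 48 hours.
CONFIRM_TTL_SECONDS = 48 * 3600


@dataclass
class PendingSignup:
    email: str
    submitted_at: float
    token: str


class DoubleOptIn:
    """Holds pending (unconfirmed) and confirmed sign-ups separately."""

    def __init__(self, now=time.time):
        self._now = now                                 # injectable clock for testing
        self._pending: dict[str, PendingSignup] = {}    # token -> pending record
        self._confirmed: dict[str, float] = {}          # email -> confirmation time

    def submit(self, email: str) -> str:
        """Step 1: the form is posted. Record the submission and return the
        one-time token that the caller should email to the submitted address.
        The address is deliberately NOT added to the confirmed list here."""
        email = email.strip().lower()
        token = secrets.token_urlsafe(32)               # 256 bits of randomness
        self._pending[token] = PendingSignup(email, self._now(), token)
        return token

    def confirm(self, token: str) -> bool:
        """Step 2: the link in the email is followed. Only now does the address
        become a confirmed contact. Unknown, expired or reused tokens fail."""
        self.purge_expired()
        # Compare against every pending token with a constant-time comparison
        # rather than a dict lookup, so timing does not reveal whether a
        # guessed token exists. The pending set is small, so this is cheap.
        match = None
        for candidate in self._pending:
            if hmac.compare_digest(candidate, token):
                match = candidate
        if match is None:
            return False
        record = self._pending.pop(match)               # one-shot: token is consumed
        self._confirmed[record.email] = self._now()
        return True

    def purge_expired(self) -> int:
        """Drop pending submissions older than the TTL so unconfirmed personal
        data is not retained indefinitely. Returns the number purged."""
        cutoff = self._now() - CONFIRM_TTL_SECONDS
        stale = [t for t, p in self._pending.items() if p.submitted_at < cutoff]
        for t in stale:
            del self._pending[t]
        return len(stale)

    def is_confirmed(self, email: str) -> bool:
        """Marketing code should only ever consult this list, never the pending one."""
        return email.strip().lower() in self._confirmed

    def pending_count(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    # Constructed walk-through: a submission, a bad token, then the real one.
    flow = DoubleOptIn()
    token = flow.submit("someone@example.org")         # constructed address
    print("confirmed before clicking link:", flow.is_confirmed("someone@example.org"))
    print("bogus token accepted:", flow.confirm("not-the-token"))
    print("real token accepted:", flow.confirm(token))
    print("confirmed after clicking link:", flow.is_confirmed("someone@example.org"))
```

The two stores are kept apart on purpose: anything that sends marketing reads only `_confirmed`, so an address that a stranger typed into the form can never be contacted, and `purge_expired` bounds how long that stranger's submission is held at all. The token is consumed on first use, so a confirmation link cannot be replayed to re-add an address later.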