Information provided under Regulation (EU) 2016/679, the General Data Protection Regulation, “GDPR”
Officefront is conducting a campaign of direct marketing within the meaning of the Data Protection Act 2018, s.122(5), in which you are a recipient.
Frequently Asked Questions
Under what law are you allowed to send me emails?
The protection of personal data and the delivery of marketing by email are governed in the United Kingdom by separate but related laws. In addition to data protection legislation such as the GDPR and Data Protection Act 2018, The Privacy and Electronic Communications (EC Directive) Regulations 2003, also known as “PECR”, is the principal law that covers direct marketing by email.
What is a “corporate subscriber”?
In terms of the PECR, the subscriber is the individual or legal entity that is party to a contract with a provider of public electronic communications services. It specifically defines a corporate subscriber as, essentially, an incorporated company. This is different to the usual meaning of “subscriber” when discussing mailing lists. ICO guidance clarifies that this includes public bodies and Scottish partnerships, but not sole traders or members of an ordinary partnership, as they are not incorporated. In terms of email, the subscriber is held to be the individual or organisation for whom the email service is operated. Any of a corporate subscriber’s email addresses would be a corporate email address. If a corporate email address contains a person’s name or distinctive job title, it is known as a personal corporate email address. This is not the same as a strictly personal email address pertaining only to a private individual.
Why have you not asked for my consent?
Your email address has been identified as pertaining to a “corporate subscriber” within the meaning of PECR Regulation 2. Regulation 22 prohibits the delivery of unsolicited marketing messages by email to “individual subscribers”, with certain exemptions such as for existing customers. However, this does not apply to corporate subscribers. The UK’s data protection supervisory authority, the Information Commissioner’s Office or ICO, has published guidance clarifying that consent is not required to email business email addresses. Data protection laws still apply to any personal data being stored or used in relation to that address, such as if your email address contains your name, or a job title through which you could be easily identified. Such personal data is lawfully processed under Art. 6(1)(f) of the GDPR, about which more information is provided below.
Where did you get my email address?
Officefront obtains its client target information by researching publicly available information, mainly on the internet. This information is used for a “one-off” communication.
How do I stop getting emails from Officefront?
All emails sent as part of Officefront’s direct marketing campaign include an unsubscribe link to a page where you can check the email address and request that it be unsubscribed from further such emails.
Data Controller Information
The following information is in accordance with Chapter 3 of the GDPR.
Identity of the controller
Officefront (A partnership)
Daws House, 33-35 Daws Lane, London NW7 4SD
Data Protection Officer (DPO)
The following means of contacting the DPO may be used to make a request under the rights guaranteed by the GDPR or other applicable data protection and privacy laws:
Tel: 020 8906 6666
Categories of Personal Data
Where a name or job title may be used to identify a living human being (“data subject”) in relation to a business email address, the following categories of information directly or indirectly identifying that person may be processed: Name, job title and company, work contact details, records of emails opened with images enabled, records of hyperlinks clicked on in emails, IP addresses used to engage with emails, replies sent to emails, content submitted in forms linked to from emails.
Purposes and Basis of Processing
Personal data is processed for the purpose of targeting and personalising marketing messages, and delivering them to the data subject in order to prospectively market products and services of the data controller’s clients in pursuit of the commercial interests of both the data controller and its client. The personal data listed above is processed in accordance with Article 6(1)(f) of the GDPR, in pursuit of the legitimate interests detailed in this section. The data controller’s and its client’s legitimate interests are balanced with the fundamental rights and freedoms of data subjects by the provision of compliant transparency and disclosure notices, a clear, simple and effective means of opting out of further marketing messages, and the appointment of a Data Protection Officer who is available to fulfil any lawful request from a data subject.
No personal data is retained.
Data Subject Rights
The data subject has the right to request access to, rectification of, erasure of, and restriction of the processing of their personal data, as well as to object to its processing, and to the portability of that data. At any time, the data subject has a right to lodge a complaint with the Information Commissioner’s Office in the United Kingdom.