Legalease Home page
Selling and marketing

Data Protection

Data protection is dealt with more fully in a separate section. This section deals briefly with data protection in the context of marketing.

The processing of data relating to living individuals (“personal data”) is regulated by the Data Protection Act 1998 (“DPA”). Subject to certain limited exceptions, a person who processes personal data (a “data controller”) must register certain information with the Office of the Information Commissioner (“IC”).

Personal data and the Data Protection Principles

Personal data by definition relates to living individuals and not legal entities. Therefore marketing to companies and other legal entities as such, and not directed at particular individuals, is not within the scope of the DPA.

The DPA requires data controllers to comply with the Data Protection Principles. (“DPPs”) listed in Schedule 1 of the DPA which are:
 1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless one of the specified conditions is met (see below – conditions for processing personal data). NB: special protection is given to “sensitive personal data” (.i.e. data relating to political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, the commission of any offence)
 2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
 3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
 4. Personal data shall be accurate and, where necessary, kept up to date.
 5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
 6. Personal data shall be processed in accordance with the rights of data subjects under the DPA.
 7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
 8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

(DPA Sched.1 part 1).
The DPA sets out guidelines for the interpretation of the DPPs (DPA Sched.1 part 2).

Conditions for processing personal data

Personal data
In summary, in order for personal data to be processed “fairly and lawfully” within the first DPP, one of the following conditions must be met:

* the individual who is the subject of the data has given his consent to the processing
* the processing is necessary for the performance of a contract to which the data subject is a party, or for the taking of steps at the request of the data subject with a view to entering into a contract
* the processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract
* the processing is necessary in order to protect the vital interests of the data subject
* the processing is necessary for the administration of justice or certain other public functions
* the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

(DPA Sched.2)

Use of personal data for marketing purposes
In the context of marketing to individuals, the primary concern is that the data relating to the individuals has been acquired and will be used in a way which complies with the DPPs. This will normally be done in one of 3 ways:
* the individual has consented to the use of his data by the marketer for a specific occasion
* the individual has consented to the use of his data by the marketer by giving a general consent to receiving marketing when he first bought a product or service from the marketer
* the individual has consented in the past to receiving marketing communications from third parties and the marketer has lawfully acquired the data from a third party.
NB: in all the above cases the consent from the individual will only be valid if he was given clear information about the identity of the user and the purposes for which the data would be used.

Right to prevent processing for purposes of direct marketing
An individual is entitled at any time to give a notice in writing to a data controller to require him to cease, or not to begin, processing the individual’s personal data for the purposes of direct marketing. The regulations do not set a fixed time limit for compliance with the notice. However the data controller is required to act on this notice by the end of such period “as is reasonable in the circumstances”. [We suggest action be taken as quickl;y as possible; the “reasonable” period probably relates to the time within which lists can be technically updated, and allows mailings in process to go out; but not longer delays].
“Direct marketing” means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.

Civil enforcement:
The IC has the power to serve an enforcement notice in the case of breach of the DPA.(DPA s.40)
The IC has power to impose a monetary penalty on a data controller of up to £500,000 if he is satisfied that:
* there has been a serious contravention of the Data Protection Principles
* the contravention was of a kind likely to cause substantial damage or substantial distress, and
* the contravention was deliberate or the data controller knew or ought to have known that there was a risk that the contravention would occur, and  that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention. (DPA s.55A)

An individual may apply to the court for a compliance order if a data controller fails to comply with a notice to stop using personal data for direct marketing.

An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of the DPA is entitled to compensation from the data controller for that damage. There is a due diligence defence.(DPA s.13)

Criminal enforcement:
Non-compliance with the DPPs is not an offence. However, the DPA creates a number of specific offences including:
* Processing personal data without being registered on the DPA register (unless exempted). There is a <due diligence defence>. (DPA s.21)
* Failure to comply with an enforcement notice (DPA s.47).
* Knowingly or recklessly disclosing personal data without the consent of the data controller. There are certain defences if the accused reasonably believed he had consent. (DPA s.55).
These offences are punishable on indictment by an unlimited fine. In the case of an offence committed by a corporate body, there is Director’s liability.(DPA s.61).

Further reading – see the IC’s guidance:

Legaleze comment:
If you have obtained the personal data directly from the individuals, you need to ensure you have acquired it and will process it in compliance with the DPPs. This is normally done by a combination of a data protection or privacy policy and terms and conditions of sale  made known to the customer, and the customer ticking a box (e.g. physically on paper or virtually online) to signify his consent to the use of the data.
There is debate as to whether customers should be made to “opt in” to receiving marketing communications by signing a consent form or ticking a box online, or whether it is sufficient to rely on an “opt out” e.g. the customer must tick a box to signify that he does not want to receive such material. Other than referring to “consent”, the DPA does not specify either method.
Provided that the customer is given sufficiently clear information which is brought to the customer’s attention, an opt out may well be sufficient in most cases.
Further guidance is available from the IC’s website; see in particular the FAQs at

If you intend to obtain the data from a third party such as a list broker, you should make reasonable enquiries about the method used for obtaining the data and seek assurances, preferably in a legally binding form, that the data was acquired and will be transferred to you in full compliance with the DPPs.

More information>
The basics: contract for sale
Legal tender
Limitation and exclusion clauses
Sale of goods
Supply of services
Inertia selling to businesses
Sales to consumers
Unfair terms
Sales to consumers, distance selling
Doorstep selling
Marketing and advertising regulation    introduction
Advertising Codes
Advertising to businesses and    comparative advertising
Advertising to consumer regulations
Approved trader schemes
Direct marketing by telephone, email,    text message, fax and post
Data protection in relation to marketing