Giving away information to a 3rd party
Sexy title, sexy subject…
As our weekend teaser, we asked:
Do you need explicit permission to submit a customer email address for a coating warranty…?
As with all great questions, the answer is a clear and concise “it depends”…
We’re assuming that your own GDPR compliance is up to scratch, and that you will already have, or have been declined, permission to process the information given to you by the customer. If you have the customer’s address as a result of a direct email contact, which has not given them an opt-out, the answer is a straight “yes”, you do need explicit permission. There are situations, though, where you don’t need explicit consent to pass on relevant information for the customer’s ultimate benefit.
As far as the regulations go, we’re interpreting Article 6 of the GDPR, which relates to the “lawfulness of processing” – specifically sections b and f.
Processing shall be lawful only if and to the extent that at least one of the following applies:
b] Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
f] Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
If you’ve sold the customer a product and explained that it carries a warranty, you are completing the steps of the contract with the warranty provider, who is requesting contact details for what is termed “legitimate interest”. What you aren’t signing them up for are marketing lists, upselling emails, spam, and permission to sell their details on. These would need a secondary agreement with explicit consent, and the 3rd party should be aware of this.
Should I have to?
For starters, a warranty should not be invalidated as long as a customer can provide some contact details deemed necessary, perhaps for the sake of identification. A warranty should also not be subject to inclusion in marketing contact lists. It’s a service which is being paid for, though indirectly.
Any smart manufacturer will have their own online warranty system which takes this out of your hands. This absolves them of any issue should you provide them with data you shouldn’t, and gives them the opportunity to obtain precious marketing consent. Any manufacturer insisting on this should be able to demonstrate that their own GDPR guidelines are in place and rock solid to the point of absolution of your responsibility.
Should you tell them anyway?
It’s just a courtesy. Even if you are legally allowed to process their data, a simple “I need to supply your email address for your warranty to be activated, is that ok?” is never a hard sell, and if anyone objects and, for whatever reason, you aren’t able to provide a warranty because of this, it’s their choice to make.
Just ask before you apply the products, or a “no” can become awkward…
GDPR is a subject covered in business and marketing and as part of our Level One professional detailer syllabus. We cover this because the punishments for a legitimate business can range from a fine, down to an inconvenience, but most of all, a dissatisfied and inconvenienced customer…