Arrange a Consultation

I received from a third party a list of peoples’ names, emails, phone numbers which I am told I can use for my own company marketing purposes – Can I use it under GDPR rules?

Feb 21 - Brian Siney

Warning: Invalid argument supplied for foreach() in /home/customer/www/ on line 28

Featured in JEP’s Expert Panel – 21st February 2018


You should always ask, “who owns the personal data?” The answer is, “The data subjects [i.e. each person on the list]”. Then taking the view of the data subject, they would correctly ask, why do you have their personal data, where did you get it from, what are you doing with it, how long are you keeping it and what lawful basis do you have to receive it and to use it. One would be concerned the third party has already committed a data breach by giving this data to you, outside of any business relationship agreed directly by each data subject and involving you.

Under A14 of GDPR, you have one month to meet the legal communication requirements to each data subject, effectively answering all the questions above and identifying yourself as potentially the new Data Controller. You must inform the data subject of these answers at the first opportunity and before you make any use their data.

GDPR has this important provision in law so you, the Data Controller, must meet the statutory requirements of ensuring lawful, fair and transparent processing of personal data which is a fundamental principle of GDPR. Breaching these core principles will expose you to the higher tier of fines by the new Data Protection Authority, after 25 May 2018.

If you are not going to follow the requirements of A14 of the GDPR law, then delete or destroy the data in a secure and confidential manner, as there is no lawful reason for you to retain it or use it. You may need to prove this too, if challenged.

Ensure Your Business is GDPR Compliant Today!

Contact me today and arrange a consultation…

Be Secure is a Jersey-based data consultancy business specialising in GDPR data protection, data privacy and cyber security. Leveraging extensive experience of founder Brian Siney, Be Secure offers a unique business focus and perspective for managing GDPR.

Send me a message

Call me on 07797 738743

More from the blog

Back to Blog home