UK GDPR: Common Scenarios
Scenarios
Can I send marketing emails without consent?
Answer: No (with one exception)
Conditions: Marketing requires consent under PECR, not GDPR. The “soft opt-in” exception applies only if:
- Contact details obtained during a sale/negotiation
- Marketing is for similar products/services
- Opt-out provided at collection and in every message
Confidence: High
Citation: PECR Reg 22, not UK GDPR
Can I process customer data to fulfil their order?
Answer: Yes
Conditions:
- Processing is necessary for the contract
- Only process what’s needed for fulfilment
- Don’t use it for unrelated purposes without a separate basis
Confidence: High
Citation: Article 6(1)(b)
Can I keep customer data indefinitely?
Answer: No
Conditions:
- Must define retention periods
- Delete when no longer needed for original purpose
- Can keep longer if required by law or for legal claims
Confidence: High
Citation: Article 5(1)(e)
Do I need consent to process employee data?
Answer: Usually no
Conditions:
- Employment contract basis often applies [Art 6(1)(b)]
- Legal obligation for payroll, tax [Art 6(1)(c)]
- Consent is problematic due to power imbalance
- Legitimate interests may apply for some processing
Confidence: High
Citation: ICO Employment Guidance
Can I use legitimate interests for anything?
Answer: Conditional
Conditions:
- Must conduct Legitimate Interests Assessment (LIA)
- Balance your interests against individual’s rights
- Cannot override fundamental rights
- Not available to public authorities for core tasks
Confidence: High
Citation: Article 6(1)(f)