THE GHOSTS OF CHRISTMAS PAST, PRESENT AND FUTURE – GDPR, THE INSURANCE DISTRIBUTION DIRECTIVE AND PRICE TRANSPARENCY
Compliance Bulletin 77 – December 2018
Cold Christmas cheer from the GDPR
As the GDPR continues to bed in it seems to be following hard on the heels of Health and Safety in spawning urban myths as to what is no longer possible as a result of its supposed provisions. If health and safety, memorably, was taken to justify a local authority some years ago felling horse chestnut trees for fear of head injuries from falling conkers, and the possible negligence claims that might follow if they were not to do so, then likewise many are claiming that firms, and the individuals within them, may not send out Christmas and/or new year cards unless they have the prior permission of the recipient to do so.
Key to understanding the practical application of the GDPR in any such situation is to consider the six legal bases for processing data lawfully. These are respectively:
• there is consent from the data subject;
• it is necessary for the performance of a contract with the data
subject or so that a contract can be entered into;
• it is necessary for compliance with a legal obligation;
• it is necessary to protect the vital interests of a data subject
or another person;
• it is necessary for the performance of a task carried out in the
public interest or in the exercise of official authority vested in
the controller; and
• it is necessary for the purposes of legitimate interests
pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
For most legal work, the relevant heading will be the express or implied consent of the client as data subject to use their personal
  Copyright © Infolegal Limited 2018 1