Our company is in the business of selling travel insurance. When customers buy our Annual Multi-trip policy we instantly enrol them for auto-renewal and write to them three weeks before renewal date giving notice that we will renew their policy and collect premium unless they notify us of their intention not to proceed with the renewal one week before due date.
We also inform them that they have 14 days after purchase to cancel the policy for a full refund. This matter is covered under terms and conditions on our websites. Can we continue with this policy of auto-renewal or do we need any more transparency or express authority from customers?
GDPR regulates the processing of personal data. “Processing” basically means any business activity that involves data, so writing to customers for whatever reason is a processing activity.
Under the GDPR, it is illegal to process personal data unless one has a “legal basis for processing” that data. The GDPR sets out six possible bases of processing. In this case, there are three possibilities (and you must choose one to the exclusion of the others because they are not allowed to overlap).
The first possibility is you use the “consent” of the customer as the basis of processing i.e. you have the consent of the individual to write to them in respect of the renewal date. But consent is a strict standard under GDPR and often “gets in the way” of the customer relationship.
This is because consent must now be “given by a clear act establishing a freely given, specific, informed and unambiguous indication of the recipient’s agreement”. Importantly, consent is not regarded as freely given if there is a detriment to the person giving it, were they to refuse. Since in this case a customer might well suffer a detriment, it is doubtful you could actually use consent as the basis of processing. Actually, here it does not matter because the other two possible bases seem preferable for all sorts of reasons.
The second possible basis of processing is where processing is necessary for the performance of a contract to which the customer is party (or in order to take steps at the request of the data subject prior to entering into a contract). Since you set out in your terms and conditions that you need to contact the customer to continue the contract, this seems like the most appropriate basis of processing here.
However, there is another third possible basis of processing you might use here. That is where processing is necessary for the purposes of the legitimate interests pursued by you “except where such interests are overridden by the interests or fundamental rights and freedoms of the [recipient]which require protection of personal data”. In other words, if you think it’s in your legitimate interests to write to the customer, then you may do so.
In this case, the second basis is best. But there is more to say. One of the overriding principles of GDPR is lawfulness, fairness and transparency. So the clearer you are about what you are doing and why, the safer you are about not infringing the GDPR. You cannot just bury the “need to contact for renewal” somewhere in the terms and conditions (i.e. in the small print); you need to make it clear and upfront.
As far as the free weekly newsletter goes, if one of the items the customer is paying for in the contract is that newsletter, then there is no difference to sending this to them than to the communication to renew the contract. But I don’t think you can say this here because you describe it as “free” i.e. some sort of add-on. It’s not “necessary” for the contract and you would need to rely on the consent basis of processing or the legitimate interests basis of processing instead.
If your “free weekly newsletter” is a marketing communication (which I suspect it is) then in addition you will need to comply with a piece of legislation that sits alongside GDPR called The Privacy and Electronic Communications (EC Directive) Regulations 2003. It restricts unsolicited marketing by phone, fax, email, text, or other electronic message. There are different rules for different types of communication. If you are sending by email, you may not send it unsolicited without consent unless:
i) you obtained the contact details of the recipient of that email in the course of the sale or negotiations for the sale of a product or service to that recipient;
ii) the direct marketing is in respect of your similar products and services only; and
iii) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication. In other words, you give an opt-out.
PECR is due to be updated to make it stricter in line with GDPR – but this will not happen until much later this year.