“We are planning to send a nice introduction letter to some potential clients, with a view of follow up calls to introduce our organisation. However 50% of this potential client database was collected when staff were working at previous employers (note there’s no issue with restrictive covenants).
Now that the new GDPR regulations 2018 are in force, what are the implications on actioning this plan? Where do we stand legally as an organisation as we do not have authorisation for any of the potential clients to have their details on file? 🤔”
“There is yet no specific guidance applicable to your scenario, but our initial view is that you should be able to rely on a ‘legitimate interest’ exception and the ‘balancing test’ to use such data and send the intro letters without consent. See further here.