Someone hands you their business card. You feel pleased because it suggests they will be content for you to contact them again. It might signal the prospect of new business or the start of a mutually beneficial business relationship. But will you feel the same after the GDPR comes into force on 25 May 2018 – or is the GDPR the death knell for the business card?
Clearly you have received personal data and it is certainly your intention to process it.
By providing you with their business card in a business context, the person will reasonably expect that you will use their details to contact them. This means that “legitimate interest” should be available to you as a lawful basis to contact them and provide them with marketing and other business information. In this B2B setting, there is no need to obtain their consent.
It would be prudent, when you make the next contact using that personal data, for you to provide them with your privacy notice – this could be done as unobtrusively as drawing their attention to a link to that notice on your website.
You should restrict the information you send to the type of information they would reasonably expect to receive from you and remind them of their right to ask you to stop contacting them (unsubscribe). And you need to understand and comply with the limitations on “legitimate interest” as a basis for processing personal data. But yes, you can contact them.
If you are in the business of collecting business cards, for example on your stand at an exhibition, it will be best to get the person to confirm that they do indeed consent to you contacting them for specific purposes – and you need to be able to demonstrate that they gave that consent freely, unambiguously and knowing what they were consenting to.
No, the GDPR is not the death of the business card; but make sure you use the personal data on it in a lawful way.
My business card details appear below and I will be pleased to hear from you.