We're getting a lot of queries about emailing clients, and how this will change under the GDPR. So, in this blog, we're going to look at the legal aspects of marketing emails, as they apply to veterinary practices (although this is general advice that would apply to many other sectors). Please note, this is general and advisory information, for details of your own practices' situations we would advise that you seek specific advice from your legal team.
Sending an email is defined as a data processing activity, but it is also important to remember that segmenting email lists (e.g. into dog and cat clients to send them different marketing materials or information) is also a form of processing, and one that you might have to justify.
Personal data is defined as “any information relating to an identifiable [natural] person who can be directly or indirectly identified in particular by reference to an identifier” (ICO, 2018a). In other words, any details that on their own OR in combination with other information could be used to identify a living person. Note that this relates only to “natural persons”, as “legal persons” (companies etc.) are not in possession of personal data and are not protected by the GDPR.
Under the GDPR there are a number of different legal bases that can be used to justify the processing of personal data. It is important to remember that “No single basis is ’better’ or more important than the others - which basis is most appropriate to use will depend on your purpose and relationship with the individual.” (ICO, 2018b). Therefore, we should use the most appropriate basis for the task at hand.
The six available basis are:
Consent - the client must have given freely given specific and unambiguous permission for their data to be used for a particular purpose. This might include, for example, asking if people want to sign up for an optional reminder service.
Contract - the data is being processed for the performance of a contract. This, for example, might be used cover processing a client’s address and payment details, for billing purposes.
Legal obligation - you are required by law to process the data. It could easily be argued that this would cover keeping clinical records, for example.
Vital interests - processing the data is necessary to protect someone’s life. This wouldn’t usually apply to veterinary practice, but might, for example, be relevant if the practice had an employee with a severe allergy.
Public task - the processing is necessary to perform a task in the public interest. Again, not particularly relevant to us but might possibly cover some OV functions, e.g. Pet Passports.
Legitimate interests - the data is processed to perform a task in your legitimate interests AND there is no good reason to protect the Data Subject’s personal data that overrides those legitimate interests. This is the basis that is most appropriate for most client communications - for example, contacting a client about their animal, or sending them email newsletters.
For emailing a client, the appropriate basis would be either Consent or Legitimate Interests.
In the sections below we will consider these different approaches, and how to be legally compliant using either.
The GDPR sets several specific conditions that are required for consent to be considered valid.
It must be freely given - in other words, clients must not be required to give consent to marketing to access another service. So, you cannot require clients to give you consent to marketing before you will enroll them.
It must be unambiguous - clients must be aware of exactly what they are consenting to; specifically, they must know who the Data Controller is (that will be the practice - but if you are part of a group, you need to specify whether the branch, franchise or group is the Data Controller of record), why you will be processing that data (to send them email newsletters and to communicate with them about services, products and offers that may be of interest to them), and how you will process that data (by sending them emails/mailshots/text messages, potentially including specifying who will process the data on your behalf, i.e. us!). Much of this information should be on your practice Privacy Notice, but it may need to be restated in your consent documents.
It must require a positive action to opt-in; in other words, the client must take an action to give consent, a “pre-ticked” box on an online form is specifically prohibited. The same applies to offline consent - the client must opt in, not opt out, of consent to marketing.
It must be granular: a client can consent to one type of processing without consenting to another. So, for example, a client can give consent to be contacted by email, but not by telephone or post; or give consent to receive vaccine reminders but not other marketing materials.
You will, of course, need to keep records of that consent, and provide people with an opt-out - they must be specifically informed that they can withdraw consent at any time. Once a Data Subject has withdrawn their consent, you must stop processing their data immediately, and unless you have to store that data under another legal basis, delete the data.
As you see, this is very similar to what happens in practice every day when obtaining consent for a procedure on the client’s animals! The big difference now is that this is required for the processing of any personal data, as well.
In addition, any mailing lists you already hold will cease to be valid on 25th May 2018 IF:
(a) They are based on consent, and
(b) That consent does not meet the new requirements.
As a result, consent may not be the most appropriate basis. If you wish to contact your existing clients, you may find that Legitimate Interest is a more appropriate basis. This is the most flexible approach to data processing, and much less arduous for the client (no consent forms for them to fill in!). However, it does place certain responsibilities on the Data Controller (i.e. you), and you will need to be able to defend your decision to use Legitimate Interest, if necessary.
In general, Legitimate Interest is appropriate if “you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing” (ICO, 2018b). In other words, it is a use of data that the client would expect from you, and they’re not likely to feel that you’re invading their privacy by doing so. As an example, if a client gives you their email address, it is reasonable to assume that they expect you to email them occasionally. Use of their name, animal type and email address to communicate with an existing client would not usually seem to put their privacy at increased risk, since you already hold that data for legitimate purposes.
However, Legitimate Interests processing does mean that you take on a certain degree of additional responsibility - you must be able to demonstrate that your processing passes the “three part test”:
You have a legitimate interest. This may be commercial, individual, or even a wider societal benefit. In this case, informing your clients about animal health and welfare issues, or an opportunity to give you feedback on the service that you provide would be in your commercial interest, but also in the interests of society more widely. Emailing your clients would therefore usually pass this test.
That the processing is necessary to achieve it - if all of your clients visit your practice every week or so, emailing them is not necessary to meet the interest above. If, however (like in the real world!) many of your clients are seen only infrequently, then processing would generally be seen as necessary, so would pass this test.
That your interests have been balanced against the interests of the Data Subject. This is where you must compare the benefits to you against the benefits and potential harms to the Data Subject (the client). This is something you have to do based on your client base and the exact purposes for sending emails; however, generally speaking, we would argue that sending newsletters about offers and services are in your commercial interests and the client’s interest; emails about animal health and welfare issues are in your commercial interests, the client’s interests and the interests of society more widely; and review-request emails would be in your interests and those of wider society. The potential harms - any invasion of privacy - can be minimised if you have suitable safeguards in place (e.g. data protection policies in the practice, and a suitable data processing contract or agreement with the data processor you use).
This Legitimate Interests Assessment (LIA) process must be documented and recorded, including all potential harms and benefits. This is a weighting process, where you must be able to demonstrate that you have considered the consequences of this processing, and should probably be recorded in your practice Data Protection Policy. However, once done, that process doesn’t need to be repeated every time. It simply needs to be reviewed periodically - perhaps every year or two, or if you want to make significant changes to the content or type of marketing you’re sending. If you agree that the original balance of harms and benefits remains unchanged, you just need to record that you have reviewed it.
Our legal opinion is that you “can rely on the legitimate interests processing condition to contact your own clients with information about your own products and services and that you wouldn't necessarily have to ask for consent for this first... the relevant section of the GDPR is Article 6(1)f. Recital 47 which accompanies Art 6(1)f states that direct marketing is a legitimate interest” (Wakelam, 2018). However, this does not extend to third parties - in other words, you can only use this legal basis to market to existing clients.
In addition, under Legitimate Interest, clients retain all of their data rights, especially the Right to be Informed. As such, it is important to include your legitimate interests in your Privacy Notice (on your website), and also to inform clients when you collect their email addresses that you may use it to contact them in relation to these. Finally, you must include an opt-out on all marketing emails.
As a result, we suggest that Legitimate Interests justifies the sending of marketing emails to clients; however, to be legally compliant you must document the LIA within your practice before doing so, inform clients (on your Privacy Notice), and allow them an opt-out.
ICOa - Information Commissioner’s Office (2018), Key Definitions in Guide to the GDPR for Organisations. Accessed on 20/04/2018, available at:
ICOb - Information Commissioner’s Office (2018), Lawful Basis for Processing in Guide to the GDPR for Organisations. Accessed on 20/04/2018, available at:
Walkham, T. (2018), private correspondence from Probert Legal Ltd.