A report at The Guardian explains that companies complying with the GDPR can process personal data only under one of six lawful bases: consent, contract, legal obligation, vital interests, public interest and legitimate interests.
If the company contacting you already held valid consent to communicate with you, it does not need to obtain that consent again. But if it never specifically sought that consent, then using your personal data to send you a message asking for consent puts it in breach of the rules. If, however, the communication rests on one of the other five lawful bases, it may be in the clear.
This is further complicated because many companies obtained consent when they first contacted a customer but failed to record how and when that consent was given, and the GDPR requires a controller to be able to demonstrate that consent was obtained.
According to the report, there are other regulations to consider.
“In many cases the sender will be breaching another set of regulations, the Privacy and Electronic Communications Regulations, which makes it an offence to email someone to ask them for consent to send them marketing by email”.
Australia has a similar layering of obligations. Not every systems breach falls under the Notifiable Data Breaches (NDB) scheme, but a breach that a reasonable person would expect to have a material effect on the value of an ASX-listed company must be disclosed to the ASX under its continuous disclosure rules.
ASX Listing Rule 3.1 requires listed companies to disclose any information that a reasonable person would expect to have a material effect on the price or value of the company's securities. That obligation extends well beyond the personally identifiable information that is the focus of the NDB scheme.
The lesson in all this: keep a record of the contractual commitments made between you and your customers, including how and when each person consented to providing their information and what you told them you would use that data for.