The General Data Protection Regulation (GDPR) allows an organisation to collect, store and use someone’s personal data if they can demonstrate a legitimate interest.
Recital 47 of the Regulation explains this further https://gdpr-info.eu/recitals/no-47. It suggests that the legitimate interest basis can be used to justify the processing of personal data for commercial activities, including direct marketing, if:
- the processing is in line with the individual’s reasonable expectations (e.g. if they are an existing client, or have shown an interest in the organisation)
- the activities of the organisation do not override the interests of the individual (e.g. they should not go beyond what can reasonably be expected).
At Oyster we have carried out legitimate interest assessments for the data processing of customers and non-customers, and concluded that our activities are in line with the legitimate interest definition. We can make these formal assessments available on request. However, the key points are summarised below.
Customers
- The customer would reasonably expect that Oyster will need their personal details in order to arrange a trip, book flights and respond to emergencies
- The customer would reasonably expect that some of this data will need to be shared with those supervising the customer abroad
- The customer is in control of supplying the data to Oyster
- Personal data will be used only for these purposes
- It will be kept secure and deleted when no longer needed.
Ex-customers and people who have expressed an interest in Oyster
- Oyster has a legitimate interest in processing very basic data (name, contact details, area of interest) for people who have shown an interest in our services
- These people have instigated the relationship with Oyster by doing one of our projects or enquiring about them
- The nature and frequency of communication is very limited and does not impact negatively on the individual
- The individual is invited to end the relationship at any time
- Personal data will be kept secure and deleted on request.
See Oyster’s Privacy Notice for more information about Oyster’s use of personal data, secure processing and your rights under the GDPR.