I was recently contacted on a work email address by a recruiter, working from a private recruitment agency. I have had no prior contact with this recruiter or agency before this.

The work email address I was contacted on is not listed in the public domain anywhere that I know of (not on the company site, not on LinkedIn etc).

When I questioned the recruiter about where he found my email, they stated that they had:

"[...] had contact with people at [CompanyX] before and know the email syntax".

I can only assume this means they knew I had started work at the company (this information is available on LinkedIn in the public domain) and knew the email syntax, and so used this knowledge to guess my email address and contact me.

Given new GDPR legislation in the UK and Europe, specifically around the need for a company to gain explicit consent to contact someone before doing so, is this approach for contacting people legal under GDPR?

George Harris

1 Answer

First, take a look at Article 13(1) of Directive 2002/58/EC:

Article 13

Unsolicited communications

  1. The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent.

  2. Notwithstanding paragraph 1, where a natural or legal person obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service, in accordance with Directive 95/46/EC, the same natural or legal person may use these electronic contact details for direct marketing of its own similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details when they are collected and on the occasion of each message in case the customer has not initially refused such use.

Note that this is a Directive, so it is not directly binding, but each EU member state has created its own laws containing this. I also quoted paragraph 2 for completeness, but based on your description, it does not apply.

Article 95 GDPR explicitly specifies it does not change any obligations from Directive 2002/58/EC.

So it looks very clear to me the situation you describe is not legal.

Article 14 GDPR allows you to request all information regarding this, which includes information on how exactly they have obtained your name and email address.

wimh