As the holder of the data you are the ‘data controller’. When you send your contacts messages via mediums like email and SMS you are ‘processing’ that data for that purpose.
In order to upload new contacts into PureCampaign you are asked to confirm that you can prove lawful basis to process that data you are uploading. GDPR states Six lawful bases for processing:
Headlines from ICO Lawful basis for processing:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Most marketing activity will likely fall under consent or legitimate interest. It is important that you can prove that you have lawful basis in case someone submits a subject access request, where you are required to prove it. If you cannot, you could be liable for a fine.