Directory last updated 14 March 2026
Guidance on GDPR and PECR compliance for organisations using UK healthcare data, including legitimate interests, marketing emails and privacy notice requirements.
GDPR (General Data Protection Regulation) governs the storage and processing of personal data, including information such as names and email addresses.
PECR (Privacy and Electronic Communications Regulations) specifically regulates electronic marketing communications, including marketing emails.
Because sending a marketing email involves storing and processing personal data, GDPR applies alongside PECR when organisations conduct email marketing.
Under GDPR, personal data can only be processed if there is a lawful basis for doing so. There are six lawful bases available; for organisations engaged in marketing activities, the most relevant is often Legitimate Interests.
Guidance from the Information Commissioner’s Office (ICO) explains how organisations can rely on legitimate interests as a lawful basis for processing personal data.
Under Recital 47 of the GDPR, it is recognised that:
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Organisations relying on legitimate interests should complete a Legitimate Interests Assessment (LIA) to ensure the processing is necessary and balanced against the rights and freedoms of individuals.
Guidance on completing a Legitimate Interests Assessment can be found here:
The Data & Marketing Association (DMA) also provides useful guidance on GDPR and marketing activities:
Guidance - DMA - Data & Marketing Association
According to the DMA, direct marketing is recognised within GDPR as a legitimate interest because communication with prospective customers is an essential component of commercial activity.
GDPR states that processing is lawful where it is:
“Necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual.”
(Article 6(1)(f), GDPR)
SpecialistInfo only provides email addresses (on request) to customers within healthcare-related organisations.
Customers may find the following ICO guidance on marketing emails helpful:
ico.org.uk/for-the-public/online/spam-emails/
The ICO notes that if someone receives a marketing email from a legitimate and identifiable UK organisation, they should first use the unsubscribe link provided. The organisation is then expected to stop sending marketing emails.
The ICO also states that:
Organisations are permitted to send marketing emails to corporate work email addresses (for example those belonging to companies, partnerships, LLPs or government bodies) without prior consent.
Organisations processing personal data must provide clear and transparent privacy notices. These should explain how personal data is used and the rights available to individuals.
A privacy notice should include the following information:
Under Article 12 of the GDPR, this information must be presented in clear, plain language and in a way that is easily understood by the intended audience.