Consent for sharing data with a third party [GDPR]

Do you need to obtain explicit affirmative user consent to send their data to a third party?

Currently we have a form on our website for users to fill out to register interest in our service. This data is then stored in our own database, but it is also sent to a sales service provider and a marketing service provider.

Do we need to get explicit consent from the user to send their details (personally identifiable, includes name and phone number) to these third party services?

Because the user has willingly given us this information is it OK to just send the data to third parties or do we need consent?


  • Is the third party acting on behalf of you and your core product which the customer has shown explicit consent in being contacted regarding?

    If the third party is a Data Provider and handling the customer's details on your behalf, to provide a service that the customer has explicitly consented to, then my understanding is you will be ok.

    If they aren't providing a service that the customer has consented to receive information on, or they are selling an unrelated service or product, you're going to be in big trouble.

    Basically you are the Data Controller: you have procured the information directly from the client and it is all necessary to fulfill the task for which it is given, and any contact will only receive communication relating to it or that they expect. If you or the Data Provider breach this then you, the Data Controller, could be in trouble.