Document register | Andmekaitse Inspektsioon |
Reference | 2.2-9/25/453-1 |
Registered | 10.02.2025 |
Synchronized | 11.02.2025 |
Type | Incoming letter |
Function | 2.2 Authorisation and notification procedures |
Series | 2.2-9 Requests for explanation |
File | 2.2-9/2025 |
Access restriction | Public |
Access restriction | |
Addressee | ALG Data Privacy |
Method of receipt/dispatch | ALG Data Privacy |
Responsible person | Maarja Kirss (Andmekaitse Inspektsioon, Cooperation area) |
Attention! This is a letter received from an external network. |
Dear Sir/Madam,
We are writing to you to seek guidance from the Estonian Data Protection Inspectorate on the legal basis for collecting and storing contact data of healthcare professionals. As we work with numerous companies in the pharmaceutical sector, we would like to understand the regulatory position regarding the processing of healthcare professionals’ personal data in Estonia.
Background:
Companies operating in the pharmaceutical sector often implement structured and compliant models for the engagement of Healthcare Professionals across Europe. To facilitate effective professional interactions, many companies procure databases from reputable third-party providers, such as IQVIA and Veeva, which compile publicly available information on healthcare professionals, including their names, workplaces, specialties, and professional contact details. This data is typically maintained within dedicated communication platforms and systems, most commonly a Customer Relationship Management (CRM) system, which ensures secure storage and allows for strict access rights management configuration.
In practice, the engagement process follows a widely adopted approach. Key Account Managers initiate contact exclusively via direct telephone outreach. The initial interaction consists of a personal phone call during which the Key Account Manager introduces the company and inquires whether the healthcare professional would be open to receiving relevant medical and scientific content. If the healthcare professional agrees, they are formally enrolled in the company’s engagement programs, which include updates on scientific and medical advancements, invitations to industry events, conferences, and congresses, and opportunities to participate in advisory roles or research collaborations. These interactions are designed not only to uphold ethical and compliant engagement but also to support healthcare professionals in staying informed about advancements in their field.
Legal Assessment:
The justification for engaging healthcare professionals via telephone is based on well-established legal principles and precedents across the EU. The E-Privacy Directive (Directive 2002/58/EC), which complements the GDPR, sets out rules for electronic communications. Specifically, Article 13 of the Directive differentiates between electronic communications (e.g., emails and SMS), which require prior consent, and real-time communications (e.g., telephone calls), which may be conducted under legitimate interest, depending on national legislation. Several EU data protection authorities, including the French CNIL, have recognized that professional engagement through telephone calls—where the data is sourced from publicly available directories and an opt-out mechanism is provided—can lawfully be conducted under the legitimate interest framework. This distinction is particularly relevant because real-time telephone interactions allow an immediate two-way dialogue, enabling professionals to confirm their interest in continued communications, in contrast with electronic communications, such as emails and SMS, that generally require prior consent.
Additionally, the rationale for storing the personal data in question is anchored in Article 6(1)(f) of the GDPR, which permits the processing of personal data when it is necessary for the purposes of legitimate interests pursued by the controller, provided that those interests are not overridden by the data subject’s fundamental rights and freedoms. We have observed that several European data protection authorities have accepted legitimate interest as a valid legal basis for processing publicly available professional data, particularly when such data are derived from sources such as regulatory bodies, professional directories, or scientific publications, the use of the data is strictly confined to professional engagement rather than aggressive marketing, and when appropriate safeguards, including privacy notices and opt-out mechanisms, are implemented.
Request for clarification:
In light of these considerations, we respectfully seek confirmation and clarification on the following key issues:
We seek clarification on whether the storage of publicly available professional contact data in a CRM system can be justified on the basis of legitimate interest in Estonia. Specifically, we wish to ascertain whether the lawful retention and processing of such data on this legal basis is consistent with Estonian regulatory expectations, given that comprehensive safeguards are implemented to ensure data security and compliance. As the GDPR applies uniformly across the EU, and legitimate interest has been widely accepted for similar business activities across other Member States, we respectfully submit that Estonia could follow a consistent and proportionate approach in recognizing legitimate interest as a lawful basis for storing and processing professional healthcare professional data. Such an approach would enhance compliance for multinational pharmaceutical companies while ensuring that Estonian healthcare professionals receive scientifically relevant and professionally beneficial information in a GDPR-compliant manner.
Given the allowance under the E-Privacy Directive for direct marketing calls using publicly available data, can companies lawfully engage Healthcare Professionals by telephone on the basis of legitimate interest in Estonia? We are aware that for B2C communications and targeted outreach, the Law of Obligations Act (Section 60 thereof) permits direct marketing calls based on legitimate interest, provided that recipients have not objected. Furthermore, to our knowledge, Estonia does not maintain a national opt-out list for telemarketing, which suggests that businesses face no legal impediments in engaging and continuing this business practice in Estonia.
We appreciate your attention to these matters, as your guidance is essential to ensuring that operations in Estonia remain fully compliant with both national and EU data protection frameworks. We are available to provide further details and look forward to your response.
Thank you for your time and consideration.
Yours sincerely,
ALG Data Privacy team