In this case I asked Village Hotels to:
- Confirm whether they are registered as a data controller under the Data Protection Act 1998.
- Provide a copy of all data they hold which relates to me.
- Confirm to me in writing where they obtained the data from and on what terms.
- Provide me with a complete list of companies, individuals, etc, that they have shared my data with and on what terms.
- Explain when and how they believe I gave them informed consent to send marketing emails.
It seems that they have only my name and email address, which they thought had previously been deleted from their systems.
Notably they haven't said why they think they had consent, or where they got my data.
They enclosed an email chain, which is interesting: it includes a comment from someone at DA Group, which says
Also agree that you need to be careful emailing contacts that have had no interaction with your emails for 18 months - may be better to focus on a re-engagement campaign to these contacts rather than actively marketing to themDA Group appear to be a marketing company, and the above comment seems a bit questionable. The Privacy and Electronic Communications (EC Directive) Regulations 2003 don't allow unsolicited emails to be sent to anyone who hasn't given the sender informed consent. So if they can't demonstrate that such consent has been received, they shouldn't be sending any unsolicited emails, including a "re-engagement campaign".
(Also, yes the email they sent had a confidentiality statement on the bottom, no that isn't a contract I have agreed to, so I am ignoring it.)