Alasdair Taylor's Answer

There is no need to notify if the business is only using personal data for one of the exempt purposes, and marketing to your own customers is an exempt purpose. The exemption is set out in section 5 of the Schedule to The Data Protection (Notification and Notification Fees) Regulations 2000. It covers the processing of personal information where:

The processing-

(a) is for the purposes of advertising or marketing the data controller?s business, activity, goods or services and promoting public relations in connection with that business or activity, or those goods or services;

(b) is of personal data in respect of which the data subject is – (i) a past, existing or prospective customer or supplier; or (ii ) any person the processing of whose personal data is necessary for the exempt purposes;

(c) is of personal data consisting of the name, address and other identifiers of the data subject or information as to other matters the processing of which is necessary for the exempt purposes;

(d) does not involve disclosure of the personal data to any third party other than – (i) with the consent of the data subject; or (ii) where it is necessary to make such disclosure for the exempt purposes; and

(e) does not involve keeping the personal data after the relationship between the data controller and customer or supplier ends, unless and for so long as it is necessary to do so for the exempt purposes.

Assuming you do not need to register, that does not mean that you are not a data controller. This exemption applies only to the requirement to notify, not to the other requirements of the Data Protection Act. Accordingly, you should still include in your privacy policy a statement identifying the relevant data controller.