GDPR allows an organisation to communicate with people if it’s in the organisation’s interest to do so – but only if it doesn’t override the recipient’s rights and should only involve communications that one would reasonably expect. The same applies to sharing personal data.