ICO - Studios MG Limited (Monetary Penalty): Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO |DPA_With_Country=ICO (UK) |Case_Number_Name=S...")
 
No edit summary
 
(2 intermediate revisions by 2 users not shown)
Line 30: Line 30:
|National_Law_Link_2=https://www.legislation.gov.uk/ukpga/1998/29/section/55A/2017-06-27
|National_Law_Link_2=https://www.legislation.gov.uk/ukpga/1998/29/section/55A/2017-06-27


|Party_Name_1=
|Party_Name_1=Studios MG Limited
|Party_Link_1=
|Party_Link_1=
|Party_Name_2=
|Party_Name_2=
Line 50: Line 50:
}}
}}


Information Commissioner’s Office (ICO) issues £40.000 monetary penalty for sending unsolicited marketing emails advertising protective face masks in breach of Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
Information Commissioner’s Office (ICO) issued a €44000 fine against Studios MG Limited for sending unsolicited marketing emails advertising protective face masks, in breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
Studios MG Limited (SMG), a London based ‘software design and build’ company, sent, at the beginning of the Covid19 related lockdown measures, an email advertising surgical masks and providing a link to a vendor’s website to at least one, but an estimate of 8000-9000 email addresses.  
Studios MG Limited (SMG), a London based ‘software design and build’ company, sent, at the beginning of the Covid19 related lockdown measures, an email advertising surgical masks and providing a link to a vendor’s website to at least one, but an estimate of 8000-9000 email addresses.  


=== Dispute ===
===Dispute===
Did SMG act in breach of regulation 22 PECR, and, if so, are the conditions for a monetary penalty under section 55 A of the Data Protection Act 1998 (DPA) met?
Did SMG act in breach of regulation 22 PECR, and, if so, are the conditions for a monetary penalty under section 55 A of the Data Protection Act 1998 (DPA) met?


=== Holding ===
===Holding===
The Commissioner finds that SMG contravened regulation 22 PECR.  
The Commissioner finds that SMG contravened regulation 22 PECR.  


Line 79: Line 79:
The Commissioner returns to this element in elaborating on her exercise of discretion to issue a penalty. In summary, the Commissioner considers as aggravating elements the attempt to exploit and capitalise on the pandemic, the absence of any efforts to act in line with data protection principles (including, but not limited to, not having registered with the ICO’s public data protection register) as well as a lack of cooperation with the ICO regarding the investigation.  
The Commissioner returns to this element in elaborating on her exercise of discretion to issue a penalty. In summary, the Commissioner considers as aggravating elements the attempt to exploit and capitalise on the pandemic, the absence of any efforts to act in line with data protection principles (including, but not limited to, not having registered with the ICO’s public data protection register) as well as a lack of cooperation with the ICO regarding the investigation.  


== Comment ==
==Comment==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the English original. Please refer to the English original for more details.
The decision below is a machine translation of the English original. Please refer to the English original for more details.



Latest revision as of 09:15, 21 October 2020

ICO - Studios MG Limited (Monetary Penalty)
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law:
Regulation 22 PECR
Section 55A DPA98
Type: Other
Outcome: n/a
Started:
Decided: 06.10.2020
Published: 08.10.2020
Fine: 40000 GBP
Parties: Studios MG Limited
National Case Number/Name: Studios MG Limited (Monetary Penalty)
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Monetary Penalty Notice (in EN)
Initial Contributor: n/a

Information Commissioner’s Office (ICO) issued a €44000 fine against Studios MG Limited for sending unsolicited marketing emails advertising protective face masks, in breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

English Summary

Facts

Studios MG Limited (SMG), a London based ‘software design and build’ company, sent, at the beginning of the Covid19 related lockdown measures, an email advertising surgical masks and providing a link to a vendor’s website to at least one, but an estimate of 8000-9000 email addresses.

Dispute

Did SMG act in breach of regulation 22 PECR, and, if so, are the conditions for a monetary penalty under section 55 A of the Data Protection Act 1998 (DPA) met?

Holding

The Commissioner finds that SMG contravened regulation 22 PECR.

In confirming the contravention she emphasizes that emails were obtained from a variety of undefined resources, and that no efforts were made to obtain or demonstrate consent.

In addition, the Commissioner notes in this context, had SMG deleted the relevant database as well as their platform provider account, following initiation of the Commissioner’s investigation, rendering an accurate determination of the number of affected individuals impossible.

She considered whether the ‘soft opt-in’ exemption provided by regulation 22 (3) PECR was relevant, but denied this for SMG being a ‘software design and build consultancy’, i.e. a business without any evident relation to the sale of protective equipment.

The Commissioner continues by examining the conditions for issuing a monetary penalty under section 55A DPA.

In the context of confirming the necessary seriousness of the contravention she makes specific reference to the ‘Information Commissioner’s guidance about the issue of monetary penalties prepared and issued under section 55C(1) of the Data Protection Act 1998’ to support the fact that such qualified breach may be constituted even by a single traceable incident.

In particular, she later elaborates, did the number of complaints not necessarily reflect the gravity of a potential breach, since most recipients could be expected not to go as far as making an official complaint but would rather just delete or ignore an unsolicited marketing email.

With a view to the time of registering the domains SMG used for their activities, the Commissioner concludes that the company deliberately ‘intended to capitalise on the health pandemic’.

The Commissioner returns to this element in elaborating on her exercise of discretion to issue a penalty. In summary, the Commissioner considers as aggravating elements the attempt to exploit and capitalise on the pandemic, the absence of any efforts to act in line with data protection principles (including, but not limited to, not having registered with the ICO’s public data protection register) as well as a lack of cooperation with the ICO regarding the investigation.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.