ICO (UK) - Saga Services Limited: Difference between revisions
(→Facts) |
|||
Line 55: | Line 55: | ||
=== Facts === | === Facts === | ||
in | The ICO received a number of complaints regarding unsolicited email marketing. These were sent on behalf of Saga Services Limited (hereafter 'SSL') by different partner companies, so it launched an investigation into SSL's data practices. | ||
First, it sent a letter to the Saga Group requesting information "''including details of Saga Group's Partners/Affiliates, websites from which consent for marketing was obtained together with evidence of that consent, and a description of any due diligence carried out with respect to the data used by Saga Group''". The company replied, informing the ICO that the marketing content was indeed sent out by partners on behalf of SSL "''using a database of individuals who had opted in to receiving marketing materials from third parties either via the Partners' websites or via websites operated by their sub-contractors''". No personal data was actually transferred to the company, but it exercised total control over the content to comply with FCA requirements. The targeting and recipients was nonetheless controlled by its partners. | |||
Then, the ICO reviewed whether the consent on which the email marketing was based was legitimately obtained. It found that SSL was not named on any of the privacy policies the users of different websites agreed to. Some consent statements did not even inform the individuals agreeing to them that they would receive any third party marketing. | |||
=== Holding === | === Holding === | ||
in | The ICO held that SSL was in breach of [https://www.legislation.gov.uk/uksi/2003/2426/regulation/22 Regulation 22 PECR] because it instigated the transmission of the 128,895,718 unsolicited direct marketing messages sent and failed to obtain valid consent from individuals who received them. The breach was serious and negligent, respectively due to the high number of emails sent and lack of steps taken by the company to prevent it. | ||
It stated that while SSL relied on 'indirect consent' for its direct marketing, the [https://ico.org.uk/for-organisations/guidance-index/data-protection-and-privacy-and-electronic-communications/ ICO's guidance] explicitly states that it is insufficient for email marketing. | |||
Thus, the ICO fined the company approximately €176,000 (GBP 150,000). | |||
== Comment == | == Comment == |
Revision as of 14:01, 16 September 2021
ICO (UK) - Saga Services Limited | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 4(11) GDPR Regulation 22 PECR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 13.09.2021 |
Published: | 15.09.2021 |
Fine: | 150,000 GBP |
Parties: | Saga Services Limited |
National Case Number/Name: | Saga Services Limited |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | ico.org.uk (in EN) |
Initial Contributor: | Frederick Antonovics |
The UK DPA fined Saga Services Limited approximately €176,000 (GBP 150,000) for sending a total of 128,895,718 unsolicited direct marketing messages to subscribers without their consent.
English Summary
Facts
The ICO received a number of complaints regarding unsolicited email marketing. These were sent on behalf of Saga Services Limited (hereafter 'SSL') by different partner companies, so it launched an investigation into SSL's data practices.
First, it sent a letter to the Saga Group requesting information "including details of Saga Group's Partners/Affiliates, websites from which consent for marketing was obtained together with evidence of that consent, and a description of any due diligence carried out with respect to the data used by Saga Group". The company replied, informing the ICO that the marketing content was indeed sent out by partners on behalf of SSL "using a database of individuals who had opted in to receiving marketing materials from third parties either via the Partners' websites or via websites operated by their sub-contractors". No personal data was actually transferred to the company, but it exercised total control over the content to comply with FCA requirements. The targeting and recipients was nonetheless controlled by its partners.
Then, the ICO reviewed whether the consent on which the email marketing was based was legitimately obtained. It found that SSL was not named on any of the privacy policies the users of different websites agreed to. Some consent statements did not even inform the individuals agreeing to them that they would receive any third party marketing.
Holding
The ICO held that SSL was in breach of Regulation 22 PECR because it instigated the transmission of the 128,895,718 unsolicited direct marketing messages sent and failed to obtain valid consent from individuals who received them. The breach was serious and negligent, respectively due to the high number of emails sent and lack of steps taken by the company to prevent it.
It stated that while SSL relied on 'indirect consent' for its direct marketing, the ICO's guidance explicitly states that it is insufficient for email marketing.
Thus, the ICO fined the company approximately €176,000 (GBP 150,000).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Action we've taken/ Enforcement/ Saga Services Limited EN Saga Services Limited Date 15 September 2021 Type Enforcement notices Sector Finance insurance and credit During the period 29 November 2018 and 2 May 2019, a confirmed total of 128,895,718 unsolicited direct marketing messages were received by subscribers, having been sent at the instigation of Saga Services Ltd. These messages contained direct marketing material for which subscribers had not provided valid consent. Further Reading Saga Services Limited enforcement notice Action we've taken PDF (81.68K) Saga Services Limited monetary penalty notice Action we've taken PDF (189.43K) We Buy Any Car, Sports Direct and Saga fined £495,000 after sending millions of ‘frustrating and intrusive’ nuisance messages. About the ICO Action we've taken/ Enforcement/ Saga Services Limited EN Saga Services Limited Date 15 September 2021 Type Enforcement notices Sector Finance insurance and credit During the period 29 November 2018 and 2 May 2019, a confirmed total of 128,895,718 unsolicited direct marketing messages were received by subscribers, having been sent at the instigation of Saga Services Ltd. These messages contained direct marketing material for which subscribers had not provided valid consent. Further Reading Saga Services Limited enforcement notice Action we've taken PDF (81.68K) Saga Services Limited monetary penalty notice Action we've taken PDF (189.43K) We Buy Any Car, Sports Direct and Saga fined £495,000 after sending millions of ‘frustrating and intrusive’ nuisance messages. About the ICO EnglishCymraegEnglishCymraeg