ICO (UK) - Saga Personal Finance Limited: Difference between revisions

From GDPRhub
 
(One intermediate revision by the same user not shown)
Line 57: Line 57:


=== Facts ===
=== Facts ===
In progress
The ICO received a number of complaints regarding unsolicited email marketing. These were sent on behalf of Saga Personal Finance Limited (hereafter 'SPF') by different partner companies, so it launched an investigation into SPF's data practices.
 
The company is a subsidiary of Saga Group Limited, which received [[ICO (UK) - Saga Services Limited|a similar fine on the same day for another subsidiary's direct marketing practices]].
 
First, it sent a letter to the Saga Group requesting information "''including details of Saga Group's Partners/Affiliates, websites from which consent for marketing was obtained together with evidence of that consent, and a description of any due diligence carried out with respect to the data used by Saga Group''". The company replied, informing the ICO that the marketing content was indeed sent out by partners on behalf of SPF "''using a database of individuals who had opted in to receiving marketing materials from third parties either via the Partners' websites or via websites operated by their sub-contractors''". No personal data was actually transferred from the company, but it exercised total control over the content to comply with FCA requirements. The targeting and recipients was nonetheless controlled by its partners.
 
Then, the ICO reviewed whether the consent on which the email marketing was based was legitimately obtained. It found that SPF was not named on any of the privacy policies the users of different websites agreed to. Some consent statements did not even inform the individuals agreeing to them that they would receive any third party marketing.
=== Holding ===
=== Holding ===
In progress
The ICO held that SPF was in breach of Regulation 22 PECR because it instigated the transmission of the 28,523,745 unsolicited direct marketing messages sent and failed to obtain valid consent from individuals who received them. The breach was serious and negligent, respectively due to the high number of emails sent and lack of steps taken by the company to prevent it.
 
It stated that while SPF relied on 'indirect consent' for its direct marketing, the [https://ico.org.uk/for-organisations/guidance-index/data-protection-and-privacy-and-electronic-communications/ ICO's guidance explicitly states that it is insufficient for email marketing].
 
Thus, the ICO fined the company approximately €88,000 (GBP 75,000).


== Comment ==
== Comment ==
''Share your comments here!''
''This case is quasi-identical to the one linked, so please don't be surprised by the quasi-identical summaries.''


== Further Resources ==
== Further Resources ==

Latest revision as of 09:22, 17 September 2021

ICO (UK) - Saga Personal Finance Limited
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 4(11) GDPR
Regulation 22 Privacy and Electronic Communications Regulations 2003
Section 55A Data Protection Act 1998
Type: Investigation
Outcome: Violation Found
Started:
Decided: 13.09.2021
Published: 15.09.2021
Fine: 75,000 GBP
Parties: Saga Personal Finance Limited
National Case Number/Name: Saga Personal Finance Limited
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: ico.org.uk (in EN)
Initial Contributor: Frederick Antonovics

The ICO fined Saga Personal Finance Ltd approximately €88,000 (GBP 75,000) for sending 28,523,745 unsolicited direct marketing messages without the recipients' valid consent.

English Summary

Facts

The ICO received a number of complaints regarding unsolicited email marketing. These were sent on behalf of Saga Personal Finance Limited (hereafter 'SPF') by different partner companies, so it launched an investigation into SPF's data practices.

The company is a subsidiary of Saga Group Limited, which received a similar fine on the same day for another subsidiary's direct marketing practices.

First, it sent a letter to the Saga Group requesting information "including details of Saga Group's Partners/Affiliates, websites from which consent for marketing was obtained together with evidence of that consent, and a description of any due diligence carried out with respect to the data used by Saga Group". The company replied, informing the ICO that the marketing content was indeed sent out by partners on behalf of SPF "using a database of individuals who had opted in to receiving marketing materials from third parties either via the Partners' websites or via websites operated by their sub-contractors". No personal data was actually transferred from the company, but it exercised total control over the content to comply with FCA requirements. The targeting and recipients was nonetheless controlled by its partners.

Then, the ICO reviewed whether the consent on which the email marketing was based was legitimately obtained. It found that SPF was not named on any of the privacy policies the users of different websites agreed to. Some consent statements did not even inform the individuals agreeing to them that they would receive any third party marketing.

Holding

The ICO held that SPF was in breach of Regulation 22 PECR because it instigated the transmission of the 28,523,745 unsolicited direct marketing messages sent and failed to obtain valid consent from individuals who received them. The breach was serious and negligent, respectively due to the high number of emails sent and lack of steps taken by the company to prevent it.

It stated that while SPF relied on 'indirect consent' for its direct marketing, the ICO's guidance explicitly states that it is insufficient for email marketing.

Thus, the ICO fined the company approximately €88,000 (GBP 75,000).

Comment

This case is quasi-identical to the one linked, so please don't be surprised by the quasi-identical summaries.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.


        

    
        
            
    
        
                
                        Action we've taken/
                
                
                        Enforcement/
                
                
                        
                            Saga Personal Finance Ltd MPN
                        
                
        
    
                Saga Personal Finance Limited
            
        
    
        
        
            
                        Date
                            15 September 2021
                        Type
                            Monetary penalties
                        Sector
                            Finance insurance and credit
            
        
    

    
        
            

        

                
            The ICO has fined Saga Personal Finance Ltd £75,000 for sending 28,523,745 unsolicited direct marketing messages. These messages contained direct marketing material for which subscribers had not provided valid consent.

        

        Further Reading
            
                
                    
                        Saga Personal Finance Limited monetary penalty notice
                            
                                    Action we've taken
                                    PDF (189.37K)
                            
                        
                    
                
                
                    
                        Saga Personal Finance Limited enforcement notice
                            
                                    Action we've taken
                                    PDF (81.63K)
                            
                        
                    
                
                
                    
                        We Buy Any Car, Sports Direct and Saga fined £495,000 after sending millions of ‘frustrating and intrusive’ nuisance messages.
                            
                                    About the ICO
                            
                        
                    
                
        
        
            
 
        

        
    

    
    
        
            
    
        
                
                        Action we've taken/
                
                
                        Enforcement/
                
                
                        
                            Saga Personal Finance Ltd MPN
                        
                
        
    
                Saga Personal Finance Limited
            
        
    
        
        
            
                        Date
                            15 September 2021
                        Type
                            Monetary penalties
                        Sector
                            Finance insurance and credit
            
        
    

    
        
            

        

                
            The ICO has fined Saga Personal Finance Ltd £75,000 for sending 28,523,745 unsolicited direct marketing messages. These messages contained direct marketing material for which subscribers had not provided valid consent.

        

        Further Reading
            
                
                    
                        Saga Personal Finance Limited monetary penalty notice
                            
                                    Action we've taken
                                    PDF (189.37K)
                            
                        
                    
                
                
                    
                        Saga Personal Finance Limited enforcement notice
                            
                                    Action we've taken
                                    PDF (81.63K)
                            
                        
                    
                
                
                    
                        We Buy Any Car, Sports Direct and Saga fined £495,000 after sending millions of ‘frustrating and intrusive’ nuisance messages.
                            
                                    About the ICO
                            
                        
                    
                
        
        
            
 
        

        
    
EnglishCymraegEnglishCymraeg