ICO (UK) - Emailmovers Limited
ICO (UK) - Emailmovers Limited | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 4(7) GDPR Article 4(11) GDPR Article 5(1)(a) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 22.06.2021 |
Published: | 25.06.2021 |
Fine: | None |
Parties: | Emailmovers Limited |
National Case Number/Name: | Emailmovers Limited |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | Information Commissioner's Office (in EN) |
Initial Contributor: | n/a |
The UK DPA (Information Commissioner's Office) found Emailmovers Limited (EML) in violation of Article 5(1)(f) of the GDPR for having a email database with no clear lawful basis, nor evidence that individuals wree informed that EML had acquired their personal data.
English Summary
Facts
Emailmovers Limited (EML) advertises its services, such as email data, email cleansing, email marketing, etc...). It has a database of data subjects' email addresses. On its website, it claims that it has a "GDPR and PECR [Privacy and Electronic Communications (EC Directive) Regulations 2003] compliant email database". The data was received from an unamed organisation that collected the individual's personal data and mentioned that it may be shared with thrid parties for marketing purposes.
In 2018, EML was investigated by the Information Commissioner's Office (ICO). EML provided the ICO enforcement team with 7000 records of personal data (names, dates of birth, postcodes, phone numbers, email addresses).
Emailmovers Limited claimed to be a data processor rather than a controller to the ICO. It claimed so on the basis that it processed data subjects' personal data on behalf of business clients that it had. It also relied on a document ("Legal and Commercial Terms for the Supply of Commercial and Personal Data") where it classified itself as a processor to its business clients.
Dispute
Holding
The Information Commissioner's Office first established that Emailmovers Limited (EML) was a data controller by virtue of the definition in Article 4(7) GDPR. First, the ICO highlighted that EML's "Legal and Commercial Terms..." points to the fact that EML decided who it supplied the personal data to. Additionally, the ICO found that EML determined the purposes of processing the personal data when deciding whether to disclose the database to certain business clients. EML also had broad discretion over how the data is created, stored and manipulated. The ICO also clarified that the fact that the "Legal and Commercial Terms..." document specified that EML was a processor is not conclusive. Instead, one must rely on the definition of controller found in Article 4(7) GDPR. The ICO concluded that EML determines the purposes and means of processing and is as such a data controller.
The ICO considered that EML has processed personal data in a manner that is not fair, lawful nor transparent. It is therefore in violation of Article 5(1)(a) of the GDPR. The ICO concluded that EML did not identify a lawful basis to engage in business to consumer marketing, presumably because EML argued to be a processor. The only possible lawful basis that could have be relied upon is consent according to evidence provided by EML. However, the ICO is not satisfied that consent would have been effectively collected.
The ICO found that the privacy policy of the organisation that collected the personal data, despite stating that individual's personal data would be shared with third parties for marketing purposes, was not specific enough. It did not clearly name the third party recipients.
The ICO highlighted the requirements for consent, including that it need to be "specific and informed". It specified that consent for purchased "consented" data is valid only where the purchaser is identified at the time of collection of the data (poitn where consent was given). Therefore, EML could not have purchased the data on the basis of valid consent as a lawful basis as it was not identified as a potential buyer to individuals.
Additionally, EML did not process personal data in a transparent way as individuals were not aware EML was processing their data and EML's clients were not identified to data subjects either.
Therefore, the ICO found EML in violation of Article 5(1)(f) of the GDPR. The ICO therefore requires that EML complies with the following within three months: - notify individuals whose personal data was or is processed by EML the purposes of processing, the legal basis, the categories of personal data concerned and the recipients of this data (Article 14 GDPR); - cease to process personal data of data subject to whom information notices mentioned in the point above have not been sent to; - cease to process personal data obtained on the (alleged) basis of consent; - ensure that appropriate records of consent are kept. Compliance with the ICO's notice would remedy the violation in the ICO's view and a fine may be imposed if it is not.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
THE DATA PROTECTION ACT 2018 (PART 6, SECTION 149) ENFORCEMENT POWERS OF THE INFORMATION COMMISSIONER ENFORCEMENT NOTICE To: Emailmovers Limited Of: C/O Jackson Robson Licence 33-35 Exchange Street Driffield East Yorkshire YO25 6LL 1. The Information Commissioner ("Commissioner") has decided that it would be appropriate to issue Emailmovers Limited ("EML") with an enforcement notice under section 149 of the Data Protection Act 2018 ("DPA") based on a failure by EML to comply with Art 5(1)(a) of the General Data Protection Regulation EU2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"). 2. This notice explains the Commissioner's reasons for that opinion. 3. A Preliminary Enforcement Notice was given to EML on 4 September 2019 and an opportunity to make representations was provided. A further opportunity to make representations was also afforded to EML on 23 April 2021. The Commissioner has considered those 1 representations and taken them into account in determining whether an Enforcement Notice should be issued. Legal Framework Controller 4. The Commissioner is of the view that EML is a controller as defined in Article 4(7) of the UK GDPR and section 6 of the Data Protection Act 2018 ("DPA"). A controller is "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data". 5. Although EML characterises itself as a processor, the Commissioner does not accept that characterisation for the reasons set out below. The obligation to process data fairly, lawfully and transparently 6. Personal data must be "processed lawfully, fairly and in a transparent manner in relation to the data subject": UK GDPR Art 5(1)(a). This provision is supplemented by Recital 39 which provides, relevantly: "Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information 2 to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing." 7. Recital 58 also emphasises the need for transparency in processing: "The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice makes it difficult for the data subiect to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case on online advertising ..." (Emphasis added) Lawful bases of processing 8. Processing will only be lawful where at least one of the circumstances in UK GDPR Art 6(1) applies. Those circumstances include: "(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes" 39. Consent is defined in the UK GDPR as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her": Art 4(11), see also Recital 32. 10. The conditions for "consent" are set out in UK GDPR Art 7. Article 7(1) states, relevantly: "1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data." 11. Where consent is relied upon as the basis for processing, the data subject "should be aware at least of the identity of the controller and purposes of the processing for which the personal data are intended": UK GDPR Recital 42. Commissioner's Powers 12. If the Commissioner is satisfied that a person has failed, or is failing, to comply with a provision of Chapter II of the UK GDPR, the Commissioner may give the person an Enforcement Notice requiring them to take within such time as may be specified in the Notice, or to refrain from taking after such time as may be so specified, such steps as are so specified: DPA 2018 s 149. Background 13. EML is a company that advertises its services as including email data, email cleansing, email marketing and data appending. 4 According to its website, it licenses in a wide range of personal data which includes email addresses, gender, age, employment status, and income bracket. It markets itself as having a "GDPR and PECR compliant email database". 14. On 31 January 2018, during an operation conducted by the Information Commissioner, EML provided 7000 records consisting of personal ID numbers, forenames, surnames, dates of birth, postcodes, mobile numbers (for some entries), email addresses (for some entries) and landline numbers to members of the Commissioner's Enforcement Team. The data was provided pursuant to a 12 month licence. 15% of the records related persons between the ages 75-79 and 1% related to persons over 80. The Commissioner expressly does not rely upon this sale otherwise than as background for the purposes of this Enforcement Notice. This failing occurred prior to the implementation of the GDPR and, although the Commissioner is able to rely upon enforcement powers available to her under the Data Protection Act 1998 (see DPA 2018 Sch 20, Pt 7, para 33(1)(b) she has elected not to do so in this case. 15. Following this sale, the Commissioner commenced an investigation into EML's data protection practices. 16. In the course of that investigation, EML informed the Commissioner that: a. it was a processor with respect to the personal data sourced on behalf of a client for the purposes of business to consumer marketing; and 5 b. its business to consumer data was provided by (now known as EML is a controller, not a processor 17. While the Commissioner notes that EML characterises itself as a processor under the GDPR in relation to business to consumer marketing, the Commissioner does not accept that this characterisation is correct for the reasons that follow. 18. As part of its first round of representations to the Commissioner, EML produced a document setting out the "Legal and Commercial Terms for the Supply of Commercial and Personal Data" ("Terms"), which included as an appendix, a data processing agreement ("Processing Agreement"). The Terms, containing the Processing Agreement, were executed on 25 July 2018. EML relies upon this as evidence that it was a processor rather than a controller. 19. The Commissioner has reviewed the Terms and the Processing Agreement and remains of the view that EML is a controller. The Terms and Processing Agreement demonstrate that licenses data to EML so that EML can enter into subscription agreements with third parties to supply them with that data. The choice as to which third parties are supplied with data is a decision made by EML. The purposes of processing data in this way (disclosure to third parties) are determined by EML. EML also selects the means by which the data are processed. The Terms provides EML with a broad discretion to undertake many processing activities including using the data, creating derived data, storing the data, and manipulating the data (see generally, Clause 10 of the Terms). 620. Further, the Processing Agreement does not provide support for EML's claim. The Processing Agreement does not adopt a clear position on whether the Data Receiver (EML) is a controller or processor. Indeed, para 3.1 states that EML "...is either a Data Controller or a Data Processor in their capacity as foreseen under this Agreement. The Data Receiver acknowledges that, if acting as a Data Processor, they could be deemed to be a Data Contoller depending upon their use of the Shared Personal Data and would be deemed to be a Data Controller if they make use of the Shared Personal Data in a way that is not in accordance with this Agreement." 21. In any event, even if EML were characterised as a processor by the Terms of the Processing Agreement, that does not determine whether EML is a processor or a controller. That must be determined by reference to the definitions in the UK GDPR and the DPA 2018. 22. The Processing Agreement requires the parties to process the Shared Personal Data for the "Agreed Purpose", namely: "To broadcast marketing emails on behalf of a customer or to share the data for email marketing purposes with a customer who is promoting products or services within the Categories of Recipients where a consumer has given consent for a third party marketing or where there is a legitimate interest to share the data for marketing purpose." 23. This purpose is too broadly expressed to constitute a genuine restriction on the purposes for individual acts of processing. It remains the case that EML is able to determine if, when and for what purposes (within the scope of the broadly expressed Agreed 7 Purpose) processing should take place as well as the means by which the data is processed. 24. The Commissioner is accordingly satisfied that, with respect to data obtained from and licensed to customers of EML, EML determines the purposes of that processing and the means by which it is done. It is, accordingly, a controller with respect to that data. 25. The Commissioner notes that EML provided a revised Data Processing Agreement in response to the further invitation to make representations. That Agreement was provided in template form, with no reference to how the relationship with putative data controllers operates in practice. No evidence of any executed agreement was provided. The revised Data Processing Agreement does not alter the fact that EML previously mischaracterised itself as a processor. 26. Further, EML informed the Commissioner that it was now - having seen the Commissioner's Preliminary Enforcement Notice - operating "purely as an introducer". No acceptable explanation was provided as to the actual practices adopted by EML, or how it conceived the role of an "introducer" fit within the data protection concepts of "controllers" and "processors". The Commissioner is also not satisfied, on the basis of the information that has now been provided, that EML does not continue to mischaracterise itself as such. The Failure 27. The Commissioner is of the view that EML has processed, and is processing, personal data in a manner that is not fair, lawful, or 8 transparent, thereby failing to comply with UK GDPR Art S(l)(a). The Commissioner's reasons for forming this view are as follows. 28. EML has not sought to identify the lawful basis upon which it processes personal data when engaging in business to consumer marketing. This appears to be the consequence of its misclassification as a data processor. In response to a request for policies concerning privacy and data protection, EML provided a number of policies. None of those policies addressed the manner in which, and the purposes for which, EML processed data provided to it by third parties in business to consumer marketing. 29. However, EML has informed the Commissioner that it relies on-I to provided appropriately consented marketing lists. On this basis, the Commissioner infers that EML relies upon consent as the basis for processing. The Commissioner does not accept that any consent to processing provided tol is effective to permit processing by EML. 30. The Commissioner understands that acquires personal data from the following sources: a. the website owned by , and b. the website operated by 31. The website includes a link to the privacy policy. That policy states that they will "Pass on your details to selected Companies and Trusted Partners which provide you with other offers and promotions of interest to you". The policy lists only a selection of those "partners". Despite that selection being lengthy and covering a very broad range of named companies, it does not 9 identify either or EML as potential third party recipients of personal data. The policy further does not indicate that those third party recipients may themselves disclose personal data to additional unnamed third parties for any purpose. 32. privacy policy indicates that personal data may be shared with marketing service providers. The policy states that those providers may combine the information with data from other sources, analyse and profile it and pass their knowledge on to other companies. It also indicates that names and addresses may be passed on by those providers to other companies so that those other companies can contact the individual about relevant products, services and offers. It states that this will occur "either directly or indirectly via a data broker who may legitimately process your data". The list of marketing service providers includes but not EML. The companies that marketing service providers may disclose personal data to are also not identified. 33. Further, privacy policy indicates that it will share personal data for commercial gain with third parties who "have a relationship with you" or where the third party has "a lawful reason, which may include the organisation's own legitimate interest". It states that that "data will be used ... to create a data product ... in line with ICO code of practice". It is unclear what ICO Code of Practice this was intended to refer to. The specific third parties with whom data may be shared for these purposes are not identified. The policy also indicates that data will be shared with specified "Marketing Services Providers and special Marketing Agencies". is identified as a potential third party recipient, but EML is not. A link for more information about -takes the i user to the website, which identifies EML as a "marketing partner". 1034. The ICO's Guidance on Consent under the GDPR makes clear that for consent to be "specific and informed", it must specifically identify the controller collecting the data and name any third party controllers who will be relying upon the consent. Consent for purchased "consented" data is valid only if the purchaser is specifically identified at the time consent is given. That has not occurred here. 35. EML is not identified as an organisation that may ultimately process an individual's data at the point where consent is obtained. The identity of EML's client would also not be clear to the data subject at the time consent is given. 36. Accordingly, the Commissioner is of the view that any consent given at the point of collection was not sufficiently specific or informed to extend so far as consenting to disclosure to EML or one of EML's customers. Any "consent" to processing could not extend to the obtaining of that data by EML, processing of that data by EML, or disclosure by EML to any of its clients. 37. Further, irrespective of the Commissioner's views about the lawfulness of processing by EML, the Commissioner is also of the view that the methods of collection identified above demonstrate that EML is not processing personal data in a transparent way. This is because (a) data subjects are unlikely to be aware that EML is processing their data at all; and (b) the identity of any EML client and how they would process the personal data is unlikely to be clear to the data subject at the time of collection. 38. Accordingly, the Commissioner is of the opinion that EML has failed to comply with its obligation to process data fairly, lawfully and transparently under Article 5(1)(a) of the UK GDPR. 11Damage/distress 39. The Commissioner has considered, as she is required to do under DPA 2018 s 149(2), whether the failure has caused, or is likely to cause, any person damage or distress. The sale of lists of personal data can cause substantial damage and distress. Such damage and distress can result in individuals being bombarded with unwanted direct marketing, or their data falling into the hands of unscrupulous individuals including scammers. 40. Moreover, data subjects are, at the least, likely to be concerned about the processing of their personal data in circumstances where they are not aware of the identity of the controller and where the nature of, and purposes of, processing have not been clearly drawn to their attention. Requirements 41. In view of the matters referred to above, the Commissioner is of the opinion that it is appropriate, in the exercise of her powers under DPA 2018 section 149, that she require EML, within three months, to: a. Notify all data subjects whose personal data are being processed by EML of the matters required by UK GDPR Art 14 including, but not limited to, the purposes of the processing for which the personal data are intended as well as the legal basis for the processing, the categories of personal data concerned, and the recipients or categories of recipients of the personal data. 12 b. Cease processing the personal data of any data subject to whom an Article 14-compliant notice is not sent or cannot be sent because EML does not possess contact information. c. Cease processing personal data (as described in this Enforcement Notice) purportedly obtained and/or otherwise processed on the basis of consent. d. Ensure that appropriate records are kept as to what individuals have consented to; including the information they were provided with at the time of consent, when they consented, and how they provided that consent. 42. The Commissioner considers that the above requirements are appropriate for the purpose of remedying the failure identified. 43. In representations to the Commissioner, EML initially claimed to have already complied with the requirements above. No evidence was provided at that time to demonstrate compliance. In subsequent representations, EML claimed that "Any personal data being processed on the basis of consents that are insufficiently specific, informed and not freely given has been deleted from the company". No explanation was given by EML as to how it formed the view about the sufficiency of the data subject's consent, or how much data had in fact been deleted by it. Having regard to the additional evidence provided by EML, the Commissioner nonetheless considers that it is appropriate to impose the requirements set out above. Consequences of Failing to Comply with the Notice 44. If a person fails to comply with an Enforcement Notice, the Commissioner may serve a penalty notice on that person under 13 section 155(l)(b) DPA, requiring payment of a penalty in an amount up to £17,500,000 or 4% of annual worldwide turnover, whichever is the higher. Right of Appeal 45. By virtue of section 162(l)(c) DPA there is a right of appeal against this Notice to the First-tier Tribunal (Information Rights). If an appeal is brought against this Notice, it need not be complied with pending determination or withdrawal of that appeal. Information about the appeals process may be obtained from: First-tier Tribunal (Information Rights) GRC Tribunals PO Box 9300 Leicester LEl 8DJ Tel: 0300 1234504 Fax: 0870 7395836 Email: GRC@hmcts.gsi.gov.uk Website: www.justice.gov.uk/tribunals/general-regulatory-chamber Any Notice of Appeal should be served on the Tribunal within 28 calendar days of the date on which this Notice is sent. Dated the 22 nd day of June 2021 Stephen Eckersley Director of Investigations Information Commissioner's Office Wycliffe House Water Lane 14Wilmslow Cheshire SK9 SAF 15