ICO (UK) - Emailmovers Limited
From GDPRhub
| ICO (UK) - Emailmovers Limited | |
|---|---|
 | |
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Article 4(7) GDPR Article 4(11) GDPR Article 5(1)(a) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 22.06.2021 |
| Published: | 25.06.2021 |
| Fine: | None |
| Parties: | Emailmovers Limited |
| National Case Number/Name: | Emailmovers Limited |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | Information Commissioner's Office (in EN) |
| Initial Contributor: | n/a |
The UK DPA found that an email data and marketing service violated the lawfulness, fairness, and transparency principle, since its email address database had no clear lawful basis and individuals were not informed that the service had acquired their personal data. Among other things, the DPA ordered the service to notify individuals whose data it processes of the information under Article 14 GDPR.
English Summary
Facts
Emailmovers Limited (EML) advertises its services, such as email data, email cleansing, email marketing, etc...). It has a database of data subjects' email addresses. On its website, it claims that it has a "GDPR and PECR [Privacy and Electronic Communications (EC Directive) Regulations 2003] compliant email database". The data was received from an unamed organisation that collected the individual's personal data and mentioned that it may be shared with third parties for marketing purposes.
In 2018, EML was investigated by the Information Commissioner's Office (ICO). EML provided the ICO enforcement team with 7000 records of personal data (names, dates of birth, postcodes, phone numbers, email addresses).
Emailmovers Limited claimed to be a data processor rather than a controller to the ICO. It claimed so on the basis that it processed data subjects' personal data on behalf of business clients that it had. It also relied on a document ("Legal and Commercial Terms for the Supply of Commercial and Personal Data") where it classified itself as a processor to its business clients.
Holding
The Information Commissioner's Office first established that Emailmovers Limited (EML) was a data controller by virtue of the definition in Article 4(7) GDPR. First, the ICO highlighted that EML's "Legal and Commercial Terms..." points to the fact that EML decided who it supplied the personal data to. Additionally, the ICO found that EML determined the purposes of processing the personal data when deciding whether to disclose the database to certain business clients. EML also had broad discretion over how the data is created, stored and manipulated. The ICO also clarified that the fact that the "Legal and Commercial Terms..." document specified that EML was a processor is not conclusive. Instead, one must rely on the definition of controller found in Article 4(7) GDPR. The ICO concluded that EML determines the purposes and means of processing and is as such a data controller.
The ICO considered that EML has processed personal data in a manner that is not fair, lawful nor transparent. It is therefore in violation of Article 5(1)(a) of the GDPR. The ICO concluded that EML did not identify a lawful basis to engage in business to consumer marketing, presumably because EML argued to be a processor. The only possible lawful basis that could have be relied upon is consent according to evidence provided by EML. However, the ICO is not satisfied that consent would have been effectively collected.
The ICO found that the privacy policy of the organisation that collected the personal data, despite stating that individual's personal data would be shared with third parties for marketing purposes, was not specific enough. It did not clearly name the third party recipients.
The ICO highlighted the requirements for consent, including that it need to be "specific and informed". It specified that consent for purchased "consented" data is valid only where the purchaser is identified at the time of collection of the data (at the point where consent was given). Therefore, EML could not have purchased the data on the basis of valid consent as a lawful basis as it was not identified as a potential buyer to individuals.
Additionally, EML did not process personal data in a transparent way as individuals were not aware EML was processing their data and EML's clients were not identified to data subjects either.
Therefore, the ICO found EML in violation of Article 5(1)(f) of the GDPR. The ICO therefore requires that EML complies with the following within three months:
- notify individuals whose personal data was or is processed by EML the purposes of processing, the legal basis, the categories of personal data concerned and the recipients of this data (Article 14 GDPR);
- cease to process personal data of data subject to whom information notices mentioned in the point above have not been sent to;
- cease to process personal data obtained on the (alleged) basis of consent; and
- ensure that appropriate records of consent are kept.
Compliance with the ICO's notice would remedy the violation in the ICO's view and a fine may be imposed if it is not.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
THE DATA PROTECTION ACT 2018
(PART 6, SECTION 149)
ENFORCEMENT POWERS OF THE INFORMATION COMMISSIONER
ENFORCEMENT NOTICE
To: Emailmovers Limited
Of: C/O Jackson Robson Licence
33-35 Exchange Street
Driffield
East Yorkshire
YO25 6LL
1. The Information Commissioner ("Commissioner") has decided that it
would be appropriate to issue Emailmovers Limited ("EML") with an
enforcement notice under section 149 of the Data Protection Act
2018 ("DPA") based on a failure by EML to comply with Art 5(1)(a)
of the General Data Protection Regulation EU2016/679 as it forms
part of the law of England and Wales, Scotland and Northern
Ireland by virtue of section 3 of the European Union (Withdrawal)
Act 2018 ("UK GDPR").
2. This notice explains the Commissioner's reasons for that opinion.
3. A Preliminary Enforcement Notice was given to EML on 4 September
2019 and an opportunity to make representations was provided. A
further opportunity to make representations was also afforded to
EML on 23 April 2021. The Commissioner has considered those
1 representations and taken them into account in determining
whether an Enforcement Notice should be issued.
Legal Framework
Controller
4. The Commissioner is of the view that EML is a controller as defined
in Article 4(7) of the UK GDPR and section 6 of the Data Protection
Act 2018 ("DPA"). A controller is "the natural or legal person, public
authority, agency or other body which, alone or jointly with others,
determines the purposes and means of the processing of personal
data".
5. Although EML characterises itself as a processor, the Commissioner
does not accept that characterisation for the reasons set out below.
The obligation to process data fairly, lawfully and transparently
6. Personal data must be "processed lawfully, fairly and in a
transparent manner in relation to the data subject": UK GDPR Art
5(1)(a). This provision is supplemented by Recital 39 which
provides, relevantly:
"Any processing of personal data should be lawful and fair. It should
be transparent to natural persons that personal data concerning
them are collected, used, consulted or otherwise processed and to
what extent the personal data are or will be processed. The
principle of transparency requires that any information and
communication relating to the processing of those personal data be
easily accessible and easy to understand, and that clear and plain
language be used. That principle concerns, in particular, information
2 to the data subjects on the identity of the controller and the
purposes of the processing and further information to ensure fair
and transparent processing in respect of the natural persons
concerned and their right to obtain confirmation and communication
of personal data concerning them which are being processed.
Natural persons should be made aware of risks, rules, safeguards
and rights in relation to the processing of personal data and how to
exercise their rights in relation to such processing."
7. Recital 58 also emphasises the need for transparency in processing:
"The principle of transparency requires that any information
addressed to the public or to the data subject be concise, easily
accessible and easy to understand, and that clear and plain
language and, additionally, where appropriate, visualisation be
used. Such information could be provided in electronic form, for
example, when addressed to the public, through a website. This is
of particular relevance in situations where the proliferation of actors
and the technological complexity of practice makes it difficult for the
data subiect to know and understand whether, by whom and for
what purpose personal data relating to him or her are being
collected, such as in the case on online advertising ..." (Emphasis
added)
Lawful bases of processing
8. Processing will only be lawful where at least one of the
circumstances in UK GDPR Art 6(1) applies. Those circumstances
include:
"(a) the data subject has given consent to the processing of his or
her personal data for one or more specific purposes"
39. Consent is defined in the UK GDPR as "any freely given, specific,
informed and unambiguous indication of the data subject's wishes
by which he or she, by a statement or by a clear affirmative action,
signifies agreement to the processing of personal data relating to
him or her": Art 4(11), see also Recital 32.
10. The conditions for "consent" are set out in UK GDPR Art 7. Article
7(1) states, relevantly:
"1. Where processing is based on consent, the controller shall be
able to demonstrate that the data subject has consented to
processing of his or her personal data."
11. Where consent is relied upon as the basis for processing, the data
subject "should be aware at least of the identity of the controller
and purposes of the processing for which the personal data are
intended": UK GDPR Recital 42.
Commissioner's Powers
12. If the Commissioner is satisfied that a person has failed, or is
failing, to comply with a provision of Chapter II of the UK GDPR, the
Commissioner may give the person an Enforcement Notice requiring
them to take within such time as may be specified in the Notice, or
to refrain from taking after such time as may be so specified, such
steps as are so specified: DPA 2018 s 149.
Background
13. EML is a company that advertises its services as including email
data, email cleansing, email marketing and data appending.
4 According to its website, it licenses in a wide range of personal data
which includes email addresses, gender, age, employment status,
and income bracket. It markets itself as having a "GDPR and PECR
compliant email database".
14. On 31 January 2018, during an operation conducted by the
Information Commissioner, EML provided 7000 records consisting of
personal ID numbers, forenames, surnames, dates of birth,
postcodes, mobile numbers (for some entries), email addresses (for
some entries) and landline numbers to members of the
Commissioner's Enforcement Team. The data was provided
pursuant to a 12 month licence. 15% of the records related persons
between the ages 75-79 and 1% related to persons over 80. The
Commissioner expressly does not rely upon this sale otherwise than
as background for the purposes of this Enforcement Notice. This
failing occurred prior to the implementation of the GDPR and,
although the Commissioner is able to rely upon enforcement powers
available to her under the Data Protection Act 1998 (see DPA 2018
Sch 20, Pt 7, para 33(1)(b) she has elected not to do so in this
case.
15. Following this sale, the Commissioner commenced an investigation
into EML's data protection practices.
16. In the course of that investigation, EML informed the Commissioner
that:
a. it was a processor with respect to the personal data sourced
on behalf of a client for the purposes of business to consumer
marketing; and
5 b. its business to consumer data was provided by
(now known as
EML is a controller, not a processor
17. While the Commissioner notes that EML characterises itself as a
processor under the GDPR in relation to business to consumer
marketing, the Commissioner does not accept that this
characterisation is correct for the reasons that follow.
18. As part of its first round of representations to the Commissioner,
EML produced a document setting out the "Legal and Commercial
Terms for the Supply of Commercial and Personal Data" ("Terms"),
which included as an appendix, a data processing agreement
("Processing Agreement"). The Terms, containing the Processing
Agreement, were executed on 25 July 2018. EML relies upon this as
evidence that it was a processor rather than a controller.
19. The Commissioner has reviewed the Terms and the Processing
Agreement and remains of the view that EML is a controller. The
Terms and Processing Agreement demonstrate that
licenses data to EML so that EML can enter into subscription
agreements with third parties to supply them with that data. The
choice as to which third parties are supplied with data is a decision
made by EML. The purposes of processing data in this way
(disclosure to third parties) are determined by EML. EML also
selects the means by which the data are processed. The Terms
provides EML with a broad discretion to undertake many processing
activities including using the data, creating derived data, storing the
data, and manipulating the data (see generally, Clause 10 of the
Terms).
620. Further, the Processing Agreement does not provide support for
EML's claim. The Processing Agreement does not adopt a clear
position on whether the Data Receiver (EML) is a controller or
processor. Indeed, para 3.1 states that EML
"...is either a Data Controller or a Data Processor in their capacity
as foreseen under this Agreement. The Data Receiver acknowledges
that, if acting as a Data Processor, they could be deemed to be a
Data Contoller depending upon their use of the Shared Personal
Data and would be deemed to be a Data Controller if they make use
of the Shared Personal Data in a way that is not in accordance with
this Agreement."
21. In any event, even if EML were characterised as a processor by the
Terms of the Processing Agreement, that does not determine
whether EML is a processor or a controller. That must be
determined by reference to the definitions in the UK GDPR and the
DPA 2018.
22. The Processing Agreement requires the parties to process the
Shared Personal Data for the "Agreed Purpose", namely:
"To broadcast marketing emails on behalf of a customer or to share
the data for email marketing purposes with a customer who is
promoting products or services within the Categories of Recipients
where a consumer has given consent for a third party marketing or
where there is a legitimate interest to share the data for marketing
purpose."
23. This purpose is too broadly expressed to constitute a genuine
restriction on the purposes for individual acts of processing.
It remains the case that EML is able to determine if, when and for
what purposes (within the scope of the broadly expressed Agreed
7 Purpose) processing should take place as well as the means by
which the data is processed.
24. The Commissioner is accordingly satisfied that, with respect to data
obtained from and licensed to customers of EML, EML
determines the purposes of that processing and the means by which
it is done. It is, accordingly, a controller with respect to that data.
25. The Commissioner notes that EML provided a revised Data
Processing Agreement in response to the further invitation to make
representations. That Agreement was provided in template form,
with no reference to how the relationship with putative data
controllers operates in practice. No evidence of any executed
agreement was provided. The revised Data Processing Agreement
does not alter the fact that EML previously mischaracterised itself as
a processor.
26. Further, EML informed the Commissioner that it was now - having
seen the Commissioner's Preliminary Enforcement Notice -
operating "purely as an introducer". No acceptable explanation was
provided as to the actual practices adopted by EML, or how it
conceived the role of an "introducer" fit within the data protection
concepts of "controllers" and "processors". The Commissioner is
also not satisfied, on the basis of the information that has now been
provided, that EML does not continue to mischaracterise itself as
such.
The Failure
27. The Commissioner is of the view that EML has processed, and is
processing, personal data in a manner that is not fair, lawful, or
8 transparent, thereby failing to comply with UK GDPR Art S(l)(a).
The Commissioner's reasons for forming this view are as follows.
28. EML has not sought to identify the lawful basis upon which it
processes personal data when engaging in business to consumer
marketing. This appears to be the consequence of its
misclassification as a data processor. In response to a request for
policies concerning privacy and data protection, EML provided a
number of policies. None of those policies addressed the manner in
which, and the purposes for which, EML processed data provided to
it by third parties in business to consumer marketing.
29. However, EML has informed the Commissioner that it relies on-I
to provided appropriately consented marketing lists. On
this basis, the Commissioner infers that EML relies upon consent as
the basis for processing. The Commissioner does not accept that
any consent to processing provided tol is effective
to permit processing by EML.
30. The Commissioner understands that acquires
personal data from the following sources:
a. the website owned by , and
b. the website operated by
31. The website includes a link to the
privacy policy. That policy states that they will "Pass on your details
to selected Companies and Trusted Partners which provide you with
other offers and promotions of interest to you". The policy lists only
a selection of those "partners". Despite that selection being lengthy
and covering a very broad range of named companies, it does not
9 identify either or EML as potential third party
recipients of personal data. The policy further does not indicate that
those third party recipients may themselves disclose personal data
to additional unnamed third parties for any purpose.
32. privacy policy indicates that personal data may be
shared with marketing service providers. The policy states that
those providers may combine the information with data from other
sources, analyse and profile it and pass their knowledge on to other
companies. It also indicates that names and addresses may be
passed on by those providers to other companies so that those
other companies can contact the individual about relevant products,
services and offers. It states that this will occur "either directly or
indirectly via a data broker who may legitimately process your
data". The list of marketing service providers includes
but not EML. The companies that marketing service providers may
disclose personal data to are also not identified.
33. Further, privacy policy indicates that it will share
personal data for commercial gain with third parties who "have a
relationship with you" or where the third party has "a lawful reason,
which may include the organisation's own legitimate interest". It
states that that "data will be used ... to create a data product ... in
line with ICO code of practice". It is unclear what ICO Code of
Practice this was intended to refer to. The specific third parties with
whom data may be shared for these purposes are not identified.
The policy also indicates that data will be shared with specified
"Marketing Services Providers and special Marketing Agencies".
is identified as a potential third party recipient, but
EML is not. A link for more information about -takes the
i
user to the website, which identifies EML as a
"marketing partner".
1034. The ICO's Guidance on Consent under the GDPR makes clear that
for consent to be "specific and informed", it must specifically
identify the controller collecting the data and name any third party
controllers who will be relying upon the consent. Consent for
purchased "consented" data is valid only if the purchaser is
specifically identified at the time consent is given. That has not
occurred here.
35. EML is not identified as an organisation that may ultimately process
an individual's data at the point where consent is obtained. The
identity of EML's client would also not be clear to the data subject at
the time consent is given.
36. Accordingly, the Commissioner is of the view that any consent given
at the point of collection was not sufficiently specific or informed to
extend so far as consenting to disclosure to EML or one of EML's
customers. Any "consent" to processing could not extend to the
obtaining of that data by EML, processing of that data by EML, or
disclosure by EML to any of its clients.
37. Further, irrespective of the Commissioner's views about the
lawfulness of processing by EML, the Commissioner is also of the
view that the methods of collection identified above demonstrate
that EML is not processing personal data in a transparent way. This
is because (a) data subjects are unlikely to be aware that EML is
processing their data at all; and (b) the identity of any EML client
and how they would process the personal data is unlikely to be clear
to the data subject at the time of collection.
38. Accordingly, the Commissioner is of the opinion that EML has failed
to comply with its obligation to process data fairly, lawfully and
transparently under Article 5(1)(a) of the UK GDPR.
11Damage/distress
39. The Commissioner has considered, as she is required to do under
DPA 2018 s 149(2), whether the failure has caused, or is likely to
cause, any person damage or distress. The sale of lists of personal
data can cause substantial damage and distress. Such damage and
distress can result in individuals being bombarded with unwanted
direct marketing, or their data falling into the hands of
unscrupulous individuals including scammers.
40. Moreover, data subjects are, at the least, likely to be concerned
about the processing of their personal data in circumstances where
they are not aware of the identity of the controller and where the
nature of, and purposes of, processing have not been clearly drawn
to their attention.
Requirements
41. In view of the matters referred to above, the Commissioner is of the
opinion that it is appropriate, in the exercise of her powers under
DPA 2018 section 149, that she require EML, within three months,
to:
a. Notify all data subjects whose personal data are being
processed by EML of the matters required by UK GDPR Art 14
including, but not limited to, the purposes of the processing
for which the personal data are intended as well as the legal
basis for the processing, the categories of personal data
concerned, and the recipients or categories of recipients of
the personal data.
12 b. Cease processing the personal data of any data subject to
whom an Article 14-compliant notice is not sent or cannot be
sent because EML does not possess contact information.
c. Cease processing personal data (as described in this
Enforcement Notice) purportedly obtained and/or otherwise
processed on the basis of consent.
d. Ensure that appropriate records are kept as to what
individuals have consented to; including the information they
were provided with at the time of consent, when they
consented, and how they provided that consent.
42. The Commissioner considers that the above requirements are
appropriate for the purpose of remedying the failure identified.
43. In representations to the Commissioner, EML initially claimed to
have already complied with the requirements above. No evidence
was provided at that time to demonstrate compliance. In
subsequent representations, EML claimed that "Any personal data
being processed on the basis of consents that are insufficiently
specific, informed and not freely given has been deleted from the
company". No explanation was given by EML as to how it formed
the view about the sufficiency of the data subject's consent, or how
much data had in fact been deleted by it. Having regard to the
additional evidence provided by EML, the Commissioner nonetheless
considers that it is appropriate to impose the requirements set out
above.
Consequences of Failing to Comply with the Notice
44. If a person fails to comply with an Enforcement Notice, the
Commissioner may serve a penalty notice on that person under
13 section 155(l)(b) DPA, requiring payment of a penalty in an
amount up to £17,500,000 or 4% of annual worldwide turnover,
whichever is the higher.
Right of Appeal
45. By virtue of section 162(l)(c) DPA there is a right of appeal against
this Notice to the First-tier Tribunal (Information Rights). If an
appeal is brought against this Notice, it need not be complied with
pending determination or withdrawal of that appeal. Information
about the appeals process may be obtained from:
First-tier Tribunal (Information Rights)
GRC Tribunals
PO Box 9300
Leicester
LEl 8DJ
Tel: 0300 1234504
Fax: 0870 7395836
Email: GRC@hmcts.gsi.gov.uk
Website: www.justice.gov.uk/tribunals/general-regulatory-chamber
Any Notice of Appeal should be served on the Tribunal within 28
calendar days of the date on which this Notice is sent.
Dated the 22 nd day of June 2021
Stephen Eckersley
Director of Investigations
Information Commissioner's Office
Wycliffe House
Water Lane
14Wilmslow
Cheshire
SK9 SAF
15
