ICO (UK) - Emailmovers Limited
|Relevant Law:||Article 4(7) GDPR, Article 4(11) GDPR, Article 5(1)(a) GDPR|
|National Case Number/Name:||Emailmovers Limited|
|European Case Law Identifier:||n/a|
|Original Source:||Information Commissioner's Office (in EN)|
The UK DPA found that an email data and marketing service violated the lawfulness, fairness, and transparency principle, since its email address database had no clear lawful basis and individuals were not informed that the service had acquired their personal data. Among other things, the DPA ordered the service to notify individuals whose data it processes of the information under Article 14 GDPR.
English Summary
Facts
Emailmovers Limited (EML) advertises services such as email data, email cleansing, email marketing, etc. It has a database of data subjects' email addresses. On its website, it claims that it has a "GDPR and PECR [Privacy and Electronic Communications (EC Directive) Regulations 2003] compliant email database". The data was received from an unnamed organisation that collected the individuals' personal data and mentioned that it may be shared with third parties for marketing purposes.
In 2018, EML was investigated by the Information Commissioner's Office (ICO). EML provided the ICO enforcement team with 7000 records of personal data (names, dates of birth, postcodes, phone numbers, email addresses).
Emailmovers Limited claimed to the ICO that it was a data processor rather than a controller. It claimed so on the basis that it processed data subjects' personal data on behalf of its business clients. It also relied on a document ("Legal and Commercial Terms for the Supply of Commercial and Personal Data") in which it classified itself as a processor to its business clients.
Holding
The Information Commissioner's Office first established that Emailmovers Limited (EML) was a data controller by virtue of the definition in Article 4(7) GDPR. First, the ICO highlighted that EML's "Legal and Commercial Terms..." points to the fact that EML decided who it supplied the personal data to. Additionally, the ICO found that EML determined the purposes of processing the personal data when deciding whether to disclose the database to certain business clients. EML also had broad discretion over how the data was created, stored and manipulated. The ICO also clarified that the fact that the "Legal and Commercial Terms..." document specified that EML was a processor is not conclusive. Instead, one must rely on the definition of controller found in Article 4(7) GDPR. The ICO concluded that EML determines the purposes and means of processing and is, as such, a data controller.
The ICO considered that EML had processed personal data in a manner that was not fair, lawful or transparent. It was therefore in violation of Article 5(1)(a) of the GDPR. The ICO concluded that EML did not identify a lawful basis to engage in business-to-consumer marketing, presumably because EML argued that it was a processor. According to the evidence provided by EML, the only possible lawful basis that could have been relied upon is consent. However, the ICO was not satisfied that consent would have been effectively collected.
The ICO highlighted the requirements for consent, including that it needs to be "specific and informed". It specified that consent for purchased "consented" data is valid only where the purchaser is identified at the time of collection of the data (at the point where consent was given). Therefore, EML could not have purchased the data with valid consent as a lawful basis, as it was not identified to individuals as a potential buyer.
Additionally, EML did not process personal data in a transparent way, as individuals were not aware that EML was processing their data, and EML's clients were not identified to data subjects either.
Therefore, the ICO found EML in violation of Article 5(1)(f) of the GDPR. The ICO requires EML to comply with the following within three months:
- notify individuals whose personal data was or is processed by EML of the purposes of processing, the legal basis, the categories of personal data concerned and the recipients of this data (Article 14 GDPR);
- cease to process personal data of data subjects to whom the information notices mentioned in the point above have not been sent;
- cease to process personal data obtained on the (alleged) basis of consent; and
- ensure that appropriate records of consent are kept.
In the ICO's view, compliance with the notice would remedy the violation; a fine may be imposed if EML does not comply.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.