ICO (UK) - Emailmovers Limited

From GDPRhub
Revision as of 08:58, 28 July 2021 by NN (talk | contribs)
ICO (UK) - Emailmovers Limited
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 4(7) GDPR
Article 4(11) GDPR
Article 5(1)(a) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 22.06.2021
Published: 25.06.2021
Fine: None
Parties: Emailmovers Limited
National Case Number/Name: Emailmovers Limited
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Information Commissioner's Office (in EN)
Initial Contributor: n/a

The UK DPA (ICO) found that an email data and marketing service violated the lawfulness, fairness, and transparency principle, since its email address database had no clear lawful basis and individuals were not informed that the service had acquired their personal data. Among other things, the DPA ordered the service to notify individuals whose data it processes of the information under Article 14 GDPR.

English Summary

Facts

Emailmovers Limited (EML) advertises its services, such as email data, email cleansing, email marketing, etc...). It has a database of data subjects' email addresses. On its website, it claims that it has a "GDPR and PECR [Privacy and Electronic Communications (EC Directive) Regulations 2003] compliant email database". The data was received from an unamed organisation that collected the individual's personal data and mentioned that it may be shared with third parties for marketing purposes.

In 2018, EML was investigated by the Information Commissioner's Office (ICO). EML provided the ICO enforcement team with 7000 records of personal data (names, dates of birth, postcodes, phone numbers, email addresses).

Emailmovers Limited claimed to be a data processor rather than a controller to the ICO. It claimed so on the basis that it processed data subjects' personal data on behalf of business clients that it had. It also relied on a document ("Legal and Commercial Terms for the Supply of Commercial and Personal Data") where it classified itself as a processor to its business clients.

Holding

The Information Commissioner's Office first established that Emailmovers Limited (EML) was a data controller by virtue of the definition in Article 4(7) GDPR. First, the ICO highlighted that EML's "Legal and Commercial Terms..." points to the fact that EML decided who it supplied the personal data to. Additionally, the ICO found that EML determined the purposes of processing the personal data when deciding whether to disclose the database to certain business clients. EML also had broad discretion over how the data is created, stored and manipulated. The ICO also clarified that the fact that the "Legal and Commercial Terms..." document specified that EML was a processor is not conclusive. Instead, one must rely on the definition of controller found in Article 4(7) GDPR. The ICO concluded that EML determines the purposes and means of processing and is as such a data controller.

The ICO considered that EML has processed personal data in a manner that is not fair, lawful nor transparent. It is therefore in violation of Article 5(1)(a) of the GDPR. The ICO concluded that EML did not identify a lawful basis to engage in business to consumer marketing, presumably because EML argued to be a processor. The only possible lawful basis that could have be relied upon is consent according to evidence provided by EML. However, the ICO is not satisfied that consent would have been effectively collected.

The ICO found that the privacy policy of the organisation that collected the personal data, despite stating that individual's personal data would be shared with third parties for marketing purposes, was not specific enough. It did not clearly name the third party recipients.

The ICO highlighted the requirements for consent, including that it need to be "specific and informed". It specified that consent for purchased "consented" data is valid only where the purchaser is identified at the time of collection of the data (at the point where consent was given). Therefore, EML could not have purchased the data on the basis of valid consent as a lawful basis as it was not identified as a potential buyer to individuals.

Additionally, EML did not process personal data in a transparent way as individuals were not aware EML was processing their data and EML's clients were not identified to data subjects either.

Therefore, the ICO found EML in violation of Article 5(1)(f) of the GDPR. The ICO therefore requires that EML complies with the following within three months:

  • notify individuals whose personal data was or is processed by EML the purposes of processing, the legal basis, the categories of personal data concerned and the recipients of this data (Article 14 GDPR);
  • cease to process personal data of data subject to whom information notices mentioned in the point above have not been sent to;
  • cease to process personal data obtained on the (alleged) basis of consent; and
  • ensure that appropriate records of consent are kept.

Compliance with the ICO's notice would remedy the violation in the ICO's view and a fine may be imposed if it is not.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                  THE DATA PROTECTION ACT 2018

                        (PART 6, SECTION 149)


 ENFORCEMENT POWERS OF THE INFORMATION COMMISSIONER



                        ENFORCEMENT NOTICE



To:   Emailmovers Limited


Of:   C/O Jackson Robson Licence

      33-35 Exchange Street

      Driffield

      East Yorkshire

      YO25 6LL


1.    The Information Commissioner ("Commissioner") has decided that it

      would be appropriate to issue Emailmovers Limited ("EML") with an

      enforcement notice under section 149 of the Data Protection Act

      2018 ("DPA") based on a failure by EML to comply with Art 5(1)(a)
      of the General Data Protection Regulation EU2016/679 as it forms

      part of the law of England and Wales, Scotland and Northern

      Ireland by virtue of section 3 of the European Union (Withdrawal)

      Act 2018 ("UK GDPR").



2.    This notice explains the Commissioner's reasons for that opinion.


3.    A Preliminary Enforcement Notice was given to EML on 4 September
      2019 and an opportunity to make representations was provided. A

      further opportunity to make representations was also afforded to

      EML on 23 April 2021. The Commissioner has considered those




                                    1      representations and taken them into account in determining

      whether an Enforcement Notice should be issued.


Legal Framework



Controller



4.    The Commissioner is of the view that EML is a controller as defined

      in Article 4(7) of the UK GDPR and section 6 of the Data Protection
      Act 2018 ("DPA"). A controller is "the natural or legal person, public

      authority, agency or other body which, alone or jointly with others,

      determines the purposes and means of the processing of personal

      data".



5.    Although EML characterises itself as a processor, the Commissioner
      does not accept that characterisation for the reasons set out below.



The obligation to process data fairly, lawfully and transparently



6.    Personal data must be "processed lawfully, fairly and in a
      transparent manner in relation to the data subject": UK GDPR Art

       5(1)(a). This provision is supplemented by Recital 39 which

      provides, relevantly:


       "Any processing of personal data should be lawful and fair. It should

      be transparent to natural persons that personal data concerning

      them are collected, used, consulted or otherwise processed and to

      what extent the personal data are or will be processed. The
      principle of transparency requires that any information and

      communication relating to the processing of those personal data be

      easily accessible and easy to understand, and that clear and plain

      language be used. That principle concerns, in particular, information


                                       2      to the data subjects on the identity of the controller and the

      purposes of the processing and further information to ensure fair

      and transparent processing in respect of the natural persons

      concerned and their right to obtain confirmation and communication
      of personal data concerning them which are being processed.

      Natural persons should be made aware of risks, rules, safeguards

      and rights in relation to the processing of personal data and how to

      exercise their rights in relation to such processing."


7.    Recital 58 also emphasises the need for transparency in processing:



      "The principle of transparency requires that any information

      addressed to the public or to the data subject be concise, easily

      accessible and easy to understand, and that clear and plain

      language and, additionally, where appropriate, visualisation be
      used. Such information could be provided in electronic form, for

      example, when addressed to the public, through a website. This is

      of particular relevance in situations where the proliferation of actors

      and the technological complexity of practice makes it difficult for the

      data subiect to know and understand whether, by whom and for
      what purpose personal data relating to him or her are being

      collected, such as in the case on online advertising ..." (Emphasis

      added)



Lawful bases of processing


8.    Processing will only be lawful where at least one of the

      circumstances in UK GDPR Art 6(1) applies. Those circumstances

      include:



      "(a) the data subject has given consent to the processing of his or
      her personal data for one or more specific purposes"


                                       39.    Consent is defined in the UK GDPR as "any freely given, specific,

      informed and unambiguous indication of the data subject's wishes

      by which he or she, by a statement or by a clear affirmative action,
      signifies agreement to the processing of personal data relating to

      him or her": Art 4(11), see also Recital 32.



10.   The conditions for "consent" are set out in UK GDPR Art 7. Article

      7(1) states, relevantly:


      "1. Where processing is based on consent, the controller shall be

      able to demonstrate that the data subject has consented to

      processing of his or her personal data."



11.   Where consent is relied upon as the basis for processing, the data
      subject "should be aware at least of the identity of the controller

      and purposes of the processing for which the personal data are

      intended": UK GDPR Recital 42.



Commissioner's Powers


12.   If the Commissioner is satisfied that a person has failed, or is

      failing, to comply with a provision of Chapter II of the UK GDPR, the

      Commissioner may give the person an Enforcement Notice requiring

      them to take within such time as may be specified in the Notice, or

      to refrain from taking after such time as may be so specified, such
      steps as are so specified: DPA 2018 s 149.



Background



13.   EML is a company that advertises its services as including email
      data, email cleansing, email marketing and data appending.


                                      4      According to its website, it licenses in a wide range of personal data

      which includes email addresses, gender, age, employment status,

      and income bracket. It markets itself as having a "GDPR and PECR

      compliant email database".



14.   On 31 January 2018, during an operation conducted by the

      Information Commissioner, EML provided 7000 records consisting of
      personal ID numbers, forenames, surnames, dates of birth,

      postcodes, mobile numbers (for some entries), email addresses (for

      some entries) and landline numbers to members of the

      Commissioner's Enforcement Team. The data was provided

      pursuant to a 12 month licence. 15% of the records related persons
      between the ages 75-79 and 1% related to persons over 80. The

      Commissioner expressly does not rely upon this sale otherwise than

      as background for the purposes of this Enforcement Notice. This

      failing occurred prior to the implementation of the GDPR and,

      although the Commissioner is able to rely upon enforcement powers

      available to her under the Data Protection Act 1998 (see DPA 2018
      Sch 20, Pt 7, para 33(1)(b) she has elected not to do so in this

      case.



15.   Following this sale, the Commissioner commenced an investigation

      into EML's data protection practices.


16.   In the course of that investigation, EML informed the Commissioner

      that:


         a. it was a processor with respect to the personal data sourced
            on behalf of a client for the purposes of business to consumer

            marketing; and






                                      5         b. its business to consumer data was provided by

            (now known as


EML is a controller, not a processor



17.   While the Commissioner notes that EML characterises itself as a
      processor under the GDPR in relation to business to consumer

      marketing, the Commissioner does not accept that this

      characterisation is correct for the reasons that follow.


18.   As part of its first round of representations to the Commissioner,

      EML produced a document setting out the "Legal and Commercial

      Terms for the Supply of Commercial and Personal Data" ("Terms"),
      which included as an appendix, a data processing agreement

      ("Processing Agreement"). The Terms, containing the Processing

      Agreement, were executed on 25 July 2018. EML relies upon this as

      evidence that it was a processor rather than a controller.


19.   The Commissioner has reviewed the Terms and the Processing

      Agreement and remains of the view that EML is a controller. The

      Terms and Processing Agreement demonstrate that
      licenses data to EML so that EML can enter into subscription

      agreements with third parties to supply them with that data. The

      choice as to which third parties are supplied with data is a decision

      made by EML. The purposes of processing data in this way

      (disclosure to third parties) are determined by EML. EML also

      selects the means by which the data are processed. The Terms
      provides EML with a broad discretion to undertake many processing

      activities including using the data, creating derived data, storing the

      data, and manipulating the data (see generally, Clause 10 of the

      Terms).





                                     620.   Further, the Processing Agreement does not provide support for

      EML's claim. The Processing Agreement does not adopt a clear

      position on whether the Data Receiver (EML) is a controller or
      processor. Indeed, para 3.1 states that EML


      "...is either a Data Controller or a Data Processor in their capacity

      as foreseen under this Agreement. The Data Receiver acknowledges

      that, if acting as a Data Processor, they could be deemed to be a

      Data Contoller depending upon their use of the Shared Personal
      Data and would be deemed to be a Data Controller if they make use

      of the Shared Personal Data in a way that is not in accordance with

      this Agreement."


21.   In any event, even if EML were characterised as a processor by the

      Terms of the Processing Agreement, that does not determine

      whether EML is a processor or a controller. That must be
      determined by reference to the definitions in the UK GDPR and the

      DPA 2018.



22.   The Processing Agreement requires the parties to process the

      Shared Personal Data for the "Agreed Purpose", namely:


      "To broadcast marketing emails on behalf of a customer or to share
      the data for email marketing purposes with a customer who is

      promoting products or services within the Categories of Recipients

      where a consumer has given consent for a third party marketing or

      where there is a legitimate interest to share the data for marketing

      purpose."


23.   This purpose is too broadly expressed to constitute a genuine

      restriction on the purposes for individual acts of processing.

       It remains the case that EML is able to determine if, when and for

      what purposes (within the scope of the broadly expressed Agreed

                                      7      Purpose) processing should take place as well as the means by

      which the data is processed.


24.   The Commissioner is accordingly satisfied that, with respect to data

      obtained from                and licensed to customers of EML, EML

      determines the purposes of that processing and the means by which

      it is done. It is, accordingly, a controller with respect to that data.



25.   The Commissioner notes that EML provided a revised Data
      Processing Agreement in response to the further invitation to make

      representations. That Agreement was provided in template form,

      with no reference to how the relationship with putative data

      controllers operates in practice. No evidence of any executed

      agreement was provided. The revised Data Processing Agreement

      does not alter the fact that EML previously mischaracterised itself as
      a processor.


26.   Further, EML informed the Commissioner that it was now - having

      seen the Commissioner's Preliminary Enforcement Notice -

      operating "purely as an introducer". No acceptable explanation was

      provided as to the actual practices adopted by EML, or how it

      conceived the role of an "introducer" fit within the data protection
      concepts of "controllers" and "processors". The Commissioner is

      also not satisfied, on the basis of the information that has now been

      provided, that EML does not continue to mischaracterise itself as

      such.



The Failure


27.   The Commissioner is of the view that EML has processed, and is

      processing, personal data in a manner that is not fair, lawful, or




                                      8      transparent, thereby failing to comply with UK GDPR Art S(l)(a).

      The Commissioner's reasons for forming this view are as follows.


28.   EML has not sought to identify the lawful basis upon which it

      processes personal data when engaging in business to consumer

      marketing. This appears to be the consequence of its

      misclassification as a data processor. In response to a request for

      policies concerning privacy and data protection, EML provided a

      number of policies. None of those policies addressed the manner in
      which, and the purposes for which, EML processed data provided to

      it by third parties in business to consumer marketing.


29.   However, EML has informed the Commissioner that it relies on-I

                  to provided appropriately consented marketing lists. On

      this basis, the Commissioner infers that EML relies upon consent as

      the basis for processing. The Commissioner does not accept that

      any consent to processing provided tol                    is effective
      to permit processing by EML.



30.   The Commissioner understands that                      acquires

      personal data from the following sources:


         a. the               website owned by                   , and



         b. the                website operated by



31.   The                website includes a link to the

      privacy policy. That policy states that they will "Pass on your details
      to selected Companies and Trusted Partners which provide you with

      other offers and promotions of interest to you". The policy lists only

      a selection of those "partners". Despite that selection being lengthy

      and covering a very broad range of named companies, it does not


                                      9      identify either                   or EML as potential third party

      recipients of personal data. The policy further does not indicate that

      those third party recipients may themselves disclose personal data
      to additional unnamed third parties for any purpose.



32.                    privacy policy indicates that personal data may be

      shared with marketing service providers. The policy states that

      those providers may combine the information with data from other

      sources, analyse and profile it and pass their knowledge on to other
      companies. It also indicates that names and addresses may be

      passed on by those providers to other companies so that those

      other companies can contact the individual about relevant products,

      services and offers. It states that this will occur "either directly or

      indirectly via a data broker who may legitimately process your

      data". The list of marketing service providers includes
      but not EML. The companies that marketing service providers may

      disclose personal data to are also not identified.


33.   Further,                     privacy policy indicates that it will share

      personal data for commercial gain with third parties who "have a

      relationship with you" or where the third party has "a lawful reason,

      which may include the organisation's own legitimate interest". It
      states that that "data will be used ... to create a data product ... in

      line with ICO code of practice". It is unclear what ICO Code of

      Practice this was intended to refer to. The specific third parties with

      whom data may be shared for these purposes are not identified.

      The policy also indicates that data will be shared with specified

      "Marketing Services Providers and special Marketing Agencies".
                        is identified as a potential third party recipient, but

      EML is not. A link for more information about   -takes the
                                                      i
      user to the                       website, which identifies EML as a

      "marketing partner".


                                      1034.   The ICO's Guidance on Consent under the GDPR makes clear that

      for consent to be "specific and informed", it must specifically

      identify the controller collecting the data and name any third party

      controllers who will be relying upon the consent. Consent for

      purchased "consented" data is valid only if the purchaser is
      specifically identified at the time consent is given. That has not

      occurred here.


35.   EML is not identified as an organisation that may ultimately process

      an individual's data at the point where consent is obtained. The

      identity of EML's client would also not be clear to the data subject at

      the time consent is given.


36.   Accordingly, the Commissioner is of the view that any consent given

      at the point of collection was not sufficiently specific or informed to
      extend so far as consenting to disclosure to EML or one of EML's

      customers. Any "consent" to processing could not extend to the

      obtaining of that data by EML, processing of that data by EML, or

      disclosure by EML to any of its clients.


37.   Further, irrespective of the Commissioner's views about the

      lawfulness of processing by EML, the Commissioner is also of the
      view that the methods of collection identified above demonstrate

      that EML is not processing personal data in a transparent way. This

      is because (a) data subjects are unlikely to be aware that EML is

      processing their data at all; and (b) the identity of any EML client

      and how they would process the personal data is unlikely to be clear

      to the data subject at the time of collection.


38.   Accordingly, the Commissioner is of the opinion that EML has failed
      to comply with its obligation to process data fairly, lawfully and

      transparently under Article 5(1)(a) of the UK GDPR.



                                      11Damage/distress


39.   The Commissioner has considered, as she is required to do under

      DPA 2018 s 149(2), whether the failure has caused, or is likely to

      cause, any person damage or distress. The sale of lists of personal

      data can cause substantial damage and distress. Such damage and

      distress can result in individuals being bombarded with unwanted
      direct marketing, or their data falling into the hands of

      unscrupulous individuals including scammers.



40.   Moreover, data subjects are, at the least, likely to be concerned

      about the processing of their personal data in circumstances where
      they are not aware of the identity of the controller and where the

      nature of, and purposes of, processing have not been clearly drawn

      to their attention.


Requirements



41.   In view of the matters referred to above, the Commissioner is of the

      opinion that it is appropriate, in the exercise of her powers under
      DPA 2018 section 149, that she require EML, within three months,

      to:


         a. Notify all data subjects whose personal data are being

            processed by EML of the matters required by UK GDPR Art 14

            including, but not limited to, the purposes of the processing

            for which the personal data are intended as well as the legal

            basis for the processing, the categories of personal data
            concerned, and the recipients or categories of recipients of

            the personal data.






                                     12         b. Cease processing the personal data of any data subject to

            whom an Article 14-compliant notice is not sent or cannot be

            sent because EML does not possess contact information.


         c. Cease processing personal data (as described in this

            Enforcement Notice) purportedly obtained and/or otherwise
            processed on the basis of consent.



         d. Ensure that appropriate records are kept as to what

            individuals have consented to; including the information they

            were provided with at the time of consent, when they
            consented, and how they provided that consent.


42.   The Commissioner considers that the above requirements are

      appropriate for the purpose of remedying the failure identified.



43.   In representations to the Commissioner, EML initially claimed to

      have already complied with the requirements above. No evidence

      was provided at that time to demonstrate compliance. In
      subsequent representations, EML claimed that "Any personal data

      being processed on the basis of consents that are insufficiently

      specific, informed and not freely given has been deleted from the

      company". No explanation was given by EML as to how it formed

      the view about the sufficiency of the data subject's consent, or how

      much data had in fact been deleted by it. Having regard to the
      additional evidence provided by EML, the Commissioner nonetheless

      considers that it is appropriate to impose the requirements set out

      above.


Consequences of Failing to Comply with the Notice


44.   If a person fails to comply with an Enforcement Notice, the

      Commissioner may serve a penalty notice on that person under


                                     13      section 155(l)(b) DPA, requiring payment of a penalty in an

      amount up to £17,500,000 or 4% of annual worldwide turnover,

      whichever is the higher.


Right of Appeal



45.   By virtue of section 162(l)(c) DPA there is a right of appeal against

      this Notice to the First-tier Tribunal (Information Rights). If an

      appeal is brought against this Notice, it need not be complied with
      pending determination or withdrawal of that appeal. Information

      about the appeals process may be obtained from:



      First-tier Tribunal (Information Rights)

      GRC Tribunals

      PO Box 9300
      Leicester

      LEl 8DJ

      Tel: 0300 1234504

      Fax: 0870 7395836

      Email: GRC@hmcts.gsi.gov.uk
      Website: www.justice.gov.uk/tribunals/general-regulatory-chamber



      Any Notice of Appeal should be served on the Tribunal within 28

      calendar days of the date on which this Notice is sent.



Dated the 22 nd day of June 2021




Stephen Eckersley

Director of Investigations
Information Commissioner's Office
Wycliffe House
Water Lane


                                     14Wilmslow
Cheshire
SK9 SAF
























































                                   15