ICO (UK) - ICO Monetary Penalty on Tested.me Ltd

From GDPRhub
ICO (UK) - ICO Monetary Penalty on Tested.me Ltd
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 4(11) GDPR
PECR Regulation 22
Type: Complaint
Outcome: Upheld
Decided: 10.05.2021
Published: 18.05.2021
Fine: 8.000 GBP
Parties: n/a
National Case Number/Name: ICO Monetary Penalty on Tested.me Ltd
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: n/a

The UK's DPA fined a company offering digital contact tracing services £8,000 for sending marketing emails to subscribers without obtaining their free and informed consent.

English Summary[edit | edit source]

Facts[edit | edit source]

Tested.Me Ltd (“TML”) offers digital contact tracing service in relation to COVID-19 for business premises. The service aims at keeping the records of people who visit a particular workplace in any day. It works through a given QR code which needs to be scanned by individuals on arrival at workplaces.

TML sent four emails in total, the last two of which are subject to investigation under this decision, to nearly 84,000 subscribers between the period of 26 June 2020 and 09 November 2020. The e-mails were concerning a promotion of the “digital health passport” which is another service of TML.

An individual submitted a complaint concerning such emails to the Information Commissioner's Office ('ICO') on 6 November 2020. The individual stated that they did not consent to receiving marketing e-mails.

ICO’s further investigation revealed that the individual filled out the Visitor Registration Form on the website of TML. The consent wording on the form was “Tick here if you agree for this venue, its alliance and tested.me to send you marketing materials in the future,” and it was accompanied by a disclaimer that shows the collected data and storage period of such data. Beyond that no further privacy information was provided.

TML highlighted a technical issue with the last e-mail. Individuals who had opted out of marketing communications following the receipt of the third e-mail were still among the recipients of the last email, if they had filled out the Visitor Registration Form for the second time and ticked the marketing consent box. Those affected by this error included the individual who had complained to the ICO.

Dispute[edit | edit source]

The ICO had to determine if the above-mentioned facts constitute a violation of Regulation 22 of the PECR that foresees the obtainment of the valid consent to marketing e-mails and if so, whether the conditions of Section 55A of the Data Protection Act 1998 (“DPA”) are met.

Holding[edit | edit source]

ICO holds that TML failed to comply with its obligations under Regulation 22 of the PECR by sending direct marketing e-mails to subscribers without obtaining their valid consent, as defined by the GDPR. Thus, the ICO is satisfied that conditions of Section 55A of the DPA are met.

ICO states that the consent given by the recipients of these marketing e-mails did not meet the requirements of Article 4(11) GDPR as it was not freely given, specific, and informed. In particular because:

  • The consent was not “informed” because the data subjects could not identify TML and its activities, and the could not access TML’s Privacy Notice when filling the Visitor Registration Form. The ICO highlighted that beyond a small “tested.me” logo at the bottom of the Visitor Registration Form, no information was provided about who TML is and what activities it engages in.
  • The consent was not “freely given” and “specific” because consent wording was ambiguous and did not indicate specific channels for marketing communication such as by e-mail or by phone.

Comment[edit | edit source]

The ICO indicates that the provision of digital track-and-trace services is an emerging business area with the COVID-19 pandemic, therefore ensuring compliance with the data protection and privacy rules is of strategic importance for these companies. With the decision summarised above, the ICO signals that it will further scrutinise companies offering contact tracing services in the future.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the English original. Please refer to the English original for more details.