ICO (UK) - Monetary Penalty Notice to Easylife Limited

Relevant Law: Article 5(1)(a) GDPR; Article 6 GDPR; Article 9 GDPR; Article 13 GDPR
National Case Number/Name: Monetary Penalty Notice to Easylife Limited
European Case Law Identifier: n/a
Original Source: ICO (in EN)
The UK DPA imposed a fine of 1,350,000 GBP on a catalogue retailer for violating Articles 9 and 13 GDPR by profiling special category (health) data of their customers based on their product purchases without acquiring consent or informing them about it.
English Summary
Facts
The controller is a catalogue retailer that sells health related services and products. The DPA started to investigate the controller after it came across it during another investigation.
In its investigation into the controller, the DPA found that between August 2019 and 19 August 2020, when a customer purchased a "trigger product" from the controller, it would make assumptions about the customer's medical conditions and then market health-related products to them without their consent. The controller linked the trigger products to several health conditions which Easylife inferred the customer was likely to have. The controller would then trigger marketing calls through a third-party telemarketing provider based on the transaction data. Overall, the incident affected 145,400 data subjects. The personal data involved included their names, telephone numbers, and special categories of data.
For the processing, the controller relied on its own legitimate interests, such as 'to store the information' and 'to maintain it as evidence'. Data subjects were not informed that their personal data would be used for profiling.
The DPA became concerned that using transaction data to make inferences about health conditions could constitute profiling, and the inferences made about health conditions could indicate processing of special category data.
In its representations, the controller argued that it had acquired the requisite consent to process special category data because it had notified customers that it would be using their personal data to notify them of products "that might be of interest".
Holding
The DPA held that the transactional purchase data of Easylife's customers was personal data.
The DPA held that when the controller used relevant transactional data to select customers for telemarketing, this constituted profiling. When the controller used the transactional data to decide which products to market to which customers, based on its inferences about customers' health conditions, this constituted the processing of special category data. This was irrespective of the controller's level of statistical confidence in the profiling.
The DPA held that Easylife breached Article 13 GDPR because the data subjects were not informed that their information would be used for profiling. The controller also violated Article 9 GDPR, because it did not collect customers' explicit consent to process special category data as required by Article 9 GDPR. Instead, the controller relied on legitimate interest. As a result, it also breached Article 6 GDPR in addition to Article 9 GDPR for not having a lawful basis to process special category data. Since the individuals were not informed about the profiling of special category data, the DPA held that the controller also conducted "invisible" processing of special category data. Therefore, the controller did not process the data fairly, lawfully or transparently as required by Article 5(1)(a) GDPR.
The DPA also dismissed the controller's argument that it had acquired consent because it had notified customers that it would use their personal data to notify them of products that might be of interest to them. The DPA held that no customer would have understood from this that the controller was going to use their special category data in a direct marketing telephone campaign.
The DPA imposed a fine of £1,350,000 on the controller.
Further Resources
Ibrahim Hasan has blogged about this fine here: https://actnowtraining.blog/2022/10/10/1-35-million-gdpr-fine-for-catalogue-retailer/