ICO - Monetary Penalty against Decision Technologies Limited

From GDPRhub
ICO - Monetary Penalty against Decision Technologies Limited
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law:
Privacy and Electronic Communications Regulations 2003 (PECR)
Type: Investigation
Outcome: Violation Found
Decided: 01.07.2020
Published: 02.07.2020
Fine: 90.000 GBP
Parties: Decision Technologies Limited (DTL)
National Case Number/Name: Monetary Penalty against Decision Technologies Limited
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: decision-technologies-limited-mpn (in EN)
Initial Contributor: Andrea Spataro

The ICO imposed a fine of £90.000 against on Decision Technologies Limited ('DTL') for a breach of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003, which, except under certain circumstances, did not permit the transmission of unsolicited emails to the subscribers for marketing purposes without specific consent for it, even with the support of third parties ('indirect marketing').

English Summary[edit | edit source]

Facts[edit | edit source]

Between June 2017 and June 2018, a price comparison and technology company, Decision Technologies Limited ('DTL'), used the email marketing services of two companies (referred to as 'Aggregators') to carry out a marketing campaign on his behalf. In particular, these Aggregators, in turn, used different List Owners to effectively transmit the communications required by DTL.

Although DTL has done due diligence on the Aggregators, he has neither had any contacts nor compliance information from the List Owners against the PECR.

During this time period, the Aggregators, through the List Owners, sent more than 14 million emails to their subscribers.

Dispute[edit | edit source]

The ICO had to determine whether the DTL has correctly acted in compliance with the PECR, particularly with reference to Regulation 22, which requires a specific and informed consent to send emails for marketing purposes.

First, the ICO had to assess the approach adopted by the List Owners for the mentioned marketing activity.

Second, the ICO needs to see if DTL, or the category of organisations in which he is part of, is mentioned in the 'opt-in' box of List Owners.

Holding[edit | edit source]

The ICO found various non-compliant behaviours during its investigation on the List Owners. In particular, it found that some of these services did not have a specific and separate 'opt-in' box for marketing purposes, but consider it as a condition of the service.

Also, when the ICO found a specific consent for marketing purposes, most of them did not mention DTL or its category of industry (e.g. price comparison industry) in the list of partners that could use the data of subscribers for its own marketing campaign.

The ICO therefore confirmed the violation of the PECR, as that it did not find a ' freely given, specific and informed' expression of consent of the data subjects involved in the marketing campaign.

Lastly, the DPA highlighted that, even if the behaviour of DTL was not deliberate, it would appear to be negligent, keeping into account that DTL should have reasonably known the regulation on the marketing field and given the lack of reasonable steps that it should have taken to avoid or prevent these risks.

As a result, the ICO confirmed the violation of the PECR and issued a monetary penalty of £90.000 against DTL.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Not applicable. Please see the English original.