ICO - Studios MG Limited (Monetary Penalty)

From GDPRhub
Revision as of 14:22, 19 October 2020 by Kari
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law:
Regulation 22 PECR
Section 55A DPA98
Type: Other
Outcome: n/a
Started:
Decided: 06.10.2020
Published: 08.10.2020
Fine: 40000 GBP
Parties: n/a
National Case Number/Name: Studios MG Limited (Monetary Penalty)
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Monetary Penalty Notice (in EN)
Initial Contributor: n/a

The Information Commissioner’s Office (ICO) issues a £40,000 monetary penalty for sending unsolicited marketing emails advertising protective face masks in breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

English Summary

Facts

At the beginning of the Covid-19 related lockdown measures, Studios MG Limited (SMG), a London-based ‘software design and build’ company, sent an email advertising surgical masks, with a link to a vendor’s website, to at least one and an estimated 8000-9000 email addresses.

Dispute

Did SMG act in breach of regulation 22 PECR, and, if so, are the conditions for a monetary penalty under section 55A of the Data Protection Act 1998 (DPA) met?

Holding

The Commissioner finds that SMG contravened regulation 22 PECR.

In confirming the contravention, she emphasizes that the email addresses were obtained from a variety of undefined sources, and that no efforts were made to obtain or demonstrate consent.

In addition, the Commissioner notes in this context that SMG had deleted the relevant database as well as their platform provider account following initiation of the Commissioner’s investigation, rendering an accurate determination of the number of affected individuals impossible.

She considered whether the ‘soft opt-in’ exemption provided by regulation 22(3) PECR was relevant, but rejected it because SMG is a ‘software design and build consultancy’, i.e. a business without any evident relation to the sale of protective equipment.

The Commissioner continues by examining the conditions for issuing a monetary penalty under section 55A DPA.

In confirming the necessary seriousness of the contravention, she makes specific reference to the ‘Information Commissioner’s guidance about the issue of monetary penalties prepared and issued under section 55C(1) of the Data Protection Act 1998’ to support the position that such a qualified breach may be constituted even by a single traceable incident.

In particular, she later elaborates that the number of complaints does not necessarily reflect the gravity of a potential breach, since most recipients could be expected not to go as far as making an official complaint but would rather just delete or ignore an unsolicited marketing email.

In view of when SMG registered the domains it used for its activities, the Commissioner concludes that the company deliberately ‘intended to capitalise on the health pandemic’.

The Commissioner returns to this element in elaborating on her exercise of discretion to issue a penalty. In summary, the Commissioner considers as aggravating elements the attempt to exploit and capitalise on the pandemic, the absence of any efforts to act in line with data protection principles (including, but not limited to, not having registered with the ICO’s public data protection register) as well as a lack of cooperation with the ICO regarding the investigation.

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.