The UK Information Commissioner’s Office (ICO) has ordered the company Easylife to pay penalties totalling £1.48 million. The case arose from a separate investigation into a telemarketing company. The ICO initially looked into possible violations of the Privacy and Electronic Communications Regulations (PECR), which then led to further possible violations of GDPR.
Privacy and Electronic Communications Regulations (PECR)
Under the PECR, a company that wishes to contact an individual registered on the Telephone Preference Service (TPS) must first have that individual's consent.
General Data Protection Regulation (GDPR)
GDPR requires personal data to be processed lawfully, fairly and in a transparent manner.
Easylife violated the above PECR requirement by making 1,345,732 unsolicited calls. The calls were made even though the numbers were registered with the TPS and had been registered for at least 28 days before the calls were received. None of the individuals contacted had given their consent to be called for direct marketing purposes. The ICO found that the company failed to carry out due diligence checks on the data being used and was negligent, despite the issues being widely publicized.
Data processing of individuals happened in one of three ways. Customers would buy products by:
- Placing an order on the website
- Sending by post an order return form cut from the back of a catalogue
- Calling their call centre and placing an order by phone.
The ICO found that alongside these orders a significant amount of ‘invisible’ processing and profiling of customers took place. Invisible processing is so called because the individuals involved are not aware that the processing is taking place. In this case, 145,400 people were profiled, meaning that their data was collected, unlawfully processed, and used. The data involved included personal data, such as names and phone numbers, and special category data. This information was then shared with a third-party telemarketing company to sell on behalf of Easylife. The aim was to sell individuals non-medical lifestyle products relevant to the customer’s transactional history.
The ICO served penalties that must be paid by November 2, 2022:
- For using the personal information of 145,400 customers to predict their medical condition and target them with health-related products without their consent.
- For making direct marketing calls.