On April 9, 2019, the UK Data Protection Authority, the Information Commissioner’s Office (ICO), served a monetary penalty notice under section 55A of the Data Protection Act 1998 (DPA) of around $520,000. The fined company (Bounty) shared the personal data of over 14 million individuals with a number of organizations, including credit reference and marketing agencies, without informing those individuals that it might do so. According to the ICO, the company processed the personal data “unfairly and without satisfying any processing condition” under the DPA.
In particular, the ICO deemed that the company failed to comply with the data protection ‘fairness’ principle. The principle imposes a transparency duty requiring data controllers to provide data subjects with information about the purposes for which their personal data will be used. The ‘fairness’ principle also involves “adhering to individual’s reasonable expectations of how their data will be used and not using their data in ways that risk causing them damage or distress”.
In response to the ICO’s inquiries, the company provided an explanation of its processing and retention policies, which informed data subjects that their data would not be collected excessively and would be collected only for the specific purposes explained. In addition, the policy stated that the company might share data only with “selected third parties”.
However, the ICO deemed that the data subjects’ consent wasn’t informed and that they couldn’t have foreseen that their data would be shared with certain organizations.
“Data subjects registering with a pregnancy and a parenting club would not reasonably have expected their personal data to be disclosed to the likes of credit reference, marketing and profiling agencies.”
The notice can be appealed.
{This is not the first time that a motherhood-related company has been fined by the ICO. In August 2018, the ICO fined Lifecycle Marketing (Mother and Baby) Ltd, aka Emma’s Diary, a business providing advice on pregnancy and childcare, £140,000. In that case too, the ICO deemed the fairness principle violated, since the data subjects could not reasonably have expected their personal data to be disclosed to a political party for the purposes of political marketing. See here for more info.}
More on the monetary penalty notice against Bounty (UK) Limited is available at https://ico.org.uk…
For more information about GDPR and EU data protection, contact Francesca Giannoni-Crystal & Federica Romanelli.