The catalogue retailer Easylife Ltd. received two fines from the Information Commissioner's Office (ICO). The first fine is for Easylife's unlawful processing of its customers' data to predict their medical conditions. Easylife then used this information to market its health products to the customers on the basis of their presumed condition.
Additionally, Easylife called over 1.3 million customers for marketing purposes despite the fact that these customers were registered with the Telephone Preference Service (TPS), which led to a second fine.
Update March 2023:
The ICO announced that, after Easylife appealed against the fines, it reached an agreement with Easylife and reduced the fines. Easylife accepted the ICO's findings and a reduced fine of £250,000 in total.
The ICO reduced the fine because Easylife stopped its unlawful processing during the course of the litigation, which is now reflected in the reduced amount.
Background of the ICO fine
Easylife retails household items, as well as services and products under its health, motor, supercard and gardening clubs.
Easylife also runs a catalogue specifically on health topics. Of the 120 items offered, 88 are considered targeted items. When a customer buys such an item, Easylife draws conclusions about the customer's medical condition and targets them with advertising, via calls and e-mails, relating to that possible condition. For example, if a person bought a jar opener or a dinner tray, Easylife would use that purchase data to assume that the person has arthritis and then call them to market glucosamine joint patches.
Easylife did not obtain consent for this type of profiling. In addition, the data subjects were not informed at all; according to the ICO, "invisible" processing took place. Over 140,000 customers were affected. The ICO issued a fine of £1.35 million for this breach.
Independently of this breach, the ICO also fined Easylife £130,000 for making marketing calls to customers who were registered with the TPS. Easylife was therefore prohibited from making marketing calls to these customers. The calls took place between August 2019 and August 2020. Almost 1.3 million data subjects were contacted, although there was no legal basis for these calls.
In this context, the ICO received 25 complaints in which the data subjects stated that the calls left them annoyed, stressed, threatened and anxious. The ICO said that Easylife had been particularly aggressive, which justified the amount of the fine.
Companies that make similar calls will face similarly harsh penalties, according to the ICO. The fact that Easylife had a compliance meeting with the ICO in June 2019, at which this issue could have been discussed, was taken particularly seriously by the ICO. On the other hand, the remedial measures, such as TPS screening and the introduction of a new data protection management system, were assessed positively and ultimately led to a fine of only £130,000.
Legal assessment of the data protection law breaches
According to Art. 5(1)(a) of the United Kingdom General Data Protection Regulation (UK GDPR), any processing of personal data must be lawful, fair and transparent. When Easylife drew conclusions about the medical conditions of its customers from their purchase histories, it neither obtained the data subjects' consent nor informed the customers of the processing of their personal data. Therefore, the processing was, first of all, unlawful. A controller, in this case Easylife, may only process personal data if it can provide a legal basis as set out in Art. 6 or 9 UK GDPR. In the case of profiling, consent would be the correct legal basis. The other legal bases, in particular the overriding legitimate interests of the controller, are not applicable to profiling. Accordingly, the processing here was unlawful due to the lack of the necessary consent.
Furthermore, there was also a lack of transparency. According to Art. 13 and 14 of the UK GDPR, the data subjects must be informed about the data processing. This includes in particular information about:
- the identity and contact details of the controller,
- the contact details of the data protection officer, where applicable,
- the purposes and legal basis of the processing,
- where the processing is based on legitimate interests, the interests pursued,
- the recipients or categories of recipients of the personal data,
- any restricted transfers to restricted countries,
- the storage periods, and
- the rights of the data subjects under the UK GDPR.
Such information was not provided. Rather, the processing was carried out without the knowledge of the data subjects and, as the ICO put it, invisibly. This violates one of the basic principles of the UK GDPR in Art. 5 and was therefore objectionable.
Companies have two options for contacting data subjects for marketing purposes. The first is the consent of the individual. The second is legitimate interests. Marketing calls based on the legitimate interests of a company are permitted under strict rules set out in the Privacy and Electronic Communications Regulations (PECR), which apply alongside the UK GDPR.
However, calls to telephone numbers registered with the TPS are excluded from this option. The TPS is a service with which individuals can register in order not to receive marketing calls. Companies are therefore obliged to carry out so-called TPS screening before making marketing calls in the UK, so that registered numbers are not contacted with advertising.
Only if the data subject permits the individual company to contact them for advertising purposes, i.e. gives their consent, may such calls be made despite a TPS registration. Easylife, however, did not carry out such screening and made numerous calls despite an existing TPS registration.
The ICO found that, although those affected suffered no financial damage, they suffered emotional stress, which is in itself sufficient to constitute damage.
Conclusion: Always observe the UK GDPR’s principles
The UK GDPR sets out principles in Art. 5, which are integrated into the other articles and broken down into individual obligations and rights. In order to comply with data protection law, all of these principles, namely lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality, should always be observed.
If, as in the case of Easylife, transparency and lawfulness are not complied with because the data subjects are not informed and the legal basis is unlawful or missing, high fines may be imposed.
In this case, the ICO had announced that it would take particularly hard action against companies that make similar calls. This still stands even though the fine has now been reduced. Companies should not assume that they will also receive a reduction. Such reductions are always linked to the circumstances of the specific case, the impact on those affected and the cooperation of the company.
In addition, the ICO has already punished numerous other cases in which the TPS registration of telephone numbers was disregarded with high fines. TPS screening is, however, a comparatively small step in the process of making marketing calls, so large fines can be avoided with little effort. Companies are therefore well advised to consider the data protection principles in all their processing activities, and to define strict processes to ensure that every measure necessary for compliance with data protection law is taken.
If you are uncertain about your processes or legal bases for processing, please contact our experts. We will be happy to advise you!