United Kingdom
Easylife Ltd.
GDPR enforcement action by Information Commissioner (ICO) on 2022-10-04.
Case details
- Authority
- Information Commissioner (ICO)
- Date
- 2022-10-04
- Controller / Processor
- Easylife Ltd.
- Sector
- Industry and Commerce
- Quoted Articles
- Art. 5 (1) a) GDPR, Art. 6 GDPR, Art. 9 GDPR, Art. 13 (1) c) GDPR, Regulation 21 PECR
- Type of violation
- Insufficient legal basis for data processing
Summary
The UK DPA has imposed a fine of EUR 1,547,000 on Easylife Ltd. Easylife is a retailer that sells household items as well as services and products under its health, motor, supercard and garden clubs.
When purchasing certain products, the company made assumptions about the customer's health condition, whereupon the customer was then offered further products for purchase by phone or SMS that were related to their health condition.
Of the 122 products in Easylife's Health Club catalog, 80 items were classified as "trigger products." Once customers purchased these products, Easlylife created a profile of them in order to target them with a health-related item.
During its investigation, the DPA found that the company collected and used the personal data (health data) of a total of 145,500 data subjects without their consent or even knowledge.
The DPA found that this "invisible" processing of the personal data constituted a serious violation of the data subjects' rights, as they were not able to exercise their privacy and data protection rights at all due to lack of knowledge of the processing.
In addition, the company had made 1,345,732 unsolicited marketing calls to individuals without their consent to the calls. The DPA considered this a violation of the PECR.
Related fines