Saga Personal Finance Limited – €87,750 Fine (United Kingdom, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Saga Personal Finance Limited was fined EUR 87,750 for sending millions of marketing emails without proper consent. This is important because it shows that companies must ensure they have clear permission before sending marketing messages. The case serves as a warning to businesses about the risks of indirect consent.
What happened
Saga Personal Finance Limited sent 28,523,745 unsolicited marketing emails without obtaining valid consent.
Who was affected
Individuals who received unsolicited marketing emails from Saga Personal Finance Limited.
What the authority found
The ICO found that Saga Personal Finance Limited breached PECR by sending marketing emails without valid consent.
Why this matters
This case highlights the importance of obtaining explicit consent for marketing communications and serves as a reminder that companies cannot rely on indirect consent obtained through third parties.
GDPR Articles Cited
National Law Articles
The ICO received a number of complaints regarding unsolicited email marketing. These were sent on behalf of Saga Personal Finance Limited (hereafter 'SPF') by different partner companies, so it launched an investigation into SPF's data practices. The company is a subsidiary of Saga Group Limited, which received a similar fine on the same day for another subsidiary's direct marketing practices. First, it sent a letter to the Saga Group requesting information "including details of Saga Group's Partners/Affiliates, websites from which consent for marketing was obtained together with evidence of that consent, and a description of any due diligence carried out with respect to the data used by Saga Group". The company replied, informing the ICO that the marketing content was indeed sent out by partners on behalf of SPF "using a database of individuals who had opted in to receiving marketing materials from third parties either via the Partners' websites or via websites operated by their sub-contractors". No personal data was actually transferred from the company, but it exercised total control over the content to comply with FCA requirements. The targeting and recipients was nonetheless controlled by its partners. Then, the ICO reviewed whether the consent on which the email marketing was based was legitimately obtained. It found that SPF was not named on any of the privacy policies the users of different websites agreed to. Some consent statements did not even inform the individuals agreeing to them that they would receive any third party marketing. The ICO held that SPF was in breach of Regulation 22 PECR because it instigated the transmission of the 28,523,745 unsolicited direct marketing messages sent and failed to obtain valid consent from individuals who received them. The breach was serious and negligent, respectively due to the high number of emails sent and lack of steps taken by the company to prevent it. It stated that while SPF relied on 'indirect consent' f
Related Enforcement Actions (0)
No other enforcement actions found for Saga Personal Finance Limited in UK
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
13 September 2021
Authority
Information Commissioner's Office
Fine Amount
€87,750
75,000 GBP
GDPRhub ID
gdprhub-4019About this data
Cite as: Cookie Fines. Saga Personal Finance Limited - United Kingdom (2021). Retrieved from cookiefines.eu
Last updated: