Easylife Ltd. – €1,579,500 Fine (United Kingdom, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The UK fined Easylife Ltd. for using customer purchase data to guess their health conditions and market related products without consent. This matters because it shows that using personal data without clear permission can lead to big fines. Easylife's actions affected over 145,000 people.
What happened
Easylife Ltd. used customer transaction data to infer health conditions and market products without consent.
Who was affected
Customers who bought certain products and had their health conditions inferred by Easylife.
What the authority found
The UK authority found Easylife violated GDPR by profiling customers and using their data without a valid legal basis.
Why this matters
This case highlights the importance of obtaining clear consent before using personal data for marketing. Businesses should ensure they have a valid reason to process data, especially when it involves sensitive information like health.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller is a catalogue retailer that sells health related services and products. The DPA started to investigate the controller after it came across it during another investigation. In its investigation into the controller, the DPA found that between August 2019 and 19 August 2020, when a customer purchased a "trigger product" from the controller, it would make assumptions about customers' medical conditions and then market health-related products to them without their consent. the controller linked the trigger products to several health conditions which Easylife inferred that the customer was likely to have. After this, the controller would trigger marketing calls through a third party telemarketing provider based on the transaction data. Overall, the incident affected 145,400 data subjects. Their personal data would include their names, telephone numbers, and special categories of data. For the processing, the controller relied on its own legitimate interests for the processing, such as 'to store the information' and 'to maintain it as evidence'. Data subjects were not involved that their personal data would be used for profiling. The DPA became concerned that using transaction data to make inferences about health conditions could constitute profiling, and the inferences made about health conditions could indicate processing of special category data. In the representations, the controller argued that it had acquired the requisite consent to process special category data because it had notified customers that it would be using their personal data to notify them of products "that might be of interest'. The DPA held that the transactional purchase data of Easylife's customers was personal data. The DPA held that when the controller used relevant transactional data to select customers for telemarketing, this constituted profiling. When controller used the transactional data to decide which products to market to which customers, based on its inferences of
Related Enforcement Actions (1)
Other enforcement actions involving Easylife Ltd. in UK
Details
Fine Date
4 October 2022
Authority
Information Commissioner's Office
Fine Amount
€1,579,500
1,350,000 GBP
GDPRhub ID
gdprhub-5323About this data
Cite as: Cookie Fines. Easylife Ltd. - United Kingdom (2022). Retrieved from cookiefines.eu
Last updated: