ZMLUK Limited – €122,850 Fine (United Kingdom, 2025)

ZMLUK Limited (the controller) is a financial intermediation and advertising agency. The DPA received several complaints relating to marketing emails sent in 2023 by the controller. The controller specified that it obtained the personal data used in sending the emails through customer activity, thus relying on Article 22(3) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (UK PECR), the transposition into UK law of the E-Privacy Directive 2002/58/EC. Furthermore, it also obtained personal data for direct marketing purposes from a third-party provider, in which case it relied on consent under Article 22(2) UK PECR. The controller further alleged that the data subjects who filed complaints with the DPA had opted in to receiving marketing communications. The DPA’s inspection of a third-party website providing personal data to the controller showed that it was unclear whether individuals could consent to specific third parties for direct marketing, out of the 300 plus organisations listed. The DPA analysed if the controller obtained valid consent for sending direct marketing, as well as if the controller was able to rely on the exception to the consent rule. Firstly, the DPA found that the consent was not informed, since data subjects were unable to select which companies they wished to receive marketing from, out of over 300 entities listed, on the third-party website. Alternatively, the DPA explained that the exception to the consent rule for direct marketing can only be relied upon by the controller that collected the contact details of the data subject. In this case, the controller obtained the data from a third party and thus could not rely on the exception. Therefore, the DPA found that the controller violated Article 22 UK PECR by sending over 67 million emails using data sourced from third parties for the purposes of direct marketing without valid consent. The DPA fined the controller GBP 105,000 (approximately €120,000).