On 27 October 2020, the UK’s DPA (“ICO UK”) announced it had taken enforcement action against a credit reference agency. ICO UK requested the agency to make fundamental changes in how it handles data subjects’ personal data within its direct marketing services by July 2021.
The enforcement action was taken following an investigation carried out by ICO UK into data protection compliance in the direct marketing data broking business of the three largest credit reference agencies in the UK. In a nutshell, ICO UK found that:
- the privacy information in the context of the agencies’ marketing services did not clearly explain the processing;
- the agencies were incorrectly relying on an exception from the requirement to directly provide privacy information to data subjects;
- the agencies were using personal data collected for credit referencing purposes for limited direct marketing purposes;
- none of the consents relied on by the agency against whom was taken the enforcement action was valid under the GDPR;
- the legitimate interest assessments conducted by the agencies were not properly weighted;
- in some cases, the agency against whom was taken the enforcement action was obtaining data on the basis of consent and then processing it on the basis of legitimate interests. ICO UK stated that switching from consent to legitimate interests in this situation is not appropriate.
According to ICO UK’s press release, all three credit reference agencies investigated made improvements to their direct marketing services business. Two of them made the improvements alongside withdrawing some products and services, and therefore ICO UK has not taken further action against them.