Update: This press release has been updated to reflect the fact that Easylife Ltd were fined for breaching the GDPR, as opposed to the Data Protection Act 2018.
The Information Commissioner’s Office (ICO) has reached an agreement with Easylife Ltd (Easylife) to reduce the monetary penalty notice (MPN), issued for breaching the GDPR, to £250,000.
Easylife accepts the ICO’s findings set out in the MPN and has agreed to pay the reduced fine.
The ICO fined Easylife on 4 October 2022. This followed an investigation which found the company was making assumptions about customers’ medical conditions, based on their purchase history, to sell them further health-related products.
The ICO found this involved the processing of special category data by Easylife, and the activity was being conducted without a lawful basis. Easylife has since stopped the unlawful processing of special category data.
Easylife appealed against the MPN. Both parties have now reached agreement that the MPN and the ICO’s factual findings stand, and the amount of the penalty should be reduced.
The First-tier Tribunal (General Regulatory Chamber) has approved the agreement reached by both parties and has otherwise dismissed the appeal.
“As a pragmatic and proportionate regulator, my role is to ensure that we protect the public and ensure businesses abide by the law.
“Easylife has confirmed that it has stopped the unlawful processing which formed the basis of the ICO’s concerns. Having considered the amount of the penalty again during the course of the litigation, in light of the issues raised by Easylife, I considered that a reduction was appropriate.”
- John Edwards, UK Information Commissioner
Easylife also received a separate £130,000 fine on 4 October 2022 for being responsible for over 1.3m unsolicited direct marketing calls, which is a breach of the Privacy and Electronic Communications Regulations (PECR). This penalty was not appealed and was paid in full.