ICO fines Bounty Limited UK
The company Bounty Limited describes itself as a pregnancy and parents club and has been active in the British market since 1959.
Personal data was collected via various platforms (website, app, customer cards, etc.). Each record contained at least the following information:
- full name
- date of birth (parents)
- pregnancy status
- whether it is the first child
- gender of the child
- date of birth/term of the child
If the data was captured via the smartphone app, location data was also captured.
No deletion of the data after a certain period of time was planned; instead, the data would have been stored for an infinite period of time.
The data collected was shared with a total of 39 companies, including Acxiom (marketing agency), Equifax (business information company), Indicia (marketing agency) and Sky (PayTV provider). In total, more than 34 million individual data records were transmitted, including multiple transmissions to one company.
The UK Data Protection Commission (ICO) also found that the data collection was incompatible with the UK Data Protection Act. No opt-in system for data collection and disclosure was in place; the data subjects were merely informed via a notice.
The Data Protection Authority ultimately imposed a fine of £500,000 (around €465,000) for multiple breaches of the Data Protection Act. One of the criticisms was that the transfer of data was not legitimate, as the company only spoke of selected partners, but the data was actually sold to a large number of companies. The lack of deletion deadlines was also the subject of the investigation.
The investigation period ran until 30 April 2018, so the GDPR did not yet apply. According to the legal situation at the time, the maximum fine was £500,000.
The processing and transfer of data is a rewarding business, but it has been subject to strict rules since the GDPR entered into force in May 2018. The documentation of data processing is complex and time-consuming. easyGDPR is a powerful tool to reduce these costs. Besides that, easyGDPR prevents your company from illegal data processing. If your business needs more measures to be GDPR compliant, easyGDPR will show you which actions are necessary. The standard and enterprise versions also include data processing agreements to legalise the data transfer to other companies.
Type of Issue:
Illegal data processing
Number of involved data records:
34 267 889
Special category of data involved:
Violation of GDPR Paragraph:
5. Principles relating to personal data processing
6. Lawfulness of processing