


ICO Issues Monetary Penalty on ‘Bounty’ for Sharing Personal Data without Informing Users

This case was subject to the Data Protection Act 1998.

Who is the ICO?

The Information Commissioner’s Office (ICO) is an independent authority set up to promote data privacy and uphold information rights in the UK, and can bring criminal prosecutions, non-criminal enforcements and conduct audits against organisations and individuals that breach data protection laws.

Case Facts

Bounty is a pregnancy and parenting support club, providing information and marketing offers and services to parents at different stages of a child’s life from pre-conception to pre-school. 

Bounty also provides a mobile application which allows expectant mums to track their pregnancies, access competitions and offers, and commission new-born portraits.  In addition to this primary function, Bounty also operates a data brokering service, providing hosted marketing on behalf of third parties and, until 30 April 2018, it supplied data to third party entities for direct e-marketing.

Bounty was identified as a supplier of a significant amount of personal data to third parties for direct marketing during a general investigation into non-compliant practices of the data brokerage industry. 

The ICO was informed that each unique record comprised the following:
  • Full Name
  • Parents’ Date of Birth
  • Email and Postal Address with Postcode (and by extension, Postal Address of child)
  • Status of Pregnancy
  • Gender and Date of Birth of Child
  • The mobile app also collected location data.

Bounty informed the ICO that during the period 1 June 2017 to 30 April 2018, it shared a total of 35,027,373 personal data records with Acxiom (a marketing and profiling agency), Equifax (a credit reference agency), Indicia (a marketing agency) and Sky (a telecommunications company) for the purposes of direct e-marketing.  These records were confirmed to represent the data of 14,315,438 unique individuals.

This case is similar to the Emma’s Diary data breach where, in August 2018, the ICO fined Emma’s Diary (Lifecycle Marketing (Mother and Baby) Ltd) £140,000 for illegally collecting and selling personal information belonging to more than one million people.  This information was sold to Experian Marketing Services, who created a database used to profile new mums leading up to the 2017 General Election.  This case formed part of the ICO’s investigation into data analytics for political purposes.


Action taken against Bounty

Bounty is a data controller, as defined in section 1(1) of the Data Protection Act 1998 (DPA) in respect of the processing of personal data.  Section 4(4) of the DPA provides that it is the duty of a data controller to comply with the data protection principles in relation to all personal data in respect of which he is the data controller.  

Bounty contravened the first data protection principle by sharing the personal data of over 14 million individuals with a number of organisations without informing the individuals that it might do so.  As a result, Bounty processed that personal data unfairly and without satisfying any processing condition under the DPA.  The amount of the monetary penalty which the ICO decided to issue was £400,000. 

Why are these cases subject to the Data Protection Act 1998?

A limited number of criminal enforcement cases, including the cases above, are still being dealt with under the provisions of section 55 of the Data Protection Act 1998.  This is because of the time when the breach of the legislation occurred.  

The GDPR was introduced into domestic UK legislation through the Data Protection Act 2018, and brought into force on 25th May 2018.  This means that all data breaches after this date will be governed by the 2018 Act.  

Contact


Jan Eberhardt

+44 0121 2278963


Rödl & Partner UK





