Information Commissioner's OfficeEnforcements Actioned
ICO is responsible for taking action to ensure organisations meet their information rights obligations. See the latest actions ICO has enforced.
American Express Services Europe Limited
18 May 2021
Between a 12-month period from 1 June 2018 to 31 May 2019, a confirmed total of 4,098,841 direct marketing messages were sent by, or at the instigation, of American Express Services Europe Limited. These messages contained direct marketing material for which subscribers had not provided adequate consent.
18 May 2021
The ICO has fined a company for sending direct marketing emails to people who provided their personal data for contact tracing purposes.
Tested.me Ltd (TML) of St Albans, provides digital contact tracing services which work by offering people a QR code to scan when arriving at businesses’ premises.
The company sent nearly 84,000 nuisance emails at the height of the Covid-19 pandemic between September and November last year, when businesses were using private QR code providers to collect personal data to meet the government’s contact tracing rules.
Leads Work Limited
05 March 2021
Leads Work Limited sent 2,670,140 marketing text messages to individuals without their consent, resulting in excess of 10,000 complaints, over a period of 41 days.
Muscle Foods Limited
03 March 2021
Muscle Foods Limited sent approximately 135,651,627 marketing emails and 6,354,426 marketing SMS messages to individuals without their consent, over a period of seven months.
Valca Vehicle and Life Cover Agency Ltd
25 February 2021
Between 15 June 2020 and 20 July 2020 a total of 95,004 connected unsolicited direct marketing messages were received by subscribers, resulting in 114 complaints.
Call Centre Ops Limited
12 February 2021
There have been multiple breaches of regulation 21 by Call Centre Ops Limited arising from the organisation’s activities over a six-month period, and this led to a substantial number (159,461) of unsolicited direct marketing calls being made to subscribers who were registered with the TPS. Furthermore, Call Centre Ops Ltd has been unable to demonstrate that it held valid consent for the purposes of these calls.
House Guard UK Limited
12 February 2021
Between 8 May 2018 and 31 December 2018 House Guard UK Limited indicated that it had conducted a direct marketing telephone campaign in respect of which they admit that approximately 669,966 were connected to subscribers. Of these calls 371,958 were made to TPS registered numbers, without conducting any due diligence on the data provided to them.
Seafish Importers Limited
28 January 2021
Between 23 August 2019 and 7 April 2020, a confirmed total of 491,995 direct marketing messages were sent by Seafish Importers Limited and received by subscribers. Of those messages, 276,866 were sent between 20 March 2020 and 7 April 2020, during the height of the Covid-19 pandemic, relating to the sale of face masks. These messages contained direct marketing material for which subscribers had not provided valid consent.
Repair & Assure Ltd
27 January 2021
Repair & Assure Ltd were responsible for making 1,103,292 nuisance calls between 2 January and 11 June 2019. The ICO and TPS received 88 complaints about the calls, which all related to washing machine warranties.
Chameleon Marketing (H.I) Ltd
27 January 2021
Between 17 March and 2 July 2019, Leeds based CML made 617,323 direct marketing calls to people registered with the TPS. The calls promoted boiler replacements and resulted in 52 complaints from the public.
Solar Style Solutions Limited
27 January 2021
Over a four month period SSSL made 188,665 calls of which 126,019 were to TPS registered users and generated 29 complaints.
Rancom Security Limited
27 January 2021
The ICO and TPS received 94 complaints about the West Midlands security systems company for calls it made between 1 June 2017 and 31 May 2018. Of the 851,392 calls made 565,344 were to TPS registered users.
Kim Doyle and William Shaw
14 January 2021
A motor industry employee has been prosecuted for passing the personal information of service users to an accident claims management firm without authorisation.
Kim Doyle, of Village Lane, Higher Whitley, pleaded guilty to charges of conspiracy to secure unauthorised access to computer data, and to selling unlawfully obtained personal data. She was sentenced at Manchester Crown Court on 8 January 2021 to eight months’ imprisonment, suspended for two years.
Doyle unlawfully compiled lists of road traffic accident data including partial names, mobile phone numbers and registration numbers despite having no permission from her employers. Doyle then unlawfully transferred the data she obtained to William Shaw, the director of an accident claims management firm.
William Shaw, of Flixton Road, Urmston, was also sentenced to eight months’ imprisonment, suspended for two years after pleading guilty to conspiracy to secure unauthorised access to computer data.
Doyle and Shaw were also each ordered to carry out 100 hours’ unpaid work and contribute £1,000 costs.
A Confiscation Order, under the Proceeds of Crimes Act, to recover benefit obtained as a result of the offending had been given by the Court in which Doyle must pay a benefit figure of £25,000 and Shaw must pay a benefit figure of £15,000. Both Doyle and Shaw will face three months’ imprisonment if the benefit figures are not paid within three months.
Pownall Marketing Limited
16 December 2020
The Information Commissioner’s Office (ICO) Financial Recovery Unit (FRU) is starting proceedings to retrieve £250,000 from defunct company Pownall Marketing Limited (PML). The company was recently fined by the ICO for making over 350,000 nuisance calls.
Between 1 January 2019 and 28 May 2019 Pownall Marketing Limited used a public electronic communications service for the purpose of making 365,369 unsolicited calls for direct marketing purposes to subscribers in relation to claims management services, resulting in 63 complaints.
Pension House Exchange Limited
09 December 2020
The Information Commissioner’s Office (ICO) has fined Pension House Exchange Limited has been fined £45,000 for making 39,722 connected unsolicited calls for the purposes of direct marketing in relation to occupational pension schemes or personal pension schemes contrary to regulation 21B of PECR.
OSL Financial Consultancy Limited
04 December 2020
The Information Commissioner’s Office (ICO) has fined OSL Financial Consultancy Limited (OSL) £50,000 for illegally sending 174,342 nuisance marketing texts.
The Barnetby based mortgage and loans broker, trading as MortgageKey, came to the attention of the ICO as part of its probe into companies seeking to take advantage of the Covid-19 pandemic with nuisance marketing. Between March and June 2020, the ICO identified a number of complaints about OSL that had been sent to the 7726 spam text reporting service.
Ticketmaster UK Limited
13 November 2020
The ICO has fined Ticketmaster UK Limited £1.25 million for failing to protect customers’ payment details.
Marriott International Inc
30th October 2020
The ICO has fined Marriott International Inc £18.4million for failing to keep millions of customers’ personal data secure.
Marriott estimates that 339 million guest records worldwide were affected following a cyber-attack in 2014 on Starwood Hotels and Resorts Worldwide Inc. The attack, from an unknown source, remained undetected until September 2018, by which time the company had been acquired by Marriott.
Reliance Advisory Limited
29th October 2020
The Information Commissioner’s Office (ICO) has fined Reliance Advisory Limited (RAL) £250,000 for breaking electronic marketing law. The ICO found that over a six month period from the start of 2019, the Bury-based company RAL made 15.1 million calls in relation to claims management services such as mis-sold PPI. All of the calls, of which 1.1 million connected, were made to people who had not consented to receive them.
27th October 2020
The Information Commissioner’s Office (ICO) orders Experian Limited to make fundamental changes to how it handles people’s personal data within its direct marketing services.
16th October 2020
The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers.
Digital Growth Experts Limited
24th September 2020
The Information Commissioner’s Office (ICO) has fined Digital Growth Experts Limited (DGEL) £60,000 for sending thousands of nuisance marketing texts at the height of the pandemic.
CPS Advisory Limited
10th September 2020
Swansea company CPS Advisory Ltd was fined £130,000 for making more than 100,000 unauthorised direct marketing calls to people about their pensions.
Decision Technologies Limited
2nd July 2020
Price comparison and technology company fined £90,000 for a contravention of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.
Black Lion Marketing Ltd
27th March 2020
Black Lion Marketing Ltd fined £171,000 for making unsolicited direct marketing calls.
4th March 2020
Cathay Pacific Airways Limited £500,000 for failing to protect the security of its customers’ personal data. Between October 2014 and May 2018 Cathay Pacific’s computer systems lacked appropriate security measures which led to customers’ personal details being exposed.
2nd March 2020
CRDNN Limited fined with the maximum £500,000 fine for making more than 193 million automated nuisance calls.
DSG Retail Ltd
9th January 2020
The Information Commissioner’s Office (ICO) has fined DSG Retail Limited (DSG) £500,000 after a ‘point of sale’ computer system was compromised as a result of a cyber-attack, affecting at least 14 million people.
Doorstep Dispensaree Ltd
20th December 2019
The Information Commissioner’s Office (ICO) has fined a London-based pharmacy £275,000 for failing to ensure the security of special category data. Doorstep Dispensaree Ltd, which supplies medicines to customers and care homes, left approximately 500,000 documents in unlocked containers at the back of its premises in Edgware. The documents included names, addresses, dates of birth, NHS numbers, medical information and prescriptions belonging to an unknown number of people.
Superior Style Home Improvements Ltd
17th September 2019
Superior Style Home Improvements Ltd issued with enforcement notice after making unsolicited marketing calls to individuals registered with the TPS to try and generate UPVC installation leads.
Hudson Bay Finance Ltd
12th August 2019
Hudson Bay Finance Ltd issued with an enforcement notice for failing to respond to a subject access request.
Making it Easy Ltd
2nd August 2019
Making it Easy Ltd has been fined £160,000 by the Information Commissioner’s Office (ICO) for making spam calls to people registered with the Telephone Preference Service (TPS). The ICO has also issued an enforcement notice to Making it Easy Ltd ordering it to stop its illegal marketing activity.
Life at Parliament View Limited
19th July 2019
Life at Parliament View Ltd fined £80,000 for leaving 18,610 customers’ personal data exposed for almost two years.
British Airways – Latest News
8th July 2019
British Airways could face a fine of £183 million as a result of a data breach that was disclosed by the airline on 6th September 2018.
Metropolitan Police Service
25th June 2019
Enforcement notices served under the 1998 and 2018 Data Protection Acts for sustained failures to comply with individuals’ rights in respect of subject access requests.
Her Majesty’s Revenue and Customs
10th May 2019
Her Majesty’s Revenue and Customs (HMRC) issued with an enforcement notice for failing to get adequate consent to collect callers’ personal data.
True Visions Productions
10th April 2019
ICO fines television company £120,000 for unfair and unlawful filming in maternity clinic.
05th April 2019
A former GP practice manager has been fined for sending personal data to her own email account without authorisation, following an investigation by the Information Commissioner’s Office (ICO).
London Borough of Newham
04th April 2019
The Information Commissioner’s Office (ICO) has fined the London Borough of Newham £145,000 for disclosing the personal information of more than 200 people who featured on a police intelligence database.
Grove Pension Solutions Limited
26th March 2019
A Kent pensions company which relied on ‘misleading’ professional advice has been fined £40,000 by the Information Commissioner’s Office for being responsible for sending nearly two million direct marketing emails without consent.
Vote Leave Limited
19th March 2019
The Information Commissioner’s Office (ICO) has fined Vote Leave Limited £40,000 for sending out thousands of unsolicited text messages in the run-up to the 2016 EU referendum.
15th March 2019
A former administration assistant at a used car dealership has been prosecuted for unlawfully obtaining the personal data of customers and other employees.
15th March 2019
A former administrator at Heart of England NHS Foundation Trust (HEFT) has been prosecuted for accessing medical records without authorisation.
For more information and the latest news from ICO visit www.ico.org.uk