So where has this company gone wrong (this is my speculation based on the phone call).
1. Breach 1 - I never gave them permission to email market to me. Never heard of them before the email came through so definitely didn't sign up. You need to have a persons permission to be able to electronically market to them. You should also record where the sign up information was gathered. Lots of people don't remember signing up and the ICO, if they investigate, will look for confirmation you have permission.
2. Breach 2 - The emails did not have an unsubscribe option on the bottom, so gave me no choice but to call to cancel it. Given the person didn't take my email address, I expect more emails from them in the future. There is certain criteria that has to be met when email marketing, one of which is that there is the ability to unsubscribe from future contact. It is an offence to fail to remove someone from your mailing list when they ask.
3. Potential Breach 3 - IF I had given them permission for email marketing, did they also ask my permission to send my details outside of the EEA (to their marketing company in China), probably not. If you are sharing personal information outside the EEA, you have to tell the provider of the information at the time of collection.
4. Potential Breach 4 - Sending the information to China, which is not an approved country, the company needed a specific clause in place to protect individuals information. As China is not an approved country for data transfers, they company needed a specific clause and contract in place. Seems unlikely in this case that they complied. https://ico.org.uk/for-organisations/guide-to-data-protection/principle-8-international/
Needless to say this company is already getting attention from the ICO regarding the level of complaints. If you need help to avoid a similar situation, contact me to discuss how we can help. ask@audit-and-risk.co.uk
No comments:
Post a Comment