Reuters.com, here.
Tuesday, October 20, 2015
UK’s largest online pharmacy fined £130,000 for selling patients’ data to scammers
MedConfidential, here.
ICO's "Monetary Penalty Notice" here.
"35. Pharmacy2U has obtained personal data unfairly because its online registration form and privacy policy did not inform its customers that it intended to sell their details to third party organisations, in addition to sending out its own marketing material. It would not be within a customer’s reasonable expectation that this form of disclosure would occur, even if they were willing to agree to the receipt of marketing material from Pharmacy2U itself. If a customer wished to take up Pharmacy2U’s offer to opt out of “Selected company data sharing”, they also had to go to the trouble of logging into their account and changing the setting.
36. In addition, Pharmacy2U did not provide the further information that was necessary to enable the processing in respect of its customers to be fair.
37. In the circumstances, Pharmacy2U’s customers did not give their informed consent to the sale of their personal data to third party organisations. Therefore Pharmacy2U did not have a lawful basis for processing the data under Part I of Schedule 2 to the DPA.
73. The Commissioner has decided that it is appropriate to issue a monetary penalty in this case, in light of the nature and seriousness of the contravention, Pharmacy2U’s shortcomings in terms of its DPA duties and the risks posed to a number of individuals. He has also considered the importance of monetary penalties in dissuading future contraventions of the DPA and encouraging compliance, in accordance with his policy."