BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
 |
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | |
Irish Data Protection Commission Case Studies |
||
|
You are here: BAILII >> Databases >> Irish Data Protection Commission Case Studies >> A marketing campaign sets up personalised website addresses and breaches the Acts [2008] IEDPC 3 URL: http://www.bailii.org/ie/cases/IEDPC/2008/3.html Cite as: [2008] IEDPC 3 |
||
[New search] [Printable RTF version] [Help]
A marketing campaign sets up personalised website addresses and breaches the Acts [2008] IEDPC 3 (31 December 2008)
During the summer of 2008 I received three complaints from data subjects concerning a marketing postcard campaign launched by X to promote its home insurance product. The complainants had no previous business dealings with X and they expressed surprise at receiving personally addressed marketing mail from this source. An unusual aspect of this marketing campaign involved the creation of personalised URLs (website addresses). Each postcard included details of a personalised URL set up in the name of the recipient. When the recipients logged-on to their personalised website address they were invited to input their email address details and phone numbers.
The establishment of URLs using people's names without obtaining their consent was a concern from a data protection perspective. In addition, there was no evidence that X had made any attempt to comply with the 'fair processing' requirements set out in section 2D of the Data Protection Acts. For that reason, my Office informed X that the establishment of personalised website addresses (or URLs) in this manner was a breach of the Acts. Printing the URL on a postcard and distributing it in the postal system was a disclosure of personal information and a further breach of the Acts. Furthermore, the collection of email addresses and phone numbers when the recipient logged on to the URL failed to meet the requirements of fair processing because no information was provided to those individuals about the purposes of collecting the information.
On receiving the complaints my Office immediately contacted X requesting that it disable the relevant personalised URLs. X cooperated with my Office on this matter and reverted without delay confirming that the URLs relating to each complainant had been disabled.
At the request of my Office X confirmed that:
• it would not undertake such a campaign again;
• that it had not used and would not use any of the information obtained from potential customers as a result of this campaign; and
• that it had disabled all URLs which incorporated individual names relating to this campaign.
Prior to my Office's receipt of the individual complaints referred to above, X informed my Office that it had discovered that minors had been targeted in its postcard campaign in error. X informed us that it worked with a creative agency (N.O.) and a data agency (Y) in the execution of its postcard campaign. Y is a subsidiary of J.P. It subsequently emerged that the names and addresses of the minors targeted during this postcard campaign were originally drawn from the J.P.M. file. My Office is actively communicating with J.P. on this matter to ensure that further breaches of the Acts do not occur in relation to the use of databases held by J.P. and in particular where those databases contain the details of minors. My Office views the inappropriate use of the personal data of children as a particularly serious breach of the Data Protection Acts.
