Data Protection Commission

CASE STUDY 1/01

Bank and insurance company – cross-marketing of a third-party product – incompatible use and disclosure – fair obtaining and processing – small print and transparency



The complainant received a letter from his insurance company, informing him of their new credit card, and enclosing an explanatory booklet and application form. The complainant duly completed and returned the application form. Subsequently, he was contacted by a bank in connection with his credit card application. The bank – with which the individual already had a credit card account – queried the level of credit being sought by the individual, in the light of his existing credit card account.

The individual was most unhappy that the insurance company had apparently transferred his confidential personal data to another financial institution without his consent. The insurance company explained that they had an agreement with the bank, which was the issuer of the credit card, and that there was therefore no basis for his complaint.

The individual complained to my Office and made the following points:

  • The correspondence he had received from the insurance company enclosed an explanatory booklet and application form which referred throughout to the credit card as the insurance company's card. It also enclosed a return envelope addressed to the insurance company.
  • He clearly was given to understand that the communication from his insurance company was an offer to him to do further business with that company. The personal data which the company had used to contact him, and the information which he had furnished in his application, was of a confidential nature, and was to his mind a matter of private business between himself and his insurance company.
  • He did not want this confidential information to be disclosed to anyone other than the insurance company. In particular, he did not want the bank to have access to this information, and it was now apparent that the bank was seeking to use these confidential details to vary his existing credit limits.

In Data Protection terms, the essence of the complaint was that the insurance company had used and disclosed the complainant's personal data in a manner incompatible with the purpose for which the data had been obtained (contrary to section 2(1)(c)(ii) of the Data Protection Act); and that the bank had obtained and processed the complainant's data unfairly, contrary to section 2(1)(a) of the Act.

In investigating the 'fair obtaining' aspects of this complaint, I considered it appropriate to examine in detail the documentation that accompanied the credit card offer. I noted that on the front of the application form applicants were advised to send the completed application form, in a provided "freepost" envelope, to what appeared to be the insurance company's address. In fact, my investigations established that the address was really that of the bank. The promotional literature and application form clearly marketed the credit card as an offering of the insurance company. References to the 'insurance company credit card' were in large, colourful print and were given considerable prominence. I noted that the only references to the bank, as issuer of the credit card, were contained in the 'small print' of the application form, setting out the detailed terms and conditions. Indeed, the brochure appeared to distinguish 'its' credit card from those offered by other financial institutions, including the bank in question: the brochure listed, for comparison, the interest rates payable on credit cards of nine other financial institutions, including that particular bank.

On raising the complaint with the insurance company and the bank, it was explained that a formal agreement was in place whereby the bank was the issuer of the credit card, and the insurance company acted as agents for marketing the card – a practice referred to in this context as 'cross-marketing.' On receipt by the bank of the complainant's application form, his personal details were inputted onto the bank's computer system, and a routine check was made against the bank's database for any cards currently held by the applicant. This check highlighted the existence of the complainant's existing credit card with the bank.

After detailed consideration of the matter, I reached the following conclusions:

  • It was clear from the nature of the Agreement between the insurance company and the bank that the bank was envisaged as being the data controller in respect of the credit card which was on offer; and as such the bank was responsible for ensuring that the obligations imposed on data controllers by section 2 of the Act were complied with. In all of the circumstances of this case, the necessary prerequisites for 'fair obtaining' had not been met by the bank.
  • The insurance company kept personal data relating to the complainant for the purpose of administering his insurance policy, and for related secondary purposes. In inviting its customers to apply for the credit card, the insurance company had used their own customer database for a different and unrelated purpose, namely the direct marketing of a third-party product – the bank's credit card. The insurance company did not produce any evidence that the unrelated purpose was supported by the necessary consent. Accordingly, the insurance company was in contravention of section 2(1)(c)(ii) of the Act, which prohibits the use or disclosure of personal data in a manner incompatible with the specified purpose.

In coming to this decision, I noted that the insurance company had undertaken to revise the documentation to give appropriate prominence to the role of the bank. I also noted the view of both organisations that they had acted in good faith throughout, pursuant to the Agreement between them.

Finally, I pointed out to both parties – and drew to the attention of the Central Bank – that, as regards data protection law, any 'cross-marketing' exercise of this or similar nature should, in future, clearly indicate – with suitable prominence – the real identity of the companies involved, in a manner readily apparent to any reasonable person. This case also brought to light an interesting interplay between data protection law and the general law of contract. While contractual agreements may be legally valid (having regard solely to the provisions of general contract law), this does not obviate the need to comply with data protection rules – including the fair obtaining rule – when processing personal data in pursuance of a possible contract. Whether, and to what extent, the contractual validity of an agreement may be affected by a deficiency in terms of data protection law – such as a failure in regard to fair obtaining – is a question on which the courts may eventually be called upon to adjudicate.