
Data Protection Commission

Case Study 2

PMI Ltd mailing list rented in good faith by a bank resulted in minors being marketed for credit cards without proper consent

In early January 2003 I received a complaint from an individual to the effect that his ten-year-old daughter had received unsolicited mail from a bank offering her a credit card. The letter was addressed to the child using "Blackrock, Co. Dublin" as the postal address. However, the use of "Blackrock, Co. Dublin" indicated to the complainant that the address was not provided by any member of the family as they always used "Stillorgan, Co. Dublin" in their correspondence. The complainant contacted the bank in the matter requesting an explanation and also that his daughter's name and that of his immediate family be removed from its mailing list. He was informed that the mailing list used by the bank had been rented from Precision Marketing Information Ltd. (PMI) who had got the details from a reputable third party.

The bank phoned my Office when this matter arose and stated that a mailing list, obtained from PMI, apparently had included data relating to a number of minors. The bank had issued credit card marketing material using this list and, in the process, had inadvertently marketed a minor. PMI also informed my Office that the maximum number of minors' records involved in this instance was 202 and that those records were in the process of being deleted.

As there appeared to be a contravention of the Data Protection Acts, I then investigated the matter under section 10 of the Acts.

I established that the data purchased by PMI from a UK Company was obtained by that company from a post-holiday survey form which included age categories. The information was held and processed by the UK Company with whom PMI had an agreement to purchase data relevant to residents of the Republic of Ireland. However, in this instance, the data relating to a minor arose as a result of a coding error when loading the new data onto PMI's systems. The error was rectified and additional stringent checks were put in place to ensure that an error of this type never occurred again.

Under Data Protection legislation fair obtaining of personal data is an active duty. It is up to the data controller, not the data subject, to make sure that it takes place. For a data controller to satisfy the requirements of fair obtaining and purpose specification it must ensure that at the time of providing personal information, individuals are made fully aware of:

the identity of the persons who are collecting it (though this may often be implied),

to what use it will be put,

the persons or category of persons to whom it will be disclosed.

I consider that when dealing with personal data relating to minors, the standards of fairness in the obtaining and use of data, required by the Data Protection Acts, are much more onerous than when dealing with adults. I consider that use of a minor's personal data cannot be legitimate unless accompanied by the clear consent of the child's parent or guardian.

In this case, the minor's details were not fairly obtained, in contravention of Section 2(1)(a), as a ten-year-old cannot give valid consent even if the opt-out box has not been ticked. The coding error resulting in the incorrect entry of the child's details onto PMI's systems was in contravention of Section 2(1)(b) as PMI, albeit inadvertently, supplied data relating to minors to the bank and this led directly to the mailing received by the child in this case.

I considered the point made by PMI that they rather than the bank were the data controller in this case. While PMI were the original Data Controller of the mailing list, when the list came into the hands of the bank, through renting it, the bank then became the Data Controller of the list. While the bank actually mailed the minor, I accepted that it rented the mailing list, which inadvertently contained the minor's details, in good faith from PMI. I noted that PMI, with whom the bank had a contract, provided it with data which included data relating to 202 minors under 18 and as a result the bank marketed the minor in this particular case. I therefore found that the bank and PMI as data controllers were both in contravention of section 2 with regard to fair obtaining, processing and use of the minor's data in this instance.

I was satisfied that PMI were aware of their responsibilities under the Data Protection Acts, 1988 and 2003 with regard to the use of data for direct marketing purposes, particularly in regard to minors. I accepted their assurance that the coding error which gave rise to the complaint was rectified and that additional stringent checks were put in place to ensure that an error of this type would not occur again. I acknowledged the swift action taken by both PMI and the bank in response to the complaint and their co-operation with my Office in the course of the investigation.

While I also accept that the bank was the innocent party in this instance, nevertheless marketing companies must take reasonable but effective measures to ensure that minors are not the targets of marketing campaigns without proper consent.