6

Read an article recently regarding FlyBe, and their attempt to find out (from a list of unknown user data) who wanted to be contacted in the future with promotions, etc.

They sent an email to this list of unknown users to determine just that, but they were later given a penalty for spamming (£70K). It is only fair to say that they did this because of the impending changes with the new GDPR rules.

If this was a genuine attempt to ensure that the company remain within the remains of the law/GDPR rules, how else could they have gone about this? If we are talking millions of rows of user data that could bring in a large amount of business, would it have been better for them to dispose of this?

I also wonder if a much larger company, e.g. some big pharma company, did the same. Would they suffer the same sort of penalty?

Hemm K

1 Answer

7

Given a large database of email addresses that you can't prove have given consent to receive email, the only legal thing to do with it is to (securely) delete it.

(I am going to switch your question about a larger company to a bank: in the UK, big pharma is forbidden from advertising to individuals.)

In principle the rules are the same for a huge bank and everything down to a self-employed plumber. In practice the plumber will be told "don't do that again" rather than fined. This case was treated under the Data Protection Act, which has a maximum fine of £500,000 – so a big bank would probably have been fined more, but not necessarily much more. Under GDPR, fines are related to turnover, so the fine would be a lot bigger for a large bank.


The incident is a year old now. Details here.

David Richerby