The Information Commissioner’s Office (ICO) has reached an agreement with Easylife Ltd (Easylife) to reduce the monetary penalty notice (MPN) issued for breaching the Data Protection Act 2018 to £250,000. Easylife has accepted the ICO’s findings set out in the MPN and has agreed to pay the reduced fine.

The ICO fined Easylife on 4 October 2022 following an investigation which found the company was making assumptions about customers’ medical conditions, based on their purchase history, to sell them further health related products. The ICO found that this involved the processing of special category data by Easylife without a lawful basis. Easylife has since stopped the unlawful processing of special category data.

Easylife appealed the MPN. Both parties have now reached agreement that the MPN and the ICO’s factual findings stand, and the amount of the penalty should be reduced. The First-tier Tribunal (General Regulatory Chamber) has approved the agreement and has otherwise dismissed the appeal.

Information Commissioner John Edwards said: “As a pragmatic and proportionate regulator, my role is to ensure that we protect the public and ensure businesses abide by the law. Easylife has confirmed that it has stopped the unlawful processing which formed the basis of the ICO’s concerns. Having considered the amount of the penalty again during the course of the litigation, in light of the issues raised by Easylife, I considered that a reduction was appropriate.” To read the ICO’s press release in full and for a link to the MPN, click here.