The Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO) and the Financial Services Compensation Scheme (FSCS) release a joint statement warning FCA authorised companies and Insolvency Practitioners (IPs) to be responsible when dealing with customers’ personal data.
On February 7th 2020, the Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO) and the Financial Services Compensation Scheme (FSCS) released a joint statement warning FCA authorised firms and insolvency practitioners (IPs) against the unlawful sale of clients’ data to claims management companies (CMCs). This is because it has come to their attention that some FCA-authorised firms and IPs have attempted to sell clients’ personal data to these CMCs unlawfully. The CMCs may not be acting in consumers’ best interest and may also be unlawfully marketing their services.
While The FCA handbook states that CMCs are required to act honestly, fairly and professionally in line with the best interests of their customers, they may not be acting in the customer’s best interest. As a matter of fact, CMCs that intend to buy and use such personal data must demonstrate their compliance with privacy laws. Although contracts may vary, standard contracts typically do not provide sufficient legal consent for personal data to be shared with CMCs to market their services, and may not be lawful.
Why Selling Customers’ Data with CMCs may not be Lawful.
Apart from the fact that most standard contracts simply do not provide the legal consent for customers’ personal data to be sold to CMCs,companies who pass on customers’ personal information may also fail to meet the requirements of the the Data Protection Act 2018 and GDPR. Thereafter, any direct marketing calls, text or emails carried out by CMCs may breach the Privacy and Electronic Communications Regulations 2003 (PECR).
What are the implications of such breaches in data protection legislation?
Companies are expected by law to abide by the Data Protection Act 2018, the GDPRand the FCA Handbook. In the case of FCA authorised companies and IPs in particular, the CMCOB Claims Management: Conduct of Business sourcebook applies. In cases where the ICO or FCA finds these companies to be in breach of any of these data protection laws, they will take appropriate action,and there could be serious legal consequences.
Time and again,we see fines being imposed on companies for breaches in these data protection laws, and just last week,we reported on the Italian DPA Fining TIM SpA in excess of EUR 27 Million for unlawful data processing.