United Kingdom: Issued Penalty Notice to Easylife for inferring health data without consent

On 5 October 2022, the United Kingdom (UK) Information Commissioner's Office (ICO) fined the company Easylife, a catalogue retailer that sells health products, with GBP 1'350'000 for using the personal information of over 145'400 customers without consent. In particular, ICO noted that Easylife collected its customers' data and processed it to infer health data, which is classified as sensitive personal data, to target them with health-related products. The company failed to obtain explicit consent for such data processing, violating the lawfulness, fairness and transparency requirements in the General Data Protection Regulation.