Resources

Case Studies Electronic Direct Marketing

 

Electronic Direct Marketing 2024

Prosecution of Supermac’s Ireland Limited

In August 2023, the DPC received a complaint from an individual regarding alleged unsolicited marketing SMS messages received from Supermac’s Ireland Limited. The DPC launched an investigation, in the course of which Supermac’s Ireland Limited explained that the individual had registered for their online ordering system in 2018 and had ticked the box to receive SMS and email marketing communications. The individual subsequently placed an online order in 2023 and was added to an active marketing list for SMS purposes. 

The DPC requested that the individual’s details be removed from the active marketing list in August 2023. Supermac’s Ireland Limited confirmed to the DPC that the opt-out had been successful and the individual had been removed from their marketing list. However, the individual contacted the DPC again in October 2023 to inform the DPC that they had received a further marketing SMS from Supermac’s Ireland Limited, despite assurances that they had been removed from marketing lists. Upon further investigation, Supermac’s Ireland informed the DPC that, due to a technical error by their subcontractor, the individual’s phone number had not been removed properly. 

The DPC’s investigation of this complaint established that Supermac’s Ireland Limited did not have valid consent to send electronic marketing communications to the individual concerned. As the DPC had issued a warning to the company in February 2023 with regards to a previous complaint, the DPC decided to prosecute the case. 

On 3 September 2024 before Judge Fahy in Galway District Court, Supermac’s Ireland Limited pleaded guilty to five charges of sending unsolicited marketing SMS messages under Regulation 13(7) and Regulation 13(13)(a)(i) of S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. Galway District Court ordered the company to make a contribution of €3,500 to the Galway Simon Community and Cope  Galway, in lieu of a conviction and fine. The company was also required to discharge the DPC’s legal costs.

Key Takeaway

  • This case highlights the importance of maintaining marketing lists in accordance with customer preferences. The data controller is ultimatelyresponsible for the personal data they process, even when utilising third-party processors, such as a sub-contractor in this case. Organisations must implement effective systems to manage opt-out requests and prevent the continued sending of unsolicited electronic communications.