Name and type of organisation: Operation Smile UK (registered charity no. 1091316)
Fundraising method: Addressed mail
Code themes examined: Personal data and complaint handling
Code breach? No
The complaint
The complainant was concerned that their name and address had been used in a postal fundraising mailing from Operation Smile UK (the charity). They believed that the charity was incorrect to use “legitimate interest” as the basis for contacting them, having obtained their personal data from a third party. The complainant suggested that Operation Smile’s action was a breach of the General Data Protection Regulation (GDPR).
What happened?
When the complainant brought the issue to the charity it apologised. It said that it used “cold mailings”, which are marketing communications sent to people where the sender has no previous relationship, to raise awareness of their charity. It said that it had a legal basis to use legitimate interest for its marketing under GDPR.
The charity said that it had removed the complainant’s details from its mailing list and had made a note to ensure that it did not mail them in future. It also suggested that the complainant register their details with the Mailing Preference Service (MPS). The charity said it would contact its mailing company to have the complainant’s details removed from the source list too.
The charity was unable to tell us precisely how the complainant’s data had reached its mailing list. This was because it had already acted on the deletion request when we made our enquiry. In addition, the charity was unable to obtain further information from its mailing company due to its status as a client. The charity said the complainant could try to request more information themselves, or by make a subject access request to the mailing company.
The charity told us it had obtained two different lists from the mailing company, but it could not identify which list held the complainant’s details, having acted on the deletion request. The people on the charity’s lists had an interest in charities working in humanitarian, children, and overseas areas. The information was no more than 12 months old. The details were checked weekly against the MPS. The charity held that information as part of its verification process with its broker and the mailing company.
The charity had a record of its decision making that it could share with us. We looked at a website which was given as the main source of names, which provided clear information on opting out of marketing and what opting-in would entail. In the mailing itself, the charity stated how it had obtained the recipients’ details and gave information on how recipients could remove themselves from the list(s).
Our decision
We appreciated that the complaint was not about the actions taken by the charity in being clear about opt-outs from marketing. Their concern is that the charity should not have obtained data from a third party in order to send the postal mailing. Taking into account all the information we had seen about the charity’s process and handling of the mailing list information, we found that the charity’s decision to use data from a third party was not a breach of the sections of the code relating to personal data.
When the complainant made their complaint, the charity responded and acted promptly. Therefore, we also found that the charity had not breached the complaint handling section of the code.
Recommendations
None.
Outcome
There are no actions for the charity.