ICO fines Flybe, Honda for breaking GDPR, by trying to comply with GDPR


#1

GDPR = new data protection laws, General Data Protection Regulations, updating the Data Protection Act.

ICO = UK Information Commissioner.

ICO investigation into Honda Motor Europe Ltd revealed that the car company had sent 289,790 emails - again aiming to clarify certain customers’ choices for receiving marketing spam.

The firm believed the emails were not classed as marketing in and of themselves but instead were customer service emails to help the company comply with data protection law. Unfortunately, Honda couldn’t provide evidence that the customers had ever given consent to receive this type of email, which was also a breach of PECR (Privacy and Electronic Communications Regulations).

This is a familiar story to me. Having a lot of email contacts on a list, but from so long ago you don’t actually know 100% where they came from, and so don’t know up to date preferences, without asking, which you can’t do… In the bin with the contact details I guess!


(Jamie 🏳️‍🌈) #2

ICO, GDP, GDPR, PECR…?

I felt I had to click the link just to find out what these all mean. It’s a little off-putting to be bombarded with unintelligible acronyms, even in the thread title.


#3

Apologies, so used to them I don’t even notice. I’ll update with the main one.


(Tony Hoyle) #4

It sounds like Flybe sent the emails to people they knew had already opted out, and instead of asking a simple question sent out an offer to enter a prize draw. Not surprising they were fined.

The problem with allowing this kind of stuff is you just end up replacing the current spam torrent with ‘we’re just contacting you to make sure you still don’t want to hear about the following products…’ - ICO are stopping that one before it starts. About time, after years of inactivity.


(Kevyn) #5

It was clear why they were fined, they spammed people. As @TonyHoyle points out, they probably sent them to people who had opted out of all contact. It could also be interpreted that they wanted to get people to opt-in who had already opted-out. You can’t break the law in order to comply with the law.


#6

Definitely, Honda get a bit of leeway from me for trying to clear something up when they didn’t have concrete data, but Flybe completely ignored people’s recorded wishes.

Very interesting to see it being taken this seriously. For those in Honda’s position it was a definite grey area, not so much now.


(Ben Green) #7

TL;DR: The title of the article is misleading but Flybe and Honda are still dumb.

GDPR won’t be enforceable until 25th May so I fail to see how they can be fined on those grounds.

A lot of companies until now by default opt you into them storing and reusing your data or even worse just put it in their Ts&Cs. You can either opt-out or just not use that company. However, GDPR will require explicit consent by you opting-in to them storing and using your personally identifiable information.

All they’re doing now can be summarised as saying “we need your explicit consent for us to hold your data for the purposes of contacting you in the future, making your experience with us easier, improving our services and recommending selected partners reach out to you”… but in a less concisely worded way and possibly other use cases. They’d need to separate each use of data into separate questions and provide an option to explicitly accept, otherwise it’ll be considered a decline and can even request access to the data held on them.

Reaching out to contacts far in advance allows them the reasonable time to be considered to have declined the request for that company to control and process the person’s identifiable information.

An investigation by the commissioner’s office found that Exeter-based airline Flybe had “deliberately sent more than 3.3 million emails to people who had told them they didn’t want to receive marketing emails from the firm”.

Those emails ironically were asking customers to update their marketing preferences, including whether they wanted to receive emails like the ones Flybe had just sent, and offered customers the chance to be “entered into a prize draw” for contributing.

The title of this particular story is somewhat misleading. Flybe and Honda were fined for failing to comply with the Data Protection Act 1998 whereby consumers had unsubscribed from marketing emails but the type of emails those people received can be categorised as marketing.

Unless there’s a legal reason why those people’s data need to be stored then they should be deleted before 25th May. If there is such a reason, they will need to be informed but not under the guise of a marketing competition.


(knows someone who knows Tom quite well) #8

Yes please, you and everyone else who contacts me ‘because sometime in the past I may have had something to do with you’.

The ones that are particularly galling are those who start with ‘this is not unsolicited email’ - as if asking a question or making an order means I give permission to be contacted ad nauseam.

I NEVER tick the please contact me with spam box, but so many companies completely ignore it. I know because they all get unique email addresses and so I know when they sell them on (or get hacked and don’t reveal it).

And then you have the ones who don’t even have a single click unsubscribe in the email, or no unsubscribe at all.

I can’t wait for these companies to be fined.


(Jamie 🏳️‍🌈) #9

I too use unique email addresses and have caught out a couple of companies this way.

Gmail is especially good for this. If your email address is jamie@gmail you can use jamie+natwest, jamie+tesco, anything after the plus sign. Works with my custom domain too. In fact, it’s most tiresome when a company will not accept an email address containing a plus sign!


(knows someone who knows Tom quite well) #10

I usually just give them company@mydomain.com

Confuses them on the phone when I read out their name @ 🙂