Caselaw Digest

Experian Limited v The Information Commissioner

17 February 2023
[2023] UKFTT 132 (GRC)
First-tier Tribunal
Experian got in trouble for not telling enough people how it uses their information for marketing. A judge said they need to improve, but didn't make them go back and tell everyone right away because it would be too much work. They have to make sure it's better in the future.

Key Facts

  • Experian, a Credit Reference Agency (CRA), operates Experian Marketing Services (EMS) which processes data of around 51 million UK adults for offline marketing services.
  • EMS uses data from various sources, including the Open Electoral Register, Companies House, third-party suppliers, and its own CRA business.
  • The Information Commissioner (IC) issued an enforcement notice alleging Experian's processing contravened GDPR, particularly concerning transparency (Article 5(1)(a)) and lawful processing (Articles 5(1)(a) and 6(1)).
  • Experian appealed, arguing the IC's approach was disproportionate, based on flawed conclusions, and mischaracterized Experian's business.
  • The Tribunal found Experian's processing of CRA data for marketing was sufficiently transparent but that around 5.3 million data subjects hadn't received Article 14 notices.

Legal Principles

Lawfulness, fairness and transparency of data processing

GDPR Article 5(1)(a)

Purpose limitation of data processing

GDPR Article 5(1)(b)

Lawfulness of processing

GDPR Article 6(1)

Conditions for consent

GDPR Article 7

Transparent information, communication, and modalities for exercising data subject rights

GDPR Article 12

Information to be provided where personal data are collected from the data subject

GDPR Article 13

Information to be provided where personal data have not been obtained from the data subject

GDPR Article 14

Rights of appeal

DPA18 Sections 162 and 163

Outcomes

Appeal allowed in part.

The Tribunal found Experian's processing of CRA data for marketing was sufficiently transparent given the CRAIN and CIP, but that around 5.3 million data subjects lacked Article 14 notices, a contravention of GDPR. The Tribunal considered that issuing a notice to this group now was disproportionate, but that Experian must rectify this non-compliance in future data collections.

Substitute Enforcement Notice issued.

Experian must set up a system to provide relevant data subjects with Article 14 compliant privacy notices within three months. These notices must inform data subjects their data is used for direct marketing and comply with Article 14. Specific timelines and exemptions are detailed within the notice.


© 2025 UK Case Law Digest. All rights reserved.

Information provided without warranty. Not intended as legal advice.