The UK Information Commissioner’s Office (ICO) has issued an Enforcement Notice against a Canadian data analytics firm, AggregateIQ (AIQ) that allegedly produced targeted advertisements for pro-Brexit campaigns. This action is the first enforcement Notice issued under the GDPR.

According to the Notice, ICO announced a formal investigation into the use of data analytics in political campaigns in May 2017 and was subsequently in contact with AIQ regarding the processing of personal data by AIQ on behalf of political campaigns. AIQ confirmed that personal data of UK data subjects was still held by them and is stored on a code repository that had previously been subject to unauthorized access by a third party.

The complaint alleges that AIQ has violated GDPR’s Articles 5, 6 and 14. Specifically, the Notice asserts that AIQ violated Articles 5 and 6 because it processed personal data in a manner that was incompatible with the purposes for which it was collected and without a lawful basis. The complaint further alleges that AIQ did not provide the appropriate notice to data subjects as required by Article 14; that is it did not tell the potential voters that it had received data about them from a third party.

Although the data was collected before the effective date of the GDPR, May 25, 2018, the Notice alleges that AIQ was still holding the data after the GDPR’s effective date.

If AIQ does not comply with the Notice or does not appeal within 28 calendar days, then the IOC may serve a Penalty Notice. AIQ faces penalties that could be as high as € 20 million or 4% of the company’s annual turnover, whichever is greater.