The Information Commissioner’s Office (ICO) has handed the United Kingdom’s first formal General Data Protection Regulation notice to a Canadian firm linked to Cambridge Analytica, the firm behind the Facebook data scandal, according to the BBC.

Analytics firm AggregateIQ is accused of using people’s data in a way that they would not have expected.

A report published by the ICO states AggregateIQ had failed to comply with GDPR laws because “the controller has processed personal data in a way that the data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing.”

While the data in question was collected prior to GDPR’s implementation in May this year, the ICO believes that by retaining the collected data beyond the GDPR deadline, AggregateIQ has breached the new data laws.

The firm has 30 days to “audit, assess, implement, and document” its data processing practices. If it fails to do so, it faces a maximum fine of €20m or 4% of its annual global turnover.

According to the BBC, the firm has appealed against the notice.

What is AggregateIQ?

AggregateIQ uses data to target specific groups of people, such as voters in the lead up to elections and votes.

The firm was paid $3.6m by the Vote Leave campaign to target British voters ahead of the Brexit referendum in 2016. Pro-Brexit campaigners such as Northern Ireland’s Democratic Unionist Party and Veterans for Britain have also worked with the firm.

AggregateIQ  has previously been linked to Cambridge Analytica, the analytics company that was accused of using the data of 50m people, taken from social media platform Facebook, to target voters ahead of the 2016 United States presidential election.

Company whistleblower Chris Wylie said that those within Cambridge Analytica had referred to AggregateIQ as “our Canadian office”.

AggregateIQ denies any links to Cambridge Analytica. However, both companies were suspended from Facebook following the scandal.