The information commissioner has launched an audit into Leave.EU and the insurance company owned by the campaign’s key financial backer, Arron Banks, after fining the organisations a total of £120,000 for data protection violations during the EU referendum campaign.

The Information Commissioner’s Office (ICO) announced in November that it intended to fine the two companies, which it determined were closely linked, with “ineffective” systems for segregating the data of insurance customers from that of political subscribers.

Leave.EU was fined £15,000 for using Eldon Insurance customers’ details unlawfully to send almost 300,000 political marketing messages, and a further £45,000 for its part in sending an Eldon marketing campaign to political subscribers. Eldon was fined £60,000 for the latter violation.

The fine for Leave.EU’s marketing campaign was £15,000 less than the ICO had initially proposed, after the regulator took account of representations made by the company. One mitigating factor was that the ICO had not received any complaints about the contravention, it said.

The referendum campaign sent more than 1m emails to subscribers that contained a banner advertising 10% off insurance at an Eldon brand, GoSkippy. More seriously, it sent almost 50,000 emails out after the referendum, titled “Skippy Saves the Day”, again offering a 10% discount. The campaign negligently disobeyed electronic marketing regulations in doing so, the ICO found.

Elizabeth Denham, the commissioner, said: “It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes, and vice versa. It should never have happened.

“We have been told both organisations have made improvements and learned from these events. But the ICO will now audit the organisations to determine how they are using customers’ personal information.”

The ICO will begin a full audit of Eldon and Leave.EU’s joint offices, staff and records, looking for evidence of whether or not the two companies followed data protection guidelines in processing personal information, how they trained staff and what policies and procedures they had in place.

The results of that audit, which will include interviewing the directors and staff, will be made public. The ICO noted “it is a criminal offence to obstruct an ICO audit or destroy information covered by it”.

Leave.EU is already being investigated by the National Crime Agency over a multimillion-pound donation the Electoral Commission believes came from Rock Holdings, one of Banks’s companies that is based in the Isle of Man, and thus not legally allowed to participate in UK elections.

Leave.EU and Eldon Insurance have been approached for comment.