ICO (UK) - Brazier Consulting Services Ltd: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO (UK) |DPA_With_Country=ICO (UK) |Case_Number_N...") |
No edit summary |
||
Line 50: | Line 50: | ||
}} | }} | ||
more than 11 million unlawful claims management calls, | |||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
Calls made by BCS led to 316 complaints to the ICO and Telephone Preference Service ('TPS'). | |||
ICO investigation, prompted by claims of the public. | |||
Brazier Consulting Services ('BCS') | |||
Privacy and Electronic Communications Regulations, implementing the e-Privacy Directive in the UK. | |||
=== Holding === | === Holding === | ||
BCS failed to evidence sufficient consent to call any of the complainants. in contravention of Regulation 12A of the PECR. | |||
No evidence to suggest that BCS provided any training whatsoever to staff in relation to the PECR. | |||
Fine | |||
Also issued BCS with an enforcement notice compelling them to stop their illegal marketing activity. | |||
== Comment == | == Comment == |
Revision as of 09:33, 28 July 2021
ICO (UK) - Brazier Consulting Services Ltd | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 4(11) GDPR Regulations 21 & 24 of PECR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 25.06.2021 |
Published: | 01.08.2021 |
Fine: | 200000 GBP |
Parties: | n/a |
National Case Number/Name: | Brazier Consulting Services Ltd |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | Information Commissioner's Office (in EN) |
Initial Contributor: | n/a |
more than 11 million unlawful claims management calls,
English Summary
Facts
Calls made by BCS led to 316 complaints to the ICO and Telephone Preference Service ('TPS').
ICO investigation, prompted by claims of the public.
Brazier Consulting Services ('BCS')
Privacy and Electronic Communications Regulations, implementing the e-Privacy Directive in the UK.
Holding
BCS failed to evidence sufficient consent to call any of the complainants. in contravention of Regulation 12A of the PECR.
No evidence to suggest that BCS provided any training whatsoever to staff in relation to the PECR.
Fine
Also issued BCS with an enforcement notice compelling them to stop their illegal marketing activity.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
• ICO. Information Commissioner's Office DATA PROTECTION ACT 1998 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER MONETARY PENAL TY NOTICE To: Brazier Consulting Services Ltd Limited Of: 7 Victoria Court, Bank Square, Leeds, West Yorkshire, LS27 9SE 1. The Information Commissioner ("Commissioner") has decided to issue Brazier Consulting Services Limited ("BCS") with a monetary penalty under section SSA of the Data Protection Act 1998 ("DPA"). The penalty is being issued because of serious contraventiof regulation 21A of the Privacy and Electronic Communication(EC Directive) Regulations 2003 ("PECR"). 2. This notice explains the Commissioner's decision. Legal framework 3. BCS, whose registered office is given above (Companies House RegistrationNumber: 10531983) is the organisation stated in this notice to have used a public electronic communicatiservice for the purpose of making unsolicited calls for the purposes of direct marketing in relation to claims managemenservices contrary to regulation 21A of PECR. 4. Regulation 21A paragraph (1) of PECRprovides that: 1 • ICO. Information Commissioner's Office "(l) A person must not use, or instigate the use of, a public electronic communications service to make unsolicited calls for the purposes of direct marketing in relation to claims management services except in the circumstances referred to in paragraph (2)." 5. Regulation 21A paragraphs (2), and (3) provide that: "(2) Those circumstances are where the called line is that of a subscriber who has previously notified the caller that for the time being the subscriber consents to such calls being made by, or at the instigation of, the caller on that line (3) A subscriber must not permit the subscriber's line to be used in contravention of paragraph (l)." 6. Regulation 21A paragraphs (4), and (5) materially state that: "( 4) In this regulation "claims management services" means the following services in relation to the making of a claim- (a) advice; (b) financial services or assistance; (c) acting on behalf of, or representing,a person; (d) the referral or introductionof one person to another; (e) the making of inquiries. (5) In paragraph (4), "claim" means a claim for compensation, restitution,repayment or any other remedy or relief in respect of loss or damage or in respect of an obligation, whether the claim is made or could be made- 2 • ICO. Information Commissioner's Office (a) by way of legal proceedings, (b) in accordance with a scheme of regulation (whether voluntary or compulsory), or (c) in pursuance of a voluntary undertaking. 7. Prior to 29 March 2019, the European Directive 95/46/EC defined 'consent' as "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relatingto him being processed". 8. Consent in PECRis now defined, from 29 March 2019, by reference to the concept of consent in Regulation 2016/679 ("the GDPR"): regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Article 4( 11) of the GDPR sets out the following definitio"'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmativaction, signifies agreement to the processing of personal data relating to him or her". 9. A "subscriber"is defined in regulation 2(1) of PECRas "a person who is a party to a contract with a provider of public electronic communications services for the supply of such services". 10. Section 122(5) of the DPA 2018 defines "direct marketing" as "the communication (by whatever means) of any advertising material which is directedo particular individuals". This definition also applies for the purposes of PECR. 11. Under section SSA (1) of the DPA (as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 3 • ICO. Information Commissioner's Office 2011 and the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2015) the Commissioner may serve a person with a monetary penalty notice if the Commissioner is satisfied that - "(a) there has been a serious contraventionof the requirementsof the Privacy and Electronic Communications (EC Directive) Regulations 2003 by the person, and (b) subsection (2) or (3) applies. (2) This subsection applies if the contraventiwas deliberate. (3) This subsection applies if the person - (a) knew or ought to have known that there was a risk that the contravention would occur, but (b) failed to take reasonable steps to prevent the contravention." 12. The Commissioner has issued statutory guidance under section SSC (1) of the DPA about the issuing of monetary penalties that has been published on the ICO's website. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must not exceed £500,000. 13. PECRimplements Directive 2002/58/EC, and Directive 2009/136/EC which amended the earlier Directive. Both the Directive and PECRare "designed to protect the privacy of electronic communicationusers": 4 • ICO. Information Commissioner's Office Leave.EU & Eldon Insurance Services v InformatioCommissioner [2021] UKUT 26 (AAC) at paragraph 26. The Commissioner seeks to interpret and apply PECRin a manner consistent with the purpose of the Directive and PECRof ensuring a high level of protection of the privacy of individuals, and in particular the protections provided from receiving unsolicited direct marketing communicatiwhich the individual has not consented to receive. 14. The provisions of the DPA remain in force for the purposes of PECR notwithstandingthe introductioof the Data Protection Act 2018 (see paragraph 58(1) of Part 9, Schedule 20 of that Act). Background to the case 15. BCS first came to the attention of the Commissioner in July 2019 following the receipt of a significant number of complaints from subscribers about marketing calls regarding claims management services and/or insurance. The majority of complainants were able to identify that the calls were made by BCS, or a variant of the name. 16. Between 2 May 2018 and 26 July 2019, the ICO received 414 complaints about unsolicited direct marketing calls made by BCS. In addition, between 5 June 2018 and 20 May 2019 a further 26 complaints were received by the Telephone Preference Service ("TPS"). 17. The Commissioner, through enquiries with the relevant Communications Service Provider ("CSP"), was able to establish that the CLI's identified within the complaints were allocated to BCS. 18. The Commissioner sent an initial investigatiletter to BCS on 1 August 2019, setting out her concerns with the organisation's 5 • ICO. Information Commissioner's Office compliance with PECR,attaching details of all the complaints, and requesting information about its business and marketing activities which would assist in her investigation. 19. Responses to the Commissioner were provided by a company whom BCS explained were its compliance officers. The first substantive response, dated 25 August 2019, stated that BCS had been "locked out" of their old servers due to a dispute with their former dialler provider, and that it had changed its dialler system in June 2019. BCS stated that calls are screened through their dialler, meaning that calls should not have been made to any number on the TPS register. 20. A further response on 19 September 2019 explained that BCS obtained leads though a data broker - (''-") - using the website www. was supplied with 1,000 opt-ins per 100,000 records, including date, time stamp, IP address and opt-in statement. In relation to call volume, due to previously identified issues with the call dialler, BCS said it was unable to provide any information apart from the period 31 May to 31 July 2019, when it provided the number of attempted calls. BCS also provided copies of its training assessments and manual, which indicated that the calls made by BCS were in relation to PPL No explanation or comments were provided in relation to the specific complaints and no evidence of consent supplied. 21. At this stage it is noteworthy that during representations to the Commissioner's Notice of Intent, BCS advised that it had also sourced data from two additional brokers of which the Commissioner was previously unaware. BCS was unable to identify the website used by one of the brokers from which consent was acquired and accordingly no evidence of consent was provided. For the avoidance of doubt, the 6 • ICO. Information Commissioner's Office focus of Commissioner's investigationand subsequently this Notice, is upon unsolicited marketing calls made to data sourced from -/ . BCS informed the Commissioner in representations that it sourced data from - from end January 2019 to 29 August 2019. 22. Open source research was conducted by the Commissioner on the website 23. The website includes a consentstatement, which states: "I would like to have offers from xxx and its partners including xxx, xxx, xxx, Brazier Consulting Services Ltd. (authorised and regulated by the Financial Conduct Authority in respect of regulated claims management activity FRN:829743) (...)". BCS also appear in the site's privacy policy and partners list, however the latter is extensive, with 435 named companies listed in alphabetical order. This means that individuals would not easily be able to view all companies within a specific sector and would be required to research the entirety of the list in order to establish the nature of each company. Individuals are unable to select which sectors or individual companies they wish to provide consent to, therefore, users would be consenting to receive correspondence from all 435 partners. Furthermore, use of the site appeared to be conditional on agreeing to at least one form of marketing. 24. It was apparent that the means by which consent was obtained did not allow for it to be freely given, specific, or informed. Further, the Commissioner considered that individuals could not reasonably expect 7 • ICO. Information Commissioner's Office to receive PPI marketing calls within the context of a general offer website. 25. A further response from BCS dated 20 December 2019 to additional enquiries from the Commissioner explained that it had not conducted any marketing activity since 29 August 2019 when the PPI calling ban came into effect. Evidence of "consent" for 25 complaints was provided together with an indication of connected call volumes for June and July 2019. 26. On 4 February 2020, BCS provided a limited response to the spreadsheet of all the complaints previously provided by the Commissioner. BCS confirmed that all of the calls it made during the campaign were marketing calls for the purpose of PPL BCS confirmed that some of the complaints were in relation to calls made by BCS, but due to previously identified issues with their previous dialler provider, they were unable to check any records prior to 1 June 2019. 27. Accordingly, on 20 February 2020, the Commissioner issued a 3PIN to the previous dialler provider for call volumes, for the period 1 January 2019 - 31 July 2019. The call dialler responded on 2 March 2020 and confirmed that whilst it could not provide the volume of attempted calls, it was able to provide details of connected calls per month, which totalled 22,762,863 over the entire period (including June and July 2019). The call dialler later clarified that the figure for connected calls included voicemailsas it was unable to differentiabetween calls which were answered and those which went to voicemail. 28. BCS had previously informed the Commissioner that it did not use its previous dialler provider in June and July 2019, which was inconsistent with evidence provided from the call dialler itself, and so the 8 • ICO. Information Commissioner's Office Commissioner asked BCS to clarify the call volumes for June and July 2019, to which BCS responded on 20 March 2020. The response however was inconsistent with both those previously provided by BCS, and the dialler provider, and BCS has not provided any further convincing evidence to support its position. 29. On 30 March 2020 the Commissioner wrote to BCS requesting evidence of due diligence in relation to data supplied by its third party data provider, details of the personal data purchased, call volume data from its current dialler, and enquiring whether BCS were still trading. As this information was not forthcoming,the Commissioner issued an Information Notice on BCS to which a response was received on 26 August 2020. BCS provided details of the data it purchased, explaining "as discussed and evidenced previously, we received opt-ins for the data on selected clients, which included IP address, statemDate and Time stamp". BCS also confirmed it was no longer marketing PPI claims albeit still operational as a business. BCS failed to provide any evidence of call volumes from its current dialler provider nor when it ceased using the services of their previous dialler provider. 30. In the period 1 February 2019 - 31 July 2019, during which time BCS sourced data from - , a total of 319 complaints were received by the ICO and a further 9 by the TPS. Despite detailed representationto the Notice of Intent in relation to complaints, save for any adjustment to account for duplicates, the Commissioner remains satisfied that the complaints relied upon relate to calls made by BCS. Deducting 12 complaints as probable duplicates, this amounts to a total of 316 complaints in relation to unsolicited direct marketing calls made by BCS. 9 • ICO. Information Commissioner's Office 31. Complaints received by the Commissioner relating to Clls allocated to BCS include: • "PPI claims company - I toldthem clearly I was not interested and asked where they got my data from. Refused to tell me and said it was obtained legally and they were FCAauthorised and GDPR compliant. I asked to not be contacted again and remove me from their listing but then got another call 24/07/19." • "It was an aggressive, intimidatincall aimed at making a PPI claim. This was another of a long list of calls. I told them repeatedly that I have never had PPI and did not wish to claim. Alter several calls they said that they would send out documents that would allow them to check for PPI . I said that they were wasting their time but if they wished to send out the documents that was up to them. I did not complete or return any of the documents. They are now telling me that because the documents have been sent out , it is effectively a contract and they suggested that I would face a charge if I cancelled. I asked " how can I cancel something I have not asked for". The advisor ( xxx ) was aggressive in manner and I felt quite threatened by his attitude. I am now worried that they intend to charge me for a service that I do not want , have never contacted them regarding PPI , and I have not signed any documents to the contrary. All I want is for them to stop these aggressive phone calls." [sic] • "I was asked if I had made any PPI claims. I then asked for the caller to remove my number from the system. She then said that she was not allowed to remove numbers from the system, and that I would have to do it myself. I asked her if she was aware of the GDPR regulations and she said, "Of course, but are you on the GDPR?'"' 10 • ICO. Information Commissioner's Office • "I have been called by Brazier Consulting many times (though they generally say they are BCS Consulting which is a different firm). Every time I have told this firm to remove me from the data base. I have not consented to be called by this firm. Today I was told by the agent that she could not remove me from the data base. I would have to be placed on hold and speak to a manager. I was placed on hold. The manager said I could not be removed from the data base until I had been told about the urgency of PPL" • "I asked where they got my number and was told that all numbers are opt-in by default when issued by network providers". 32. It is notable that the complaints made to the Commissioner indicate that not only did BCS make initial calls in breach of PECR,but also continued to call individuals who had specifically asked not to be contacted. Comments made by complainants suggest that BCS employees refused to comply with requests made by individuals to either remove their number from the database, or confirm where they had obtained their details, and it is apparent that there was a lack of knowledge in respect of PECR,GDPR and marketing in general. Comments also indicate that these calls caused great distress to some individuals. 33. In representations to the Commissioner's Notice of Intent, BCS informed the Commissioner in relation to call volumes that calls made during the contraventionperiod were not solely for the purpose of PPI marketing; as a handler of PPI claims, BCS also made a significant number of service calls. BCS did not advise whether any of the Clls were dedicated to service calls as opposed to marketing, nor was it 11 • ICO. Information Commissioner's Office able to provide any evidence as to the breakdown of calls made for marketing purposes. 34. BCS' own estimate isthat 53.6% of calls made were for marketing purposes, based upon call data provided by its current dialler provider post 29 August 2019 - the deadline for bringing new PPI claims. The Commissioner accepts that BCS would have made some service calls, but considers that this estimate is unlikely to reflect the true volume of marketing versus service calls. This is because the estimate is based on service call volumes made after the PPI deadline, and when the focus of the business would necessarily have switched entirely to servicing existingPPI claims; prior to 29 August 2021 the Commissioner finds it reasonable to suppose that the business would have focussed heavily on acquiring new claims via marketing before the PPI deadline. Notwithstanding the above, in the absence of any evidence from BCS to support the exact volume of marketing calls, the Commissioner has adopted the estimate provided by BCS for the purpose of this Notice. 35. On the basis of evidence provided by BCS' previous call dialler, the Commissioner is satisfied that 21,436,331 connected calls were made by BCS between 1 February 2019 and 31 July 2019. Of these, the Commissioner finds that 11,489,873 were made for the purposes of marketing 'claims management services' as defined at Regulation 21A(4) PECR.Those calls led to a total of 316 complaints to the Commissioner and the TPS. BCS has been unable to evidence sufficient consent to call any of the complainants. The consent relied upon by BCS is insufficient for the purposes of regulation 21A of PECR. 36. The Commissioner has made the above findings of fact on the balance of probabilities. 12 • ICO. Information Commissioner's Office 37. The Commissioner has considered whether those facts constitute a contraventionof regulation 21A of PECRby BCS and, if so, whether the conditions of section SSA DPA are satisfied. The contravention 38. The Commissioner finds that BCS contravened regulation 21A of PECR. 39. The Commissioner finds that the contraventionis as follows: 40. Regulation 21A was brought into force on 8 September 2018 and requires that persons/organisatiohold consent from subscribers in order to make calls relating to claims management services. 41. Between 1 February 2019 and 31 July 2019, BCS used a public electronicommunications service for the purpose of making 11,489,873 unsolicited calls for direct marketing purposes to subscribers in relation to claims management services. This resulted in 316 complaintsbeing made to the TPS and the Commissioner. 42. The Commissioner is satisfied for the purposes of regulation 21A that these calls were made to subscribers who had not given their prior consent to BCS to receive such calls. 43. The Commissioner is satisfied that BCS was responsible for these contraventions. 44. The Commissioner has gone on to consider whether the conditions under section SSA DPA are met. Seriousness of the contravention 13 • ICO. Information Commissioner's Office 45. The Commissioner is satisfied that the contraventionidentified above were serious. This is because there have been multiple breaches of regulation 21A by BCS over a six month period. Specifically, between 1 February 2019 and 31 July 2019 BCS made a total of 11,489,873 connected calls relating to PPI claims management services. This led to a significant number of complaints. 46. The legislation is clearat TPS registration is not a relevant consideration in respect of such calls. A subscriber must have previously notified the caller that for the time being the subscriber consents to such calls being made by, or at the instigation of, the caller on that line. The Commissioner is satisfied that BCS did not have the necessary consent to make these calls. 47. BCS appeared to use aggressive tactics when making the calls to subscribers, as evidenced by the content of some of the complaints. 48. The Commissioner is therefore satisfied that condition (a) from section SSA (1) DPA is met. Deliberate or negligent contraventions 49. The Commissioner has considered whether the contraventions identified above were deliberatIn the Commissioner's view, this means that BCS's actions which constituted that contraventiwere deliberate actions (evenf BCS did not actually intend thereby to contravene PECR). 50. The Commissioner does not consider that BCS deliberately seout to contravene PECRin this instance. 14 • ICO. Information Commissioner's Office 51. The Commissioner has gone on to consider whether the contravention identified above was negligent. This consideration comprises two elements: 52. Firstly, she has consideredether BCS knew or ought reasonably to have known that there was a risk that these contraventionswould occur. She is satisfied that this condition is met, not least because the issue of unsolicited calls in relation to claims management services has been widely publicised by the media as being a problem, so much so that it prompted recent legislative change to prohibit the making of such calls unless certain conditions are metIt is reasonable to suppose that any organisation wishing to carry out such activities should, and indeed must, be aware of its responsibilities in this area. 53. The Commissioner has published detailed guidance on her website for those carrying out direct marketing calls for the purposes of claims management services, explaining the strict criteria under which such calls can be made. This guidance explains such calls must not be made in relation to claims management services unless the individual being called has specifically consented to such calls or has a defined existing client relationship. 54. The Commissioner notes that BCS employed the services of a compliance company, which, given its extensive background and history with the ICO, would be reasonable to assume that the compliance company should also have been aware of the introduction of regulation 21A and ensured its client was acting in a compliant manner. 55. Secondly, the Commissioner has gone on to consider whether BCS failed to take reasonable steps to prevent the contraventionAgain, she is satisfiedhat this condition is metEvidence suggests that BCS 15 • ICO. Information Commissioner's Office appear to have been relying upon regulation 21 PECRto ensure compliance, indicating a lack knowledge or understanding of regulation 21A, which was fundamental to BCS' business model. Had BCS familiarised itself with the relevant legislation and guidance and set its due diligence checks accordingly, it would have realised that it could not lawfully make unsolicited direct marketing calls for the purposes of claims management services. 56. Furthermore, there is no evidence to suggest that BCS provided any training to staff in relation to PECRwhatsoever. The training documents provided during the course of the Commissioner's investigationdo not contain any reference to PECR.There are only brief references to the ICO, DPA 98, and Telephone Preference Service, the latter of which would suggest that BCS felt they only needed to comply with regulation 21. 57. Given the volume of calls and complaints, it is clear that BCS failed to take those reasonable steps. 58. The Commissioner is therefore satisfied that condition (b) from section SSA (1) DPA is met. The Commissioner's decision to impose a monetary penalty 59. The Commissioner finds that there are the following aggravating features of this case: • It became apparent during representations to the Commissioner's Notice of Intent that neither BCS nor their compliance advisors fully co-operated during the Commissioner's investigationand were not completely open and transparent in 16 • ICO. Information Commissioner's Office relation to information provided. For instance, BCS failed to disclose two further data sources in addition to -· BCS were unable to identify the website utilised by one of these data sources to capture consent thus demonstratinglack of due diligenceon the part of BCS, and thereby also hindering the Commissioner's investigation.BCS also made no mention of service calls when providing information about call volumes until representations,but BCS were unable to provide any evidence as to the breakdown of call purpose. 60. The Commissioner has taken into account representations by BCS, however considers that there are no relevant mitigating features of this case. 61. For the reasons explained above, the Commissioner is satisfied that the conditions from section 55A(l)DPA have been met in this case. She is also satisfied that the procedural rights under section 55B have been complied with. 62. This has included the issuing of a Notice of Intent on 18 February 2021, in which the Commissioner set out her preliminary thinking, and invited BCS to make representations in response. 63. The Commissioner has received and considered extensive Representations in response to the Notice of Intent dated 23 April 2021. 64. The Commissioner is accordingly entitled to issue a monetary penalty in this case. 65. The Commissioner has considered whether, in the circumstances, she should exercise her discretion so as to issue a monetary penalty. She 17 • ICO. Information Commissioner's Office has decided that a monetary penalty is an appropriate and proportionate response to the finding of a serious contraventof regulations 21A of PECRby BCS. 66. The Commissioner's underlying objective in imposing a monetary penalty notice is to promote compliance with PECR. The instigatioor making of unsolicited direct marketingtexts is a matter of significant public concern. Amonetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices. This is an opportunity to reinforce the need for businesses to ensure that they are only texting consumers who want to receive these messages. 67. The Commissioner has also considered the likely impact of a monetary penalty on BCS and in doing so has reviewed financial evidence supplied alongside its representations. The amount of the penalty 68. Taking into account all of the above, the Commissioner has decided that the amount of the penalty is £200,000 (Two hundred thousand pounds). Conclusion 69. The monetary penalty must be paid to the Commissioner's office by BACS transfer or cheque by 28 July 2021 at the latest. The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government's general bank account at the Bank of England. 18 • ICO. Information Commissioner's Office 70. If the Commissioner receives full payment of the monetary penalty by 27 July 2021 the Commissioner will reduce the monetary penalty by 20% to £160,000 (One hundred and sixty thousand pounds). However, you should be aware that the early payment discount is not available if you decide to exercise your right of appeal. 71. There is a right of appeal to the First-tier Tribunal (InforRights) against: a) the imposition of the monetary penalty and/or; b) the amount of the penalty specified in the monetary penalty notice. 70. Any notice of appeal should be received by the Tribunal within 28 days of the date of this monetary penalty notice. 71. Informationabout appeals is set out in Annex 1. 72. The Commissioner will not take action to enforce a monetary penalty unless: • the period specified within the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid; • allrelevant appeals against the monetary penalty notice and any variation of it have either been decided or withdraand 19 • ICO. Information Commissioner's Office • period for appealing against the monetary penalty and any variation of it has expired. 73. In England, Wales and Northern Ireland, the monetary penalty is recoverable byrder of the County Court or the High Court. In Scotland, the monetary penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland. Dated the 25th day of June 2021 Andy Curry Head of Investigations InformationCommissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 SAF 20 • ICO. Information Commissioner's Office ANNEX 1 SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 1. Section 48 of the Data Protection Act 1998 gives any person upon whom a monetary penalty notice or variation notice has been served a right of appeal to the First-tier Tribunal (InformRights) (the 'Tribunal') against the notice. 2. If you decide to appeal and if the Tribunal considers:- a) that the notice against which the appeal is brought is not in accordance with the law; or b) to the extent that the notice involved an exercise of discretion by the Commissioner, that she ought to have exercised her discretion differently, the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal. 3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address: GRC & GRPTribunals PO Box 9300 Arnhem House 31 Waterloo Way Leicester LEl 8DJ a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice. b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule. 21 • ICO. Information Commissioner's Office 4. The notice of appeal should state:- a) your name and address/name and address of your representative (if any); b) an address where documents may be sent or delivered to you; c) the name and address of the Information Commissioner; d) detailsof the decision to which the proceedings relate; e) the result that you are seeking; f) the grounds on which you rely; g) you must provide with the notice of appeal a copy of the monetary penalty notice or variation notice; h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time and the reason why the notice of appeal was not provided in time. 5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose. 6. The statutory provisions concerning appeals to the First-tier Tribunal (Information Rights) are contained in sections 48 and 49 of, and Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)). 22