ICO (UK) - Papa John's (GB) Limited: Difference between revisions

From GDPRhub
No edit summary
m (grammatical mistake)
 
(3 intermediate revisions by one other user not shown)
Line 50: Line 50:
}}
}}


The UK DPA (ICO) imposed a fine of around €11600 on Papa John's (GB) Limited for sending unsolicited direct marketing messages to 168,022 individuals in breach of regulation 22 PECR.
The UK DPA (ICO) imposed a fine of €11,600 on Papa John's (GB) Limited for sending unsolicited direct marketing messages to 168,022 individuals in breach of Article 22 PECR.


== English Summary ==
== English Summary ==
Line 57: Line 57:
Papa John's, the pizza company, was the subject of various complaints to the Information Commssioner's Office (ICO). The ICO therefore initiated an investigation into Papa John's direct marketing practices.  
Papa John's, the pizza company, was the subject of various complaints to the Information Commssioner's Office (ICO). The ICO therefore initiated an investigation into Papa John's direct marketing practices.  


Papa John's provided details on the number of marketing messages sent between October 2019 and April 2020. It also outlined that it relies on soft opt in to send these messages to customers it has gotten data from directly. It was estimated at 168,022 text messages were received by individuals on that basis.
Papa John's responded by providing details on the number of marketing messages sent between October 2019 and April 2020. It outlined that it relied on a soft opt-in to send these messages to customers that had directly provided their data by filling out an order form. It was estimated that 168,022 text messages were received by individuals on that basis.


However, the initial form filled in by individuals who ordered from Papa John's did not provide an option to opt out of receiving direct marketing messages.  
However, the initial form filled in by individuals who ordered from Papa John's did not provide an option to opt out of receiving direct marketing messages.  


=== Dispute ===
=== Holding ===
Is there a breach of regulation 22 PECR if individuals's whos information is collected by an organisation are not provided the option to opt out from direct marketing and subsequently sent direct marketing?
The Information Commissioner's Office (ICO) held that Papa John's was in contravention of Article 22 of the Privacy and Electronic Communications Regulations 2003 (PECR). Papa John's sent 168,022 direct marketing messages without valid consent.


=== Holding ===
Papa John's gathered details from individuals that ordered from their sales channels. It then attempted to rely on the soft opt-in exemption under Article 22(3) PECR. The exemption enables organisations to send marketing texts to individuals whose details they have gathered "in the course or negotiation of a sale and in respect of similar products and services." However, the organisation must give individuals the opportunity to opt-out of direct marketing when gathering their details in the first place. As Papa John's failed to do this, the ICO deemed it in breach of Article 22(3)(c) PECR.
The Information Commissioner's Office (ICO) held that Papa John's was in contravention of regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR). Papa John's sent 168,022 direct marketing messages without valid consent.  


Papa John's gathered details from individuals that ordered on their sales channels. It then attempted to rely on the soft opt-in exemption under regulation 22(3) PECR. The exemption enables organisations to send marketing texts and eails to individuals who's details they have gathered "in the course or negotiation of a sale and in respect of similar products and services". However, the organisation must give individuals the opportunity to opt-out of direct marketing whilst gather their details in the first place. As Papa John's failed to do this, the ICO deemed it in breach of regulation 22(3)(c) PECR.
The contravention is regarded as particularly serious in light of the quantity of messages sent without valid consent. The ICO also considered that the direct marketing was negligent because Papa John's knew, or ought reasonably to have known, that there was a risk of contravention of PECR and because Papa John's failed to take reasonable steps to prevent contravention.  


The contravention was serious as a result of the quantity of messages sent without valid consent. It also considered that the action was negligent as Papa John's knew or ought reasonably to have known that there was a risk of contraventions and that Papa John's failed to take reasonable steps to prevent them. Therefore, the ICO imposed a fine of around €11600 on Papa John's (GB) Limited. This amount can be reduced by 20% should Papa John's pay the fine within a month of the decision.
Therefore, the ICO imposed a fine of €11,600 on Papa John's (GB) Limited. This amount can be reduced by 20% if Papa John's pays the fine within a month of the decision.


== Comment ==
== Comment ==

Latest revision as of 15:26, 20 June 2023

ICO (UK) - Papa John's (GB) Limited
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law:
Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003
Regulation 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003
Type: Complaint
Outcome: Upheld
Started:
Decided: 14.06.2021
Published: 15.06.2021
Fine: 10000 GBP
Parties: Papa John's (GB) Limited
National Case Number/Name: Papa John's (GB) Limited
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Information Commissioner's Office (in EN)
Initial Contributor: n/a

The UK DPA (ICO) imposed a fine of €11,600 on Papa John's (GB) Limited for sending unsolicited direct marketing messages to 168,022 individuals in breach of Article 22 PECR.

English Summary

Facts

Papa John's, the pizza company, was the subject of various complaints to the Information Commssioner's Office (ICO). The ICO therefore initiated an investigation into Papa John's direct marketing practices.

Papa John's responded by providing details on the number of marketing messages sent between October 2019 and April 2020. It outlined that it relied on a soft opt-in to send these messages to customers that had directly provided their data by filling out an order form. It was estimated that 168,022 text messages were received by individuals on that basis.

However, the initial form filled in by individuals who ordered from Papa John's did not provide an option to opt out of receiving direct marketing messages.

Holding

The Information Commissioner's Office (ICO) held that Papa John's was in contravention of Article 22 of the Privacy and Electronic Communications Regulations 2003 (PECR). Papa John's sent 168,022 direct marketing messages without valid consent.

Papa John's gathered details from individuals that ordered from their sales channels. It then attempted to rely on the soft opt-in exemption under Article 22(3) PECR. The exemption enables organisations to send marketing texts to individuals whose details they have gathered "in the course or negotiation of a sale and in respect of similar products and services." However, the organisation must give individuals the opportunity to opt-out of direct marketing when gathering their details in the first place. As Papa John's failed to do this, the ICO deemed it in breach of Article 22(3)(c) PECR.

The contravention is regarded as particularly serious in light of the quantity of messages sent without valid consent. The ICO also considered that the direct marketing was negligent because Papa John's knew, or ought reasonably to have known, that there was a risk of contravention of PECR and because Papa John's failed to take reasonable steps to prevent contravention.

Therefore, the ICO imposed a fine of €11,600 on Papa John's (GB) Limited. This amount can be reduced by 20% if Papa John's pays the fine within a month of the decision.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                      DATA PROTECTION ACT 1998



   SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER



                      MONETARY PENALTY NOTICE




To:   Papa John’s (GB) Limited



Of:   Papa John’s UK & European Campus, 11 Northfield Drive, Northfield,

      Milton Keynes, MK15 0DQ


1.    The Information Commissioner (“the Commissioner”) has decided to

      issue Papa John’s (GB) Limited(“Papa John’s”) with a monetary

      penalty under section 55A of the Data Protection Act 1998 (“DPA”). The

      penalty is in relation to a serious contravention of Regulation 22 of the

      Privacy and Electronic Communications (EC Directive) Regulations 2003
      (“PECR”).



2.    This notice explains the Commissioner’s decision.



      Legal framework


3.    Papa John’s, whose registered office is given above (Companies House

      Registration Number:02569801) is the organisation stated in this

      notice to have transmitted unsolicited communications by means of

      electronic mail to individual subscribers for the purposes of direct

      marketing contrary to regulation 22 of PECR.


4.    Regulation 22 of PECR states:


                                     1“(1) This regulation applies to the transmission of             unsolicited

     communications by means of electronic mail to individual

     subscribers.

(2) Except in the circumstances referred to in paragraph (3), a person

     shall neither transmit, nor instigate the transmission of, unsolicited

     communications for the purposes of direct marketing by means of

     electronic mail unless the recipient of the electronic mail has

     previously notified the sender that he consents for the time being
     to such communications being sent by, or at the instigation of, the

     sender.


(3) A person may send or instigate the      sending of electronic mail for
     the purposes of direct marketing where—


         (a) that person has obtained the contact details of the recipient

            of that electronic mail in the course of the sale or
            negotiations for the sale of a product or service to that

            recipient;


         (b) the direct marketing is in respect of that person’s similar
            products and services only; and


         (c) the recipient has been given a simple means of refusing
            (free of charge except for the costs of the transmission of

            the refusal) the use of his contact details for the purposes

            of such direct marketing, at the time that the details were

            initially collected, and, where he did not initially refuse the

            use of the details, at the time of each subsequent

            communication.

(4) A subscriber shall not permit his line to be used in contravention of

     paragraph (2).”




                                  25.    Section 122(5) of the Data Protection Act 2018 (“DPA18”) defines

      direct marketing as “the communication (by whatever means) of any

      advertising material which is directed to particular individuals”. This

      definition also applies for the purposes of PECR (see r egulation 2(2)

      PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18).


6.    Consent in PECR is now defined, from 29 March 2019, by reference to

      the concept of consent in Regulation 2016/679 (“the GDPR”):

      regulation 8(2) of the Data Protection, Privacy and Electronic

      Communications (Amendments etc) (EU Exit) Regulations 2019. Article

      4(11) of the GDPR sets out the following definition: “‘consent’ of the
      data subject means any freely given, specific, informed and

      unambiguous indication of the data subject's wishes by which he or

      she, by a statement or by a clear affirmative action, signifies

      agreement to the processing of personal data relating to him or her”.



7.    “Individual” is defined in regulation 2(1) of PECR as “a living individual
      and includes an unincorporated body of such individuals”.


8.    A “subscriber” is defined in regulation 2(1) of PECR as “a person who is

      a party to a contract with a provider of public electronic

      communications services for the supply of such services”.


9.    “Electronic mail” is defined in regulation 2(1) of PECR as “any text,

      voice, sound or image message sent over a public electronic

      communications network which can be stored in the network or in the
      recipient’s terminal equipment until it is collected by the recipient and

      includes messages sent using a short message service”.



10.   The term "soft opt-in" is used to describe the rule set out in in

      Regulation 22(3) of PECR. In essence, an organisation may be able to

                                        3      e-mail or message its existing customers even if they haven't
      specifically consented to electronic mail. The soft opt-in rule can only

      be relied upon by the organisation that collected the contact details .



11.   Section 55A of the DPA (as applied to PECR cases by Schedule 1 to

      PECR, as variously amended) states:


      “(1) The Commissioner may serve a person with a monetary penalty if

           the Commissioner is satisfied that –

              (a) there has been a serious contravention of therequirements

                  of the Privacy and Electronic Communications (EC

                  Directive) Regulations 2003 by the person,

              (b) subsection (2) or (3) applies.


      (2) This subsection applies if the contravention was deliberate.

      (3) This subsection applies if the person –

              (a) knew or ought to have known that there was a risk that the

              contravention would occur, but


              (b) failed to take reasonable steps to prevent the
                  contravention.”



12.   The Commissioner has issued statutory guidance under section 55C (1)

      of the DPA about the issuing of monetary penalties that has been

      published on the ICO’s website. The Data Protection (Monetary
      Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe

      that the amount of any penalty determined by the Commissioner must

      not exceed £500,000.



13.   PECR implements Directive 2002/58/EC, and Directive 2009/136/EC

      which amended the earlier Directive. Both the Directive and PECR are


                                       4      “designed to protect the privacy of electronic communications users:
      Leave.EU & Eldon Insurance Services v Information Commissioner

      [2021] UKUT 26 (AAC) at paragraph 26. The Commissioner seeks to

      interpret and apply PECR in a manner consistent with the purpose of

      the Directive and PECR of ensuring a high level of protection of the

      privacy of individuals, and in particular the protections provided from

      receiving unsolicited direct marketing communications which the
      individual has not consented to receive.



14.   The provisions of the DPA remain in force for the purposes of PECR

      notwithstanding the introduction of the DPA18: see paragraph 58(1) of

      Schedule 20 to the DPA18.



      Background to the case



15.   Papa John’s is a pizza company offering both delivery and take-out

      service. It first came to the attention of the Commissioner following a
      number of complaints being receive d.



16.   An initial investigation letter was sent to Papa John’s on 21 May 2020

      raising some preliminary concerns with its PECR compliance and

      providing details of the complaints received. The correspondence also

      requested information about the volume of messages sent to
      subscribers, the sources of data for the recipients of those messages

      and any evidence of consent it relied upon to send marketing

      messages. Papa John’s were warned that the Commissioner could issue

      civil monetary penalties of up to £500,000 for PECR breaches.


17.   In its response of 26 June 2020, Papa John’s provided the total number

      of marketing messages sent between 1 October 2019 and 30 April
      2020. It explained that it only obtains data from its own customers


                                       5      where orders are placed directly with the company. Itadvised that it
      does not obtain data from any other third-party sources.



18.   Papa John’s informed the Commissioner that it relied on the soft opt in

      and provided examples of its online consent statements . It also

      provided evidence to show that unsubscribe options are given in every

      e-mail and text message sent.


19.   In its correspondence Papa John’s advised that following an internal
      review of the complaints received by the Comm issioner, there were a

      number where the soft opt in was not available and a text message

      should not have been sent to the customer. It revealed that the

      individuals who had received these messages had placed an order over

      the telephone but were not presented with an option to opt out of
      receiving marketing messages. It explained that their privacy notice

      was displayed in stores, and online, and individuals could access the

      marketing preference centre on its website. It had suspended

      marketing to individuals who have placed an order over the telephone

      pending the outcome of the Commissioners enquiries. Further evidence

      was provided to show opt out messages and screenshots of online
      accounts showing individuals can unsubscribe.


20.   The Commissioner subsequently requested the total volume of

      messages sent to individuals where their data was obtained over the

      telephone during the relevant period. This was provided although Papa

      John’s were unable to confirm, of the 210,028 marketing messages

      sent, how many had been received by individuals. However, based on
      its success rate on delivery, it advised 168,022 text messages were

      received by individuals.







                                       621.   The Commissioner has made the above findings of fact on the
      balance of probabilities.



22.   The Commissioner has considered whether those facts constitute

      a contravention of regulation 22 of PECR by Papa John’s and, if so,

      whether the conditions of section 55A DPA are satisfied.


      The contravention



23.   The Commissioner finds that Papa John’s contravened regulation 22 of

      PECR.


24.   The Commissioner finds that the contravention was as follows:



25.   The Commissioner finds that between 1 October 2019 to 30 April 2020

      there were 168,022 direct marketing messages received by

      subscribers. The Commissioner finds that Papa John’s transmitted the

      direct marketing messages sent, contrary to regulation 22 of PECR.


26.   Papa John’s, as the sender of the direct marketing, is required to
      ensure that it is acting in compliance with the requirements of

      regulation 22 of PECR, and to ensure that valid consent to send those

      messages had been acquired.


27.   Papa John’s collected information for marketing purposes through

      customers who order directly via sales channels in its direct control

      including its website, app and in store. It relies on the ‘soft opt -in’
      exemption provided by Regulation 22(3) PECR. This exemption means

      that organisations can send marketing messages by text and e-mail to

      individuals whose details had been obtained in the course or

      negotiation of a sale and in respect of similar products and services.

      The organisation must also give the person a simple opportunity to

                                       7      refuse or opt out of the marketing, both when first collectng the details
      and in every message after that.


28.   Papa John’s informed the Commissioner that for those customers

      ordering over the telephone its privacy notice is made available in store

      and on its website. It is the Commissioners view that those individuals

      would not reasonably expect to receive marketing. As a result, 15

      complaints were received regarding text messages sent by Papa John’s

      during the contravention period in respect of those customers.


29.   In this instance Papa John’s have been unable to evidence consent.
      From the evidence provided it is clear that the individuals had not, at

      the point their data was collected, been given a simple means of

      refusing the use of their contact details for direct marketing;

      accordingly, Papa John’s direct marketing messages failed to meet the

      criteria of Regulation 22(3)(c) PECR.


30.   The Commissioner is therefore satisfied from the evidence she has
      seen that Papa John’s did not have the necessary valid consent for the

      168,022 direct marketing messages received by subscribers.



31.   The Commissioner has gone on to consider whether the conditions

      under section 55A DPA are met.


      Seriousness of the contravention



32.   The Commissioner is satisfied that the contravention identified

      above was serious. This is because between 1 October 2019 and 30

      April 2020 a confirmed total of 168,022 direct marketing messages
      were sent by Papa John’s. These messages contained direct marketing

      material for which subscribers had not provided adequate consent.




                                       833.   The rules for electronic marketing are clear in that organisations must
      present individuals with an opportunity to opt out of marketing at the

      time that their details are collected. Whilst Papa John’s does have

      consent for the majority of marketing messages it sends, it does not

      have consent to send marketing messages to individuals who have

      placed an order over the telephone for delivery. It is unable to rely on

      the soft opt in because those subscribers had not been given a simple
      means of refusing the use of their contact details for direct marketing .


34.   Papa John’s instead sought to rely upon the assumption that an

      individual could review its privacy notice , in store or on its website, and

      online marketing preference centre. This assumption is unfair as it puts

      the responsibility back on to the individual rather than on to the

      company. Customers may not have visited the company app or website
      to locate the branch telephone number when placing their order, these

      being widely available via online search engines. They may also not

      have visited a store to collect their order. Further, any information

      about any marketing communications should be provided to individuals

      rather than them having to seek it out for themselves. All individuals
      should be given the same choice in respect of these communications,

      regardless of how they choose to place an order with Papa John’s.



35.   The Commissioner is therefore satisfied that condition (a) from

      section 55A(1) DPA is met.


      Deliberate or negligent contraventions



36.   The Commissioner has considered whether the contravention identified

      above was deliberate. In the Commissioner’s view, this means that

      Papa John’s actions which constituted that contravention were




                                       9      deliberate actions (even if Papa John’s did not actually intend thereby
      to contravene PECR).



37.   The Commissioner does not consider that Papa John’s deliberately set

      out to contravene PECR in this instance.


38.   The Commissioner has gone on to consider whether the contravention

      identified above was negligent. This consideration comprises two

      elements:



39.   Firstly, she has considered whether Papa John’s knew or ought
      reasonably to have known that there was a risk that these

      contraventions would occur. She is satisfied that this condition is met,

      not least since the issue of unsolicited text messages has been widely

      publicised by the media as being a problem.



40.   The Commissioner has published detailed guidance for those carrying
      out direct marketing explaining their legal obligations under PECR.

      This guidance gives clear advice regarding the requirements of consent

      for direct marketing and explains the circumstances under which

      organisations are able to carry out marketing over the phone, by text,

      by email, by post, or by fax. In particular it states that organisations
      can generally only send, or instigate, marketing emails to individuals if

      that person has specifically consented to receiving them; and highlights

      the difficulties of relying on indirect consent for email marketing . The

      Commissioner has also published detailed guidance on consent under

      the GDPR. In case organisations remain unclear on their obligations,

      the ICO operates a telephone helpline. ICO communications about
      previous enforcement action where businesses have not complied with

      PECR are also readily available.




                                       1041.   It is therefore reasonable to suppose that Papa John’sshould have
      been aware of its responsibilities in this area .


42.   Secondly, the Commissioner has gone on to consider whether Papa

      John’s failed to take reasonable steps to prevent the contraventions.

      Again, she is satisfied that this condition is m et.


43.   Such reasonable steps in these circumstances could have included

      putting in place appropriate systems, policies and procedures to ensure

      that it had the consent of all of its customers to whom it had sent

      marketing messages. Whilst it is evident that Papa John’s had policies
      in place to ensure a certain level of compliance its measures failed to

      capture all types of customer and methods of customer contact. In this

      case, a number of customers were not offered adequate means of

      opting out of marketing at the time their details were collected by

      telephone.


44.   In the circumstances, the Commissioner is satisfied that Papa John’s

      failed to take reasonable steps to prevent the contraventions.



45.   The Commissioner is therefore satisfied that co ndition (b) from section
      55A (1) DPA is met.



      The Commissioner’s decision to issue a monetary penalty



46.   The Commissioner has also taken into account the following
      aggravating features of this case:




   •  The actions of Papa John’s were carried out to generate business and to

      increase profits, gaining an unfair advantage on those businesses

      complying with the PECR;


                                       1147.   The Commissioner has also taken into account the following mitigating

      feature of this case:



  •   Papa John’s have advised the Commissioner that it has temporarily

      suspended marketing to individuals placing orders by telephone, but

      otherwise has not yet taken steps to rectify its marketing practices to
      ensure overall compliance with PECR for this method of customer

      contact.



48.   For the reasons explained above, the Commissioner is satisfied that the

      conditions from section 55A (1) DPA have been met in this case. She is
      also satisfied that the procedural rights under section 55B have been

      complied with.



49.   The latter has included the issuing of a Notice of Intent, in which the

      Commissioner set out her preliminary thinking. In reaching her final

      view, the Commissioner received no representations from Papa John’s.


50.   The Commissioner is accordingly entitled to issue a monetary penalty

      in this case.



51.   The Commissioner has considered whether, in the circumstances, she
      should exercise her discretion so as to issue a monetary penalty.



52.   The Commissioner has considered the likely impact of a monetary

      penalty on Papa John’s. She has decided on the information that is

      available to her, that Papa John’s has access to sufficient financial

      resources to pay the proposed monetary penalty without causing
      undue financial hardship.




                                       1253.   The Commissioner’s underlying objective in imposing a monetary
      penalty notice is to promote compliance with PECR. The sending of

      unsolicited marketing emails is a matter of significant public concern. A

      monetary penalty in this case should act as a general encouragement

      towards compliance with the law, or at least as a deterrent against

      non-compliance, on the part of all persons running businesses currently

      engaging in these practices. The issuing of a monetary penalty will
      reinforce the need for businesses to ensure that they are only

      messaging those who specifically consent to receive marketing.


54.   For these reasons, the Commissioner has decided to issue a monetary

      penalty in this case.


      The amount of the penalty

55.   Taking into account all of the above, the Commissioner has decided

      that a penalty in the sum of £10,000 (Ten thousand pounds) is

      reasonable and proportionate given the particular facts of the case and

      the underlying objective in imposing the penalty.



      Conclusion


56.   The monetary penalty must be paid to the Commissioner’s office by

      BACS transfer or cheque by 15 July 2021 at the latest. The monetary

      penalty is not kept by the Commissioner but will be paid into the

      Consolidated Fund which is the Government’s general bank account at
      the Bank of England.



57.   If the Commissioner receives full payment of the monetary penalty by

      14 July 2021 the Commissioner will reduce the monetary penalty by

      20% to £8,000 (Eight thousand pounds). However, you should be




                                      13      aware that the early payment discount is not available if you decide to
      exercise your right of appeal.



58.   There is a right of appeal to the First-tier Tribunal (Information Rights)

      against:



      (a) the imposition of the monetary penalty
          and/or;

      (b) the amount of the penalty specified in the monetary pena lty

          notice.



59.   Any notice of appeal should be received by the Tribunal within 28 days
      of the date of this monetary penalty notice.



60.   Information about appeals is set out in Annex 1.



61.   The Commissioner will not take action to enforce a monetary penalty

      unless:


          • the period specified within the notice within which a monetary

            penalty must be paid has expired and all or any of the monetary

            penalty has not been paid;

          • all relevant appeals against the monetary penalty notice and any

            variation of it have either been decided or withdrawn; and


          • the period for appealing against the monetary penalty and any

            variation of it has expired.

62.   In England, Wales and Northern Ireland, the monetary penalty is

      recoverable by Order of the County Court or the High Court. In

      Scotland, the monetary penalty can be enforced in the same manner as



                                       14      an extract registered decree arbitral bearing a warrant for execution

      issued by the sheriff court of any sheriffdom in Scotland.


Dated the 14 thday of June 2021



Andy Curry

Head of Investigations
Information Commissioner’s Office
Wycliffe House
Water Lane

Wilmslow
Cheshire
SK9 5AF








































                                     15ANNEX 1


         SECTION 55 A-E OF THE DATA PROTECTION ACT 1998



  RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER



      1.    Section 55B(5) of the Data Protection Act 1998 gives any person
      upon whom a monetary penalty notice has been served a right of

      appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)

      against the notice.



      2.    If you decide to appeal and if the Tribunal considers:-


            a)    that the notice against which the appeal is brought is not in

            accordance with the law; or



            b)    to the extent that the notice involved an exercise of

            discretion by the Commissioner, that she ought to have exercised
            her discretion differently,



      the Tribunal will allow the appeal or substitute such other decision as

      could have been made by the Commissioner. In any other case the

      Tribunal will dismiss the appeal.


      3.    You may bring an appeal by serving a notice of appeal on the

      Tribunal at the following address:



                  General Regulatory Chamber
                  HM Courts & Tribunals Service
                  PO Box 9300
                  Leicester

                  LE1 8DJ


                                      16      Telephone: 0203 936 8963
      Email:      grc@justice.gov.uk


      a)    The notice of appeal should be sent so it is received by the

      Tribunal within 28 days of the date of the notice.


      b)    If your notice of appeal is late the Tribunal will not admit it

      unless the Tribunal has extended the time for complying with this

      rule.



4.    The notice of appeal should state:-


      a)    your name and address/name and address of your

      representative (if any);



      b)     an address where documents may be sent or delivered to

      you;


      c)    the name and address of the Information Commissioner;



      d)    details of the decision to which the proceedings relate;


      e)    the result that you are seeking;



      f)    the grounds on which you rely;



      g)    you must provide with the notice of appeal a copy of the

      monetary penalty notice or variation notice;


      h)    if you have exceeded the time limit mentioned above the

      notice of appeal must include a request for an extension of time



                                 17      and the reason why the notice of appeal was not provided in
      time.



5.    Before deciding whether or not to appeal you may wish to consult

your solicitor or another adviser. At the hearing of an appeal a party

may conduct his case himself or may be represented by any person

whom he may appoint for that purpose.


6.    The statutory provisions concerning appeals to the First- tier

Tribunal (Information Rights) are contained in section 55B(5) of, and

Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure

(First-tier Tribunal) (General Regulatory Chamber) Rules 2009
(Statutory Instrument 2009 No. 1976 (L.20)).



































                                 18