ICO (UK) - Global One 2015: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO (UK) |DPA_With_Country=ICO (UK) |Case_Number_N...")
 
No edit summary
 
(4 intermediate revisions by 2 users not shown)
Line 50: Line 50:
}}
}}


The UK DPA (ICO) imposed a fine of around €11600 on a charity called Global One 2015. The charity infringed regulations 22 and 23 PECR by sending unsolicited marketing messages without consent and without providing an address for individual to refuse such marketing.
The UK DPA (ICO) imposed a fine of €11,600 on Global One 2015. This charity infringed Articles 22 and 23 PECR by sending unsolicited marketing messages without consent and without providing a point of contact for individuals to refuse such marketing.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
Global One is a charity that aims to impove health, sanitation and agriculture. The Information Commissioner's Office received 539 complaints from individuals having received unsolicited text messages from Global One. These complaints occured between the 30 April 2020 and 22 May 2020 where 573,000 texts were sent overall. The texts did not offer individuals the opportunity to opt-out.  
Global One is a charity that aims to impove health, sanitation and agriculture. The Information Commissioner's Office received 539 complaints from individuals who received unsolicited text messages from Global One. These complaints occurred between April 30th, 2020 and May 22nd, 2020, when 573,000 marketing texts were sent overall. The texts did not offer individuals the opportunity to opt-out of further marketing.


Global One had entered into an agreement with a third party (X) that was to provide them with a marketing strategy. The third party (X) informed Global One that it would start an SMS campaign to gian donations. Global One says it assumed that this would be a marketing list that belonged to the third party (X). However, the third party (X) themselves commissioned another third party (Y) to deliver the test messaging campaign. The third party (Y) claimed that the list they used was compliant with relevant laws.
Global One had entered into an agreement with a third party (X) that was to provide them with a marketing strategy. The third party (X) informed Global One that it would start an SMS campaign to gain donations. Global One says it assumed that this would be carried out using a marketing list that belonged to the third party (X). However, the third party (X) themselves commissioned another third party (Y) to deliver the test messaging campaign. The third party (Y) claimed that the list of contacts they compiled and used was compliant with relevant laws.


However, there was no evidence of consent being provided. Global One claimed to have undertaken due diligence, whilst the party it contracted with (X) claimed that it only advised Global One onto various other agencies.  
However, there was no evidence of consent being provided for such direct marketing messages. Global One nevertheless claimed to have undertaken due diligence, whilst the third party it contracted with (X) claimed that it only advised Global One of various other agencies who could do the marketing.
 
=== Dispute ===
Does sending marketing text to individuals where consent was gathered by a third party breach regulations 22 and 23 PECR?


=== Holding ===
=== Holding ===
The Information Commissioner's Office hld that Global One infringed Regulations 22 and 23 PECR.  
The Information Commissioner's Office held that Global One infringed Articles 22 and 23 PECR.  


Global One relied on consent obtained by another organisation to send these text messages. However, the ICO's view is that organisations must gather better consent. Indirect consent collected by a third party is only authorised where it is clear and specific enough.
Global One relied on consent obtained by another organisation (Y) to send these text messages. However, the ICO's view is that third parties cannot rely on consent provided to an organization when the consenting individuals did not know how their data would be used by third parties. Organisations can generally only send marketing messages to individuals who specifically consented to receiving them. Indirect consent collected by a third party is only authorised where it is freely given, specific and informed (Article 4(11) GDPR).


As there is no evidence of individuals consenting to third party marketing, the ICO concluded that Global One did not have the necessary valid consent to send marketing messages. Therefore, Global One breach regulation 22 PECR.
As there is no evidence of individuals consenting to third party marketing, the ICO concluded that Global One did not have the necessary valid consent to send marketing messages. Therefore, Global One breached Article 22 PECR.


The ICO also held that Global One breached Regulation 23(b) PECR as it did not provide a valid address to recipients of marketing for them to send a request to refuse marketing. There was no procedure in place for handling such requests from individuals.
The ICO also held that Global One breached Article 23(b) PECR as it did not provide a valid contact point for recipients of marketing to send a request to refuse marketing. There was also no procedure in place for handling such requests from individuals.


The ICO therefore decided to imposed a fine of around €11600 on Global One from breaching regulations 22 and 23 PECR. The ICO concluded that the contravention was serious and negligent. The fine can be reduced by 20% if paid within a month.
The ICO therefore decided to imposed a fine of €11600 on Global One for breaching Articles 22 and 23 PECR. The ICO concluded that the contravention was serious and negligent. The fine can be reduced by 20% if paid within a month.


== Comment ==
== Comment ==

Latest revision as of 13:44, 23 June 2021

ICO (UK) - Global One 2015
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law:
Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003
Regulation 23 of the Privacy and Electronic Communications (EC Directive) Regulations 2003
Type: Complaint
Outcome: Upheld
Started:
Decided: 14.06.2021
Published: 15.06.2021
Fine: 10000 GBP
Parties: Global One 2015
National Case Number/Name: Global One 2015
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Information Commissioner's Office (in EN)
Initial Contributor: n/a

The UK DPA (ICO) imposed a fine of €11,600 on Global One 2015. This charity infringed Articles 22 and 23 PECR by sending unsolicited marketing messages without consent and without providing a point of contact for individuals to refuse such marketing.

English Summary

Facts

Global One is a charity that aims to impove health, sanitation and agriculture. The Information Commissioner's Office received 539 complaints from individuals who received unsolicited text messages from Global One. These complaints occurred between April 30th, 2020 and May 22nd, 2020, when 573,000 marketing texts were sent overall. The texts did not offer individuals the opportunity to opt-out of further marketing.

Global One had entered into an agreement with a third party (X) that was to provide them with a marketing strategy. The third party (X) informed Global One that it would start an SMS campaign to gain donations. Global One says it assumed that this would be carried out using a marketing list that belonged to the third party (X). However, the third party (X) themselves commissioned another third party (Y) to deliver the test messaging campaign. The third party (Y) claimed that the list of contacts they compiled and used was compliant with relevant laws.

However, there was no evidence of consent being provided for such direct marketing messages. Global One nevertheless claimed to have undertaken due diligence, whilst the third party it contracted with (X) claimed that it only advised Global One of various other agencies who could do the marketing.

Holding

The Information Commissioner's Office held that Global One infringed Articles 22 and 23 PECR.

Global One relied on consent obtained by another organisation (Y) to send these text messages. However, the ICO's view is that third parties cannot rely on consent provided to an organization when the consenting individuals did not know how their data would be used by third parties. Organisations can generally only send marketing messages to individuals who specifically consented to receiving them. Indirect consent collected by a third party is only authorised where it is freely given, specific and informed (Article 4(11) GDPR).

As there is no evidence of individuals consenting to third party marketing, the ICO concluded that Global One did not have the necessary valid consent to send marketing messages. Therefore, Global One breached Article 22 PECR.

The ICO also held that Global One breached Article 23(b) PECR as it did not provide a valid contact point for recipients of marketing to send a request to refuse marketing. There was also no procedure in place for handling such requests from individuals.

The ICO therefore decided to imposed a fine of €11600 on Global One for breaching Articles 22 and 23 PECR. The ICO concluded that the contravention was serious and negligent. The fine can be reduced by 20% if paid within a month.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                                                           •

                                                           ICO.
                                                           Information Commissioner's Office


                    DATA PROTECTION     ACT 1998


   SUPERVISORY    POWERS OF THE INFORMATION       COMMISSIONER



                    MONETARY    PENAL TY NOTICE




To:  Global One 2015


Of:  4 Gateway Mews, Bounds Green, London, Nll  2UT



1.   The InformationCommissioner ("Commissioner") has decided to issue
     Global One 2015 ("Global One") with a monetary penalty under section

     SSA of the Data Protection Act 1998 ("DPA"). The penalty is in relation
     to a serious contraventiof Regulation 22 of the Privacy and

     Electronic Communications(EC Directive) Regulations 2003 ("PECR").


2.   This notice explainse Commissioner's decision.


     Legal framework



3.   Global One, whose registered office is given above (Companies House
     Registration Number: 07517992) is the organisatistated in this

     notice to have instigated the transmission of unsolicited
     communications by means of electronic mail to individual subscribers

     for the purposes of direct marketing contrary to regulation 22 of PECR.


4.   Regulation 22 of PECRstates:




                                   1                                                            •


                                                           ICO.
                                                           Information Commissioner's Office
"(l) This  regulation  applies  to   the  transmission   of  unsolicited
     communications    by   means   of  electronic  mail  to  individual

     subscribers.

(2)  Except in the circumstances referred to in paragraph (3), a person

     shall neither transmit,nor instigate the transmission of, unsolicited
     communications   for the purposes of direct marketing by means of

     electronic mail unless the recipient   of the electronic  mail has

     previously notifiedthe sender that he consents for the time being
     to such communications   being sent by, or at the instigation of, the

     sender.

(3)  A person may send or instigate the sending of electronic mail for

     the purposes of direct marketing where-

        (a) that person has obtained the contact details of the recipient
            of that electronic mail in the course of the sale or

            negotiations for the sale of a product or service to that

            recipient;

        (b) the direct marketing is in respect of that person's similar
            products and services only; and


        (c) the recipient has been given a simple means of refusing
            (free of charge except for the costs of the transmission of

            the refusal) the use of his contact details for the purposes
            of such direct marketing, at the time that the details were

            initially collected, and, where he did not initially refuse the

            use of the details, at the time of each subsequent
            communication.

(4) A subscriber shall not permit his line to be used in contraventionof

     paragraph (2)."





                                2                                                                •

                                                               ICO.
                                                               Information Commissioner's Office

5.    Regulation 23 of PECRstates that "A person shall neither transmitnor
      instigate the transmission of, a communicationfor the purposes of

      direct marketing by means of electronic mail -


              (a) where the identity of the person on whose behalf the

                 communication  has been sent has been disguised or
                 concealed;

              (b) where a valid address to which the recipient of the

                 communication  may send a request that such

                 communications  cease has not been provided;

              (c) where that electronic mail would contravene regulatio7 of
                 the Electronic Commerce (EC Directive) Regulations 2002;

                 or

              (d) where that electronic mail encourages recipients to visit

                 websites which contravene that regulation."


6.    Section 122(5) of the DPA 2018 defines "direct marketing" as "the

      communication  (by whatever means) of any advertising material which
      is directedo particular individuals". This definition also applies for the

      purposes of PECR.


7.    Consent is defined in Article 4(11) the General Data Protection

      Regulation 2016/679 as "any freely given, specific, informed and
      unambiguous indication of the data subject's wishes by which he or

      she, by a statement or by a clear affirmatiaction, signifies

      agreement to the processing of personal data relating to him or her".


8.    "Individual"is defined in regulation 2(1) of PECRas "a living individual

      and includes an unincorporated body of such individuals".


                                     3                                                               •

                                                              ICO.
                                                               Information Commissioner's Office

9.    A "subscriber"is defined in regulation 2(1) of PECRas "a person who is
      a party to a contract with a provider of public electronic

      communications  services for the supply of such services".

10.  "Electronic mail" is defined in regulation 2(1) of PECRas "any text,

      voice, sound or image message sent over a public electronic

      communications  network which can be stored in the network or in the
      recipient's terminal equipment until it is collected by the recipient and

      includes messages sent using a short message service".


11.   Section SSA of the DPA (as amended by the Privacy and Electronic

      Communications  (EC Directive)(Amendment)  Regulations 2011 and the
      Privacy and Electronic Communications (Amendment)   Regulations

      2015) states:


     "(l) The Commissioner may serve a person with a monetary penalty if

          the Commissioner is satisfied that -

             (a) there has been a serious contraventionof the requirements
                 of the Privacy and Electronic Communications (EC

                 Directive) Regulations 2003 by the person,

             (b) subsection (2) or (3) applies.

      (2) This subsection applies if the contraventiwas deliberate.

      (3) This subsection applies if the person -

             (a) knew or ought to have known that there was a risk that

             the contravention would occur, but

             (b) failed to take reasonable steps to prevent the

                 contravention."


12.   The Commissioner has issued statutory guidance under section SSC (1)
      of the DPA about the issuing of monetary penalties that has been

                                     4                                                              •

                                                             ICO.
                                                             Information Commissioner's Office

     published on the ICO's website. The Data Protection (Monetary
     Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe

     that the amount of any penalty determined by the Commissioner must
     not exceed £500,000.


13.   PECRwere enacted to protect the individual's fundamentaright to

      privacy in the electronic communicatiosector. PECRwere

      subsequently amended and strengthened. The Commissioner will
      interpret PECRin a way which is consistent with the Regulations'

      overall aim of ensuring high levels of protection for individuals' privacy
      rights.



14.  The provisions of the DPA remain in force for the purposes of PECR
     notwithstanding the introductioof the Data Protection Act 2018 (see

     paragraph 58(1) of Part 9, Schedule 20 of that Act).


     Background to the case


15.  Phone users can report the receipt of unsolicited marketing text
     messages to the GSMA's Spam Reporting Service by forwarding the

     message to 7726 (spelling out "SPAM"). The GSMA is an organisation

     that represents the interests of mobile operators worldwidThe
     Commissioner is provided with access to the data on complaints made

     to the 7726 service and this data is incorporated into a Monthly Threat
     Assessment (MTA) used to ascertain organisations in breach of PECR.



16.  Global One operates as a charity involved in issues such as improving
     health, sanitation and agriculture. Their work covers a number of

     internationalcountries, including the United Kingdom. Global One is
     registered with the Charity Commission, Companies House and the

     ICO.

                                    5                                                               •

                                                              ICO.
                                                              Information Commissioner's Office


17.   Global One came to the attention of the Commissioner after numerous
      complaints were received via the 7726 complaints tool about

      unsolicited text messages. Between 30 April 2020 and 22 May 2020

      539 complaints had been recorded on the 7726 system and 9 on the
      ICO's online recording tool. These text messages contained, or

      contained slight variations of, the following text:

      "Coronavirus Emergency Pakistan, Syria & Bangladesh. Donate Food

      & Hygiene Kits. Call (free): 03000113333 Online: globalone.org.uk
      Watch us live on SKY 752."


18.   It was noted that these texts did not offer individuals an ability to 'opt­

      out' of future unsolicited text messages.


19.   An initial investigatletter was sent to Global One on 3 June 2020,

      highlighting the Commissioner's concerns with its PECRcompliance and
      requestinginformation relating to the volumes of texts sent, the source

      of data used to send said texts, details of any due diligence

      undertaken, together with evidence of consent relied upon for the
      messages sent to individuals identified within complaintAn appendix

      detailinghe complaints received was also attached.


20.   Global One provided a response on 22 June 2020, stating that on 20
      March 2020 it had entered into a "revenue raising and sharing

      agreement" ("the agreement")  with                          (''.")
      under which •  would provide a marketing strategy in relation to a

      number of key initiativesGlobal One went on to explain that under the

      agreement they "will have no right nor will seek to exercise any
      direction, control or supervision over        ; and that

      has the sole right to control and direct the means, manner and method

      by which the services required by the Agreement would be performed".

                                     6                                                                 •

                                                                ICO.
                                                                Information Commissioner's Office
21.   A copy of the agreement later provided by Global One makes no

      mention of SMS marketing,   however the agreement is summarised as
      follows:


      "The charity intends to procure                       as
      consultant/advisers to develop and execute a revenue sharing

      agreement,  which will raise funds from public donations and allow the
      charity to enhance and apply for more institutionafunding. The charity

      wishes to diversify its fundraising income streams".


22.   The letter went on to state that on 23 April 202?   informed Global
      One that it would be undertaking an SMS campaign to maximise

      donations, which Global One says it assumed would be based on the
      use of third-partymarketing lists belonging to •.


23.   Global One advised that between April 2020 and May 2020, 573,000

      SMS marketing messages were sent on its behalf. During this period,
     •   managed the SMS marketing campaign, and Global One say it only

      became aware on 1 June 2020 that-      had entered into a verbal
      contract with a third party data supplier who undertook the sending of

      the SMS using a marketing list belonging to that supplier.


24.   In response to the Commissioner's request for evidence of consent to
      send SMS messages to those who had been identified on the list of

      complaints, Global One said it had not been provided this information
      from ?   and would need to approach.      to obtain this. In a further
      response dated 23 July 2020 Global One provided the following

      information:

                  have confirmed that they commissioned the [third party
      provider]to deliver the text messaging campaign.



                                      7                                                              •

                                                             ICO.
                                                             Information Commissioner's Office

     The [third party provider]have confirmed in writing that the lists they
     use are fully compliant data, please see the attached letter and
     accompanying spreadsheet with their comments."

     The attached letter indicated that the data is obtained from multiple

     sources including "government records, licensing boards, directories,
     telephone searches, memberships, attendee registers, website

      registrationcounty courthouse records, credit reference agency data,
     Secretary of State data, business magazines and newspaper

     subscriptions". The spreadsheet of complaints provided by the

     Commissioner had been amended to add a new column titled "Consent"
     and the words "opt in for third party marketing" next to each

     complainant.


25.  On 21 August 2020 the Commissioner requested that Global One
      provide evidence of the consent that had been obtained by the third

      party data provider to market the complainants. In response, Global
     One explained that it did not have access to this information and the

     third party provider was reluctant to supply it. As such, no evidence of

     consent has been provided.


26.  The Commissioner  went on to request copies of correspondence
     between Global One, •   and the third party data provider relating to

     promotional or marketing activities. On 27 August 2020 Global One

     replied, statinghat they had been unable to locate any such written
     communications  regarding the SMS marketing campaign which was

     carried out on their behalf. The reason given was that all such
     communications  were conducted by telephone.



27.  Enquiries raised by the Commissioner directly with •elicited the
     following response:




                                    8                                                             •

                                                            ICO.
                                                             Information Commissioner's Office

     "           is aware of the current investigation being conducted by
     the ICO in relation to one of our clients, Global One 2015. Other than

     providing strategic recommendationson how to deliver charitable
     appeal campaigns, we have done nothing more than advice/refer a

     client onto various other agencies/companieto support them in being

     able to reach a wider audience. We in this situation are not responsible
     for due diligence or any contractual obligations for any work Global One

     decide to undertake with any third party."


     In subsequent Representations to the Notice of Intent however, Global

     One evidenced an email from            in which the contrary was
     stated: "we undertook our responsibility to carry out due diligence on

     the provider            ". This statement was made in response to

     enquiries made of            by Global One dated 1 June 2020, and
     which post-dated the SMS campaign.


28.  The Commissioner has made   the above findings of fact on the

     balance of probabilities.


29.  The Commissioner has considered  whether those facts constitute
     a contraventionof regulation 22 of PECRby Global One and, if so,

     whether the conditions of section SSA DPA are satisfied.


     The contravention


30.  The Commissioner finds that Global One contravened regulations 22

     and 23 of PECR.


31.  The Commissioner finds that the contraventiowas as follows:





                                   9                                                                •

                                                                ICO.
                                                                Information Commissioner's Office

32.   Between 24 April 2020 and 23 May 2020 Global One instigated the
      transmission of 573,000 unsolicited direct marketing texts contrary to

      Regulations 22 & 23 of PECR. This resulted in a total of 539 complaints
      being received via the 7726 service and 9 via the Commissioner's

      online reporting tool.


33.   Global One, as the instigator of the direct marketing, is required to
      ensure that it is acting in compliance with the requirementof

      regulation 22 of PECR,and to ensure that valid consent to send those
      messages had been acquired. The   only exception to this is where the

      provisions of Regulation 22(3) apply, otherwise referred to as the 'soft
      opt-in'. As a charitable organisation, the 'soft opt-in' would not be

      applicablein this instance.


34.   Global One relied on consent obtained by another organisation for its

      own purposes, i.e.'indirect consent'.The Commissioner's direct
      marketing guidance says "organisations need to be aware that indirect

      consent will not be enough for texts, emails or automated calls. This is

      because the rules on electronic marketing are stricter, to reflect the
      more intrusive nature of electronic messages."


35.   It goes on to say that indirect consent can be valid but only if it is clear
      and specific enough. Moreover, "the customer must have anticipated

      that their details would be passed to the organisation in question, and

      that they were consenting to messages from that organisation. This will
      depend on  what exactly they were told when consent was obtained".


36.   The data lists utilised to transmit the SMS had been compiled from a
      diverse listf sources. Whilst the third party data provider stated that

      each complainant was "opted-in for third party marketing" Global One
      has not provided any evidence of this to the Commissioner and appears

      to have been reliant on the?  's verbal assurances that this was the

                                     10                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

     case. In representations to the Commissioner, Global One
      demonstrated that some due diligence enquiries had been made of.

     -       in early June 2020, however these post-dated the
     contravention and were insufficient to establish the existence of valid

     consent to send the SMS.


37.  The Commissioner is therefore satisfied from the evidence she has

      seen that Global One did not have the necessary valid consent to

     instigate the sending of the direct marketing messages. This
     constitutes a contraventionof regulation 22 PECR.


38.   Furthermore, Regulation 23(b) provides that individuals must be

      provided with a valid address to which the recipient of the marketing

     communication   may send a request to refuse marketing. In
     representations to the Commissioner, Global One stated that it had an

     effective complaints process in place whereby any complaints it
      received directly would be sent to         in order that the data

     could be supressed.            was said to dear with their own

      requests. The Commissioner finds it difficult to accept that
     were in any position to handle direct requests, given that recipients of

      SMS were unaware of .,s   involvement and were not provided with
     contact details. Althoughthe content of the messages identified Global

      One and contained a link to their website, no address has been

      provided for the third party who sent the messages. As Global One
     were unaware  that a third party was the sender of the messages

      duringthe SMS marketing campaign, individuals informing Global One

     that they objected to receiving such communications would have been
      reliant upon Global One relaying these to         , and then in turn

     to the third party sender, and so in effect produced a convoluted,
      unreliable and therefore ineffectual remedy. As such the Commissioner

     considers that Global One are also in breach of Regulation 23.

                                    11                                                             •

                                                             ICO.
                                                             Information Commissioner's Office


39.  The Commissioner has gone on to consider whether the conditions

      under section SSA DPA are met.


     Seriousness of the contravention


40.  The Commissioner is satisfied that the contraventiidentified
     above was serious. This is because between 24 April 2020 and 23 May

     2020 Global One instigated a total of 573,000 unsolicited direct
      marketing messages, resulting in total of 548 complaints.



41.  In representationsto the Notice of Intent, Global One stated that it had
     been the subject of a social media campaign of harassment, and SMS

     recipients encouraged to make complaints against Global One. Details
     provided to the Commissioner by way of evidence demonstrated that

     any such campaign (in relation to which the Commissioner makes no
     finding) post-dated the contraventioperiod and so the Commissioner

     finds no good reasonto disregard the complaints as disingenuous.


42.  Global One has failed to provide evidence of valid consent for any of

     the 573,000 unsolicited direct marketing messages it instigated.

43.   Furthermore, the messages did not contain adequate instruction on

     how individualsmay opt-out of receiving further marketing.


44.  It is apparent that Global One adopted a targeted strategy in order
     both to raise their profile and increase their revenue stream during the

     Covid-19 pandemic.






                                   12                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

45.  The Commissioner is therefore satisfied that condition (a) from
      section 55A(l)DPA is met.


      Deliberate or negligent contraventions


46.  The Commissioner has considered whether the contravention  identified

      above was deliberate.


47.  The Commissioner considers that Global One did not deliberately set

      out to contravene PECRin this instance.


48.  The Commissioner has gone on   to consider whether the contravention
      identified above was negligent. This consideration comprises two

      elements:


49.   Firstly, she has considered whether Global One knew or ought

      reasonably to have known that there was a risk that these
      contraventionswould occur. She is satisfied that this condition is met,

      not least since the issue of unsolicited text messages have been widely
      publicised by the media as being a problem.



50.  The Commissioner has published detailed guidance for those carrying
      out direct marketing explaining their legal obligations under PECR.

     This guidance gives clear advice regarding the requirements of consent
      for direct marketing and explains the circumstances under which

      organisations are able to carry out marketing over the phone, by text,
      by email, by post, or by fax. In particular it states that organisations

      can generally only send,r instigate, marketing messages to

      individuals if that person has specifically consented to receiving them.
     The guidance is also clear about the significant risks of relying on

      indirect consent, as Global One did in this instance.

                                    13                                                               •

                                                               ICO.
                                                               Information Commissioner's Office

51.   In 2018 the charity sector came under much scrutiny following
      investigations and penalties in respect of contraventiof PECR.

      These investigations were well publicised at the time, receiving much
      media attention and further engagement with the Charity Commission

      and the ICO, including conferences to the third sector to highlight the
      issues and promote compliance. The introduction of the Fund Raising
      Preference Service in 2016 also provides advice and support to

      charities with the aim of making it easier for them to understand the
      standards expected when fundraising.


52.   It is therefore reasonable to suppose that Global One should have been

      aware of its responsibilities in this area.

53.   Secondly, the Commissioner has gone on to consider whether Global
      One failed to take reasonable steps to prevent the contraventions.

      Again, she is satisfied that this condition is met.

54.   During the course of the Commissioner's investigationresponses
      provided by Global One indicated that they were aware that proper due

      diligence should have been undertaken prior to entering into the
      agreement with ?    however due to time constraints no due diligence

      was conducted, stating:"under normal circumstances we would have
      had further meetings to fully review contractual terms and conduct
      proper due diligence with regards to databases and compliance,

      regrettably this was not the case". Global One instead relied on verbal
      assurances provided by ?

55.   Reasonable steps which the Commissioner might expect in these

      circumstances could have included ensuring a comprehensive contract
      was in place with • relating to the marketing campaign and the

      provision of the data to be relied upon, to ensure its reliability and

                                    14                                                                 •

                                                                ICO.
                                                                Information Commissioner's Office
      validity. Global One failed to provide any evidence of communications

      between itself and?   regarding the SMS marketing campaign, other
      than to say the matter was discussed and concluded in two telephone
      meetings with •.   Failure to formalise the obligation of due diligence

      also ledto conflicting evidence during the investigation and subsequent
      representations as to which party was thought to be responsible. There

      was a clear lack of control over a direct marketing campaign launched
      at their instruction ?o


56.   Global One did later ask.   for evidence of consent, but only after

      commencement of the campaign, and after it had received complaints
      directly in early May 2020. At that point Global One took no action to

      pause or suspend the campaign whilst enquiries were made. Even then
      Global One continued to rely upon .,s  assurances without any actual

      evidence of consent. Whilst Global One did attempt to undertake some
      due diligence in early June 2020, it was only after it became aware that

      the leads were supplied by a third party, and at the end of the
      campaign in question.  It would have been reasonable for Global One

      to carry out its own checks as to how consent was being obtained prior
      to instigating the SMS campaign, notwithstanding  any assurances by

     •·    In short, simple reliance on assurances of indirect consent alone
      without undertaking proper due diligence is not acceptable.


57.   In the circumstances, the Commissioner is satisfied that Global One
      failed to take reasonable steps to prevent the contraventions.


58.   The Commissioner is therefore satisfied that condition (b) from section

      SSA (1) DPA is met.





                                     15                                                               •


                                                               ICO.
                                                               Information Commissioner's Office
      The Commissioner's    decision to impose a monetary    penalty


59.   The Commissioner finds that there are no aggravating  features of

      this case.


60.   The Commissioner   has taken into account the following   mitigating

      features of this case:


         •  Since the commencement     of the Commissioner's  investigation

            Global One has ceased all direct   marketing  activitiesand is

            undertaking a full review of its data protection compliance.


61.   Forthe reasons explained above, the Commissioner is satisfied that the

      conditions from section 55A(l)DPA have been met in this case. She is
      also satisfiedhat the procedural rights under section 55B have been

      complied with.


62.   This has included  the issuing of a Notice of Intent,   in which the

      Commissioner set out her preliminary thinking, and invited Global One
      2015 to make representations in response.



63.   The Commissioner   has received  and considered   Representations  in
      response to the Notice of Intent dated 30 April 2021.



64.   The Commissioner is accordingly entitledo issue a monetary penalty in
      this case.



65.   The Commissioner has considered whether, in the circumstances,   she
      should exercise her discretion so as to issue a monetary penalty. She

      has decided that a monetary penalty is an appropriate and proportionate



                                    16                                                             •

                                                            ICO.
                                                            Information Commissioner's Office

     response to the finding of a serious contraventof regulations 22 and
     23 of PECRby Global One.


66.  The Commissioner's   underlying objective in imposing  a monetary

     penalty notice is to promote compliance with PECR. The instigation or

     making of unsolicited direct marketingtexts is a matter of significant
     public concern. A monetary penalty in this case should act as a general

     encouragement   towards compliance  with the law, or at least as a

     deterrent against non-compliance, on the part of all persons running
     businesses currently engaging in these practices. This is an opportunity

     to reinforce the need for businesses to ensure that they are only texting
     consumers who want to receive these messages.



67.  The Commissioner has also considered the likely impact of a monetary
     penalty on Global One and in doing so has reviewed financial evidence

     supplied alongside its representations.


     The amount of the penalty


68.  Taking into account all of the above, the Commissioner has decided that

     the amount of the penalty is £10,000(Ten thousand   pounds).


     Conclusion


69.  The monetary   penalty must be paid to the Commissioner's office by

     BACS transfer or cheque by 15 July 2021 at the latest. The monetary
     penalty is not kept by the Commissioner   but will be paid into the

     Consolidated Fund which is the Government's general bank account at
     the Bank of England.





                                   17                                                              •

                                                             ICO.
                                                             Information Commissioner's Office

70.   If the Commissioner receives full payment of the monetary penalty by
      14 July 2021  the Commissioner will reduce the monetary penalty by

      20% to £8,000   (Eight thousand  pounds).   However, you should be
     aware  that the early payment discount is not available if you decide to

     exercise your right of appeal.


71.  There is a right of appeal to the First-tier Tribunal (InformRights)

      against:


      a)   the imposition of the monetary penalty
           and/or;



       b)  the amount of the penalty specified in the monetary penalty
           notice.


70. Any notice of appeal should be received by the Tribunal within 28 days

     of the date of this monetary penalty notice.


71. Informationabout appeals is set out in Annex 1.


72. The Commissioner will not take action to enforce a monetary penalty
    unless:


   • the period specified within the notice within which a monetary penalty

      must be paid has expired and all or any of the monetary penalty has
      not been paid;



   • all relevant appeals against the monetary penalty notice and any
      variation of it have either been decided or withdraand


   •  period for appealing against the monetary penalty and any variation of
      it has expired.

                                   18                                                      •

                                                     ICO.
                                                     Information Commissioner's Office
73. In England, Wales and Northern Ireland, the monetary penalty is
   recoverable by Order of the County Court or the High Court. In

   Scotland, the monetary penalty can be enforced in the same manner
   as an extract registered decree arbitral bearing a warrant for execution

   issued by the sheriff court of any sheriffdom in Scotland.


Datedthe 14th day of June 2021


Andy Curry
Head of Investigations
InformatioCommissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 SAF

























                               19                                                           •

                                                           ICO.
                                                           Information Commissioner's Office




ANNEX 1


SECTION   55 A-E OF THE DATA PROTECTION      ACT 1998


RIGHTS   OF APPEAL AGAINST    DECISIONS   OF THE COMMISSIONER


1.   Section 48 of the Data Protection Act 1998 gives any person upon
whom a monetary penalty notice or variation notice has been served a right
of appeal to the First-tier Tribunal (InformRights) (the 'Tribunal')

against the notice.

2.   If you decide to appeal and if the Tribunal considers:-


a)   that the notice against which the appeal is brought is not in accordance
with the law; or

b)   to the extent that the notice involved an exercise of discretion by the

Commissioner, that she ought to have exercised her discretion differently,

the Tribunal will allow the appeal or substitute such other decision as could
have been made by the Commissioner. In any other case the Tribunal will

dismiss the appeal.

3.   You may bring an appeal by serving a notice of appeal on the Tribunal
at the following address:



           GRC & GRPTribunals
           PO Box 9300
           Arnhem House

           31 Waterloo Way
           Leicester
           LEl 8DJ


a)   The notice of appeal should be sent so it is received by the Tribunal
within 28 days of the date of the notice.

                                  20                                                                •

                                                               ICO.
                                                               Information Commissioner's Office


b)   If your notice of appeal is late the Tribunal will not admit it unless the
Tribunal has extended the time for complying with this rule.


4.   The notice of appeal should state:-

     a)    your name and address/name and address of your representative
     (if any);


     b)    an address where documents may be sent or delivered to you;

     c)    the name and address of the Information  Commissioner;


     d)    details of the decision to which the proceedings relate;

     e)    the result that you are seeking;


     f)    the grounds on which you rely;

     g)    you must provide with the notice of appeal a copy of the
     monetary penalty notice or variation notice;


     h)    if you have exceeded the time limit mentioned above the notice
     of appeal must include a request for an extension of time and the
     reason why the notice of appeal was not provided in time.


5.   Before deciding whether or not to appeal you may wish to consult your
solicitor or another adviser. At the hearing of an appeal a party may conduct
his case himself or may be represented by any person whom he may
appoint for that purpose.


6.   The statutory provisions concerning appeals to the First-tier Tribunal
(Information Rights) are contained in sections 48 and 49 of, and Schedule 6
to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal)

(General Regulatory Chamber) Rules 2009 (Statutory   Instrument  2009 No.
1976 (L.20)).






                                    21