ICO (UK) - Global One 2015: Difference between revisions
No edit summary |
No edit summary |
||
(2 intermediate revisions by the same user not shown) | |||
Line 50: | Line 50: | ||
}} | }} | ||
The UK DPA (ICO) imposed a fine of | The UK DPA (ICO) imposed a fine of €11,600 on Global One 2015. This charity infringed Articles 22 and 23 PECR by sending unsolicited marketing messages without consent and without providing a point of contact for individuals to refuse such marketing. | ||
== English Summary == | == English Summary == | ||
Line 57: | Line 57: | ||
Global One is a charity that aims to impove health, sanitation and agriculture. The Information Commissioner's Office received 539 complaints from individuals who received unsolicited text messages from Global One. These complaints occurred between April 30th, 2020 and May 22nd, 2020, when 573,000 marketing texts were sent overall. The texts did not offer individuals the opportunity to opt-out of further marketing. | Global One is a charity that aims to impove health, sanitation and agriculture. The Information Commissioner's Office received 539 complaints from individuals who received unsolicited text messages from Global One. These complaints occurred between April 30th, 2020 and May 22nd, 2020, when 573,000 marketing texts were sent overall. The texts did not offer individuals the opportunity to opt-out of further marketing. | ||
Global One had entered into an agreement with a third party (X) that was to provide them with a marketing strategy. The third party (X) informed Global One that it would start an SMS campaign to gain donations. Global One says it assumed that this would be carried out using a marketing list that belonged to the third party (X). However, the third party (X) themselves commissioned another third party (Y) to deliver the test messaging campaign. The third party (Y) claimed that the list they compiled and used was compliant with relevant laws. | Global One had entered into an agreement with a third party (X) that was to provide them with a marketing strategy. The third party (X) informed Global One that it would start an SMS campaign to gain donations. Global One says it assumed that this would be carried out using a marketing list that belonged to the third party (X). However, the third party (X) themselves commissioned another third party (Y) to deliver the test messaging campaign. The third party (Y) claimed that the list of contacts they compiled and used was compliant with relevant laws. | ||
However, there was no evidence of consent being provided for such direct marketing messages. Global One claimed to have undertaken due diligence, whilst the party it contracted with (X) claimed that it only advised Global One | However, there was no evidence of consent being provided for such direct marketing messages. Global One nevertheless claimed to have undertaken due diligence, whilst the third party it contracted with (X) claimed that it only advised Global One of various other agencies who could do the marketing. | ||
=== Holding === | === Holding === | ||
The Information Commissioner's Office | The Information Commissioner's Office held that Global One infringed Articles 22 and 23 PECR. | ||
Global One relied on consent obtained by another organisation to send these text messages. However, the ICO's view is that | Global One relied on consent obtained by another organisation (Y) to send these text messages. However, the ICO's view is that third parties cannot rely on consent provided to an organization when the consenting individuals did not know how their data would be used by third parties. Organisations can generally only send marketing messages to individuals who specifically consented to receiving them. Indirect consent collected by a third party is only authorised where it is freely given, specific and informed (Article 4(11) GDPR). | ||
As there is no evidence of individuals consenting to third party marketing, the ICO concluded that Global One did not have the necessary valid consent to send marketing messages. Therefore, Global One | As there is no evidence of individuals consenting to third party marketing, the ICO concluded that Global One did not have the necessary valid consent to send marketing messages. Therefore, Global One breached Article 22 PECR. | ||
The ICO also held that Global One breached | The ICO also held that Global One breached Article 23(b) PECR as it did not provide a valid contact point for recipients of marketing to send a request to refuse marketing. There was also no procedure in place for handling such requests from individuals. | ||
The ICO therefore decided to imposed a fine of | The ICO therefore decided to imposed a fine of €11600 on Global One for breaching Articles 22 and 23 PECR. The ICO concluded that the contravention was serious and negligent. The fine can be reduced by 20% if paid within a month. | ||
== Comment == | == Comment == |
Latest revision as of 13:44, 23 June 2021
ICO (UK) - Global One 2015 | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 Regulation 23 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 14.06.2021 |
Published: | 15.06.2021 |
Fine: | 10000 GBP |
Parties: | Global One 2015 |
National Case Number/Name: | Global One 2015 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | Information Commissioner's Office (in EN) |
Initial Contributor: | n/a |
The UK DPA (ICO) imposed a fine of €11,600 on Global One 2015. This charity infringed Articles 22 and 23 PECR by sending unsolicited marketing messages without consent and without providing a point of contact for individuals to refuse such marketing.
English Summary
Facts
Global One is a charity that aims to impove health, sanitation and agriculture. The Information Commissioner's Office received 539 complaints from individuals who received unsolicited text messages from Global One. These complaints occurred between April 30th, 2020 and May 22nd, 2020, when 573,000 marketing texts were sent overall. The texts did not offer individuals the opportunity to opt-out of further marketing.
Global One had entered into an agreement with a third party (X) that was to provide them with a marketing strategy. The third party (X) informed Global One that it would start an SMS campaign to gain donations. Global One says it assumed that this would be carried out using a marketing list that belonged to the third party (X). However, the third party (X) themselves commissioned another third party (Y) to deliver the test messaging campaign. The third party (Y) claimed that the list of contacts they compiled and used was compliant with relevant laws.
However, there was no evidence of consent being provided for such direct marketing messages. Global One nevertheless claimed to have undertaken due diligence, whilst the third party it contracted with (X) claimed that it only advised Global One of various other agencies who could do the marketing.
Holding
The Information Commissioner's Office held that Global One infringed Articles 22 and 23 PECR.
Global One relied on consent obtained by another organisation (Y) to send these text messages. However, the ICO's view is that third parties cannot rely on consent provided to an organization when the consenting individuals did not know how their data would be used by third parties. Organisations can generally only send marketing messages to individuals who specifically consented to receiving them. Indirect consent collected by a third party is only authorised where it is freely given, specific and informed (Article 4(11) GDPR).
As there is no evidence of individuals consenting to third party marketing, the ICO concluded that Global One did not have the necessary valid consent to send marketing messages. Therefore, Global One breached Article 22 PECR.
The ICO also held that Global One breached Article 23(b) PECR as it did not provide a valid contact point for recipients of marketing to send a request to refuse marketing. There was also no procedure in place for handling such requests from individuals.
The ICO therefore decided to imposed a fine of €11600 on Global One for breaching Articles 22 and 23 PECR. The ICO concluded that the contravention was serious and negligent. The fine can be reduced by 20% if paid within a month.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
• ICO. Information Commissioner's Office DATA PROTECTION ACT 1998 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER MONETARY PENAL TY NOTICE To: Global One 2015 Of: 4 Gateway Mews, Bounds Green, London, Nll 2UT 1. The InformationCommissioner ("Commissioner") has decided to issue Global One 2015 ("Global One") with a monetary penalty under section SSA of the Data Protection Act 1998 ("DPA"). The penalty is in relation to a serious contraventiof Regulation 22 of the Privacy and Electronic Communications(EC Directive) Regulations 2003 ("PECR"). 2. This notice explainse Commissioner's decision. Legal framework 3. Global One, whose registered office is given above (Companies House Registration Number: 07517992) is the organisatistated in this notice to have instigated the transmission of unsolicited communications by means of electronic mail to individual subscribers for the purposes of direct marketing contrary to regulation 22 of PECR. 4. Regulation 22 of PECRstates: 1 • ICO. Information Commissioner's Office "(l) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers. (2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit,nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notifiedthe sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender. (3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where- (a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; (b) the direct marketing is in respect of that person's similar products and services only; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication. (4) A subscriber shall not permit his line to be used in contraventionof paragraph (2)." 2 • ICO. Information Commissioner's Office 5. Regulation 23 of PECRstates that "A person shall neither transmitnor instigate the transmission of, a communicationfor the purposes of direct marketing by means of electronic mail - (a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed; (b) where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided; (c) where that electronic mail would contravene regulatio7 of the Electronic Commerce (EC Directive) Regulations 2002; or (d) where that electronic mail encourages recipients to visit websites which contravene that regulation." 6. Section 122(5) of the DPA 2018 defines "direct marketing" as "the communication (by whatever means) of any advertising material which is directedo particular individuals". This definition also applies for the purposes of PECR. 7. Consent is defined in Article 4(11) the General Data Protection Regulation 2016/679 as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmatiaction, signifies agreement to the processing of personal data relating to him or her". 8. "Individual"is defined in regulation 2(1) of PECRas "a living individual and includes an unincorporated body of such individuals". 3 • ICO. Information Commissioner's Office 9. A "subscriber"is defined in regulation 2(1) of PECRas "a person who is a party to a contract with a provider of public electronic communications services for the supply of such services". 10. "Electronic mail" is defined in regulation 2(1) of PECRas "any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient and includes messages sent using a short message service". 11. Section SSA of the DPA (as amended by the Privacy and Electronic Communications (EC Directive)(Amendment) Regulations 2011 and the Privacy and Electronic Communications (Amendment) Regulations 2015) states: "(l) The Commissioner may serve a person with a monetary penalty if the Commissioner is satisfied that - (a) there has been a serious contraventionof the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 by the person, (b) subsection (2) or (3) applies. (2) This subsection applies if the contraventiwas deliberate. (3) This subsection applies if the person - (a) knew or ought to have known that there was a risk that the contravention would occur, but (b) failed to take reasonable steps to prevent the contravention." 12. The Commissioner has issued statutory guidance under section SSC (1) of the DPA about the issuing of monetary penalties that has been 4 • ICO. Information Commissioner's Office published on the ICO's website. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must not exceed £500,000. 13. PECRwere enacted to protect the individual's fundamentaright to privacy in the electronic communicatiosector. PECRwere subsequently amended and strengthened. The Commissioner will interpret PECRin a way which is consistent with the Regulations' overall aim of ensuring high levels of protection for individuals' privacy rights. 14. The provisions of the DPA remain in force for the purposes of PECR notwithstanding the introductioof the Data Protection Act 2018 (see paragraph 58(1) of Part 9, Schedule 20 of that Act). Background to the case 15. Phone users can report the receipt of unsolicited marketing text messages to the GSMA's Spam Reporting Service by forwarding the message to 7726 (spelling out "SPAM"). The GSMA is an organisation that represents the interests of mobile operators worldwidThe Commissioner is provided with access to the data on complaints made to the 7726 service and this data is incorporated into a Monthly Threat Assessment (MTA) used to ascertain organisations in breach of PECR. 16. Global One operates as a charity involved in issues such as improving health, sanitation and agriculture. Their work covers a number of internationalcountries, including the United Kingdom. Global One is registered with the Charity Commission, Companies House and the ICO. 5 • ICO. Information Commissioner's Office 17. Global One came to the attention of the Commissioner after numerous complaints were received via the 7726 complaints tool about unsolicited text messages. Between 30 April 2020 and 22 May 2020 539 complaints had been recorded on the 7726 system and 9 on the ICO's online recording tool. These text messages contained, or contained slight variations of, the following text: "Coronavirus Emergency Pakistan, Syria & Bangladesh. Donate Food & Hygiene Kits. Call (free): 03000113333 Online: globalone.org.uk Watch us live on SKY 752." 18. It was noted that these texts did not offer individuals an ability to 'opt out' of future unsolicited text messages. 19. An initial investigatletter was sent to Global One on 3 June 2020, highlighting the Commissioner's concerns with its PECRcompliance and requestinginformation relating to the volumes of texts sent, the source of data used to send said texts, details of any due diligence undertaken, together with evidence of consent relied upon for the messages sent to individuals identified within complaintAn appendix detailinghe complaints received was also attached. 20. Global One provided a response on 22 June 2020, stating that on 20 March 2020 it had entered into a "revenue raising and sharing agreement" ("the agreement") with (''.") under which • would provide a marketing strategy in relation to a number of key initiativesGlobal One went on to explain that under the agreement they "will have no right nor will seek to exercise any direction, control or supervision over ; and that has the sole right to control and direct the means, manner and method by which the services required by the Agreement would be performed". 6 • ICO. Information Commissioner's Office 21. A copy of the agreement later provided by Global One makes no mention of SMS marketing, however the agreement is summarised as follows: "The charity intends to procure as consultant/advisers to develop and execute a revenue sharing agreement, which will raise funds from public donations and allow the charity to enhance and apply for more institutionafunding. The charity wishes to diversify its fundraising income streams". 22. The letter went on to state that on 23 April 202? informed Global One that it would be undertaking an SMS campaign to maximise donations, which Global One says it assumed would be based on the use of third-partymarketing lists belonging to •. 23. Global One advised that between April 2020 and May 2020, 573,000 SMS marketing messages were sent on its behalf. During this period, • managed the SMS marketing campaign, and Global One say it only became aware on 1 June 2020 that- had entered into a verbal contract with a third party data supplier who undertook the sending of the SMS using a marketing list belonging to that supplier. 24. In response to the Commissioner's request for evidence of consent to send SMS messages to those who had been identified on the list of complaints, Global One said it had not been provided this information from ? and would need to approach. to obtain this. In a further response dated 23 July 2020 Global One provided the following information: have confirmed that they commissioned the [third party provider]to deliver the text messaging campaign. 7 • ICO. Information Commissioner's Office The [third party provider]have confirmed in writing that the lists they use are fully compliant data, please see the attached letter and accompanying spreadsheet with their comments." The attached letter indicated that the data is obtained from multiple sources including "government records, licensing boards, directories, telephone searches, memberships, attendee registers, website registrationcounty courthouse records, credit reference agency data, Secretary of State data, business magazines and newspaper subscriptions". The spreadsheet of complaints provided by the Commissioner had been amended to add a new column titled "Consent" and the words "opt in for third party marketing" next to each complainant. 25. On 21 August 2020 the Commissioner requested that Global One provide evidence of the consent that had been obtained by the third party data provider to market the complainants. In response, Global One explained that it did not have access to this information and the third party provider was reluctant to supply it. As such, no evidence of consent has been provided. 26. The Commissioner went on to request copies of correspondence between Global One, • and the third party data provider relating to promotional or marketing activities. On 27 August 2020 Global One replied, statinghat they had been unable to locate any such written communications regarding the SMS marketing campaign which was carried out on their behalf. The reason given was that all such communications were conducted by telephone. 27. Enquiries raised by the Commissioner directly with •elicited the following response: 8 • ICO. Information Commissioner's Office " is aware of the current investigation being conducted by the ICO in relation to one of our clients, Global One 2015. Other than providing strategic recommendationson how to deliver charitable appeal campaigns, we have done nothing more than advice/refer a client onto various other agencies/companieto support them in being able to reach a wider audience. We in this situation are not responsible for due diligence or any contractual obligations for any work Global One decide to undertake with any third party." In subsequent Representations to the Notice of Intent however, Global One evidenced an email from in which the contrary was stated: "we undertook our responsibility to carry out due diligence on the provider ". This statement was made in response to enquiries made of by Global One dated 1 June 2020, and which post-dated the SMS campaign. 28. The Commissioner has made the above findings of fact on the balance of probabilities. 29. The Commissioner has considered whether those facts constitute a contraventionof regulation 22 of PECRby Global One and, if so, whether the conditions of section SSA DPA are satisfied. The contravention 30. The Commissioner finds that Global One contravened regulations 22 and 23 of PECR. 31. The Commissioner finds that the contraventiowas as follows: 9 • ICO. Information Commissioner's Office 32. Between 24 April 2020 and 23 May 2020 Global One instigated the transmission of 573,000 unsolicited direct marketing texts contrary to Regulations 22 & 23 of PECR. This resulted in a total of 539 complaints being received via the 7726 service and 9 via the Commissioner's online reporting tool. 33. Global One, as the instigator of the direct marketing, is required to ensure that it is acting in compliance with the requirementof regulation 22 of PECR,and to ensure that valid consent to send those messages had been acquired. The only exception to this is where the provisions of Regulation 22(3) apply, otherwise referred to as the 'soft opt-in'. As a charitable organisation, the 'soft opt-in' would not be applicablein this instance. 34. Global One relied on consent obtained by another organisation for its own purposes, i.e.'indirect consent'.The Commissioner's direct marketing guidance says "organisations need to be aware that indirect consent will not be enough for texts, emails or automated calls. This is because the rules on electronic marketing are stricter, to reflect the more intrusive nature of electronic messages." 35. It goes on to say that indirect consent can be valid but only if it is clear and specific enough. Moreover, "the customer must have anticipated that their details would be passed to the organisation in question, and that they were consenting to messages from that organisation. This will depend on what exactly they were told when consent was obtained". 36. The data lists utilised to transmit the SMS had been compiled from a diverse listf sources. Whilst the third party data provider stated that each complainant was "opted-in for third party marketing" Global One has not provided any evidence of this to the Commissioner and appears to have been reliant on the? 's verbal assurances that this was the 10 • ICO. Information Commissioner's Office case. In representations to the Commissioner, Global One demonstrated that some due diligence enquiries had been made of. - in early June 2020, however these post-dated the contravention and were insufficient to establish the existence of valid consent to send the SMS. 37. The Commissioner is therefore satisfied from the evidence she has seen that Global One did not have the necessary valid consent to instigate the sending of the direct marketing messages. This constitutes a contraventionof regulation 22 PECR. 38. Furthermore, Regulation 23(b) provides that individuals must be provided with a valid address to which the recipient of the marketing communication may send a request to refuse marketing. In representations to the Commissioner, Global One stated that it had an effective complaints process in place whereby any complaints it received directly would be sent to in order that the data could be supressed. was said to dear with their own requests. The Commissioner finds it difficult to accept that were in any position to handle direct requests, given that recipients of SMS were unaware of .,s involvement and were not provided with contact details. Althoughthe content of the messages identified Global One and contained a link to their website, no address has been provided for the third party who sent the messages. As Global One were unaware that a third party was the sender of the messages duringthe SMS marketing campaign, individuals informing Global One that they objected to receiving such communications would have been reliant upon Global One relaying these to , and then in turn to the third party sender, and so in effect produced a convoluted, unreliable and therefore ineffectual remedy. As such the Commissioner considers that Global One are also in breach of Regulation 23. 11 • ICO. Information Commissioner's Office 39. The Commissioner has gone on to consider whether the conditions under section SSA DPA are met. Seriousness of the contravention 40. The Commissioner is satisfied that the contraventiidentified above was serious. This is because between 24 April 2020 and 23 May 2020 Global One instigated a total of 573,000 unsolicited direct marketing messages, resulting in total of 548 complaints. 41. In representationsto the Notice of Intent, Global One stated that it had been the subject of a social media campaign of harassment, and SMS recipients encouraged to make complaints against Global One. Details provided to the Commissioner by way of evidence demonstrated that any such campaign (in relation to which the Commissioner makes no finding) post-dated the contraventioperiod and so the Commissioner finds no good reasonto disregard the complaints as disingenuous. 42. Global One has failed to provide evidence of valid consent for any of the 573,000 unsolicited direct marketing messages it instigated. 43. Furthermore, the messages did not contain adequate instruction on how individualsmay opt-out of receiving further marketing. 44. It is apparent that Global One adopted a targeted strategy in order both to raise their profile and increase their revenue stream during the Covid-19 pandemic. 12 • ICO. Information Commissioner's Office 45. The Commissioner is therefore satisfied that condition (a) from section 55A(l)DPA is met. Deliberate or negligent contraventions 46. The Commissioner has considered whether the contravention identified above was deliberate. 47. The Commissioner considers that Global One did not deliberately set out to contravene PECRin this instance. 48. The Commissioner has gone on to consider whether the contravention identified above was negligent. This consideration comprises two elements: 49. Firstly, she has considered whether Global One knew or ought reasonably to have known that there was a risk that these contraventionswould occur. She is satisfied that this condition is met, not least since the issue of unsolicited text messages have been widely publicised by the media as being a problem. 50. The Commissioner has published detailed guidance for those carrying out direct marketing explaining their legal obligations under PECR. This guidance gives clear advice regarding the requirements of consent for direct marketing and explains the circumstances under which organisations are able to carry out marketing over the phone, by text, by email, by post, or by fax. In particular it states that organisations can generally only send,r instigate, marketing messages to individuals if that person has specifically consented to receiving them. The guidance is also clear about the significant risks of relying on indirect consent, as Global One did in this instance. 13 • ICO. Information Commissioner's Office 51. In 2018 the charity sector came under much scrutiny following investigations and penalties in respect of contraventiof PECR. These investigations were well publicised at the time, receiving much media attention and further engagement with the Charity Commission and the ICO, including conferences to the third sector to highlight the issues and promote compliance. The introduction of the Fund Raising Preference Service in 2016 also provides advice and support to charities with the aim of making it easier for them to understand the standards expected when fundraising. 52. It is therefore reasonable to suppose that Global One should have been aware of its responsibilities in this area. 53. Secondly, the Commissioner has gone on to consider whether Global One failed to take reasonable steps to prevent the contraventions. Again, she is satisfied that this condition is met. 54. During the course of the Commissioner's investigationresponses provided by Global One indicated that they were aware that proper due diligence should have been undertaken prior to entering into the agreement with ? however due to time constraints no due diligence was conducted, stating:"under normal circumstances we would have had further meetings to fully review contractual terms and conduct proper due diligence with regards to databases and compliance, regrettably this was not the case". Global One instead relied on verbal assurances provided by ? 55. Reasonable steps which the Commissioner might expect in these circumstances could have included ensuring a comprehensive contract was in place with • relating to the marketing campaign and the provision of the data to be relied upon, to ensure its reliability and 14 • ICO. Information Commissioner's Office validity. Global One failed to provide any evidence of communications between itself and? regarding the SMS marketing campaign, other than to say the matter was discussed and concluded in two telephone meetings with •. Failure to formalise the obligation of due diligence also ledto conflicting evidence during the investigation and subsequent representations as to which party was thought to be responsible. There was a clear lack of control over a direct marketing campaign launched at their instruction ?o 56. Global One did later ask. for evidence of consent, but only after commencement of the campaign, and after it had received complaints directly in early May 2020. At that point Global One took no action to pause or suspend the campaign whilst enquiries were made. Even then Global One continued to rely upon .,s assurances without any actual evidence of consent. Whilst Global One did attempt to undertake some due diligence in early June 2020, it was only after it became aware that the leads were supplied by a third party, and at the end of the campaign in question. It would have been reasonable for Global One to carry out its own checks as to how consent was being obtained prior to instigating the SMS campaign, notwithstanding any assurances by •· In short, simple reliance on assurances of indirect consent alone without undertaking proper due diligence is not acceptable. 57. In the circumstances, the Commissioner is satisfied that Global One failed to take reasonable steps to prevent the contraventions. 58. The Commissioner is therefore satisfied that condition (b) from section SSA (1) DPA is met. 15 • ICO. Information Commissioner's Office The Commissioner's decision to impose a monetary penalty 59. The Commissioner finds that there are no aggravating features of this case. 60. The Commissioner has taken into account the following mitigating features of this case: • Since the commencement of the Commissioner's investigation Global One has ceased all direct marketing activitiesand is undertaking a full review of its data protection compliance. 61. Forthe reasons explained above, the Commissioner is satisfied that the conditions from section 55A(l)DPA have been met in this case. She is also satisfiedhat the procedural rights under section 55B have been complied with. 62. This has included the issuing of a Notice of Intent, in which the Commissioner set out her preliminary thinking, and invited Global One 2015 to make representations in response. 63. The Commissioner has received and considered Representations in response to the Notice of Intent dated 30 April 2021. 64. The Commissioner is accordingly entitledo issue a monetary penalty in this case. 65. The Commissioner has considered whether, in the circumstances, she should exercise her discretion so as to issue a monetary penalty. She has decided that a monetary penalty is an appropriate and proportionate 16 • ICO. Information Commissioner's Office response to the finding of a serious contraventof regulations 22 and 23 of PECRby Global One. 66. The Commissioner's underlying objective in imposing a monetary penalty notice is to promote compliance with PECR. The instigation or making of unsolicited direct marketingtexts is a matter of significant public concern. A monetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices. This is an opportunity to reinforce the need for businesses to ensure that they are only texting consumers who want to receive these messages. 67. The Commissioner has also considered the likely impact of a monetary penalty on Global One and in doing so has reviewed financial evidence supplied alongside its representations. The amount of the penalty 68. Taking into account all of the above, the Commissioner has decided that the amount of the penalty is £10,000(Ten thousand pounds). Conclusion 69. The monetary penalty must be paid to the Commissioner's office by BACS transfer or cheque by 15 July 2021 at the latest. The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government's general bank account at the Bank of England. 17 • ICO. Information Commissioner's Office 70. If the Commissioner receives full payment of the monetary penalty by 14 July 2021 the Commissioner will reduce the monetary penalty by 20% to £8,000 (Eight thousand pounds). However, you should be aware that the early payment discount is not available if you decide to exercise your right of appeal. 71. There is a right of appeal to the First-tier Tribunal (InformRights) against: a) the imposition of the monetary penalty and/or; b) the amount of the penalty specified in the monetary penalty notice. 70. Any notice of appeal should be received by the Tribunal within 28 days of the date of this monetary penalty notice. 71. Informationabout appeals is set out in Annex 1. 72. The Commissioner will not take action to enforce a monetary penalty unless: • the period specified within the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid; • all relevant appeals against the monetary penalty notice and any variation of it have either been decided or withdraand • period for appealing against the monetary penalty and any variation of it has expired. 18 • ICO. Information Commissioner's Office 73. In England, Wales and Northern Ireland, the monetary penalty is recoverable by Order of the County Court or the High Court. In Scotland, the monetary penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland. Datedthe 14th day of June 2021 Andy Curry Head of Investigations InformatioCommissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 SAF 19 • ICO. Information Commissioner's Office ANNEX 1 SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 1. Section 48 of the Data Protection Act 1998 gives any person upon whom a monetary penalty notice or variation notice has been served a right of appeal to the First-tier Tribunal (InformRights) (the 'Tribunal') against the notice. 2. If you decide to appeal and if the Tribunal considers:- a) that the notice against which the appeal is brought is not in accordance with the law; or b) to the extent that the notice involved an exercise of discretion by the Commissioner, that she ought to have exercised her discretion differently, the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal. 3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address: GRC & GRPTribunals PO Box 9300 Arnhem House 31 Waterloo Way Leicester LEl 8DJ a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice. 20 • ICO. Information Commissioner's Office b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule. 4. The notice of appeal should state:- a) your name and address/name and address of your representative (if any); b) an address where documents may be sent or delivered to you; c) the name and address of the Information Commissioner; d) details of the decision to which the proceedings relate; e) the result that you are seeking; f) the grounds on which you rely; g) you must provide with the notice of appeal a copy of the monetary penalty notice or variation notice; h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time and the reason why the notice of appeal was not provided in time. 5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose. 6. The statutory provisions concerning appeals to the First-tier Tribunal (Information Rights) are contained in sections 48 and 49 of, and Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)). 21