ICO (UK) - Energy Suite Limited: Difference between revisions
Gauravpathak (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO (UK) |DPA_With_Country=ICO (UK) |Case_Number_N...") |
(Changed the short summary for the newsletter, and changed the last line a tiny bit. Really clear clear summary otherwise, thank you and well done for a first one!) |
||
Line 52: | Line 52: | ||
}} | }} | ||
The UK | The UK DPA (ICO) fined Energy Suite £2000 for making unsolicited direct marketing calls in violation of Regulation 21 PECR. | ||
== English Summary == | == English Summary == | ||
Line 68: | Line 68: | ||
The ICO considered the aggravating factors of Energy Suite's action being for financial gain, claiming ignorance of the law, inadequacy in record keeping, continued non-compliance etc. At the same time, the ICO also considered the mitigating factors of Energy Suite being a small company, its cooperation with the investigation, and the number of calls being comparatively low. | The ICO considered the aggravating factors of Energy Suite's action being for financial gain, claiming ignorance of the law, inadequacy in record keeping, continued non-compliance etc. At the same time, the ICO also considered the mitigating factors of Energy Suite being a small company, its cooperation with the investigation, and the number of calls being comparatively low. | ||
Thus, the ICO issued a monetary penalty of £2000 (two thousand pounds) against Energy Suite, | |||
== Comment == | == Comment == |
Latest revision as of 16:29, 25 January 2022
ICO (UK) - Energy Suite Limited | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Directive 2002/58 Data Protection Act 1998 Privacy and Electronic Communications (EC Directive) Regulations 2003 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 18.01.2022 |
Published: | 24.01.2022 |
Fine: | 2000 GBP |
Parties: | n/a |
National Case Number/Name: | Energy Suite Limited |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | ICO (in EN) |
Initial Contributor: | Gauravpathak |
The UK DPA (ICO) fined Energy Suite £2000 for making unsolicited direct marketing calls in violation of Regulation 21 PECR.
English Summary
Facts
Energy Suite is a company marketing "boiler, heating, insulation, glazing and other energy-saving grants to homes under government-funded schemes." Between 1 March and 13 November 2020, Energy Suite connected at least 1,246 calls to subscribers whose numbers were listed on the TPS (Telephone Preference Service Ltd) register. Three complaints were made against Energy Suit during this period as it called people who had not given their no-objection to receive marketing calls.
Before the ICO, Energy Suite claimed that it had purchased "details of 11,005 live, validated landlines and 88,995 live HLR-checked mobiles" from third parties, without conducting any in-house checks.
Holding
The ICO found that Energy Suite had contravened Regulation 21 of Privacy and Electronic Communications (EC Directive) Regulations 2003 by calling numbers that were registered on the TPS. On the balance of probabilities, it found out that at least 1246 calls made by Energy Suite got connected. The ICO referred to another complaint made outside the investigation period to conclude that Energy Suite's compliance with Privacy and Electronic Communications (EC Directive) Regulations 2003 has been lax.
The ICO concluded that "unsolicited direct marketing calls were made to subscribers who had registered with the TPS at least 28 days prior to receiving the calls, and who for the purposes of regulation 21(4) had not notified Energy Suite that they did not object to receiving such calls." This contravention was considered to be serious due to multiple violations as Energy Suite made some 15,000 calls in total, many of which did not connect. Consequently, the ICO concluded that Energy Suite had been negligent and the "condition (b) from section 55A (1) DPA is met".
The ICO considered the aggravating factors of Energy Suite's action being for financial gain, claiming ignorance of the law, inadequacy in record keeping, continued non-compliance etc. At the same time, the ICO also considered the mitigating factors of Energy Suite being a small company, its cooperation with the investigation, and the number of calls being comparatively low.
Thus, the ICO issued a monetary penalty of £2000 (two thousand pounds) against Energy Suite,
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
• ICO. Information Commissioner's Office DATA PROTECTION ACT 1998 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER MONETARY PENAL TY NOTICE To: Energy Suite Limited Of: Lomeshaye Bridge Mill Bridge Mill Road Nelson BB9 7BD 1. The InformationCommissioner ("the Commissioner") has decided to issue Energy Suite Limited ("Energy Suite") with a monetary penalty under section SSA of the Data Protection Act 1998 ("DPA"). The penalty is in relation to a serious contraveof regulation 21 of the Privacy and Electronic Communications(EC Directive) Regulations 2003 (" PECR"). 2. This notice explainse Commissioner's intended decision. Legal framework 3. Energy Suite, whose registered office is given above (Companies House Registration Number: 09999446) is the organisation stated in this notice to have used a public electronic communicatservice for the purpose of making unsolicited calls for the purposes of direct marketing contrary to regulation 21 of PECR. 1 • ICO. Information Commissioner's Office 4. Regulation 21 applies to the making of unsolicited calls for direct marketing purposes. It means that if a company wants to make calls promoting a product or service to an individual who has a telephone number which is registered with the Telephone Preference Service Ltd ("TPS"),then that individual must have notified the company that they do not object to its calls. 5. Regulation 21 paragraph (1) of PECRprovides that: "(1)A person shall neither use, nor instigate the use of, a public electronic communications service for the purposes of making unsolicited calls for direct marketing purposes where- (a) the called line is that of a subscriber who has previously notified the caller that such calls should not for the time being be made on that line; or (b) the number allocated to a subscriber in respect of the called line is one listed in the register kept under regulation 26." 6. Regulation 21 paragraphs (2), (3),(4) and (5) provide that: "(2) A subscriber shall not permit his line to be used in contravention of paragraph (1). (3) A person shall not be held to have contravened paragraph (1)(b) where the number allocated to the called line has been listed on the register for less than 28 days preceding that on which the call is made. 2 • ICO. Information Commissioner's Office (4) Where a subscriber who has caused a number allocated to a line of his to be listed in the register kept under regulation 26 has notified a caller that he does not, for the time being, object to such calls being made on that line by that caller, such calls may be made by that caller on that line, notwithstathat the number allocated to that line is listed in the said register. (5) Where a subscriber has given a caller notification pursuant to paragraph (4) in relation to a line of his- (a) the subscriber shall be free to withdraw that notification at any time, and (b) where such notification is withdrawn, the caller shall not make such calls on that line." 7. Under regulation 26 of PECR,the Commissioner is required to maintain a register of numbers allocated to subscribers who have notified them that they do not wish, for the time being, to receive unsolicited calls for direct marketing purposes on those lines. The TPS is a limited company which operates the register on the Commissioner's behalf. Businesses who wish to carry out direct marketing by telephone can subscribe to the TPS for a fee and receive from them monthly a list of numbers on that register. 8. Section 122(5) of the Data Protection Act 2018 ("DPA18") defines direct marketing as "the communication(by whatever means) of advertising or marketing material which is directed to particular individuals". This definition also applies for the purposes of PECR(see regulation 2(2) PECR& Schedule 19 paragraphs 430 & 432(6) DPA18). 3 • ICO. Information Commissioner's Office 9. "Individual"is defined in regulation 2(1) of PECRas "a living individual and includes an unincorporated body of such individuals". 10. A "subscriber"is defined in regulation 2(1) of PECRas "a person who is aparty to a contract with a provider of public electronic communications services for the supply of such services". 11. Section SSA of the DPA (as applied to PECRcases by Schedule 1 to PECR, as variously amended) states: "(1)The Commissioner may serve a person with a monetary penalty if the Commissioner is satisfied that - (a) there has been a serious contraventioof the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 by the person, (b) subsection (2) or (3) applies. (2) This subsection applies if the contraventiowas deliberate. (3) This subsection applies if the person - (a) knew or ought to have known that there was a risk that the contravention would occur, but (b) failed to take reasonable steps to prevent the contravention." 12. The Commissioner has issued statutory guidance under section SSC (1) of the DPA about the issuing of monetary penalties that has been published on the ICO's website. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must not exceed fS00,000. 4 • ICO. Information Commissioner's Office 13. PECRwere enacted to protect the individual's fundamentalright to privacy in the electronic communicationssector. PECRwere subsequently amended and strengthened. The Commissioner will interpret PECRin a way which is consistent with the Regulations' overall aim of ensuring high levels of protection for individuals' privacy rights. 14. The provisions of the DPA remain in force for the purposes of PECR notwithstanding the introductionof the DPA18: see paragraph 58(1) of Schedule 20 to the DPA18. Background to the case Complaints 15. Energy Suite is a company that markets boiler, heating, insulation, glazing and other energy-saving grants to homes under government funded schemes. 16. Complaints data from the TPS in September 2020 indicated that a complaint had been made about calls made from Calling Line Identity ("CLI") 01282612211. A third-partyinformationnotice was sent to British Telecommunications PLC (BT) on 3 September 2020. BT responded on 20 October 2020, identifying Energy Suite as the person to whom the CLI was allocated. 17. Further analysis identified that there had been three complaints in respect of Energy Suite, namely (i) three complaints to the TPS between 6 March and 20 July 2020 and (ii) one complaint to the Commissioner on 3 August 2020, by a complainant not registered for TPS. The complaints included the following comments: 5 • ICO. Information Commissioner's Office "Cold call re eligibility for new boiler and underfloor heating ...gov scheme (you don't list energy saving in your list to the right of this box!) ... men asking for my husband by name. Saying they were calling about the gov boiler scheme. Asked lots of questions about the house and any qualifying benefits. Said they check with the gov that the person i said gets benefits really does and then when that is confirmed they will send a letter and call back to make an appt to survey. Didn;t ask for any money or financial info. Sounded like a scam but not sure. however it was in total breach of TPS. Oh and all the info I gave them was untrue anyway!!" [sic][Complaintto TPS] "Calling as they were informed my boiler was in need of replacement and I could have a grant from the government. They kept asking whether my boiler was over7years old. I asked where they had got my personal information from (full name and telephone number), I was told from a 3rd party but they refused to disclose who as it was company policy to keep it secret. They ended the call and I called back to try and get more details they put me on hold and ended the call twice. I told the caller that I would be reporting this incident to the ico."] 18. Two further complaints to the TPS did not give details, save that the company that had called them was Energy Suite. Although the complaint from the consumer not registered for TPS does not in itself indicate a breach of regulation 21, it is included as it gives an example of the type and content of call in issue. 19. It is possible that more complaints would have been received but for Energy Suite's practice of making a significant volume of calls via (as to which, see below). 6 • ICO. Information Commissioner's Office The Commissioner's investigation 20. After conducting his initial investigthe Commissioner wrote to Energy Suite on 13 November 2020 to state that he had opened an investigationto set out the complaints in issue, and to ask some initial questions about Energy Suite's business. 21. On 2 December 2020 Energy Suite replied stating that: a. Energy Suite had made some 15,000 attempted calls, of which 6,000 had connected, in the period from 1 March to 13 November 2019; b. these had been made from the aforementionedCLI as well as from three mobile phone numbers and from c. Energy Suite had purchased the telephone numbers in question from third parties including d. allf the data in question had been sourced through third parties rather than the contact form on Energy Suite's website; e. Energy Suite did not screen these numbers in-house to assess whether they appeared on the TPS register, but rather purchased the numbers pre-screened. 22. Energy Suite provided a data processing agreement wi1111 and a supplier privacy notice of unclear provenance, entitled "PRIV". The data processing agreement from - suggests that Energy Suite purchased details of 11,005 live, validated landlines and 88,995 live HLR-checked mobiles. 7 • ICO. Information Commissioner's Office 23. On 16 December 2020, the Commissioner wrote back to Energy Suite to request further informationamely: a. precise call volumes, or details of the dialler operator if volumes were not known; b. details of how opt-ins were obtained; c. clarification of the source of the document entitled "PRIV"; d. training documents; and e. evidence of the consent relied upon for the calls made to the complainants (i.e. notice that they did not object). 24. On 13 January 2021 Energy Suite replied stating that it: a. did not have a dialler, dialled manually, and did not hold details of call volumes; b. did not have any means for checking whether a number was TPS registered or had opted into contact from Energy Suite; c. had received the 'PRIV' document from OFGEM, which governed the schemes that Energy Suite marketed; d. did not have a PECRpolicy or any training records, but would welcome guidance from the Commissioner in that regard; e. had believed that it had consent to call the call recipients on the basis of the terms on which it had purchased their data. 25. On 14 January 2021, the Commissioner wrote again to Energy Suite to seek: a. clarification of the point at which the data in question was screened against the TPS register; and b. confirmation of how the data that Energy Suite had purchased had been obtained by those who supplied it. 8 • ICO. Information Commissioner's Office 26. On 27 January 2021 Energy Suite responded to say that it did not check the data against the TPS as it believed the data supplier to be reputable, and had been told that the leads in question were not on the TPS and had opted in. Energy Suite explained that they did not know how the leads had been obtained. 27. On 5 February 2021, the Commissioner requested copies of any due diligence documents held by Energy Suite, and confirmation of whether the - numbers that had called customers 28. On the same date, the Commissioner also reviewed the websites of the data suppliers. As to those: a. - was found to have a website at The precise source of-data was unclear from its website, although it did state that the data was sourced from lifestyle surveys, online comparisons, competition sites and strategic partners, and was TPS verified; b. was found to have a website at There were no clear details on the website of how the data sold had been obtained; c. similarly, website was unclear about the provenance of the company's data, although it did give an assurance that the data was accurate and up to date and had been provided directly by the potential client. 9 • ICO. Information Commissioner's Office 29. On 19 February 2021 Energy Suite replied to say that the numbers in question were but provided no new due diligence documents. 30. On 25 February 2021, the Commissioner sent BT a third-party informationnotice seeking call detail records for the calls from the above CLI. BT responded on 26 March 2021, and following further communications redirected the Commissioner to which serviced the CLI in question. On 9 April 2021, the Commissioner sought call records from which providedthem later the same day. 31. The records confirmed that Energy Suite had made 3,415 connected calls from the aforementionedCLI between 1 March and 13 November 2020, although some of these may have gone to voicemail. Of those calls,,202 were made to numbers registered with the TPS, and 44 were made to numbers registered to the Corporate TPS. The most recent registration was 89 days before the call in question. Thus, 36.5% of the calls made from the CLI in question were to customers who had been registered with the TPS (and for at least 28 days by the time of the call). 32. The Commissioner did not consider it appropriate to seek call records from the mobile phone numbers or landlines used, given that they were However, in light of Energy Suite's representationthat 6,000 calls had connected, in the relevant period, across alllls, at least 2,585 connected calls would appear to have been made from 33. On 29 April 2021, the Commissioner emailed Energy Suite to advise that the case would be reviewed, which it was. In further email on 4 May 2021, the Commissioner requested details of the personal data 10 • ICO. Information Commissioner's Office purchased and held by Energy Suite, and whether any leads had been sourced through its website. 34. On 11 May 2021, Energy Suite replied to explain that the data purchased included name, address and telephone number. It stated that leads were generated via Energy Suite's website as well as via purchased data. 35. On the same day, the Commissioner wrote to Energy Suite to request the volume of leads generated via Energy Suite's websiteIt responded to say that 2,033 enquiries had come in via that route, and that all of these would have been contacted. 36. On 19 May 2021, the Commissioner replied to Energy Suite to seek informationabout whether this figure was for connected or attempted calls, and how many of those called were TPS registered. On 21 May 2021 Energy Suite replied statinghat it did not hold this information. However, it seems inherently unlikely that every single such lead, of 2,033 in total, answered the phone when called (even if called multiple times). The Commissioner therefore assumes that the number 2,033 representsthe number of people whom Energy Suite tried to contact, not the number whom it contacted successfully (whether via voicemail or otherwise). 37. On 24 May 2021, the Commissioner wrote to Energy Suite to say that it had concluded its investigatioand would consider whether enforcement action would be appropriate. 38. The Commissioner is satisfied that the 1,246 calls were all made for the purposes of direct marketing as defined by section 122(5) DPA18. 11 • ICO. Information Commissioner's Office 39. The Commissioner has made the above findings of fact on the balance of probabilities. 40. The Commissioner has considered whether those facts constitute a contravention of regulation 21 of PECRby Energy Suite and, if so, whether the conditions of section SSA DPA are satisfied. The contravention 41. The Commissioner finds that Energy Suite contravened regulation 21 of PECR. 42. The Commissioner finds that the contraventiowas as follows: Between 1 March and 13 November 2020, Energy Suite used a public telecommunications service for the purposes of making, on the balance of probabilities, at least 1,246 connected calls to subscribers whose number was listed on the TPS register. In that regard: a. it appears that 1,246 connected calls from Energy Suite's main CLI, given above, were made to numbers that had been on the TPS register for at least 28 days prior to the call; b. whilst it is possible that some of those called may have opted into marketing calls by submitting an enquiry on Energy Suite's website, Energy Suite was unable when asked provide any detail of the calls made via website leads; c. in the absence of any evidence at all from Energy Suite in that respect, the Commissioner concludes from the available evidence that, on the balance of probabilities, most or all of the numbers on the TPS register were not allocated to people 12 • ICO. Information Commissioner's Office who had notified Energy Suite, via the contact form on its website,that they did not object to being contacted; d. further, given (i) the volume of additional calls made - some 2,585 from (ii) Energy Suite's inability to provide any evidence of notices of non-objection from the holders of the numbers called, or records of these calls, and (iii) the very large number of telephone numbers on the TPS register (c.18 million), on the balance of probabilities at least some of the additional calls - i.e. calls not made from the CLI given above - were likely to have been to numbers registered with TPS for at least 28 days prior to the call; e. the Commissioner's conclusions in this regard are fortified by the fact that it has seen three complaints about Energy Suite in the relevant period from the holders of numbers registered on the TPS. The Commissioner considers that: i. those who complained to the TPS about Energy Suite would not have opted in via the company's website; and ii. as a matter of common sense and inherent probability, only a very small number of those who receive unsolicitedmarketing calls will in fact complain; iii. the Commissioner therefore infers from the three complaints made that a much larger number of unsolicited calls were in fact made to numbers registered on the TPS; f. the Commissioner has been referred to a further complaint made on 6 April 2021, outside the period under investigation. This further complaint fortifies the Commissioner's conclusion that Energy Suite's compliance with PECRhas been lax, and in turn that it has likely not taken effective steps to screen numbers called for TPS registration. 13 • ICO. Information Commissioner's Office 43. The Commissioner is also satisfied for the foregoing reasons that, for the purposes of regulation 21, these unsolicited direct marketing calls were made to subscribers who had registered with the TPS at least 28 days prior to receiving the calls, and who for the purposes of regulation 21(4) had not notified Energy Suite that they did not object to receiving such calls. 44. For such notification to be valid under regulation 21(4), the individual must have taken a positive action to override their TPS registration and indicatetheir willingness to receive marketing calls from the company. The notificatioshould reflect the individual's choice about whether or not they are willing to receive marketing calls. Therefore, where signing upto use a product or service is conditional upon receiving marketing calls, companies will need to demonstratehow this constitutes a clear and positive notification of the individual's willingnessto receive such calls. 45. The notification must clearly indicate the individual's willingness to receive marketing calls specifically. Companies cannot rely on individuals opting into marketing communicationsgenerally, unless it is clear that this will include telephone calls. 46. Further,the notification must demonstrate the individual's willingness to receive marketing calls from that company specifically. Notifications will not be valid for the purposes of regulation 21(4) if individuals are asked to agree to receive marketing calls from "similar organisations", "partners","selected third parties" or other similar generic descriptions. 47. The Commissioner has gone on to consider whether the conditions under section SSA DPA are met. 14 • ICO. Information Commissioner's Office Seriousness of the contravention 48. The Commissioner is satisfied that the contraventidentified above was serious. This is because there have been multiple breaches of regulation 21 by Energy Suite arising from the organisation's activities between 1 March and 13 November 2020 and this led to over 1,000 unsolicited direct marketing calls being made to subscribers who were registeredwith the TPS and who had not notified Energy Suite that they were willing to receive such calls, and to three complaints being made as a result. 49. In addition, Energy Suite made some 15,000 calls in total, including calls that were not connected to subscribers. Although the Commissioner has not been able to screen those numbers against the TPS register because111 has not retained records, the numbers were called without any due diligence as to their TPS status. Given the lack of any such due diligence, it is reasonable to assume that a significant number of these numbers will have been registered with the TPS. The attempt to contact a large number of other individuals who may well have been registered with the TPS, and/or without conducting any due diligence as to the same, aggravates the contravention. 50. The Commissioner is therefore satisfied that condition (a) from section SSA (1) DPA is met. Deliberate or negligent contraventions 51. The Commissioner does not consider that Energy Suite deliberately set out to contravene PECRin this instance. He has therefore gone on to consider whether the contraventionidentified above was negligent. This consideration comprises two elements: 15 • ICO. Information Commissioner's Office 52. Firstly, the Commissioner has considered whether Energy Suite knew or ought reasonably to have known that there was a risk that this contravention would occur. He is satisfied that this condition is met, for the following reasons: a. Energy Suite conducted a very large amount of direct telephone marketing as part of its business model, with some 15,000 attempted calls, and 6,000 connected calls, over a periodof some eight and a half months; b. in conducting such a large number of calls, Energy Suite ought reasonably to have familiarised itself with the legislation around direct marketing calls. It failed abjectly to do so - indeed,on the evidence, even to attempt to do so; c. further, the existence of legal controls on direct marketing and of the importance of the TPS register is widely known, and public awarenessof wider data protection issues and of the importance of using data lawfully is also now widespread. 53. The Commissioner has published detailed guidance for companies carrying out marketing explaining their legal requirements under PECR. This guidance explains the circumstances under which organisations are able to carry out marketing over the phone, by text, by email, by post or by fax. Specifically, it states that live calls must not be made to any subscriber registered with the TPS, unless the subscriber has specifically notified the company that they do not object to receiving such calls.In case organisations remain unclear on their obligations, the Commissioner operates a telephone helpline. ICO communications about previous enforcement action where businesses have not 16 • ICO. Information Commissioner's Office complied with PECRare also readily available 54. Standard practiceof the TPS is to contact the organisation making the calls on each occasion a complaint is made, and indeed Energy Suite toldthe Commissioner in correspondence that TPS had been in contact after receipt of the complaints in issue. That there were three complaints made to the TPS over the period of the contravention should have made Energy Suite aware of the risk that such contraventionsmay occur and were indeed occurring. 55. It is therefore reasonable to suppose that Energy Suite should have been aware of its responsibilities in this area. 56. Secondly, the Commissioner has gone on to consider whether Energy Suite failed to take reasonable steps to prevent the contravention. Again, he is satisfied that this condition is met. 57. The Commissioner's direct marketing guidance makes clear that organisations acquiring marketing lists from a third party must undertake rigorous checks to satisfy themselves that the personal data was obtained fairly and lawfully, that their details would be passed along for direct marketing to the specifically named organisation in the case of live calls, and that they have the necessary notifications for the purposes of regulation 21(4)It is not acceptable to rely on assurances given by third party suppliers without undertaking proper due diligence. No such checks were undertaken here, and a perusal of the websites of the companies in question, and of the documents that they provided to Energy Suite, does not give any good basis for thinking that their data was properly screened against the TPS register. 17 • ICO. Information Commissioner's Office 58. Reasonable steps that Energy Suite could have been expected to take in these circumstances may also have included: a. screening the data in question against the TPS register itself, regardless of the assurances given by the third parties in question; b. ensuring that it had in place an effective and robust suppression list; c. familiarisinitself with the legislation and ICO guidance applicable to marketing calls, and providing training to its staff accordingly. 59. Given the volume of calls and complaints, and indeed Energy Suite's own submissions, it is clear that it failed to take those reasonable steps. 60. The Commissioner is therefore satisfied that condition (b) from section SSA (1) DPA is met. The Commissioner's decision to issue a monetary penalty 61. The Commissioner has taken into account the following aggravating features of this case: a. Energy Suite's actions were done deliberately for financial gain, in that they aimed to generate sales and therefore profit; b. Energy Suite's ignorance of the law was unacceptable given the nature of its business and the ready availability of guidance; c. although Energy Suite cooperated with the Commissioner, it was unable to provide much of the information that she requested due to the serious inadequacy of its record-keeping; 18 • ICO. Information Commissioner's Office d. Energy Suite's non-compliance appears to have continued alter the period of contraventionwith a further complaint about the company having been made to the TPS on 6 April 2021; e. because of its processes and poor record-keepingEnergy Suite was unable to say whether calling leads from the might have withheld their numbers when doing so, thus raising the possibility that there had also been a breach of regulation 24 PECR as well, although this could not be confirmed. Energy Suite's poor processes and record-keeping in this regard is itself culpable and raises the possibility that some of the calls were also non-compliantwith regulation 24; f. one of the complaints indicates a reluctance on the part of Energy Suite's employee to disclose to the subscriber where they had got that subscriber's number, indicating an unwillingness on the company's part to comply with the spirit of its obligations under the PECR(see paragraph 17 above). 62. The Commissioner has taken into account the following mitigating features of this case: a. the company in question is small and may not be able to withstand a large penalty; b. the company has sought to cooperate to some degree with the Commissioner albeit its responses have been unsatisfactory; c. the volume of calls in this case is comparativlow compared to some of the other cases that have come before the ICO. 63. For the reasons explained above, the Commissioner is satisfied that the conditions from section SSA (1) DPA have been met in this case. He is also satisfied that the procedural rights under section SSB have been complied with. 19 • ICO. Information Commissioner's Office 64. The latter has included the issuing of a Notice of Intent, in which the Commissioner set out his preliminary thinking. In reaching his final view, the Commissioner has taken into account the representations made by Energy Suite on this matter. 65. The Commissioner is accordingly entitled to issue a monetary penalty in this case. 66. The Commissioner has considered whether, in the circumstances, he should exercise his discretion so as to issue a monetary penalty. 67. The Commissioner has considered the likely impact of a monetary penalty on Energy Suite. He has decided that a penalty remains the appropriate course of action in the circumstances of this case. 68. The Commissioner's underlying objective in imposing aonetary penalty notice is to promote compliance with PECR.The making of unsolicited direct marketing calls is a matter of significant public concern. A monetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance,on the part of all persons running businesses currently engaging in these practices. This is an opportunity to reinforce the need for businesses to ensure that they are only telephoning consumers who are not registered with the TPS and/or have specifically indicated that they do not object to receiving such calls. 69. For these reasons, the Commissioner has decided to issue a monetary penalty in this case. 20 • ICO. Information Commissioner's Office The amount of the penalty 70. Taking into account all of the above, the Commissioner has decided that a penalty in the sum of £2,00(two thousand pounds) is reasonable and proportionategiven the particular facts of the case and the underlying objective in imposing the penalty. Conclusion 71. The monetary penalty must be paid to the Commissioner's office by BACS transfer or cheque by 17 February 2022 at the latest. The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government's general bank account at the Bank of England. 72. If the Commissioner receives full payment of the monetary penalty by 16 February 2022 the Commissioner will reduce the monetary penalty by 20% to £1,600 (one thousand and six hundred pounds). However, you should be aware that the early payment discount is not available if you decide to exercise your right of appeal. 73. There is a right of appeal to the First-tier Tribunal (InfoRights) against: (a) the imposition of the monetary penalty and/or; (b) the amount of the penalty specified in the monetary penalty notice. 74. Any notice of appeal should be received by the Tribunal within 28 days of the date of this monetary penalty notice. 21 • ICO. Information Commissioner's Office 75. Information about appeals is set out in Annex 1. 76. The Commissioner will not take action to enforce a monetary penalty unless: • the period specified within the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid; • all relevant appeals against the monetary penalty notice and any variation of it have either been decided or withdrand; • the period for appealing against the monetary penalty and any variation of it has expired. 77. In England, Wales and Northern Ireland, the monetary penalty is recoverable byOrder of the County Court or the High Court. In Scotland, the monetary penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued bythe sheriff court of any sheriffdom in Scotland. Dated the 18thday of January 2022 Andy Curry Head of Investigations Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 SAF 22 • ICO. Information Commissioner's Office ANNEX 1 SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 1. Section 55B(S) of the Data Protection Act 1998 gives any person upon whom a monetary penalty notice has been served a right of appeal to the First-tier Tribunal (InformRights) (the 'Tribunal') against the notice. 2. If you decide to appeal and if the Tribunal considers:- a) that the notice against which the appeal is brought is not in accordance with the law; or b) to the extent that the notice involved an exercise of discretion by the Commissioner, that he ought to have exercised his discretionfferently, the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal. 3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address: General Regulatory Chamber HM Courts &Tribunals Service PO Box 9300 Leicester LE1 8DJ 23 • ICO. Information Commissioner's Office Telephone: 0203 936 8963 Email: grc@justice.gov.uk a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice. b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule. 4. The notice of appeal should state:- a) your name and address/name and address of your representative(if any); b) an address where documents may be sent or delivered to you; c) the name and address of the Information Commissioner; d) details of the decision to which the proceedings relate; e) the result that you are seeking; f) the grounds on which you rely; g) you must provide with the notice of appeal a copy of the monetary penalty notice or variation notice; h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time 24 • ICO. Information Commissioner's Office and the reason why the notice of appeal was not provided in time. 5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose. 6. The statutory provisions concerning appeals to the First-tier Tribunal (InformatiRights) are contained in section 55B(S) of, and Schedule 6to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (StatutorInstrument 2009 No. 1976 (L.20)). 25