ICO - Monetary penalty to CRDNN: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX <!--Information about the DPA--> |Jurisdiction=United Kingdom |DPA-BG-Color= |DPAlogo=logoUK.png |DPA_Abbrevation=ICO |DPA_With_Country=ICO (UK) <!--Informa...")
 
No edit summary
Line 24: Line 24:
|Type=Investigation
|Type=Investigation
|Outcome=Violation found
|Outcome=Violation found
|Date_Decided=n/a
|Date_Decided=26. 2. 2020
|Date_Published=2. 3. 2020
|Date_Published=2. 3. 2020
|Year=2020
|Year=2020
Line 31: Line 31:


<!--Information about the applied law-->
<!--Information about the applied law-->
|GDPR_Article_1=Article 5(1)(a) GDPR
|GDPR_Article_1=  
|GDPR_Article_Link_1=Article 5 GDPR#1a
|GDPR_Article_Link_1=  
|GDPR_Article_2=Article 6(1) GDPR
|GDPR_Article_2=  
|GDPR_Article_Link_2=Article 6 GDPR#1
|GDPR_Article_Link_2=  
|GDPR_Article_3=Article 10 GDPR
|GDPR_Article_3=  
|GDPR_Article_Link_3=Article 10 GDPR
|GDPR_Article_Link_3=  
|GDPR_Article_4=
|GDPR_Article_4=
|GDPR_Article_Link_4=
|GDPR_Article_Link_4=
Line 113: Line 113:
|EU_Law_Link_20=
|EU_Law_Link_20=


|National_Law_Name_1=
|National_Law_Name_1=Section 40 Data Protection Act 1998
|National_Law_Link_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Name_2=Regulations 19 and 24 Privacy and Electronic Communication Regulations 2003
|National_Law_Link_2=
|National_Law_Link_2=
|National_Law_Name_3=
|National_Law_Name_3=
Line 174: Line 174:


<!--Here the main article starts-->
<!--Here the main article starts-->
On 6 February 2020, ICO adopted a decision, stating that the Northamptonshire Police acted lawfully by refusing to confirm or deny whether it held information requested by the complainant. However, ICO found that the Northamptonshire Police’s failure to specify the exemption on which it was relying constituted a breach. These conclusions were made based on the relevant provisions of the Freedom of Information Act 2000 ("FOIA"), Data Protection Act 2018 and the General Data Protection regulation ("GDPR").
.............


==English Summary==
==English Summary==


===Facts===
===Facts===
ICO examined a complaint submitted against the Northamptonshire Police regarding the way in which it handled a request for information. Namely, the complainant requested information from the Northamptonshire Police on whether it forcibly entered a property that he owns, but leases to a tenant, on suspicion that the property contained drugs. The complainant stated in the request that he could not obtain the information from the tenant itself. The Northamptonshire Police responded that it will neither confirm nor deny whether the entry took place, as sharing any information without the tenant’s consent would be contrary to the Data Protection Act 2018.
CRDNN was raided by the ICO which after investigation found that the company had instigated 193.606.544 attempted automated calls for the purpose of direct marketing, of which 63.615.075 were connected. CRDNN came to the attention of the ICO when more than 3.000 complaints were made about the nuisance calls.


===Dispute===
===Dispute===
Based on the complaint, ICO examined whether the Northamptonshire Police had the right to apply the section 40 of the FOIA ("neither confirm nor deny" provisions), which would allow it to neither confirm nor deny whether or not it held the requested information. These provisions are applied when confirming or denying would in itself disclose sensitive or potentially exempt information. In this regard, ICO considered whether the Northamptonshire Police complied with the criteria prescribed for relying on the "neither confirm nor deny" provisions, namely: (i) whether confirming or denying would constitute the disclosure of a third party’s personal data, and (ii) whether confirming or denying would contravene one of the data protection principles.
 


===Holding===
===Holding===
Regarding the first criteria, ICO concluded that confirming or denying whether Northamptonshire Police forced entry at a specific property would involve the disclosure of a third party’s personal data (i.e. the tenant’s). Although the request for information relates to the residential address and no individual is explicitly named, it is possible to identify the tenant as the occupant of the property. ICO therefore concluded that the information on whether Northamptonshire Police forced entry at the property is in fact information which relates to the tenant, withing the meaning of the GDPR.
The ICO found that there was no consent for these calls and in fact many of the complainants had sought to opt-out but CRDNN had not facilitated that. Thus, there was violation of regulation 19 PECR.  


As for the second criteria, ICO concluded that confirming or denying whether forced entry took place (i.e. disclosing data) constitutes data processing. Therefore, such disclosure must be done in a lawful, fair and transparent manner in accordance with Article 5(1)(a) and Article 6(1) of the GDPR. Specifically, ICO found that the processing in this case constitutes processing of "criminal offence data" within the meaning of Article 10 of the GDPR. This is because confirming or denying would disclose that that the tenant’s house either had, or had not, been raided by Northampton Police in connection with the presence of drugs in the property. Since such "criminal offence data" are sensitive data, they can only be processed (i) if there is a consent of the data subject, or (ii) if the data were made manifestly public by the data subject. None of these conditions were satisfied in the case in question (on the contrary, the tenant refused to provide the complainant with any information), which is why ICO found that there was no legal basis for the disclosure of data. Therefore, the Northampton Police had the right to rely on the "neither confirm nor deny" provisions.  
The ICO also found that the calls were carried out from spoofed CLIs while during the calls no company information or contact details were provided. In result, people who received the calls could not identify who was making them. Thus, there was violation of regulation 24 PECR.  


Finally, although the Northampton Police had the right to rely on said provisions, ICO found that it nonetheless breached section 17(1)(b) of the FOIA by failing to specify, in its response to the complainant, the exemption on which it was relying.
==Comment==
==Comment==
Feel free to add your comment here!
''Feel free to add your comment here!''


==Further Resources==
==Further Resources==

Revision as of 14:48, 3 March 2020

ICO - Enforcement notice to CRDNN
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law:
Section 40 Data Protection Act 1998
Regulations 19 and 24 Privacy and Electronic Communication Regulations 2003
Type: Investigation
Outcome: Violation found
Started:
Decided: 26. 2. 2020
Published: 2. 3. 2020
Fine: 500,000 £
Parties: n/a
National Case Number/Name: Enforcement notice to CRDNN
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: n/a

.............

English Summary

Facts

CRDNN was raided by the ICO which after investigation found that the company had instigated 193.606.544 attempted automated calls for the purpose of direct marketing, of which 63.615.075 were connected. CRDNN came to the attention of the ICO when more than 3.000 complaints were made about the nuisance calls.

Dispute

Holding

The ICO found that there was no consent for these calls and in fact many of the complainants had sought to opt-out but CRDNN had not facilitated that. Thus, there was violation of regulation 19 PECR.

The ICO also found that the calls were carried out from spoofed CLIs while during the calls no company information or contact details were provided. In result, people who received the calls could not identify who was making them. Thus, there was violation of regulation 24 PECR.

Comment

Feel free to add your comment here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

Not applicable. Please see the English original.