ICO (UK) - LTH Holdings Limited: Difference between revisions
No edit summary |
No edit summary |
||
Line 54: | Line 54: | ||
}} | }} | ||
The UK DPA fined a funeral plan service approximately €168,000 (£145,000) for sending direct marketing | The UK DPA fined a funeral plan service approximately €168,000 (£145,000) for sending direct marketing calls to individuals registered with the Telephone Preference Service who had not given their prior consent to be called. The DPA clarified that consent for such calls should be 'freely given' (meaning that data subjects must have had the choice to agree to electronic marketing from third parties like the funeral home), 'specific' with regards to the source and kind of direct marketing received, and 'informed' by easy-to-understand information. | ||
The ICO considered these communications to be of particular concern as they were directed at vulnerable people. | |||
== English Summary == | == English Summary == |
Revision as of 11:30, 16 June 2021
ICO (UK) - LTH Holdings Limited | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 4(11) GDPR Regulation 2(1) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 Regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 03.06.2021 |
Published: | 08.06.2021 |
Fine: | 145000 GBP |
Parties: | n/a |
National Case Number/Name: | LTH Holdings Limited |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | English |
Original Source: | Information Commissioner's Office (in EN) |
Initial Contributor: | n/a |
The UK DPA fined a funeral plan service approximately €168,000 (£145,000) for sending direct marketing calls to individuals registered with the Telephone Preference Service who had not given their prior consent to be called. The DPA clarified that consent for such calls should be 'freely given' (meaning that data subjects must have had the choice to agree to electronic marketing from third parties like the funeral home), 'specific' with regards to the source and kind of direct marketing received, and 'informed' by easy-to-understand information.
The ICO considered these communications to be of particular concern as they were directed at vulnerable people.
English Summary
Facts
LTH Holdings Limited is a telephone marketing company which sells a variety of products under various trading names.
Between May 2019 and May 2020 the ICO received a number of complaints from individuals about marketing calls from 'Serenity Funeral Plans,' (a trading name of LTH) which noted the rising cost of funeral plans. On 12 May 2020, the ICO sent an initial investigation letter to LTH setting out concerns and asking a number of questions regarding LTH's campaigns, with the complaints received to date attached.
LTHs response, as well as its further responses throughout the investigation, provided details of campaigns it had carried out, the source of data for those campaigns, the Calling Line Identifiers (CLIs) used for its calls, the scripts used by it as its various trading identities during the calls, and the connected call figures.
It transpired that the data that LTH used for its campaigns was provided by third-party data providers that compile data via multiple sources, i.e. online and paper catalogues, as well as 'internal sales/ internal data'. These third party data providers allegedly only provide data from sources whereby individuals have 'opted in' to be called. The ICO collected information on the 'opt in' mechanisms operated by each of the relevant third party data providers (which were unnamed).
Holding
The ICO found that LTH contravened Regulation 21 of PECR, which establishes that if a company wants to make calls to an individual who has a telephone number which is registered with the Telephone Preference Service Ltd ("TPS"), then that individual must have given their consent to that company to receive such calls. It stated that LTH used a public telecommunications service for the purposes of making 1,414,519 unsolicited direct marketing calls to subscribers who had registered with the TPS at least 28 days prior to receiving the calls, and had not given their prior consent to LTH to receive calls.
The ICO highlighted that consent, as defined by Article 4(11) GDPR, must be "freely given", meaning an organisation must be able to demonstrate how consent can be said to have been given freely. LTH were unable to do this; for all of LTH's third-party data providers, the data of individuals who purchased a product from one of their sites was passed to LTH for use in further direct marketing campaigns, without those individuals being given a genuine choice about whether to consent to such marketing from LTH. Generally, the applicable 'consent' mechanisms gave users no option but to agree to electronic marketing from third parties.
Consent was also not valid as it was not 'specific' since individuals were not able to select the method by which they might wish to receive direct marketing, nor from whom they may consent to receive it. It was also not 'informed'. The ICO emphasized that consent will not be informed if individuals are asked to agree to receive marketing from "similar organisations", "partners", "selected third parties" or other similar generic description. Rather, information should be clear and easy to understand.
The ICO concluded that a penalty in the sum of £145,000 was reasonable and proportionate. In particular, it considered the following aggravating features:
- LTH's primary audience appears to be older people;
- LTH adopted aggressive, coercive, and persuasive methods in its direct marketing;
- the current owner of the business is now disqualified from acting as a director;
- despite providing superficial responses to the ICO's various correspondence, LTH failed to co-operate with the ICO's investigation, because: it tended to refer the ICO to the third party data providers for information, rather than taking steps to obtain it itself (particularly notable given that it was information which a company would reasonably be expected to be in possession of when engaging in direct marketing campaigns); an LTH failed to provide accurate call figures when asked to do so.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
• ICO. Information Commissioner's Office DATA PROTECTION ACT 1998 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER MONETARY PENAL TY NOTICE To: LTH Holdings Ltd Of: Unit G4 Capital Business Park, Parkway, Cardiff, United Kingdom CF3 2PY 1. The InformationCommissioner ("Commissioner") has decided to issue LTH Holdings Ltd ("LTH") with a monetary penalty under section SSA of the Data Protection Act 1998 ("DPA"). The penalty is being issued because of a serious contraventiof regulation 21 of the Privacy and Electronic Communications(EC Directive) Regulations 2003 ("PECR"). 2. This notice explainse Commissioner's decision. Legal framework 3. LTH, whose registered office is given above (Companies House Registration Number: 09571314) is the organisation stated in this notice to have used a public electronic communicatservice for the purpose of making unsolicited calls for the purposes of direct marketing contrary to regulation 21 of PECR. 4. Regulation 21 applies to the making of unsolicited calls for direct marketing purposes. It means that if a company wants to make calls 1 • ICO. Information Commissioner's Office promoting a product or service to an individual who has a telephone number which is registered with the Telephone Preference Service Ltd ("TPS"), then that individual must have given their consent to that company to receive such calls. 5. Regulation 21 paragraph (1) of PECRprovides that: "(1)A person shall neither use, nor instigate the use of, a public electronic communications service for the purposes of making unsolicited calls for direct marketing purposes where- (a) the called line is that of a subscriber who has previously notified the caller that such calls should not for the time being be made on that line; or (b) the number allocated to a subscriber in respect of the called line is one listed in the register kept under regulation 26." 6. Regulation 21 paragraphs (2), (3)(4) and (5) provide that: "(2) A subscriber shall not permit his line to be used in contravention of paragraph (1). (3) A person shall not be held to have contravened paragraph (1)(b) where the number allocated to the called line has been listed on the register for less than 28 days preceding that on which the call is made. (4) Where a subscriber who has caused a number allocated to a line of his to be listed in the register kept under regulation 26 has notified a caller that he does not, for the time being, object to such calls 2 • ICO. Information Commissioner's Office being made on that line by that caller, such calls may be made by that caller on that line, notwithstanthat the number allocated tothat line is listed in the said register. (5) Where a subscriber has given a caller notification pursuant to paragraph (4) in relation to a line of his- (a) the subscriber shall be free to withdraw that notification at any time, and (b) where such notification is withdrawn, the caller shall not make such calls on that line." 7. Under regulation 26 of PECR,the Commissioner is required to maintain a register of numbers allocated to subscribers who have notified them that they do not wish, for the time being, to receive unsolicited calls for direct marketing purposes on those lines. The TPS is a limited company which operates the register on the Commissioner's behalf. Businesses who wish to carry out direct marketing by telephone can subscribe to the TPS for a fee and receive from them monthly a list of numbers on that register. 8. Section 122(5) of the Data Protection Act 2018 ("DPA18") defines direct marketing as "the communication (by whatever means) of any advertising material which is directed to particular individuals". This definition also applies for the purposes of PECR(see regulation 2(2) PECRand paragraphs 430 & 432(6) to Schedule 19 of the DPA18). 9. Consent in PECRis defined, from 29 March 2019, by reference to the concept of consent in Regulation 2016/679 ("the GDPR"): regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Article 4(11) of the 3 • ICO. Information Commissioner's Office GDPR sets out the following definition: "'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". 10. Recital 32 of the GDPR materially states that "When the processing has multiple purposes, consent should be given for all of them". Recital 42 materially provides that "For consent to be informed, the data subject should be aware at least of the identity of the controllRecital 43 materially states that "Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case". 11. "Individual"is defined in regulation 2(1) of PECRas "a living individual and includes an unincorporated body of such individuals". 12. A "subscriber" is defined in regulation 2(1) of PECRas "a person who is a party to a contract with a provider of public electronic communications services for the supply of such services". 13. Section SSA of the DPA (as applied to PECRcases by Schedule 1 to PECR, as variously amended) states: "(1) The Commissioner may serve a person with a monetary penalty if the Commissioner is satisfied that - (a) there has been a serious contraventionof the requirements of the Privacy and Electronic Communications (EC Directive) Regulations003 by the person, (b) subsection (2) or (3) applies. (2) This subsection applies if the contraventiwas deliberate. 4 • ICO. Information Commissioner's Office (3) This subsection applies if the person - (a) knew or ought to have known that there was a risk that the contravention would occur, but (b) failed to take reasonable steps to prevent the contravention." 14. The Commissioner has issued statutory guidance under section SSC (1) of the DPA about the issuing of monetary penalties that has been published on the ICO's website. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must not exceed £500,000. 15. PECRwere enacted to protect the individual's fundamentalright to privacy in the electronic communicationsector. PECRwere subsequently amended and strengthened. The Commissioner will interpret PECRin a way which is consistent with the Regulations' overall aimof ensuring high levels of protection for individuals' privacy rights. 16. The provisions of the DPA remain in force for the purposes of PECR notwithstanding the introductioof the DPA18: see paragraph 58(1) of Schedule 20 to the DPA18. Background to the case 17. LTH are a telephone marketing company. They operate a multitude of calling campaigns, selling a variety of products under different trading names. 5 • ICO. InformationCommissioner's ffice 18. LTH came to the attention of the Commissioner due to a complaint received relating to funeral plans. A TPS-registered individual had received a call from 'Serenity Funeral Plans' which noted the rising cost of funeral plans. 19. The 'Serenity Funeral Plans' website is accompanied by a paragraph which explains that it is a trading name of LTH. 20. The Commissioner noted that a number of complaints had been received between 1 May 2019 and 11 May 2020 about calls relating to these funeral plans, and on 12 May 2020 she sent an initial investigation letter to LTH setting out her concerns and asking a number of questions regarding LTH's campaigns. Attached to this initial investigation letter was an appendix of the TPS/ICO complaints that had been received to date. 21. LTH's response provided, inter alia, details of the campaigns it had carried out, the source of data for those campaigns, the Calling Line Identifier("CLI"s) used for its calls, the scripts used by it as its various trading identities during the calls, and the connected call figures. 22. Itrecorded that 29 campaigns had been carried out using 19 Clls during the periods in question. The data used had been provided from various sources, chiefly (''-"), and - ("1111") (referred to hereafter collectively as the "third-padata providers"), which obtain data via multiple sources, i.e. online and paper catalogues, as well as 'internal sales/ internal data'. 23. In response to the Commissioner's request for evidence of consent for the complaints, LTH provided a spreadsheet which provided the name of the third-partdata provider from which the data had been 6 • ICO. Information Commissioner's Office obtained, and details of the individual's orders with those third-party data providers. LTH also provided an extract from the 'privacy statement' used by one of its third-partdata providers (specifically -) which advised individuals that their personal informatiowould be processed/retained for "certain legitimate Interest[sic]. 24. LTH confirmed that it does not screen the data that it relied upon for its direct marketing calls against the TPS register, with an explanation that "the clients provide the instructions on TPS records". 25. Further,in terms of the data that it purchased from third-partdata providers, in responseto the Commissioner's request for details of any contractual obligations and due diligence on the data, LTH responded simply saying: "Any purchased third party data provided by data suppliers is checked", however no additional information was given save for a later reference to an internal suppression list. 26. LTH provided some internal training documents, however there was nothing provided which specifically related to PECRtraining or guidance. 27. The Commissioner sent further enquiries to LTH on 15 June 2020, particularlrequesting copies of any existing contracts with third-party data suppliers, and further details about the consent that LTH relied on to make its direct marketing calls, together with any details of its due diligence. 28. On 26 June 2020 a response was provided however it notably failed to address the Commissioner's request for contracts. LTH did provide extracts from the Privacy Policies of the third-padata providers and sought to provide an explanation of its relationship with _, 7 • ICO. InformationCommissioner'sfice stating that it "conduct[scalling on behalf of - and sell[s] [its] own products that have been produced with_,. 29. LTH also provided an explanation for those calls made using 'internal data', describing this as "[c]ustomerwho have purchased one of the products sold with- or other partners and then opted in for other products that are available with other partners[ ...]". 30. In terms of its due diligenceLTH explained that the third-partydata provider will "only provide data from sources that have been contracted to be called".LTH explained that as a second check it would then check the data against a suppression list. 31. The Commissioner sent further queries to LTH on 30 June 2020 asking for,amongst other things, information about- and details about the sources from which - obtains the data which it subsequently provides to LTH. The Commissioner again asked for copies of applicable contracts with the third-pardata providers, and also requested further details about LTH's data purchasing and evidence for the further complaints which the Commissioner had since discovered from the Clls identified by LTH. 32. LTH responded on 7 July 2020 providing responses to the Commissioner's queries. Itidentified eleven catalogues which - would obtain data from which it would subsequently relay to LTH for its direct marketing campaigns. 33. In addition, a contract was provided between -and LTH dated 1 October 2019, explaining that LTH would provide telemarketing services for - and detailing the various campaigns to be undertaken by LTH using data provided by- The contract did not make any reference to PECR,or to data protection legislation at all. With regards to the request for evidence of consent for the additional 8 • ICO. Information Commissioner's Office complaints, LTH provided a spreadsheet listing the data source (_), with 'Product Purchase' in the 'Consent Type' column.LTH also provided details of how much data it had purchased from its third party data providers in 2020, and details of its Communications Service Provider ("CSP"). 34. The Commissioner went on to consider the opt-ins for each of the various sources used by LTH's third-partydata providers to obtain data. 35. LTH's first third-pardata provider,_, collects consent online at one of its two checkout pages. Its checkout page for individuals who wish to create an account gives individuals the option to opt-in to email marketing from _, and to opt-in to products/offerby post from third partiesIndividuals wishing to checkout as guests are given no options to opt-in to, or opt-out of, marketinRegardless of whether the individual checks out as a guest, or has an account, both checkout pages contain embedded text which advises individuals that: "We may also telephone you offering services like our Motor Club, Lotto, Gardening Club, Book Club, Supercard, Health Club and other leisure services that we very carefully select. We may also email you special offers and promotions.We work with other companies to understand what sort of products and services you might like so we can aim to contact you only about things you will be interested in.Individuals are not given the ability to agree to, or decline, this further advertising material at the point when they place an order with - and are required to log into an account to amend their details, which would not appear possible for individuals checking out as a 'guest'. 36. LTH's second third-partydata provider,_, collects consent through its eleven catalogues, which each have very similar consent statements: 9 • ICO. Information Commissioner's Office 37. 'offers just one pre-ticked box stating: "keep me up to date on news and exclusive offers", directly beneath a box where an individual would input their email contact informatiowhich states "For order confirmation"in brackets. The individual's telephone number is taken further down the form, but again this states: "For shipping updates" in brackets. There is no option for individuals to agree to direct marketing from third parties, to select which third parties, if any, they might wish to be contacted by, or to select the method by which they might consent to being contacted. 38. ,_, offers a series of opt-out boxes for contact methods for direct marketing from_, however under where it says: "Pass your contact data to other companies", there is only one box for "post". There is no option for individuals to agree to electronic direct marketing from third parties, to select which third parties, if any, they might wish to be contacted by, or to select the method by which they might consent to being contacted. 39. ' offers a series of opt-out boxes for contact methods for contact from , however its checkout later states that it would like to pass individuals' contact data to "other companies in the Charity, Financial, Travel and Mail Order sectors" for "details of their products, services, offers and competitionand there is only one box for "post".There is no option for individuals to agree to electronic direct marketing from third parties, to select which third parties, if any, they might wish to be contacted by, or to select the method by which they might consent to being contacted. 40. ' offers a seriesf opt-out boxes for contact methods for direct marketing from , however its checkout then states that 10 • ICO. Information Commissioner's Office pass individuals' contact data to "other companies in the Charity, Financial, Travel and Mail Order sectors" for "details of their products, services, offers and competitionsand there is only one opt-out box for "post". There is no option for individuals to agree to electronic direct marketing from third parties, to select which third parties, if any, they might wish to be contacted by, or to select the method by which they might consent to being contacted. 41. ' offers a seriof opt-out boxes for contact methods for direct marketing from , however its checkout then states that Personal Choice would like to pass individuals' contact data to "other companies in the Charity, Financial, Travel and Mail Order sectors" for "details of their products, services, offers and competitions" and there is only one opt-out box for "post"There is no option for individuals to agree to electronic direct marketing from third parties, to select which third parties, if any, they might wish to be contacted by, or to select the method by which they might consent to being contacted. 42. ,_, offers a series of opt-out boxes for contact methods for direct marketing from _, however its checkout then states that - would like to pass individuals' contact data to "other companies in the Charity, Financial, Travel and Mail Order sectors" for "details of their products, services, offers and competitionsand there is only one opt out box for "post".There is no option for individuals to agree to electronic direct marketing from third parties, to select which third parties, if any, they might wish to be contacted by, or to select the method by which they might consent to being contacted. 43. 'offers a series of opt-out boxes for contact methods for contact from , however its checkout then states that would like to pass individuals' 11 • ICO. Information Commissioner's Office contact data to "other companies in the Charity, Financial, Travel and Mail Order sectors" for "details of their products, services, offers and competitions"and there is only one opt-out box for "post"There is no option for individuals to agree to electronic direct marketing from third parties, to select which third parties, if any, they might wish to be contacted by, or to select the method by which they might consent to being contacted. 44. ,_, offers a series of opt-out boxes for contact methods for contact from _, however its checkout then states that - would like to pass individuals' contact data to "other companies in the Charity, Financial, Travel and Mail Order sectors" for "details of their products, services, offers and competitionand there is only one opt out box for "post".There is no option for individuals to agree to electronic direct marketing from third parties, to select which third parties, if any, they might wish to be contacted by, or to select the method by which they might consent to being contacted. 45. The Commissioner was unable to identify the three remaining catalogues from the information provided by LTH and so on 9 July 2020 sought further details from LTH regarding these, and regarding how many campaigns an individual whose data was obtained via - might expect to be called about. The Commissioner also asked LTH to provide evidence that the individuals who provide 'consent' to its third party data provider catalogues are indeed consenting to receive unsolicited direct marketing calls from LTH. 46. LTH responded on 17 July 2020 advising that in respect of the three remaining catalogues, the Commissioner "would need to get in contact with - to request the domain names". LTH confirmed that, regarding the data from_, it would call the individuals "on multiple campaigns as agreed with _,_ LTH also stated, 12 • ICO. Information Commissioner's Office regarding consent,that it "acts as a third party contractor for - and [calls]to sell clubs on their behalf." 47. LTH identified that data was also collected from the paper catalogue of _, and a copy of the whole catalogue page / privacy policy was requested by the Commissioner. 48. A screenshot was subsequently provided with the following 'privacy promise': "As customers or subscribers, we will send you our catalogues and information by post or email and may telephone offering services or products such as our Health Motor, Supercard or Gardening clubs. If you would prefer not to receive these communications let us know (see below) or simply unsubscribe from any of the communications you receive at the time. We would also like to pass your name and address to other companies in the Charity, Financial, Leisure, Travel and Mail Order Sector so they can contact you with details of their products, services, offers and competitions.You can opt-out at anytime by either calling our customer service line or by contacting us at ,, 49. On 7 August 2020 the Commissioner sought details of the call volumes for calls made by LTH from 1 May 2019 to 12 May 2020, together with details of any 'opt-ouscript read to individuals when ordering products from - via telephone. 50. LTH responded on 17 August 2020 explaining that it did not hold -telephone order script and that the Commissioner would need to contact - directly for thisLTH confirmed that between 1 May 2019 and 12 May 2020 it had made 1,542,069 direct marketing calls, of which 1,197,717 connected to an individual subscriber. 13 • ICO. Information Commissioner's Office 51. In order to establish the Call Dialler Records ("CDR"s) for the connected calls, and to establish the number of those calls which had been made to individuals who had been listed on the TPS register for not less than 28 days prior to receiving a call, the Commissioner sent a third-partyinformation notice to LTH's CSP. 52. From the response provided, it was established that there had in fact been 2,614,015 connected calls made from Clls attributed to LTH between 1 May 2019 and 12 May 2020. Of these connected calls, the Commissioner was able to identify that 1,414,519 were to individuals who had been registered with the TPS for not less than 28 days at the time they received the call. In reaching this figure the Commissioner has removed those calls for which there is evidence that they were not unsolicited. 53. The Commissioner understands that LTH would contact individuals whose data had been obtained by its third-partdata providers with a view to communicating further advertising material to them, and is therefore satisfied that all 1,414,519 unsolicited calls were made for the purposes of direct marketing as defined by section 122(5) of the Data Protection Act 2018. 54. The Commissioner has made the above findings of fact on the balance of probabilities. 55. The Commissioner has considered whether those facts constitute a contravention of regulation 21 of PECRby LTH and, if so, whether the conditions of section SSA DPA are satisfied. The contravention 14 • ICO. Information Commissioner's Office 56. The Commissioner finds that LTH contravened regulation 21 of PECR. 57. The Commissioner finds that the contravention was as follows: 58. Between 1 May 2019 and 12 May 2020, LTH used a public telecommunications service for the purposes of making 1,414,519 unsolicited calls for direct marketing purposes to subscribers where the number allocated to the subscriber in respect of the called line was a number listed on the register of numbers kept by the Commissioner in accordance with regulation 26, contrary to regulation 2l(l)(of PECR. 59. The Commissioner is also satisfied for the purposes of regulation 21 that these 1,414,519 unsolicited direct marketing calls were made to subscribers who had registered with the TPS at least 28 days prior to receiving the calls, and they had not given their prior consent to LTH to receive calls. These calls resulted in a total of 41 complaints over the period of contravention. 60. For consent to be valid it is required to be "freely given", by which it follows that if consent to marketing is a condition of subscribing to a service, the organisation will have to demonstrate how the consent can be saidto have been given freely. LTH have been unable to do this. For bothof LTH's third-partydata providers, the data of individuals who purchased a product from one of their sites was passed to LTH for use in further direct marketing campaigns, without those individuals being given a genuine choiceabout whether to consent to such marketing from LTH. 61. Consent is also requiredo be "specific" as to the type of marketing communication to be received, and the organisationor specific type of organisation, that will be sending it. The Commissioner is concerned, 15 • ICO. Information Commissioner's Office particularly in respect of the consents obtaine1111 that individuals were not able to select the method by which they might wish to receive direct marketing, or even from whom they may consent to receive it. 62. Consent will not be "informed"if individuals do not understand what they are consenting to. Organisations should therefore always ensure that the language used is clear, easy to understand, and not hidden away in a privacy policy or small prinConsent will not be valid if individuals are asked to agree to receive marketing from "similar organisations","partners","selected third parties" or other similar generic description. 63. LTH did not have valid consent, and nevertheless engaged in direct marketing to individuals who had been registered with the TPS for not less than 28 days. 64. The Commissioner has gone on to consider whether the conditions under section SSA DPA are met. Seriousness of the contravention 65. The Commissioner is satisfied that the contraventiidentified above was serious. This is because there have been multiple breaches of regulation 21 by LTH arising from the organisation's activities over a twelve-month period, and this led to 1,414,519 unsolicited direct marketing calls being made to subscribers who were registered with the TPS. These 1,414,519 unsolicited calls led to a total of 41 complaints being made over the period of contraventionwith 19 being made to the Commissioner, and 22 being made directly to TPS. 16 • ICO. Information Commissioner's Office 66. The Commissioner is therefore satisfied that condition (a) from section SSA (1) DPA is met. Deliberate or negligent contraventions 67. The Commissioner has considered whether the contravention identified above was deliberate. 68. The Commissioner does not consider that there is sufficient evidence to find that LTH deliberately set out to contravene PECRin this instance. 69. The Commissioner has gone on to consider whether the contravention identified above was negligent. This consideration compritwo elements: 70. Firstly, she has consideredether LTH knew or ought reasonably to have known that there was a risk that this contraventwould occur. This is not a high threshold, and she is satisfied that this condition is met. 71. The Commissioner has published detailed guidance for companies carrying out marketing explaining their legal requirements under PECR. This guidance explains the circumstances under which organisations are able to carry out marketing over the phone, by text, by email, by post or by fax. It states that live calls must not be made to subscribers who have told an organisation that they do not want to receive calls; or to any number registered with the TPS, unless the subscriber has specifically consented to receive calls. The Commissioner has also published detailed guidance on consentnder the GDPR. In case organisations remain unclear on their obligations, the ICO operates a telephone helpline. ICO communications about previous enforcement 17 • ICO. Information Commissioner's Office action where businesses have not complied with PECRare also readily available 72. Standard practiceof the TPS is to contact the organisation making the calls on each occasion a complaint is madeIt is therefore reasonable to believe that LTH would have received a notification from the TPS for each of the complaints being made in this case. That there were 22 complaints made to the TPS alone over the period of the contravention should have made LTH aware of the risk that such contraventions may occur and were indeed occurring. 73. Itis therefore reasonable to suppose that LTH should have been aware of its responsibilities in this area. 74. Secondly, the Commissioner has gone on to consider whether LTH failed to take reasonable steps to prevent the contraventioAgain, she is satisfied that this condition is met. 75. The Commissioner's direct marketing guidance makes clear that organisations utilising marketing lists from a third party must undertake rigorous checks to satisfy themselves that the personal data was obtained fairly and lawfully, that their details would be passed along for direct marketing to the specifically named organisation in the case of live calls, and that they have the necessary consenItis not acceptable to rely on assurances given by third party suppliers without undertaking proper due diligence. 76. LTH did not check any data against the TPS register, despite the Commissioner's clear direct marketing guidance [at paragraph 108] that: "[t]o comply with PECRorganisations should screen the list of numbers they intend to call against the TPS register". 18 • ICO. Information Commissioner's Office 77. LTH have been unable to produce any internal training documents to demonstrate any regard for lawful direct marketing practices, or indeed for compliance with PECR. 78. Furthermore, LTH have been unable to evidence the existence of any contractual terms between itself and_, and the Commissioner is not persuaded that the contract in place between LTH and_, which itself is dated 1 October 2019 (i.e. after the direct marketing campaigns had commenced), contained any provision for consideration of data protection legislation, or for the protection of individuals rights. 79. Indeed, it appears to the Commissioner that beyond checking data against its own suppression list, LTH failed to carry out any due diligence onthe data whatsoever prior to initiating its various campaigns. 80. Given the volume of calls and complaints, it is clear that LTH failed to take sufficient reasonable steps to prevent the contravention. 81. The Commissioner is therefore satisfied that condition (b) from section SSA (1) DPA is met. The Commissioner's decision to issue a monetary penalty 82. The Commissioner has taken into account the following aggravating features of this case: • The Commissioner is concerned that LTH's primary audience for its direct marketing appears to be older people, given the references to funeral plans within a number of the complaints, and the Commissioner's 19 • ICO. Information Commissioner's Office general understanding about the third-partydata providers' traditional customer bases; • The Commissioner also has consideration of online reports that LTH adopted aggressive, coercive, and persuasive methods in its direct marketing; • The Commissioner notes that the current owner of the business is now disqualified from acting as a director; • Despite providing superficial responses to the Commissioner's various correspondence, the Commissioner is satisfied that LTH failed to co operate with her investigation.This finding is based on LTH's tendency to refer the Commissioner to the third-party data providers for some information, rather than taking steps to obtain it itselfwhich is particularly notable given that it was information which a company would reasonably be expected to be in possession of when engaging in such direct marketing campaigns. Furthermore, LTH failed to provide accurate call figures when asked to do so. 83. For the reasons explained above, the Commissioner is satisfied that the conditions from section SSA (1) DPA have been met in this case. She is also satisfied that the procedural rights under section SSB have been complied with. 84. The latter has included the issuing of a Notice of Intent, in which the Commissioner set out her preliminary thinking. In reaching her final view, the Commissioner has taken into account the representations made by LTH on this matter. 20 • ICO. Information Commissioner's Office 85. The Commissioner is accordingly entitled to issue a monetary penalty in this case. 86. The Commissioner has considered whether, in the circumstances, she should exercise her discretion so as to issue a monetary penalty. 87. The Commissioner has attempted to consider the likely impact of a monetary penalty on LTH but has been unable to do so given the lack of recent publicly available informatioLTH was invited to provide financial representationin response to the Notice of Intent but failed to do so. The Commissioner considers in the circumstances that a penalty remains the appropriate course of action. 88. The Commissioner's underlying objective in imposing amonetary penalty notice is to promote compliance with PECR.The making of unsolicited direct marketing calls is a matter of significant public concern. A monetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance,on the part of all persons running businesses currently engaging in these practices. This is an opportunity to reinforce the need for businesses to ensure that they are only telephoning consumers who are not registered with the TPS and/or specifically consent to receive these calls. The amount of the penalty 89. Taking into account all of the above, the Commissioner has decided that a penalty in the sum of £145,000 (one hundred and forty-five thousand pounds) is reasonable and proportionategiven the particular facts of the case and the underlying objective in imposing the penalty. 21 • ICO. Information Commissioner's Office Conclusion 90. The monetary penalty must be paid to the Commissioner's office by BACS transfer or cheque by 6 July 2021 at the latest. The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government's general bank account at the Bank of England. 91. If the Commissioner receives full payment of the monetary penalty by 5 July 2021 the Commissioner will reduce the monetary penalty by 20% to £116,000 (one hundred and sixteen thousand pounds). However, you should be aware that the early payment discount is not available if you decide to exercise your right of appeal. 92. There is a right of appeal to the First-tier Tribunal (InfoRights) against: (a) the imposition of the monetary penalty and/or; (b) the amount of the penalty specified in the monetary penalty notice. 93. Any notice of appeal should be received by the Tribunal within 28 days of the date of this monetary penalty notice. 94. Information about appeals is set out in Annex 1. 95. The Commissioner will not take action to enforce a monetary penalty unless: 22 • ICO. Information Commissioner's Office • the period specified within the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid; • all relevant appeals against the monetary penalty notice and any variation of it have either been decided or withdandn; • the period for appealing against the monetary penalty and any variation of it has expired. 96. In England, Wales and Northern Ireland, the monetary penalty is recoverable byOrder of the County Court or the High Court. In Scotland, the monetary penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland. Dated the 3rdday of June 2021. Andy Curry Head of Investigations InformationCommissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 SAF 23 • ICO. Information Commissioner's Office ANNEX 1 SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 1. Section 55B(S) of the Data Protection Act 1998 gives any person upon whom a monetary penalty notice has been served a right of appeal to the First-tier Tribunal (InformRights) (the 'Tribunal') against the notice. 2. If you decide to appeal and if the Tribunal considers:- a) that the notice against which the appeal is brought is not in accordance with the law; or b) to the extent that the notice involved an exercise of discretion by the Commissioner, that she ought to have exercised her discretion differently, the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal. 3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address: General Regulatory Chamber HM Courts &Tribunals Service PO Box 9300 Leicester LEl 8DJ 24 • ICO. Information Commissioner's Office Telephone: 0300 123 4504 Email: grc@justice.gov.uk a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice. b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule. 4. The noticeof appeal should state:- a) your name and address/name and address of your representative(if any); b) an address where documents may be sent or delivered to you; c) the name and address of the Information Commissioner; d) details of the decision to which the proceedings relate; e) the result that you are seeking; f) the grounds on which you rely; g) you must provide with the notice of appeal a copy of the monetary penalty notice or variation notice; h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time 25 • ICO. Information Commissioner's Office and the reason why the notice of appeal was not provided in time. 5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose. 6. The statutory provisions concerning appeals to the First-tier Tribunal (InformatiRights) are contained in section 55B(S) of, and Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (StatutorInstrument 2009 No. 1976 (L.20)). 26