ICO (UK) - Yes Consumer Solutions Ltd
ICO (UK) - Yes Consumer Solutions Ltd | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 4(11) GDPR Regulation 21 PECR Regulation 26 PECR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 02.08.2021 |
Fine: | 170000 EUR |
Parties: | Yes Consumer Solutions Ltd |
National Case Number/Name: | Yes Consumer Solutions Ltd |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | Information Commissioner's Office (in EN) |
Initial Contributor: | n/a |
The UK DPA fined a controller €200,000 (£170,000) for contacting almost 200,000 individuals who had registered their intent not to receive marketing calls with the Telephone Preference Service ("TPS"). In particular, the controller had failed to check datasets purchased from 11 third-party data providers against the TPS.
English Summary
Facts
The UK DPA ('Information Commissioner's Office', or 'ICO') began investigating Yes Consumer Solutions Limited ('YCSL') after receiving 13 complaints.
YCSL sell nuisance call blocking systems. It purchases individuals' data indirectly via third parties, which it uses to engage in direct marketing calls.
The ICO investigation revealed that between 29 October 2018 and 29 October 2019, YCSL made 188,493 unsolicited direct marketing calls to customers not registered with the Telephone Preference Service ("TPS"). Regulation 21 of PECR, which implements the e-Privacy Directive in the UK, establishes that companies cannot contact individuals for direct marketing purposes who have registered their intent not to receive such calls with the TPS, where users have been on the list for longer than 28 days.
YCSL admitted to not having screened a dataset which it purchased from Yes Media Solutions Limited against the TPS. It claimed that the 188,493 direct marketing calls were only made to individuals whose data was contained within this dataset.
YCSL also obtained the records of 210,472 individuals between 29 October 2018 and 29 October 2019 from ten third party data providers. After reviewing the privacy policies of these providers, the ICO's investigation concluded that it was not possible for an individual to give valid consent via these sites to be contacted by YCSL for direct marketing purposes.
Holding
The ICO found that LTH contravened Regulation 21 of PECR, and issued a £170,000 fine.
The ICO stated that the conditions for the imposition of a monetary penalty, under section 55A of the UK's Data Protection Act, were met.
Firstly, the contravention was 'sufficiently serious' since a substantial number of calls were made over a 12 month period. Moreover, although YCSL had claimed that the unsolicited marketing calls were only made to individuals in the dataset it obtained from Yes Media Solutions, it had not provided the ICO with any evidence that marketing calls were not also made to individuals whose data was provided by the ten other third party data providers.
The contravention was also deemed to be 'deliberate.' This is because YCSL's sole director is known to the ICO, with one of his previous companies having been subject to an investigation for suspected unlawful direct marketing. Despite these prior interactions, YCSL appears to have been content to be wholly reliant on indirect consent, and conducted minimal due diligence on the data that it purchased.
The ICO accounted for a number of aggravating features when assessing the fine amount, including the fact that YCSL's responses lacked sufficient content to assist the investigation, as it maintained incomplete records, poor audit trails, and was unable to provide satisfactory responses regarding data obtained from third-party data providers.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.