ICO - Rancom Security Limited

From GDPRhub
Revision as of 23:21, 29 January 2021 by Alex.tracks.privacy (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO |DPA_With_Country=ICO (UK) |Case_Number_Name=R...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ICO - Rancom Security Limited
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law:
Section 55A
Regulation 21
Type: Investigation
Outcome: Violation Found
Started:
Decided: 27.01.2021
Published:
Fine: 110000 GBP
Parties: Rancom Security Limited
National Case Number/Name: Rancom Security Limited
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ICO's Website (in EN)
Initial Contributor: alex.tracks.privacy

The Information Commissioner's Office (UK) has issued a fine to a security systems company that received 94 complaints because of unsolicited direct marketing calls violating the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR).

English Summary

Facts

Between 1 June 2017 and 31 May 2018, the ICO received 94 complaints about unsolicited direct marketing calls made by Rancom. Of those, 66 complaints were made to the TPS, with a further 28 made direct to the Commissioner. All of these complaints were made by individual subscribers who were registered with the TPS.

Dispute

On 3 July 2018, the Commissioner wrote to Rancom to explain that she could issue civil monetary penalties of up to £500,000 for PECR breaches. The letter informed Rancom that the Commissioner and the TPS had received complaints from individual subscribers in relation to unsolicited calls.

Rancom was asked a number of questions about its compliance with PECR. The Commissioner received a response from Rancom explaining that it purchased TPS screened data from third parties and also had acquired some data from other security companies it had taken over. They advised that no further due diligence or screening of the data was carried out. A contrary response was later provided to the Information Commissioner's Office indicating that they screen approximately 10% of the data they received against the TPS list.

The Commissioner found that there is no record of Rancom itself possessing or ever having possessed a TPS license. They explained that when a complaint was received that person's data would be removed immediately from their system.

Holding

The Commissioner has issued statutory guidance under section 55C (1) of the DPA about the issuing of monetary penalties that has been published on the ICO’s website. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must not exceed £500,000.

Comment

Here are two examples of the complaints received by the ICO which in a practical manner what should not occur:

“I was very annoyed that someone was targeting my mother with lies in the hope she would buy something from them. She told them the first time that she wasn't interested but they phoned twice more. She is anxious about them phoning again.”

“Promoting security service offer in 'my area'. When I mentioned that I was registered with the Telephone Preference Service, the lady told me that if I had registered for the 'free' service they were still allowed to call me. When I complained, she became aggressive and would not stop reading from what appeared to be a prepared script. I hung up.”

In the UK, you can register your number in the TPS (Telephone Preference Services Limited) which is a "blacklist" of telephone numbers that should not be contacted for direct marketing. The number of calls made to TPS registered individuals accounts for 66% of the total call volume, this shows a disregard for the legislation surrounding the making of marketing calls and suggests that Rancom made very little effort to screen the data they were using against the TPS.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                                                       •

                                                       ICO.
                                                       InformationCommissioner's ffice


                   DATA PROTECTION ACT 1998


   SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER


                   MONETARY PENALTY NOTICE



To:  Rancom Security Limited


Of:  Serenity House, 31 Gate Lane, Boldmere, Sutton Coldfield, West
     Midlands, B73 5TR



1.   The Information Commissioner (“Commissioner”)has decided to issue
     Rancom Security Limited (“Rancom”) with a monetary penalty under

     section 55A of the Data Protection Act 1998 (“DPA”). The penalty is
     being issued because of a serious contravention of regulation 21 of the

     Privacy and Electronic Communications (EC Directive) Regulations 2003
     (“PECR”).


2.   This notice explains the Commissioner’s decision.


     Legal framework


3.   Rancom, whose registered office is given above(companies house

     registration number:04673465), is the person stated in this notice to
     have used a public electronic communications service for the purpose

     of making unsolicited calls for the purposes of direct marketing
     contrary to regulation 21 of PECR.




                                1                                                            •

                                                           ICO.
                                                           InformationCommissioner's ffice
4.   Regulation 21 applies to the making of unsolicited calls for direct

     marketing purposes. It means that if a company wants to make calls
     promoting a product or service to an individual who has a telephone

     number which is registered with the Telephone Preference Service Ltd
     (“TPS”), then that individual must have given their consent to that

     company to receive such calls.


5.   Regulation 21 paragraph (1) of PECR provides that:


     “(1) A person shall neither use, nor instigate the use of, a public

     electronic communications service for the purposes of making
     unsolicited calls for direct marketing purposes where-


     (a)     the called line is that of a subscriber who has previously

             notified the caller that such calls should not for the time being
             be made on that line; or


     (b)     the number allocated to a subscriber in respect of the called

             line is one listed in the register kept under regulation 26.”


6.   Regulation 21 paragraphs (2), (3), (4) and (5) provide that:


    “(2) A subscriber shall not permit his line to be used in contravention

          of paragraph (1).


    (3)  A person shall not be held to have contravened paragraph (1)(b)
        where the number allocated to the called line has been listed on the

        register for less than 28 days preceding that on which the call is
        made.




                                   2                                                           •

                                                           ICO.
                                                           InformationCommissioner's ffice
    (4) Where a subscriber who has caused a number allocated to a line of

        his to be listed in the register kept under regulation 26 has notified
        a caller that he does not, for the time being, object to such calls

        being made on that line by that caller, such calls may be made by
        that caller on that line, notwithstanding that the number allocated

        to that line is listed in the said register.


     (5) Where a subscriber has given a caller notification pursuant to

        paragraph (4) in relation to a line of his —


     (a) the subscriber shall be free to withdraw that notification at any
        time, and

     (b) where such notification is withdrawn, the caller shall not make such
        calls on that line.”


7.   Under regulation 26 of PECR, the Commissioner is required to maintain

     a register of numbers allocated to subscribers who have notified them
     that they do not wish, for the time being, to receive unsolicited calls for

     direct marketing purposes on those lines. The Telephone Preference
     Service Limited (“TPS”) is a limited company which operates the

     register on the Commissioner’s behalf.Businesses who wish to carry
     out direct marketing by telephone can subscribe to the TPS for a fee

     and receive from them monthly a list of numbers on that register.


8.   Section 122(5) of the DPA18 defines direct marketing as “the

     communication (by whatever means) of any advertising material which
     is directed to particular individuals”. This definition also applies for the

     purposes of PECR (see regulation 2(2) PECR & Schedule 19 paragraph
     430 & 432(6) DPA18).




                                  3                                                          •

                                                          ICO.
                                                          InformationCommissioner's ffice
9.   Under section 55A (1) of the DPA (as amended by PECR 2011 and the

     Privacy and Electronic Communications (Amendment) Regulations
     2015) the Commissioner may serve a person with a monetary penalty

     notice if the Commissioner is satisfied that –


     “(a) there has been a serious contravention of the requirements of the
         Privacy and Electronic Communications (EC Directive) Regulations

         2003 by the person, and


     (b)  subsection (2) or (3) applies.


          (2)   This subsection applies if the contravention was deliberate.


          (3)   This subsection applies if the person –


               (a) knew or ought to have known that there was a risk that

               the contravention would occur, but


               (b) failed to take reasonable steps to prevent the
                   contravention.”


10.  The Commissioner has issued statutory guidance under section 55C (1)

     of the DPA about the issuing of monetary penalties that has been

     published on the ICO’s website. The Data Protection (Monetary
     Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe

     that the amount of any penalty determined by the Commissioner must
     not exceed £500,000.


11.  PECR implemented European legislation (Directive 2002/58/EC) aimed

     at the protection of the individual’s fundamental right to privacy in the
     electronic communications sector. PECR were amended for the purpose

                                  4                                                          •

                                                          ICO.
                                                          InformationCommissioner's ffice
     of giving effect to Directive 2009/136/EC which amended and

     strengthened the 2002 provisions. The Commissioner approaches the
     PECR regulations so as to give effect to the Directives.


12.  The provisions of the DPA remain in force for the purposes of PECR

     notwithstanding the introduction of the Data Protection Act 2018 (see
     paragraph 58(1) of Part 9, Schedule 20 of that Act).



      Background to the case


13.  Rancom is a security firm which provides fully monitored security
     systems for the home, as well as connected systems for fire, medical

     and police response.


14.  Between 1 June 2017 and 31 May 2018, the ICO received 94
     complaints about unsolicited direct marketing calls made by Rancom .

     Of those, 66 complaints were made to the TPS, with a further 28 made
     direct to the Commissioner. All of these complaints were made by

     individual subscribers who were registered with the TPS.

15.  The following are examples of the complaints received by the ICO:


       • “The caller asked for confirmation of my name and address,

         then proceeded to say that due to an increase in false home

         security alarms in my area the police no longer responded to
         them. Then he said somebody will be in my area to advise on

         'home security.”


       • “I was very annoyed that someone was targeting my mother
         with lies in the hope she would buy something from them.

         She told them the first time that she wasn't interested but

                                  5                                                            •

                                                           ICO.
                                                           InformationCommissioner's ffice
          they phoned twice more. She is anxious about them phoning

          again.”


       •  “Our phone is registered with TPS and is ex-directory, how

          did he get our phone number. He knew my wife's name and
          that he knew the street that we lived in. Also claiming that

          he was doing a security checkIt is of course very worrying
          that he had our details with out our permission. After looking

          the phone number it is very worrying that that this company
          is targeting older people.”



       •  “Promoting security service offer in 'my area'. When I
          mentioned that I was registered with the Telephone

          Preference Service, the lady told me that if I had registered
          for the 'free' service they were still allowed to call me. When I

          complained, she became aggressive and would not stop
          reading from what appeared to be a prepared script. I hung

          up.”

16.   On 3 July 2018, the Commissioner wrote to Rancom to explain that she

      could issue civil monetary penalties up to £500,000 for PECR breaches.

      The letter informed Rancom that the Commissioner and the TPS had
      received complaints from individual subscribers in relation to

      unsolicited calls. Rancom was asked a number of questions about its
      compliance with PECR.


17.   The Commissioner received a response from Rancom explaining that it

      purchased TPS screened data from third parties and also had acquired

      some data from other security companies it had taken over. They
      advised that no further due diligence or screening of the data was

      carried out. A contrary response was later providedto the

                                   6                                                          •

                                                          ICO.
                                                          InformationCommissioner's ffice
     Commissioner indicating that they screen approximately 10% of the

     data they received against the TPS list. The Commissioner found that
     there is no record of Rancom itself possessing or ever having

     possessed a TPS license. They explained that when a complaint was
     received that persons data would be removed immediately from their

     system.


18.  Rancom further explained in correspondence that the majority of the

     dialled numbers listed in the provided complaints were obtained from
     two different third party data providers. They reiterated that they

     believed that the numbers were TPS screened and provided standard
     form contracts and terms and conditions to that effect. These were

     found by the Commissioner to contain non liability clauses that state
     the data provided may not be accurate, and neither of the contracts

     were signed or data. Rancom explained that it could not confirm the
     specific sources of the data as the data had been deleted by two

     former employees when they left in July 2017.


19.  Despite repeated requests from the Commissioner, Rancom were
     unable to confirm how many of their outb ound calls made during the

     contravention period were made for marketing purposes.They
     indicated that this was because a number of organisations used their

     telephone system. These organisations were based in the same

     building and with whom they had a commercial arrangement where
     they were permitted to use the lines in exchange for contributions

     towards the telephony costs. It revealed that ‘some’ marketing staff
     made calls on behalf of various companies from the same number . As

     Rancom did not keep, or no longer had access to, records on these
     calls, the number attributable to marketing was therefore unable to be

     determined.


                                  7                                                             •

                                                            ICO.
                                                            InformationCommissioner's ffice

20.   In later representations provided to the Commissioner(see para 50
      below), Rancom disputed that the calls at the heart of th is

      contravention were made for direct marketing purposes, instead
      stating that these were ‘market research’ calls made at a time when

      Rancom was considering a change of business model utilising private

      security responders. Rancom provided the Commissioner with no
      material evidence supporting the existence of a research project, other

      than a script apparently used in those calls. Rancom also stated that it

      made calls for other general business purposes such as calls to
      nominated keyholders and relatives. Rancom has not however been

      able to provide any evidence as to how many calls were made for
      these purposes.



21.   The Commissioner has considered the narrative of complaints, and
      remains unconvinced that the calls leading to those complaints were

      not for direct marketing purposes. The definition of direct marketing
      (see para 8 above) covers all advertising or promotional material. If a

      survey includes any promotional material or collects details to use in

      future marketing campaigns, the survey is for direct marketing
      purposes and the rules apply. Furthermore, the Commissioner’s Direct

      Marketing Guidance: states that “if an organisation claims it is simply
      conducting a survey when its real purpose (or one of its purposes) is to

      sell goods or services, generate leads, or collect data for marketing

      purposes, it will be breaching the DPA when it processes the data. It
      might also be in breach of PECR if it has called a number registered

      with the TPS, sent a text or email without consent, or instigated

      someone else to do so.” Whilst Rancom say they were conducting
      market research (which the Commissioner does not accept), the

_____________________________________________________________
      https://ico.org.uk/media/for-organisations/documents/1555/direc-marketing-
      guidance.pdf


                                   8                                                         •

                                                         ICO.
                                                         InformationCommissioner's ffice





     Commissioner’s view, following her own guidance and evidenced by

     complaints, which referenced offers of security checks and advice, is
     that those calls also included marketing or promotional material, and

     as such the rules apply.


22.  The Commissioner’s investigation revealed that at least 1 outbound CLI
     was being used to make unsolicited marketing calls. Call dialler records

     obtained for this number show that a total of 851,392 calls were made
     by Rancom within the period of 1 June 2017 to 31 May 2018. This list

     was filtered to establish the number of calls m ade to numbers which
     were registered with the TPS at least 28 days before receiving a call to

     show that there were 565,344 such calls made.


23.  The Commissioner has made the above findings of fact on the
     balance of probabilities.


24.  The Commissioner has considered whether those facts constitute a

     contravention of regulation 21 of PECR by Rancom and, if so, whether
     the conditions of section 55A DPA are satisfied.


     The contravention


25.  The Commissioner finds that Rancom contravened regulation 21 of

     PECR.


26.  The Commissioner finds that the contravention was as follows:



                                 9                                                          •

                                                          ICO.
                                                          InformationCommissioner's ffice
27.  Between 1 June 2017 and 31 May 2018, Rancom used a public

     telecommunications service for the purpose of making 94 unsolicited

     calls for direct marketing purposes to subscribers where the number
     allocated to the subscriber in respect of the line called was a number

     listed on the register of numbers kept by the Commissioner in
     accordance with regulation 26, contrary to regulation 21(1)(b) of

     PECR; and


28.  The Commissioner is also satisfied for the purposes of regulation 21
     that these calls were made to subscribers who had registered with the

     TPS at least 28 days prior to receiving the calls and had not given their

     prior consent to Rancom to receive calls.


29.  The Commissioner has gone on to consider whether the conditions
     under section 55A DPA are met.


     Seriousness of the contravention


30.  The Commissioner is satisfied that the contravention identified

     above was serious. This is because there have been multiple breaches

     of regulation 21 by Rancom’s activities over a 12 month period, and
     this led to a significant number of complaints about unsolicited direct

     marketing calls to the TPS and the Commissioner.


31.  In addition, it is reasonable to suppose that the contravention could
     have been far higher because those who went to the trouble to

     complain represent only a proportion of those who actually received
     calls.



32.  The Commissioner is therefore satisfied that condition (a) from
     section 55A (1) DPA is met.

                                  10                                                          •

                                                          ICO.
                                                          InformationCommissioner's ffice


     Deliberate or negligent contraventions


33.  The Commissioner has considered whether the contravention identified
     above was deliberate. In the Commissioner’s view, this means that

     Rancom’s actions which constituted that contravention were deliberate
     actions (even if Rancom did not actually intend thereby to contravene

     PECR).


34.  The Commissioner considers that in this case Rancom did not

     deliberately contravene regulation 21 of PECR in that sense.


35.  The Commissioner has gone on to consider whether the contravention
     identified above was negligent.


36.  First, she has considered whether Rancom knew or ought reasonably to

     have known that there was a risk that this contravention would occur.
     She is satisfied that this condition is met, given that Rancom relied

     heavily on direct marketing due to the nature of its business, and the
     fact that the issue of unsolicited calls has been widely publicised by the

     media as being a problem. In its representations to the Commissioner,
     Rancom stated that it no longer conducts direct marketing, instead

     focussing upon maintaining its existing database, however the

     Commissioner remains satisfied that Rancom was reliant upon direct
     marketing, at the very least prior to changing its business model , and

     as such should have been aware of the risk of contraventions of this
     type.


37.  Rancom, previously named Direct Response Security Systems Limited,

     had been subject to an Enforcement Notice issued by the
     Commissioner in 2010. This also related to Regulation 21 of PECR and

                                  11                                                          •

                                                          ICO.
                                                          InformationCommissioner's ffice
     outlined steps it was to incorporate with regards to how it used data for

     marketing purposes, including the need to screen against the TPS. The
     current directors of Rancom were in place at the time of the

     Commissioner’s previous enforcement action. It is therefore reasonable
     to assume that Rancom were aware of the requirements of PECR and

     should have had appropriate measures in place to ensure compliance.
     They were also aware of the consequences of not doing so.



38.  Each time a complaint is made to the TPS, the TPS inform the company
     complained about. Rancom would therefore have been aware that

     complaints were being made by TPS subscribers which should have
     prompted them to take steps to investigate the reasons for this and to

     address any deficiencies in their practices.

39.  The number of calls made to TPS registered individuals accounts for

     66% of the total call volume, this shows a disregard for the legislation
     surrounding the making of marketing calls and suggests that Rancom

     made very little effort to screen the data they were using against the
     TPS.


40.  The Commissioner has also published detailed guidance for companies

     carrying out marketing explaining their legal requirements under PECR.
     This guidance explains the circumstances under which organisations

     are able to carry out marketing over the phone,by text, by email, by

     post or by fax. Specifically, it states that live calls must not be made to
     subscribers who have told an organisation that they do not want to

     receive calls; or to any number registered with the TPS, unless the
     subscriber has specifically consented to receive calls.






                                  12                                                           •

                                                           ICO.
                                                           InformationCommissioner's ffice
41.  Finally, the Commissioner has gone on to consider whether Rancom

     failed to take reasonable steps to prevent the contravention. Again, she

     is satisfied that this condition is met.


42.  Reasonable steps in these circumstances would have included ensuring
     that Rancom could evidence consents relied upon to make marketing

     calls and screening the data against the TPS register. Rancom stated in
     representations to the Commissioner that it screened 10% of its leads

     against the TPS database, however there is no evidence that Rancom
     had purchased a TPS licence, and any such screening was clearly

     inadequate. Rancom also claimed to operate an internal suppression

     list, however complaints alluded to multiple calls to the same number
     despite suppression requests, and therefore any such system was

     ineffective. Contracts being in place with its third party data suppliers
     does not absolve Rancom of their own responsibilities to ensure that

     the data they use is complaint. Whilst they relied on these contracts
     they contained non liability clauses and neither were signed and dated.


43.  In addition, Rancom has allowed other organisations to use its lines. It
     kept no record of how many calls were made by these other

     organisations. This shows poor business practice and is suggestive of a

     cavalier approach to PECR. This further suggests that they failed to
     take reasonable steps to prevent the contravention.


44.  The Commissioner is therefore satisfied that Rancom failed to take
     reasonable steps to prevent the contravention.


45.  The Commissioner is therefore satisfied that condition (b) from section

     55A (1) DPA is met.



 The Commissioner’s decision to impose a penalty

                                  13                                                            •

                                                           ICO.
                                                           InformationCommissioner's ffice


46.  The Commissioner has taken into account the following
     aggravating features of this case:


        •  Complainants to both the Commissioner and the TPS referred to

           the aggressive and misleading nature of the calls with some
           indicating that they have received multiple calls.



        •  There has been deliberate action for financial or personal gain.
           The business was generating leads via marketing calls in order to

           create profit;

        •  Advice and guidance has been ignored or not acted upon. This is

           published on the Commissioner’s website and is available via its
           advice services.


        •  Rancom’s directors have been subject to a previous investigation
           by the Commissioner for contraventions of Regulation 21 of PECR

           which had resulted in an enforcement notice being issued in
           2010. They therefore should have been especially aware of the

           necessity to the comply with the Regulations .



47.  The Commissioner has also taken into account the following

     mitigating features of this case:


        •  Rancom stated that they have stopped making marketing calls
           and have only retained their database of existing customers. The

           Commissioner has not identified any further complaints that can
           be attributed to this company since the 1 January 2019 which

           may be indicative that the company’s activities are now


                                  14                                                           •

                                                           ICO.
                                                           InformationCommissioner's ffice
           compliant. For this reason the Commissioner has decided not to

           also issue Rancom with an Enforcement Notice.


48.  For the reasons explained above, the Commissioner is satisfied that the

     conditions from section 55A(1) DPA have been met in this case. She is
     also satisfied that the procedural rights under section 55B have been

     complied with.


49.  The latter has included the issuing of a Notice of Intent dated 12
     October 2020, in which the Commissioner set out her preliminary

     thinking.


50.  In reaching her final decision the Commissioner has considered

     representations received from Rancom dated 20 and 27 November
     2020. Nothing in Rancom’s representations has persuaded the

     Commissioner to alter her view as previously expressed in the Notice of
     Intent.


51.  The Commissioner is accordingly entitled to issue a monetary penalty

     in this case.


52.  The Commissioner has considered whether, in the circumstances, she

     should exercise her discretion so as to issue a monetary penalty.


53.  The Commissioner’s underlying objective in imposing a monetary
     penalty notice is to promote compliance with PECR. The making of

     unsolicited direct marketing calls is a matter of significant public
     concern. A monetary penalty in this case should act as a general

     encouragement towards compliance with the law, or at least as a

     deterrent against non-compliance, on the part of all persons running
     businesses currently engaging in these practices. This is an opportunity

                                  15                                                        •

                                                        ICO.
                                                        InformationCommissioner's ffice
     to reinforce the need for businesses to ensure that they are only

     telephoning consumers who want to receive these calls.


54.  In this case the Commissioner considers that a monetary penalty is an
     appropriate and proportionate response to the finding of a serious

     contravention by Rancom.


     The amount of the penalty


55.  Taking into account all of the above, the Commissioner has decided
     that a penalty in the sum of £110,000 (One hundred and ten

     thousand pounds) is reasonable and proportionate given the
     particular facts of the case and the underlying objective in imposing the

     penalty.


     Conclusion


56.  The monetary penalty must be paid to the Commissioner’s office by
     BACS transfer or cheque by 25 February 2021 at the latest. The

     monetary penalty is not kept by the Commissioner but will be paid into
     the Consolidated Fund which is the Government’s general bank account

     at the Bank of England.


57. If the Commissioner receives full payment of the monetary penalty by 24
    February 2021 the Commissioner will reduce the monetary penalty by

    20% to £88 ,000 (Eighty eight thousand pounds). However, you
    should be aware that the early payment discount is not available if you

    decide to exercise your right of appeal.





                                16                                                           •

                                                           ICO.
                                                           InformationCommissioner's ffice
58.  There is a right of appeal to the First-tier Tribunal (Information Rights)

      against:


      a)   the imposition of the monetary penalty

          and/or;


      b)  the amount of the penalty specified in the monetary penalty
          notice.


59.  Any notice of appeal should be received by the Tribunal within 28 days
     of the date of this monetary penalty notice.


60.  Information about appeals is set out in Annex 1.


61.  The Commissioner will not take action to enforce a monetary penalty
        unless:


   • the period specified within the notice within which a monetary penalty
     must be paid has expired and all or any of the monetary penalty has

     not been paid;


   • all relevant appeals against the monetary penalty notice and any
     variation of it have either been decided or withdrawn; and


   • the period for appealing against the monetary penalty and any
     variation of it has expired.


62.  In England, Wales and Northern Ireland, the monetary penalty is

     recoverable by Order of the County Court or the High Court. In
     Scotland, the monetary penalty can be enforced in the same manner

      as an extract registered decree arbitral bearing a warrant for execution
      issued by the sheriff court of any sheriffdom in Scotland.



                                  17                                               •

                                               ICO.
                                               InformationCommissioner's ffice
Dated the 25th day of January 2021


Head of Investigations
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AFe






























                           18                                                          •

                                                         ICO.
                                                         InformationCommissioner's ffice
ANNEX 1


SECTION 55 A-E OF THE DATA PROTECTION ACT 1998


RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER


1.   Section 48 of the Data Protection Act 1998 gives any person upon
whom a monetary penalty notice or variation notice has been served a right

of appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)
against the notice.

2.   If you decide to appeal and if the Tribunal considers:-


a)   that the notice against which the appeal is brought is not in accordance
with the law; or

b)   to the extent that the notice involved an exercise of discretion by the
Commissioner, that she ought to have exercised her discretion differently,


the Tribunal will allow the appeal or substitute such other decision as could
have been made by the Commissioner. In any other case the Tribunal will
dismiss the appeal.


3.   You may bring an appeal by serving a notice of appeal on the Tribunal
at the following address:


           GRC & GRP Tribunals

           PO Box 9300
           Arnhem House
           31 Waterloo Way
           Leicester
           LE1 8DJ


a)   The notice of appeal should be sent so it is received by the Tribunal
within 28 days of the date of the notice.

b)   If your notice of appeal is late the Tribunal will not admit it unless the
Tribunal has extended the time for complying with this rule.

                                 19                                                           •

                                                          ICO.
                                                          InformationCommissioner's ffice


4.   The notice of appeal should state:-

     a)   your name and address/name and address of your representative
     (if any);


     b)   an address where documents may be sent or delivered to you;

     c)   the name and address of the Information Commissioner;

     d)   details of the decision to which the proceedings relate;


     e)   the result that you are seeking;

     f)   the grounds on which you rely;


     g)   you must provide with the notice of appeal a copy of the
     monetary penalty notice or variation notice;

     h)   if you have exceeded the time limit mentioned above the notice
     of appeal must include a request for an extension of time and the
     reason why the notice of appeal was not provided in time.


5.   Before deciding whether or not to appeal you may wish to consult your
solicitor or another adviser. At the hearing of an appeal a party may conduct
his case himself or may be represented by any person whom he may
appoint for that purpose.


6.   The statutory provisions concerning appeals to the First- tier Tribunal
(Information Rights) are contained in sections 48 and 49 of, and Schedule 6
to, the Data Protection Act 1998, and Tribunal Procedure (Firsttier Tribunal)
(General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No.

1976 (L.20)).









                                 20