ICO (UK) - Papa John's (GB) Limited
ICO (UK) - Papa John's (GB) Limited | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003; Regulation 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 14.06.2021 |
Published: | 15.06.2021 |
Fine: | 10000 GBP |
Parties: | Papa John's (GB) Limited |
National Case Number/Name: | Papa John's (GB) Limited |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | Information Commissioner's Office (in EN) |
Initial Contributor: | n/a |
The UK DPA (ICO) imposed a fine of €11600 on Papa John's (GB) Limited for sending unsolicited direct marketing messages to 168,022 individuals in breach of Regulation 22 PECR.
English Summary
Facts
Papa John's, the pizza company, was the subject of various complaints to the Information Commissioner's Office (ICO). The ICO therefore initiated an investigation into Papa John's direct marketing practices.
Papa John's responded by providing details on the number of marketing messages sent between October 2019 and April 2020. It outlined that it relied on a soft opt-in to send these messages to customers that had directly provided their data by filling out an order form. It was estimated that 168,022 text messages were received by individuals on that basis.
However, the initial form filled in by individuals who ordered from Papa John's did not provide an option to opt out of receiving direct marketing messages.
Dispute
Is there a breach of regulation 22 PECR if individuals whose information is collected by an organisation are not provided the option to opt out from direct marketing and are subsequently sent direct marketing?
Holding
The Information Commissioner's Office (ICO) held that Papa John's was in contravention of regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR). Papa John's sent 168,022 direct marketing messages without valid consent.
Papa John's gathered details from individuals that ordered from their sales channels. It then attempted to rely on the soft opt-in exemption under regulation 22(3) PECR. The exemption enables organisations to send marketing texts to individuals whose details they have gathered "in the course or negotiation of a sale and in respect of similar products and services." However, the organisation must give individuals the opportunity to opt-out of direct marketing when gathering their details in the first place. As Papa John's failed to do this, the ICO deemed it in breach of regulation 22(3)(c) PECR.
The contravention is regarded as particularly serious in light of the quantity of messages sent without valid consent. The ICO also considered that the direct marketing was negligent because Papa John's knew, or ought reasonably to have known, that there was a risk of contravention of PECR and because Papa John's failed to take reasonable steps to prevent contravention.
Therefore, the ICO imposed a fine of €11600 on Papa John's (GB) Limited. This amount can be reduced by 20% if Papa John's pays the fine within a month of the decision.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
DATA PROTECTION ACT 1998
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER
MONETARY PENALTY NOTICE
To: Papa John’s (GB) Limited
Of: Papa John’s UK & European Campus, 11 Northfield Drive, Northfield, Milton Keynes, MK15 0DQ
1. The Information Commissioner (“the Commissioner”) has decided to issue Papa John’s (GB) Limited (“Papa John’s”) with a monetary penalty under section 55A of the Data Protection Act 1998 (“DPA”). The penalty is in relation to a serious contravention of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).
2. This notice explains the Commissioner’s decision.
Legal framework
3. Papa John’s, whose registered office is given above (Companies House Registration Number: 02569801) is the organisation stated in this notice to have transmitted unsolicited communications by means of electronic mail to individual subscribers for the purposes of direct marketing contrary to regulation 22 of PECR.
4. Regulation 22 of PECR states:
“(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.
(2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—
(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;
(b) the direct marketing is in respect of that person’s similar products and services only; and
(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.
(4) A subscriber shall not permit his line to be used in contravention of paragraph (2).”
5. Section 122(5) of the Data Protection Act 2018 (“DPA18”) defines direct marketing as “the communication (by whatever means) of any advertising material which is directed to particular individuals”. This definition also applies for the purposes of PECR (see regulation 2(2) PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18).
6. Consent in PECR is now defined, from 29 March 2019, by reference to the concept of consent in Regulation 2016/679 (“the GDPR”): regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Article 4(11) of the GDPR sets out the following definition: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
7. “Individual” is defined in regulation 2(1) of PECR as “a living individual and includes an unincorporated body of such individuals”.
8. A “subscriber” is defined in regulation 2(1) of PECR as “a person who is a party to a contract with a provider of public electronic communications services for the supply of such services”.
9. “Electronic mail” is defined in regulation 2(1) of PECR as “any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”.
10. The term "soft opt-in" is used to describe the rule set out in Regulation 22(3) of PECR. In essence, an organisation may be able to e-mail or message its existing customers even if they haven't specifically consented to electronic mail. The soft opt-in rule can only be relied upon by the organisation that collected the contact details.
11. Section 55A of the DPA (as applied to PECR cases by Schedule 1 to PECR, as variously amended) states:
“(1) The Commissioner may serve a person with a monetary penalty if the Commissioner is satisfied that –
(a) there has been a serious contravention of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 by the person,
(b) subsection (2) or (3) applies.
(2) This subsection applies if the contravention was deliberate.
(3) This subsection applies if the person –
(a) knew or ought to have known that there was a risk that the contravention would occur, but
(b) failed to take reasonable steps to prevent the contravention.”
12. The Commissioner has issued statutory guidance under section 55C (1) of the DPA about the issuing of monetary penalties that has been published on the ICO’s website. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must not exceed £500,000.
13. PECR implements Directive 2002/58/EC, and Directive 2009/136/EC which amended the earlier Directive. Both the Directive and PECR are “designed to protect the privacy of electronic communications users”: Leave.EU & Eldon Insurance Services v Information Commissioner [2021] UKUT 26 (AAC) at paragraph 26. The Commissioner seeks to interpret and apply PECR in a manner consistent with the purpose of the Directive and PECR of ensuring a high level of protection of the privacy of individuals, and in particular the protections provided from receiving unsolicited direct marketing communications which the individual has not consented to receive.
14. The provisions of the DPA remain in force for the purposes of PECR notwithstanding the introduction of the DPA18: see paragraph 58(1) of Schedule 20 to the DPA18.
Background to the case
15. Papa John’s is a pizza company offering both delivery and take-out service. It first came to the attention of the Commissioner following a number of complaints being received.
16. An initial investigation letter was sent to Papa John’s on 21 May 2020 raising some preliminary concerns with its PECR compliance and providing details of the complaints received. The correspondence also requested information about the volume of messages sent to subscribers, the sources of data for the recipients of those messages and any evidence of consent it relied upon to send marketing messages. Papa John’s were warned that the Commissioner could issue civil monetary penalties of up to £500,000 for PECR breaches.
17. In its response of 26 June 2020, Papa John’s provided the total number of marketing messages sent between 1 October 2019 and 30 April 2020. It explained that it only obtains data from its own customers where orders are placed directly with the company. It advised that it does not obtain data from any other third-party sources.
18. Papa John’s informed the Commissioner that it relied on the soft opt in and provided examples of its online consent statements. It also provided evidence to show that unsubscribe options are given in every e-mail and text message sent.
19. In its correspondence Papa John’s advised that following an internal review of the complaints received by the Commissioner, there were a number where the soft opt in was not available and a text message should not have been sent to the customer. It revealed that the individuals who had received these messages had placed an order over the telephone but were not presented with an option to opt out of receiving marketing messages. It explained that their privacy notice was displayed in stores, and online, and individuals could access the marketing preference centre on its website. It had suspended marketing to individuals who have placed an order over the telephone pending the outcome of the Commissioner’s enquiries. Further evidence was provided to show opt out messages and screenshots of online accounts showing individuals can unsubscribe.
20. The Commissioner subsequently requested the total volume of messages sent to individuals where their data was obtained over the telephone during the relevant period. This was provided although Papa John’s were unable to confirm, of the 210,028 marketing messages sent, how many had been received by individuals. However, based on its success rate on delivery, it advised 168,022 text messages were received by individuals.
21. The Commissioner has made the above findings of fact on the balance of probabilities.
22. The Commissioner has considered whether those facts constitute a contravention of regulation 22 of PECR by Papa John’s and, if so, whether the conditions of section 55A DPA are satisfied.
The contravention
23. The Commissioner finds that Papa John’s contravened regulation 22 of PECR.
24. The Commissioner finds that the contravention was as follows:
25. The Commissioner finds that between 1 October 2019 to 30 April 2020 there were 168,022 direct marketing messages received by subscribers. The Commissioner finds that Papa John’s transmitted the direct marketing messages sent, contrary to regulation 22 of PECR.
26. Papa John’s, as the sender of the direct marketing, is required to ensure that it is acting in compliance with the requirements of regulation 22 of PECR, and to ensure that valid consent to send those messages had been acquired.
27. Papa John’s collected information for marketing purposes through customers who order directly via sales channels in its direct control including its website, app and in store. It relies on the ‘soft opt-in’ exemption provided by Regulation 22(3) PECR. This exemption means that organisations can send marketing messages by text and e-mail to individuals whose details had been obtained in the course or negotiation of a sale and in respect of similar products and services. The organisation must also give the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.
28. Papa John’s informed the Commissioner that for those customers ordering over the telephone its privacy notice is made available in store and on its website. It is the Commissioner’s view that those individuals would not reasonably expect to receive marketing. As a result, 15 complaints were received regarding text messages sent by Papa John’s during the contravention period in respect of those customers.
29. In this instance Papa John’s have been unable to evidence consent. From the evidence provided it is clear that the individuals had not, at the point their data was collected, been given a simple means of refusing the use of their contact details for direct marketing; accordingly, Papa John’s direct marketing messages failed to meet the criteria of Regulation 22(3)(c) PECR.
30. The Commissioner is therefore satisfied from the evidence she has seen that Papa John’s did not have the necessary valid consent for the 168,022 direct marketing messages received by subscribers.
31. The Commissioner has gone on to consider whether the conditions under section 55A DPA are met.
Seriousness of the contravention
32. The Commissioner is satisfied that the contravention identified above was serious. This is because between 1 October 2019 and 30 April 2020 a confirmed total of 168,022 direct marketing messages were sent by Papa John’s. These messages contained direct marketing material for which subscribers had not provided adequate consent.
33. The rules for electronic marketing are clear in that organisations must present individuals with an opportunity to opt out of marketing at the time that their details are collected. Whilst Papa John’s does have consent for the majority of marketing messages it sends, it does not have consent to send marketing messages to individuals who have placed an order over the telephone for delivery. It is unable to rely on the soft opt in because those subscribers had not been given a simple means of refusing the use of their contact details for direct marketing.
34. Papa John’s instead sought to rely upon the assumption that an individual could review its privacy notice, in store or on its website, and online marketing preference centre. This assumption is unfair as it puts the responsibility back on to the individual rather than on to the company. Customers may not have visited the company app or website to locate the branch telephone number when placing their order, these being widely available via online search engines. They may also not have visited a store to collect their order. Further, any information about any marketing communications should be provided to individuals rather than them having to seek it out for themselves. All individuals should be given the same choice in respect of these communications, regardless of how they choose to place an order with Papa John’s.
35. The Commissioner is therefore satisfied that condition (a) from section 55A(1) DPA is met.
Deliberate or negligent contraventions
36. The Commissioner has considered whether the contravention identified above was deliberate. In the Commissioner’s view, this means that Papa John’s actions which constituted that contravention were deliberate actions (even if Papa John’s did not actually intend thereby to contravene PECR).
37. The Commissioner does not consider that Papa John’s deliberately set out to contravene PECR in this instance.
38. The Commissioner has gone on to consider whether the contravention identified above was negligent. This consideration comprises two elements:
39. Firstly, she has considered whether Papa John’s knew or ought reasonably to have known that there was a risk that these contraventions would occur. She is satisfied that this condition is met, not least since the issue of unsolicited text messages has been widely publicised by the media as being a problem.
40. The Commissioner has published detailed guidance for those carrying out direct marketing explaining their legal obligations under PECR. This guidance gives clear advice regarding the requirements of consent for direct marketing and explains the circumstances under which organisations are able to carry out marketing over the phone, by text, by email, by post, or by fax. In particular it states that organisations can generally only send, or instigate, marketing emails to individuals if that person has specifically consented to receiving them; and highlights the difficulties of relying on indirect consent for email marketing. The Commissioner has also published detailed guidance on consent under the GDPR. In case organisations remain unclear on their obligations, the ICO operates a telephone helpline. ICO communications about previous enforcement action where businesses have not complied with PECR are also readily available.
41. It is therefore reasonable to suppose that Papa John’s should have been aware of its responsibilities in this area.
42. Secondly, the Commissioner has gone on to consider whether Papa John’s failed to take reasonable steps to prevent the contraventions. Again, she is satisfied that this condition is met.
43. Such reasonable steps in these circumstances could have included putting in place appropriate systems, policies and procedures to ensure that it had the consent of all of its customers to whom it had sent marketing messages. Whilst it is evident that Papa John’s had policies in place to ensure a certain level of compliance its measures failed to capture all types of customer and methods of customer contact. In this case, a number of customers were not offered adequate means of opting out of marketing at the time their details were collected by telephone.
44. In the circumstances, the Commissioner is satisfied that Papa John’s failed to take reasonable steps to prevent the contraventions.
45. The Commissioner is therefore satisfied that condition (b) from section 55A (1) DPA is met.
The Commissioner’s decision to issue a monetary penalty
46. The Commissioner has also taken into account the following aggravating features of this case:
• The actions of Papa John’s were carried out to generate business and to increase profits, gaining an unfair advantage on those businesses complying with the PECR;
47. The Commissioner has also taken into account the following mitigating feature of this case:
• Papa John’s have advised the Commissioner that it has temporarily suspended marketing to individuals placing orders by telephone, but otherwise has not yet taken steps to rectify its marketing practices to ensure overall compliance with PECR for this method of customer contact.
48. For the reasons explained above, the Commissioner is satisfied that the conditions from section 55A (1) DPA have been met in this case. She is also satisfied that the procedural rights under section 55B have been complied with.
49. The latter has included the issuing of a Notice of Intent, in which the Commissioner set out her preliminary thinking. In reaching her final view, the Commissioner received no representations from Papa John’s.
50. The Commissioner is accordingly entitled to issue a monetary penalty in this case.
51. The Commissioner has considered whether, in the circumstances, she should exercise her discretion so as to issue a monetary penalty.
52. The Commissioner has considered the likely impact of a monetary penalty on Papa John’s. She has decided on the information that is available to her, that Papa John’s has access to sufficient financial resources to pay the proposed monetary penalty without causing undue financial hardship.
53. The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with PECR. The sending of unsolicited marketing emails is a matter of significant public concern. A monetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices. The issuing of a monetary penalty will reinforce the need for businesses to ensure that they are only messaging those who specifically consent to receive marketing.
54. For these reasons, the Commissioner has decided to issue a monetary penalty in this case.
The amount of the penalty
55. Taking into account all of the above, the Commissioner has decided that a penalty in the sum of £10,000 (Ten thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty.
Conclusion
56. The monetary penalty must be paid to the Commissioner’s office by BACS transfer or cheque by 15 July 2021 at the latest. The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government’s general bank account at the Bank of England.
57. If the Commissioner receives full payment of the monetary penalty by 14 July 2021 the Commissioner will reduce the monetary penalty by 20% to £8,000 (Eight thousand pounds). However, you should be aware that the early payment discount is not available if you decide to exercise your right of appeal.
58. There is a right of appeal to the First-tier Tribunal (Information Rights) against:
(a) the imposition of the monetary penalty and/or;
(b) the amount of the penalty specified in the monetary penalty notice.
59. Any notice of appeal should be received by the Tribunal within 28 days of the date of this monetary penalty notice.
60. Information about appeals is set out in Annex 1.
61. The Commissioner will not take action to enforce a monetary penalty unless:
• the period specified within the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid;
• all relevant appeals against the monetary penalty notice and any variation of it have either been decided or withdrawn; and
• the period for appealing against the monetary penalty and any variation of it has expired.
62. In England, Wales and Northern Ireland, the monetary penalty is recoverable by Order of the County Court or the High Court. In Scotland, the monetary penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.
Dated the 14th day of June 2021
Andy Curry
Head of Investigations
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
ANNEX 1
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER
1. Section 55B(5) of the Data Protection Act 1998 gives any person upon whom a monetary penalty notice has been served a right of appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’) against the notice.
2. If you decide to appeal and if the Tribunal considers:-
a) that the notice against which the appeal is brought is not in accordance with the law; or
b) to the extent that the notice involved an exercise of discretion by the Commissioner, that she ought to have exercised her discretion differently,
the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal.
3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address:
General Regulatory Chamber
HM Courts & Tribunals Service
PO Box 9300
Leicester
LE1 8DJ
Telephone: 0203 936 8963
Email: grc@justice.gov.uk
a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice.
b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule.
4. The notice of appeal should state:-
a) your name and address/name and address of your representative (if any);
b) an address where documents may be sent or delivered to you;
c) the name and address of the Information Commissioner;
d) details of the decision to which the proceedings relate;
e) the result that you are seeking;
f) the grounds on which you rely;
g) you must provide with the notice of appeal a copy of the monetary penalty notice or variation notice;
h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time and the reason why the notice of appeal was not provided in time.
5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose.
6. The statutory provisions concerning appeals to the First-tier Tribunal (Information Rights) are contained in section 55B(5) of, and Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)).