ICO (UK) - Brazier Consulting Services Ltd

From GDPRhub
Revision as of 10:45, 28 July 2021 by 10.90.129.140 (talk) (→‎Holding)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ICO (UK) - Brazier Consulting Services Ltd
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 4(11) GDPR
Regulations 21 of PECR
Type: Complaint
Outcome: Upheld
Started:
Decided: 25.06.2021
Published: 01.08.2021
Fine: 200000 GBP
Parties: n/a
National Case Number/Name: Brazier Consulting Services Ltd
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Information Commissioner's Office (in EN)
Initial Contributor: n/a

The ICO fined a claims management service approximately €235,000 for making more than 11 million unsolicited direct marketing calls over a six month period.

English Summary

Facts

The UK DPA (the Information Commissioner's Office, 'ICO') initiated an investigation into Brazier Consulting Services ('BCS') following a significant number of complaints from individuals in relation to marketing calls about claims management and insurance services.

Holding

The ICO found that BCS violated Regulation 21A of the Privacy and Electronic Communications Regulations, implementing the e-Privacy Directive in the UK, which requires organisations to obtain consent from individuals in order to make calls related to claims management services.

Between 1 February 2019 and 31 July 2019, BCS used a public electronic communications service for the purpose of making 11,489,873 unsolicited calls for direct marketing purposes to individuals in relation to claims management services. These calls were made to who had not given their prior consent to BCS to receive such calls.

The ICO issued a fine of £200,000 for this violation.

The ICO considered that the conditions for the imposition of a monetary penalty section 55A of the UK Data Protection Act are met, namely: the convention was sufficiently serious (since there were because multiple breaches over a six month period) as well as negligent (since BCS knew or ought reasonably to have known that there was a risk that these contraventions would occur)

With regards to the amount of the fine, the ICO stated that the fact that BCS did not fully cooperate during the investigation, and was not completely open and transparent regarding information provided, was an aggravating feature. It did not identify any mitigating features.

The ICO also issued BCS with an Enforcement Notice compelling them to stop their illegal marketing activity and informing them that failure to do is a criminal offence.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                                                            •

                                                           ICO.
                                                           Information Commissioner's Office


                     DATA PROTECTION    ACT 1998


   SUPERVISORY    POWERS OF THE INFORMATION        COMMISSIONER



                     MONETARY    PENAL TY NOTICE




To:   Brazier Consulting Services Ltd Limited

Of:   7 Victoria Court, Bank Square, Leeds, West Yorkshire, LS27 9SE


1.   The Information Commissioner ("Commissioner") has decided to issue

     Brazier Consulting Services Limited ("BCS") with a monetary penalty
     under section SSA of the Data Protection Act 1998 ("DPA"). The penalty

     is being issued because of serious contraventiof regulation 21A of
     the Privacy and Electronic Communication(EC Directive) Regulations

     2003 ("PECR").


2.   This notice explains the Commissioner's decision.


      Legal framework



3.   BCS, whose registered office is given above (Companies House
     RegistrationNumber: 10531983) is the organisation stated in this

     notice to have used a public electronic communicatiservice for the
     purpose of making unsolicited calls for the purposes of direct marketing

     in relation to claims managemenservices contrary to regulation 21A of

     PECR.


4.   Regulation 21A paragraph (1) of PECRprovides that:


                                   1                                                                  •


                                                                  ICO.
                                                                  Information Commissioner's Office
      "(l)  A person must not use, or instigate the use of, a public electronic

            communications   service to make unsolicited calls for the
            purposes of direct marketing in relation to claims management

            services except in the circumstances referred to in paragraph

            (2)."


5.    Regulation 21A paragraphs (2), and (3) provide that:


      "(2)  Those circumstances    are where    the called  line is that  of a

            subscriber who has previously notified the caller that for the time

            being the subscriber consents to such calls being made by, or at
            the instigation of, the caller on that line

       (3)  A subscriber must not permit the subscriber's line to be used in

            contravention  of paragraph (l)."



6.    Regulation 21A paragraphs (4), and (5) materially state that:



      "( 4) In this  regulation "claims  management     services"  means the
            following services in relation to the making of a claim-

            (a)   advice;

            (b)   financial services or assistance;

            (c)   acting on behalf of, or representing,a person;
            (d)   the referral or introductionof one person to another;

            (e)   the making of inquiries.



       (5)  In  paragraph  (4),  "claim"  means   a claim  for compensation,

            restitution,repayment or any other remedy or relief in respect of
            loss or damage or in respect of an obligation, whether the claim is
            made or could be made-



                                       2                                                                •


                                                                ICO.
                                                                Information Commissioner's Office
            (a)  by way of legal proceedings,

            (b)   in accordance with a scheme of regulation (whether
                  voluntary or compulsory), or

            (c)  in pursuance of a voluntary undertaking.


7.    Prior to 29 March 2019, the European Directive 95/46/EC defined

      'consent' as "any freely given specific and informed indication of his
      wishes by which the data subject signifies his agreement to personal

      data relatingto him being processed".


8.    Consent in PECRis now defined, from 29 March 2019, by reference to

      the concept of consent in Regulation 2016/679 ("the GDPR"):

      regulation 8(2) of the Data Protection, Privacy and Electronic
      Communications   (Amendments   etc) (EU Exit) Regulations 2019. Article

      4( 11) of the GDPR sets out the following definitio"'consent' of the

      data subject means any freely given, specific, informed and
      unambiguous indication of the data subject's wishes by which he or

      she, by a statement or by a clear affirmativaction, signifies
      agreement to the processing of personal data relating to him or her".



9.    A "subscriber"is defined in regulation 2(1) of PECRas "a person who is
      a party to a contract with a provider of public electronic

      communications  services for the supply of such services".


10.   Section 122(5) of the DPA 2018 defines "direct marketing" as "the

      communication  (by whatever means) of any advertising material which

      is directedo particular individuals". This definition also applies for the
      purposes of PECR.


11.   Under section SSA (1) of the DPA (as amended by the Privacy and

      Electronic Communications  (EC Directive) (Amendment)  Regulations

                                     3                                                               •

                                                              ICO.
                                                              Information Commissioner's Office

      2011 and the Privacy and Electronic Communications (EC Directive)
      (Amendment)   Regulations 2015) the Commissioner may serve a

      person with a monetary penalty notice if the Commissioner is satisfied
     that -


     "(a) there has been a serious contraventionof the requirementsof the

          Privacy and Electronic Communications (EC Directive) Regulations

          2003 by the person, and


     (b)  subsection (2) or (3) applies.


           (2)   This subsection applies if the contraventiwas deliberate.


           (3)   This subsection applies if the person -


                (a) knew or ought to have known that there was a risk that

                    the contravention would occur, but


                (b) failed to take reasonable steps to prevent the

                    contravention."


12.  The Commissioner has issued statutory guidance under section SSC (1)
      of the DPA about the issuing of monetary penalties that has been

      published on the ICO's website. The Data Protection (Monetary

      Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe
     that the amount of any penalty determined by the Commissioner must

      not exceed £500,000.


13.   PECRimplements Directive 2002/58/EC,   and Directive 2009/136/EC
     which amended the earlier Directive. Both the Directive and PECRare

     "designed to protect the privacy of electronic communicationusers":

                                     4                                                             •

                                                             ICO.
                                                             Information Commissioner's Office

      Leave.EU & Eldon Insurance Services v InformatioCommissioner
      [2021] UKUT 26 (AAC) at paragraph 26. The Commissioner seeks to

      interpret and apply PECRin a manner consistent with the purpose of
     the Directive and PECRof ensuring a high level of protection of the

      privacy of individuals, and in particular the protections provided from
      receiving unsolicited direct marketing communicatiwhich the

      individual has not consented to receive.


14.  The provisions of the DPA remain in force for the purposes of PECR

      notwithstandingthe introductioof the Data Protection Act 2018 (see
      paragraph 58(1) of Part 9, Schedule 20 of that Act).



      Background to the case


15.   BCS first came to the attention of the Commissioner in July 2019
      following the receipt of a significant number of complaints from

      subscribers about marketing calls regarding claims management
      services and/or insurance. The majority of complainants were able to

      identify that the calls were made by BCS, or a variant of the name.


16.   Between 2 May 2018 and 26 July 2019, the ICO received 414

      complaints about unsolicited direct marketing calls made by BCS. In
      addition, between 5 June 2018 and 20 May 2019 a further 26

      complaints were received by the Telephone Preference Service ("TPS").


17.  The Commissioner, through enquiries with the relevant

      Communications  Service Provider ("CSP"), was able to establish that
     the CLI's identified within the complaints were allocated to BCS.


18.  The Commissioner sent an initial investigatiletter to BCS on 1

     August 2019, setting out her concerns with the organisation's

                                    5                                                             •

                                                            ICO.
                                                             Information Commissioner's Office

     compliance with PECR,attaching details of all the complaints, and
     requesting information about its business and marketing activities

     which would assist in her investigation.


19.  Responses  to the Commissioner were provided by a company whom
     BCS explained were its compliance officers. The first substantive

     response, dated 25 August 2019, stated that BCS had been "locked

     out" of their old servers due to a dispute with their former dialler
     provider, and that it had changed its dialler system in June 2019. BCS

     stated that calls are screened through their dialler, meaning that calls
     should not have been made to any number on the TPS register.



20.  A further response on 19 September 2019 explained that BCS obtained
     leads though a data broker -

     (''-")       - using the website www.
     was supplied with 1,000 opt-ins per 100,000 records, including date,

     time stamp, IP address and opt-in statement. In relation to call
     volume, due to previously identified issues with the call dialler, BCS

     said it was unable to provide any information apart from the period 31

     May to 31 July 2019, when it provided the number of attempted calls.
     BCS also provided copies of its training assessments and manual,

     which indicated that the calls made by BCS were in relation to PPL No
     explanation or comments were provided in relation to the specific

     complaints and no evidence of consent supplied.


21.  At this stage it is noteworthy that during representations to the

     Commissioner's Notice of Intent, BCS advised that it had also sourced
     data from two additional brokers of which the Commissioner was

     previously unaware. BCS was unable to identify the website used by
     one of the brokers from which consent was acquired and accordingly no

     evidence of consent was provided. For the avoidance of doubt, the

                                   6                                                             •

                                                            ICO.
                                                             Information Commissioner's Office

     focus of Commissioner's investigationand subsequently this Notice, is
     upon unsolicited marketing calls made to data sourced from

     -/                              . BCS informed the Commissioner in
     representations that it sourced data from -     from end January

     2019  to 29 August 2019.


22.  Open source research was conducted by the Commissioner on the

     website


23.  The website includes a consentstatement, which states:


     "I would like to have offers from xxx and its partners including xxx,

     xxx, xxx, Brazier Consulting Services Ltd. (authorised and regulated by
     the Financial Conduct Authority in respect of regulated claims

     management   activity FRN:829743) (...)".


     BCS also appear in the site's privacy policy and partners list, however
     the latter is extensive, with 435 named companies listed in alphabetical

     order. This means that individuals would not easily be able to view all

     companies within a specific sector and would be required to research
     the entirety of the list in order to establish the nature of each

     company. Individuals are unable to select which sectors or individual
     companies they wish to provide consent to, therefore, users would be

     consenting to receive correspondence from all 435 partners.

     Furthermore, use of the site appeared to be conditional on agreeing to
     at least one form of marketing.


24.   It was apparent that the means by which consent was obtained did not

      allow for it to be freely given, specific, or informed. Further, the
      Commissioner considered that individuals could not reasonably expect



                                   7                                                              •

                                                             ICO.
                                                             Information Commissioner's Office

      to receive PPI marketing calls within the context of a general offer
      website.


25.  A further response from BCS dated 20 December 2019 to additional

     enquiries from the Commissioner explained that it had not conducted
     any marketing activity since 29 August 2019 when the PPI calling ban

     came into effect. Evidence of "consent" for 25 complaints was provided

     together with an indication of connected call volumes for June and July
     2019.


26.  On 4 February 2020, BCS provided a limited response to the

     spreadsheet of all the complaints previously provided by the

     Commissioner.   BCS confirmed that all of the calls it made during the
     campaign were marketing calls for the purpose of PPL BCS confirmed

     that some of the complaints were in relation to calls made by BCS, but
     due to previously identified issues with their previous dialler provider,

     they were unable to check any records prior to 1 June 2019.


27.  Accordingly, on 20 February 2020, the Commissioner issued a 3PIN to

     the previous dialler provider for call volumes, for the period 1 January
     2019 - 31 July 2019. The call dialler responded on 2 March 2020 and

     confirmed that whilst it could not provide the volume of attempted
     calls, it was able to provide details of connected calls per month, which

     totalled 22,762,863 over the entire period (including June and July

     2019). The call dialler later clarified that the figure for connected calls
     included voicemailsas it was unable to differentiabetween calls

     which were answered and those which went to voicemail.


28.   BCS had previously informed the Commissioner that it did not use its
     previous dialler provider in June and July 2019, which was inconsistent

     with evidence provided from the call dialler itself, and so the

                                    8                                                             •

                                                            ICO.
                                                             Information Commissioner's Office

     Commissioner asked BCS to clarify the call volumes for June and July
     2019, to which BCS responded on 20 March 2020. The response

     however was inconsistent with both those previously provided by BCS,
     and the dialler provider, and BCS has not provided any further

     convincing evidence to support its position.


29.  On 30 March 2020 the Commissioner wrote to BCS requesting evidence

     of due diligence in relation to data supplied by its third party data
     provider, details of the personal data purchased, call volume data from

     its current dialler, and enquiring whether BCS were still trading. As this
     information was not forthcoming,the Commissioner issued an

     Information Notice on BCS to which a response was received on 26

     August 2020. BCS provided details of the data it purchased, explaining
     "as discussed and evidenced previously, we received opt-ins for the

     data on selected clients, which included IP address, statemDate
     and Time  stamp". BCS also confirmed it was no longer marketing PPI

     claims albeit still operational as a business. BCS failed to provide any
     evidence of call volumes from its current dialler provider nor when it

     ceased using the services of their previous dialler provider.


30.  In the period 1 February 2019 - 31 July 2019, during which time BCS

     sourced data from -                              , a total of 319
     complaints were received by the ICO and a further 9 by the TPS.

     Despite detailed representationto the Notice of Intent in relation to

     complaints, save for any adjustment to account for duplicates, the
     Commissioner remains satisfied that the complaints relied upon relate

     to calls made by BCS. Deducting 12 complaints as probable duplicates,
     this amounts to a total of 316 complaints in relation to unsolicited

     direct marketing calls made by BCS.




                                   9                                                               •

                                                              ICO.
                                                              Information Commissioner's Office

31.   Complaints received by the Commissioner relating to Clls allocated to
      BCS include:


     •  "PPI claims company - I toldthem clearly I was not interested and
        asked where they got my data from. Refused to tell me and said it

        was obtained legally and they were FCAauthorised and GDPR
        compliant. I asked to not be contacted again and remove me from

        their listing but then got another call 24/07/19."


      • "It was an aggressive, intimidatincall aimed at making a PPI claim.
        This was another of a long list of calls. I told them repeatedly that I

        have never had PPI and did not wish to claim. Alter several calls
        they said that they would send out documents that would allow

        them to check for PPI . I said that they were wasting their time but

        if they wished to send out the documents that was up to them. I did
        not complete or return any of the documents. They are now telling

        me that because the documents have been sent out , it is effectively
        a contract and they suggested that I would face a charge if I

        cancelled. I asked " how can I cancel something I have not asked

        for". The advisor ( xxx ) was aggressive in manner and I felt quite
        threatened by his attitude. I am now worried that they intend to

        charge me for a service that I do not want , have never contacted
        them regarding PPI , and I have not signed any documents to the

        contrary. All I want is for them to stop these aggressive phone

        calls." [sic]

      • "I was asked if I had made any PPI claims. I then asked for the

        caller to remove my number from the system. She then said that
        she was not allowed to remove numbers from the system, and that

        I would have to do it myself. I asked her if she was aware of the
        GDPR regulations and she said, "Of course, but are you on the

        GDPR?'"'

                                    10                                                             •

                                                            ICO.
                                                             Information Commissioner's Office


     •  "I have been called by Brazier Consulting many times (though they

        generally say they are BCS Consulting which is a different firm).
        Every time I have told this firm to remove me from the data base. I

        have not consented to be called by this firm. Today I was told by
        the agent that she could not remove me from the data base. I

        would have to be placed on hold and speak to a manager. I was

        placed on hold. The manager said I could not be removed from the
        data base until I had been told about the urgency of PPL"


     •  "I asked where they got my number and was told that all numbers

        are opt-in by default when issued by network providers".


32.  It is notable that the complaints made to the Commissioner indicate
     that not only did BCS make initial calls in breach of PECR,but also

     continued to call individuals who had specifically asked not to be
     contacted. Comments made by complainants suggest that BCS

     employees refused to comply with requests made by individuals to

     either remove their number from the database, or confirm where they
     had obtained their details, and it is apparent that there was a lack of

     knowledge in respect of PECR,GDPR and marketing in general.
     Comments also indicate that these calls caused great distress to some

     individuals.


33.  In representations to the Commissioner's Notice of Intent, BCS

     informed the Commissioner in relation to call volumes that calls made
     during the contraventionperiod were not solely for the purpose of PPI

     marketing; as a handler of PPI claims, BCS also made a significant
     number of service calls. BCS did not advise whether any of the Clls

     were dedicated to service calls as opposed to marketing, nor was it



                                   11                                                            •

                                                            ICO.
                                                            Information Commissioner's Office
     able to provide any evidence as to the breakdown of calls made for

     marketing purposes.


34.  BCS' own estimate isthat 53.6% of calls made were for marketing

     purposes, based upon call data provided by its current dialler provider
     post 29 August 2019 - the deadline for bringing new PPI claims. The

     Commissioner accepts that BCS would have made some service calls,
     but considers that this estimate is unlikely to reflect the true volume of

     marketing versus service calls. This is because the estimate is based on
     service call volumes made after the PPI deadline, and when the focus

     of the business would necessarily have switched entirely to servicing

     existingPPI claims; prior to 29 August 2021 the Commissioner finds it
     reasonable to suppose that the business would have focussed heavily

     on acquiring new claims via marketing before the PPI deadline.
     Notwithstanding the above, in the absence of any evidence from BCS

     to support the exact volume of marketing calls, the Commissioner has
     adopted the estimate provided by BCS for the purpose of this Notice.


35.  On the basis of evidence provided by BCS' previous call dialler, the

     Commissioner is satisfied that 21,436,331 connected calls were made

     by BCS between 1 February 2019 and 31 July 2019. Of these, the
     Commissioner finds that 11,489,873 were made for the purposes of

     marketing 'claims management services' as defined at Regulation
     21A(4) PECR.Those calls led to a total of 316 complaints to the

     Commissioner and the TPS. BCS has been unable to evidence sufficient
     consent to call any of the complainants. The consent relied upon by

     BCS is insufficient for the purposes of regulation 21A of PECR.


36.  The Commissioner has made the above findings of fact on the
     balance of probabilities.



                                   12                                                              •

                                                             ICO.
                                                             Information Commissioner's Office

37.  The Commissioner has considered whether those facts constitute a
      contraventionof regulation 21A of PECRby BCS and, if so, whether the

      conditions of section SSA DPA are satisfied.


     The contravention


38.  The Commissioner finds that BCS contravened regulation 21A of PECR.


39.  The Commissioner finds that the contraventionis as follows:


40.   Regulation 21A was brought into force on 8 September 2018 and

      requires that persons/organisatiohold consent from subscribers in

      order to make calls relating to claims management services.

41.   Between 1 February 2019 and 31 July 2019, BCS used a public

      electronicommunications  service for the purpose of making
      11,489,873 unsolicited calls for direct marketing purposes to

      subscribers in relation to claims management services. This resulted in

      316 complaintsbeing made to the TPS and the Commissioner.

42.  The Commissioner is satisfied for the purposes of regulation 21A that

     these calls were made to subscribers who had not given their prior
      consent to BCS to receive such calls.


43.  The Commissioner is satisfied that BCS was responsible for these

      contraventions.


44.  The Commissioner has gone on to consider whether the conditions
      under section SSA DPA are met.


  Seriousness of the contravention



                                    13                                                              •

                                                             ICO.
                                                             Information Commissioner's Office

45.  The Commissioner is satisfied that the contraventionidentified
      above were serious. This is because there have been multiple breaches

      of regulation 21A by BCS over a six month period. Specifically,
      between 1 February 2019 and 31 July 2019 BCS made a total of

      11,489,873 connected calls relating to PPI claims management
      services. This led to a significant number of complaints.



46.  The legislation is clearat TPS registration is not a relevant
      consideration in respect of such calls. A subscriber must have

      previously notified the caller that for the time being the subscriber
      consents to such calls being made by, or at the instigation of, the caller

      on that line. The Commissioner is satisfied that BCS did not have the

      necessary consent to make these calls.


47.   BCS appeared to use aggressive tactics when making the calls to
      subscribers, as evidenced by the content of some of the complaints.


48.  The Commissioner is therefore satisfied that condition (a) from

      section SSA (1) DPA is met.


      Deliberate or negligent contraventions


49.  The Commissioner has considered whether the contraventions
      identified above were deliberatIn the Commissioner's view, this

      means that BCS's actions which constituted that contraventiwere

      deliberate actions (evenf BCS did not actually intend thereby to
      contravene PECR).


50.  The Commissioner does not consider that BCS deliberately seout to
      contravene PECRin this instance.




                                    14                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

51.  The Commissioner has gone on to consider whether the contravention
      identified above was negligent. This consideration comprises two

      elements:


52.   Firstly, she has consideredether BCS knew or ought reasonably to

     have known that there was a risk that these contraventionswould
     occur. She is satisfied that this condition is met, not least because the

     issue of unsolicited calls in relation to claims management services has

     been widely publicised by the media as being a problem, so much so
     that it prompted recent legislative change to prohibit the making of

     such calls unless certain conditions are metIt is reasonable to
     suppose that any organisation wishing to carry out such activities

     should, and indeed must, be aware of its responsibilities in this area.


53.  The Commissioner has published detailed guidance on her website for
     those carrying out direct marketing calls for the purposes of claims

     management services, explaining the strict criteria under which such
     calls can be made. This guidance explains such calls must not be made

      in relation to claims management services unless the individual being

     called has specifically consented to such calls or has a defined existing
     client relationship.



54.  The Commissioner notes  that BCS employed the services of a
     compliance company, which, given its extensive background and

     history with the ICO, would be reasonable to assume that the
     compliance company should also have been aware of the introduction

     of regulation 21A and ensured its client was acting in a compliant

     manner.

55.  Secondly, the Commissioner has gone on to consider whether BCS

     failed to take reasonable steps to prevent the contraventionAgain,

     she is satisfiedhat this condition is metEvidence suggests that BCS
                                    15                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

      appear to have been relying upon regulation 21 PECRto ensure
      compliance, indicating a lack knowledge or understanding of

      regulation 21A, which was fundamental to BCS' business model.
      Had BCS familiarised itself with the relevant legislation and guidance

     and set its due diligence checks accordingly, it would have realised that

     it could not lawfully make unsolicited direct marketing calls for the
     purposes of claims management services.



56.   Furthermore, there is no evidence to suggest that BCS provided any
     training to staff in relation to PECRwhatsoever. The training

     documents provided during the course of the Commissioner's
     investigationdo not contain any reference to PECR.There are only brief

      references to the ICO, DPA 98, and Telephone Preference Service, the

      latter of which would suggest that BCS felt they only needed to comply
     with regulation 21.


57.  Given the volume of calls and complaints, it is clear that BCS failed to

     take those reasonable steps.


58.  The Commissioner is therefore satisfied that condition (b) from section

      SSA (1) DPA is met.


     The Commissioner's    decision to impose a monetary    penalty


59.   The Commissioner finds that there are the following aggravating
      features of this case:



        •  It became apparent during representations to the
           Commissioner's Notice of Intent that neither BCS nor their

           compliance advisors fully co-operated during the Commissioner's
           investigationand were not completely open and transparent in


                                    16                                                               •


                                                              ICO.
                                                              Information Commissioner's Office
            relation to information provided. For instance, BCS failed to
            disclose two further data sources in addition to -·   BCS

            were unable to identify the website utilised by one of these data

            sources to capture consent thus demonstratinglack of due
            diligenceon the part of BCS, and thereby also hindering the

            Commissioner's investigation.BCS also made no mention of

            service calls when providing information about call volumes until
            representations,but BCS were unable to provide any evidence as

            to the breakdown of call purpose.


60.   The Commissioner   has taken  into account representations  by BCS,

      however considers that there are no relevant mitigating features  of
      this case.



61.   For the reasons explained above, the Commissioner is satisfied that the
      conditions from section 55A(l)DPA have been met in this case. She is

      also satisfied that the procedural rights under section 55B have been

      complied with.


62.  This has included the issuing of a Notice of Intent on 18 February 2021,
      in which the Commissioner set out her preliminary thinking, and invited

      BCS to make representations in response.


63.  The    Commissioner    has   received   and    considered   extensive

      Representations in response to the Notice of Intent dated 23 April 2021.


64.  The Commissioner is accordingly entitled to issue a monetary penalty in

     this case.


65.   The Commissioner has considered   whether, in the circumstances, she

      should exercise her discretion so as to issue a monetary penalty. She

                                    17                                                             •


                                                            ICO.
                                                            Information Commissioner's Office
     has decided that a monetary penalty is an appropriate and proportionate
     response to the finding of a serious contraventof regulations 21A of

     PECRby BCS.


66.  The Commissioner's   underlying objective in imposing  a monetary

     penalty notice is to promote compliance with PECR. The instigatioor

     making of unsolicited direct marketingtexts is a matter of significant
     public concern. Amonetary penalty in this case should act as a general

     encouragement   towards  compliance with the law, or at least as a
     deterrent against non-compliance, on the part of all persons running

     businesses currently engaging in these practices. This is an opportunity

     to reinforce the need for businesses to ensure that they are only texting
     consumers who want to receive these messages.



67.  The Commissioner has also considered the likely impact of a monetary
     penalty on BCS and in doing so has reviewed financial evidence supplied

     alongside its representations.


     The amount of the penalty


68.  Taking into account all of the above, the Commissioner has decided that

     the amount   of the penalty is £200,000  (Two  hundred   thousand

     pounds).


     Conclusion


69.  The  monetary  penalty must be paid to the Commissioner's  office by

     BACS transfer or cheque by 28 July 2021 at the latest. The monetary
     penalty is not kept by the Commissioner   but will be paid into the

     Consolidated Fund which is the Government's general bank account at
     the Bank of England.


                                   18                                                             •

                                                            ICO.
                                                             Information Commissioner's Office


70.  If the Commissioner receives full payment of the monetary penalty by

      27 July 2021 the Commissioner will reduce the monetary penalty by
      20% to £160,000    (One  hundred   and sixty thousand    pounds).

      However, you should be aware that the early payment discount is not
     available if you decide to exercise your right of appeal.


71.  There is a right of appeal to the First-tier Tribunal (InforRights)

      against:


      a)   the imposition of the monetary penalty

           and/or;


      b)   the amount of the penalty specified in the monetary penalty
           notice.


70. Any notice of appeal should be received by the Tribunal within 28 days

     of the date of this monetary penalty notice.


71. Informationabout appeals is set out in Annex 1.

72. The Commissioner will not take action to enforce a monetary penalty

    unless:


   • the period specified within the notice within which a monetary penalty

     must be paid has expired and all or any of the monetary penalty has
     not been paid;


   • allrelevant appeals against the monetary penalty notice and any

     variation of it have either been decided or withdraand



                                   19                                                        •

                                                        ICO.
                                                        Information Commissioner's Office
  •  period for appealing against the monetary penalty and any variation of

     it has expired.

73. In England, Wales and Northern Ireland, the monetary penalty is
   recoverable byrder of the County Court or the High Court. In

   Scotland, the monetary penalty can be enforced in the same manner
   as an extract registered decree arbitral bearing a warrant for execution

   issued by the sheriff court of any sheriffdom in Scotland.


Dated the 25th day of June 2021


Andy Curry
Head of Investigations
InformationCommissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 SAF






















                                20                                                            •


                                                           ICO.
                                                           Information Commissioner's Office
ANNEX 1

SECTION   55 A-E OF THE DATA PROTECTION      ACT 1998



RIGHTS   OF APPEAL AGAINST     DECISIONS   OF THE COMMISSIONER


1.   Section 48 of the Data Protection Act 1998 gives any person upon
whom a monetary penalty notice or variation notice has been served a right

of appeal to the First-tier Tribunal (InformRights) (the 'Tribunal')
against the notice.

2.   If you decide to appeal and if the Tribunal considers:-


a)   that the notice against which the appeal is brought is not in accordance
with the law; or


b)   to the extent that the notice involved an exercise of discretion by the
Commissioner, that she ought to have exercised her discretion differently,

the Tribunal will allow the appeal or substitute such other decision as could

have been made by  the Commissioner. In any other case the Tribunal will
dismiss the appeal.

3.   You may bring an appeal by serving a notice of appeal on the Tribunal

at the following address:


           GRC & GRPTribunals

           PO Box 9300
           Arnhem House
           31 Waterloo Way
           Leicester

           LEl 8DJ

a)   The notice of appeal should be sent so it is received by the Tribunal
within 28 days of the date of the notice.


b)   If your notice of appeal is late the Tribunal will not admit it unless the
Tribunal has extended the time for complying with this rule.

                                  21                                                               •

                                                              ICO.
                                                              Information Commissioner's Office


4.   The notice of appeal should state:-

     a)    your name and address/name and address of your representative
     (if any);


     b)    an address where documents may be sent or delivered to you;

     c)    the name and address of the Information Commissioner;


     d)    detailsof the decision to which the proceedings relate;

     e)    the result that you are seeking;


     f)    the grounds on which you rely;

     g)    you must provide with the notice of appeal a copy of the
     monetary penalty notice or variation notice;


     h)    if you have exceeded the time limit mentioned above the notice
     of appeal must include a request for an extension of time and the
     reason why the notice of appeal was not provided in time.

5.   Before deciding whether or not to appeal you may wish to consult your

solicitor or another adviser. At the hearing of an appeal a party may conduct
his case himself or may be represented by any person whom he may
appoint for that purpose.


6.   The statutory provisions concerning appeals to the First-tier Tribunal
(Information Rights) are contained in sections 48 and 49 of, and Schedule 6
to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal)
(General Regulatory Chamber) Rules 2009 (Statutory  Instrument  2009 No.
1976 (L.20)).










                                    22