ICO (UK) - Outsource Strategies Ltd

From GDPRhub
ICO - Outsource Strategies Ltd
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law:
Privacy and Electronic Communications Regulation
UK Data Protection Act
Type: Complaint
Outcome: Upheld
Started: 10.05.2022
Decided: 23.04.2024
Published:
Fine: 240,000 GBP
Parties: Outsource Strategies Ltd
National Case Number/Name: Outsource Strategies Ltd
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: lm

The DPA fined a controller €279,100 (GBP 240,000) for making direct marketing calls to data subjects on a ‘do not call’ register, noting that controllers must verify whether data subjects are on the register and cannot rely on data suppliers' assurances.

English Summary

Facts

In 2022, the Information Commissioner’s Office (ICO) received 74 complaints submitted by data subjects concerning unsolicited direct marketing calls from Outsource Strategies Ltd (the controller), a telemarketing company that telesales campaigns for its partners.

Between 11 February 2021 to 22 March 2022, the controller used a public telecommunications service to make 8,503,026 direct marketing calls. Of these, 1,346,503 connected and were answered by data subjects who had registered their phone numbers on the UK’s ‘do not call’ register. None of them had notified the controller that they did not object to receiving such calls. The data subjects stated that the callers were aggressive and used high-pressure sales tactics to persuade them to sign up for products.

On 10 May 2022, the ICO send an initial investigation letter to the controller concerning alleged violations of the Privacy and Electronic Communications Regulations 2003 (PECR), the UK’s implementation of the European e-Privacy Directive. Regulation 21(1) of the PECR prohibits unsolicited direct marketing calls where the data subject has previously notified the caller that such calls shouldn’t be made or where the data subject has listed the number in the ICO’s ‘do not call’ register pursuant to Regulation 26 PECR. Article 21(3) and (4) PECR anticipate two exceptions, respectively, to the prohibition on direct marketing calls to people registered on the ‘do not call’ list. First, when the number has been listed on the no-call list for less than 28 days, and second, when a data subject has notified a caller that he does not, for the time being, object to calls being made on that line.

The controller told the ICO that its direct marketing campaigns were organised by their data supplier. Accordingly, it argued that screening callers for registration on the ‘do not call’ list was the responsibility of the data supplier, not the controller as the data purchaser. Other calls were sourced from opt-ins that the controller claimed to obtain on calls and mail inserts. It also told the ICO that it maintains an internal screening system, wherein individuals who indicate they do not want to receive calls from the controller are marked ‘do not call,’ or ‘DNC’. Nonetheless, the ICO found that several complainants were marked DNC but still received calls. It also found evidence that the company was targeting elderly and vulnerable people.

Holding

The ICO determined that the controller violated Article 21 PECR. It issued a €279,100 (GBP 240,000) fine as well as an enforcement notice prohibiting unsolicited direct marketing calls pursuant to the PECR.

The ICO found that the unsolicited calls were made to data subjects registered on the ‘do not call list.’ It noted that neither of the PECR exceptions applied as the affected data subjects were all registered on the list at least 28 days prior to receiving the calls and none of them notified the controller that they did not object to receiving the calls. The ICO emphasised that the Regulation 21(4) PECR notification must be particularized: it must demonstrate the individual’s willingness to receive marketing calls specifically and from that company specifically. Companies cannot rely on individuals opting into marketing communications generally. As a result, the external opt-ins that the controller obtained from third parties and mail inserts were insufficient to notify the controller of willingness to be called under 21(4) PECR.

The ICO deemed the controller’s contravention of the PECR serious, intentional and negligent, and thus imposed a monetary penalty pursuant to Section 55A of the Data Protection Act. In finding the infraction serious, the ICO took into account the 1,346,500 calls that connected and were answered by ‘do not call’ registrants as well as a large number of ‘do not call’ registrants which the controller attempted to contact but did not connect with, reaching voicemail instead. The ICO also found the breach deliberate. Despite having training materials demonstrating awareness of PERC, the controller disregarded its own internal guidance. The continued calling of data subjects marked ‘DNC’ internally further indicated that the controller was aware it was conducting calls to data subjects who did not want to be called. Finally, the ICO determined that the infraction was negligent because the controller knew there was a risk that contravention would occur if it disregarded PERC and its own training materials, and because the controller failed to take reasonable steps to prevent the contravention. Companies are obliged to undertake rigorous checks to verify that personal data was obtained fairly and lawfully; it is not acceptable to rely on assurances given by third party suppliers without proper due diligence.

The ICO took account of several aggravating factors. The controller repeatedly made calls to data subjects despite multiple requests to cease contact and several data subjects described callers as being aggressive. The controller used a database containing a high proportion of elderly and vulnerable individuals. In addition, the ICO considered evidence that the controller was likely affiliated with a different company which had been fined for the same PECR breach. The ICO did not identify any mitigating features in the case.

Comment

The ICO’s enforcement notice and fine on Outsource Strategies Ltd came alongside a a €116,292 (GBP 100,000) fine against Dr Telemarketing Ltd. The companies made a total of over 1.4 million calls to people on the UK’s ‘do not call’ register.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.