Banner1.png
Banner3.png

ICO (UK) - AMEX

From GDPRhub
ICO (UK) - AMEX
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 4(11) GDPR
Article 7(4) GDPR
Regulation 22 of the Privacy and Electronic Communications (EC Directive
Regulations 2003 PECR
Section 122(5) of the Data Protection Act 2018
Type: Complaint
Outcome: Upheld
Decided: 17.05.2021
Published: 20.05.2021
Fine: 90000 GBP
Parties: American Express Services Europe Limited
American Express Services Europe Limited
National Case Number/Name: AMEX
European Case Law Identifier: AMEX
Appeal: n/a
Original Language(s): English
English
Original Source: ICO (in EN)
ICO (in EN)
Initial Contributor: Tara Taubman-Bassirian

The UK ICO fined American Express ('AMEX') £90,000 for sending 4,098,841 direct marketing communications to customers who had opted out from receiving these.

English Summary[edit | edit source]

Facts[edit | edit source]

Between 1 June 2018 to 31 May 2019, a total of 4,098,841 direct marketing messages were sent to subscribers who had opted-out to receiving marketing emails by, or at the instigation, of AMEX. These messages contained direct marketing material for which subscribers had not provided adequate consent. AMEX says the emails had not been classified as "marketing emails" but "servicing" emails " feeling that Card Members would be at a disadvantage if they were not aware of these campaigns and promotional periods". They consequently argued such emails did not demand consent under the UK PECR.

Holding[edit | edit source]

The ICO was satisfied that these emails constituted "direct marketing" as defined by section 122(5) of the UK Data Protection Act 2018, because each of the emails encouraged customers to use their AMEX credit cards to make purchases. One category of emails (the AMEX app emails) also encouraged customers to download and/or use the AMEX app. Additionally, the ICO pointed out that AMEX's "International Email Policy - United Kingdom" indicates that "servicing" emails involve advertising and marketing content.

The ICO considered that the contravention was serious as between the 12-month period, a confirmed total of 4,098,841 direct marketing messages were sent containing direct marketing material for which subscribers had not provided adequate consent. Further, AMEX had failed to take reasonable steps to prevent the contraventions.

The ICO therefore fined AMEX £90,000.

Comment[edit | edit source]

Despite several customers complaints, AMEX failed to review its marketing model. Customers are becoming increasingly aware of their rights. The best marketing could become respecting customers options. ICO has reacted particularly promptly to the complaints in this case.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                                                              •


                                                             ICO.
                                                             Information Commissioner's Office


                     DATA PROTECTION      ACT 1998


   SUPERVISORY     POWERS OF THE INFORMATION         COMMISSIONER



                     MONETARY     PENAL TY NOTICE


To:   American Express Services Europe Limited

Of:   Belgrave House, 76 Buckingham Palace Road, London, SWl W 9AX



1.   The Information Commissioner ("Commissioner")    has decided to

      issue American Express Services Europe Limite("AMEX")  with a
      monetary penalty under section SSA of the Data Protection Act 1998

      ("DPA") .1 The penalty is in relation to a serious contraveofion

      Regulation 22 of the Privacy and Electronic Communication(EC

      Directive) Regulations 200("PECR").


2.   This notice explains the Commissioner's decision.


      Legal framework



3.    AMEX, whose registered office is given above (Companies House
      Registration Number: 01833139) is the organisation stated in this

      notice to have transmitteor instigated the transmissioof unsolicited

      communications  by means of electronic mail to individual subscribers
      for the purposes of direct marketing contrary to Regulation 22 of PECR.





1The provisions of the Data Protection Act 1998 remain in force for the purposes of
PECRnotwithstandingthe introductioof the Data Protection Act 2018 (see
paragraph 58(1) of Part 9, Schedule 20 of the 2018 Act).

                                    1                                                              •

                                                             ICO.
                                                             Information Commissioner's Office
4.    Regulation 22 of PECRstates:



       "(1)This regulation applies to the transmission of unsolicited
       communications by means of electronic mail to individual subscribers.


       (2) Except in the circumstances referred to in paragraph (3), a

      person shall neither transmit, nor instigate the transmission of,
       unsolicited communications for the purposes of direct marketing by

       means of electronic mail unless the recipient of the electronic mail has
      previously notified the sender that he consents for the time being to

      such communications being sent by, or at the instigation of, the

      sender.


       (3) A person may send or instigate the sending of electronic mail for
       the purposes of direct marketing where-


       (a) that person has obtained the contact details of the recipient of

       that electronic mail in the course of the sale or negotiations for the
      sale of a product or service to that recipient;



       (b) the direct marketing is in respect of that person's similar products
      and services only; and


       (c) the recipient has been given a simple means of refusing (free of

       charge except for the costs of the transmission of the refusal) the use
       of his contact details for the purposes of such direct marketing, at the

       time that the details were initially collected, and, where he did not

      initially refuse the use of the details, at the time of each subsequent
       communication.




                                    2                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

       (4) A subscriber shall not permit his line to be used in contravention
       of paragraph (2)."


5.    Section 122(5) of the Data Protection Act 201("DPA 2018")   defines

      direct marketing as "the communication(by whatever means) of
      advertising or marketing material which is directed to particular

      individuals"This definition also applies for the purposes of PECR(see

      DPA 2018 Schedule 19, paragraphs 430 and 432(6)).


6.    Consent is defined in Article 4(11) the General Data Protection
      Regulation 2016/679 ("GDPR")   as "any freely given, specific, informed

      and unambiguous indication of the data subject's wishes by which he

      or she, by a statement or by a clear affirmataction, signifies
      agreement to the processing of personal data relating to him or her".


7.    Article 7(4) of the GDPR provides:



       "When assessing whether consent is freely given, utmost account
       shall be taken of whether ... the performance of a contract, including

       the provision of a service, is conditional on consent to the processing
       of personal data that is not necessary for the performance of that

       contract."


8.    Recital 43 of the GDPR states:


       "Consent is presumed not to be freely given ... if the performance of a

       contract, including the provision of a service, is dependent on the
       consent despite such consent not being necessary for such

       performance."




                                    3                                                               •

                                                              ICO.
                                                               Information Commissioner's Office

9.    "Individual"is defined in Regulation 2(1) of PECRas "a living individual
      and includes an unincorporated body of such individuals".



10.   A "subscriber"is defined in Regulation 2(1) of PECRas "a person who
      is a party to a contract with a provider of public electronic

      communications  services for the supply of such services".


11.   "Electronic mail" is defined in Regulation 2(1) of PECRas "any text,

      voice, sound or image message sent over a public electronic
      communications  network which can be stored in the network or in the

      recipient's terminal equipment until it is collected by the recipient and
      includes messages sent using a short message service".



12.   Section SSA of the DPA (as amended by the Privacy and Electronic
      Communications  (EC Directive) (Amendment)  Regulations 2011 and

      the Privacy and Electronic Communications (Amendment)   Regulations
      2015) states:



      "(1) The Commissioner may serve a person with a monetary penalty
      if the Commissioner is satisfied that -



      (a) there has been a serious contraventioof the requirements of the
      Privacy and Electronic Communications (EC Directive) Regulations 2003

      by the person,


      (b) subsection (2) or (3) applies.


      (2) This subsection applies if the contraventwas deliberate.


      (3) This subsection applies if the person -



                                     4                                                             •

                                                            ICO.
                                                            Information Commissioner's Office

     (a) knew or ought to have known that there was a risk that the
     contravention would occur, but


     (b) failed to take reasonable steps to prevent the

     contravention."


13.  The Data Protection (Monetary Penalties) (Maximum Penalty and

      Notices) Regulations 2010 prescribe that the amount of any penalty
      determined by the Commissioner must not exceed £500,000.


14.  The Commissioner has issued statutory guidance under section 55C(l)

      of the DPA about the issuing of monetary penalties that has been

      published on her website.


15.   PECRimplemented   European legislation (Directive 2002/58/Eaimed
      at the protection of the individual's fundameright to privacy in the

      electronic communicationssector. PECRwere amended for the purpose

      of giving effect to Directive 2009/136/which amended and
      strengthenedthe 2002 provisions. For the purposes of this notice, as

      EU law applied at the time of the breaches of PECR,the Commissioner
      approaches PECRso as to give effect to the Directives.


     Background to the case



16.  AMEX is a financial services company which is well-known for providing
     a range of credit card services, including premium cards with annual

     fees.It is a wholly owned subsidiary of American Express Company, its
     US-based  parent company, and was incorporated on 16 July 1984.

     AMEX's registered office is at Belgrave House, 76 Buckingham Palace

     Road, London, SWl W 9AX. There are currently 9 active officers on
     Companies House, with 55 resigned officers. AMEX has been registered

                                   5                                                             •

                                                            ICO.
                                                            Information Commissioner's Office

     with the InformationCommissioner's Office ("ICO") since 19 June
     2006 (registrationnumber Z9506659).


17.  The unsolicited marketing in question first came to the Commissioner's

     attention after she received three complaints from AMEX customers in
     April and May 2019. Each individual had continued to receive

     marketing emails from AMEX despite opting-out from receiving them.


18.  The first and second complaints concerned emails containing
     promotions which linked to AMEX webpages containing offers available

     to AMEX customers. The third complaint related to an email
     encouraging the subscriber to download the AMEX app to view their

     loyalty points balance and explore the latest products and savings

     available to them.

19.  Two of these complainants had complained directly to AMEX before

     complaining to the Commissioner. They provided AMEX's response to
     their complaints (dated 26 March 2019 and 9 May 2019 respectively).

     AMEX stated that, though the subscribers were opted-out from

     receiving marketing emails, the emails had not been classified as
     "marketing emails" (defined by AMEX as emails "providing customers

     with informationin relation to extra products or services, or to renew
     contracts that are coming to an end"). Instead, AMEX classified the

     emails as "servicing" emails and dismissed the two complaints on this

     basis. In one of its responses, AMEX stated that, "we feel that Card
     Members would be  at a disadvantage if they were not aware of these

     campaigns and  promotional periods".

20.  The Commissioner sent an initial investigatiletter to AMEX on 3 June

     2019. This letter set out the relevant provisions of PECR,the

     Commissioner's powers, details of the complaints, and the


                                   6                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

      Commissioner's concerns. The letter requested that AMEX provide
      various piecesof information and evidence.


21.  AMEX requested an extension until the 4 July 2019. This was granted.


22.  Two  further complaints were made to the Commissioner in June and
     July 2019 by individuals who had opted-out of marketing emails. The

      first of these complaints concerned marketing emails received from
     AMEX between 22 February 2019 and 25 April 2019. As with previous

      complainants,the complainant had initially contacted AMEX and

      received a responsejustifyinthe emails on the basis they were
     "servicing"rather than "marketing" in nature. AMEX's response to the

      complaint stated that "we feel that Card Members would be at a

      disadvantage if they were not aware of these campaigns and
      promotional periods". The second complaint concerned marketing

      emails from AMEX between November 2018 and April 2019. Again, the
      complainant initially contacted AMEX. On 1 May 2019, they received a

      response which stated"the emails you are receiving are logged as

      benefits reinforcementrather than marketing materials.As discussed
      inour telephone call, all correspondence classed as marketing has been

      opted-out for your account".


23.  AMEX responded to the Commissioner on 5 July 2019. This letter

      stated, in summary:


           a. AMEX differentiatesitself in the marketplace by offering

              benefits and rewards;the fee level chosen dictating "the level
              of the type of included benefits and rewards". AMEX's

              research showed  that "benefits and rewards" were the key
              drivers in the selection of their products.




                                    7                                                              •

                                                             ICO.
                                                             Information Commissioner's Office

           b. Its customer terms and conditions provide that AMEX will
              contact customers with product features, benefits and

              rewards. The "servicing" emails in question were "required to
              be sent based on legal and contractual requirementsThese

              emails were "reinforcementmessages to ensure it is clear how
              such benefits work, to ensure Cardmembers to get value for

              money and avoid any disappointment  or detriment".Such

              "servicing" emails "do not promote cardmembers to buy
              additional products or services from Amex but outline[ ...] how

              to get the most of the rewards, such as -,      -or
              Membership Rewards". Each "servicing" email contained a

              footer stating that "You are being sent this service related

              email as it contains information about an integral benefit of
              your Card."


           c. In response to the Commissioner's letter, AMEX had instigated
              an independent internal review of its practices related to

              electronic communications.Whilst that review was ongoing, it

              had placed an "interim hold" on "servicing" emails sent to
              individuals who had opted-out of direct marketing emails.


24.  Attached to AMEX's response was 11 distinct terms and conditions
     contained in the credit agreementsfor the different cards that it

     provides ("Credit Agreements").   Under the heading "Contacting

     You", each of the Credit Agreements contain the following (emphasis
     added):


      "We may send you important messages and other communications

     (including alerts about certain activity on your account) about your
     account, card or card benefits in line with your preferences. This could

     be by email or SMS, on your statements or by posting them in the


                                    8                                                                •

                                                               ICO.
                                                               Information Commissioner's Office

      online account centre, for example, we may send you an alert to
      confirm that you've updated your contact information"



25.   AMEX provided its 'Cardmember Privacy Statement',  which is provided
      to UK personal cardmembers when they open an account with AMEX.

      Under the heading "Use of information",the policy states that (original
      emphasis in bold, added emphasis  underlined):



      "We use your Personal Information:    (i)where it is necessary for the
      performance of a contract or compliance with a legal obligation (e.g.,

      due diligence financial institutions are required to perform before
      approving card accounts); (ii) for our legitimate interests, such as to

      establish, exercise or defend legal claims, prevent fraud and/or

      enhance our products or services; or (iii) where we have obtained your
      consent, such as for marketing purposes. More specifically, we use

      your Personal Information   to do the following:


      •  deliver products and services, including to:


        •  administer and manage your account, such as whether to

           approve individual transactions;

        •  communicate with you through email, SMS or any other
           electronic methods about your accounts, products, and services

           and to update you about new features and benefits attached to
           the products or services that you requested;

        •  service and manage any benefits and insurance programmes

           provided along with the products or services that you requested;


      • advertise and market products and services for the American
        Express Group of Companies and our Business Partners,

         including to:

                                     9                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

        •  present content that is personalised in accordance with your
           preferences;


        •  communicate promotions and offers to you (by mail, e-mail,

           telephone, SMS, via the internet or using other electronic means)
           in relation to products and services that may interest you or

           which are similar to your existing American Express products and

           services; ..."


26.  AMEX provided the Commissioner with its procedures for the sending of
     advertisements, financial promotions or other communications.These

      included itsInternationalEmail Policy - United Kingdom", dated

     August 2018. The Commissioner notes the following elements of this
      policy in particular:


           a. Section 1 of the policy describes the PECRand how it applies

              to email marketing, and includes the statemen that "For non­

              marketing messages, no consent is required therefore
              American Express is not required to either obtain an opt-in or

              give the opportunityto opt-out of any other type of
              messages".


           b. Section 2 is titled "Marketing Emails - General" and states

              that "Marketing emails include, but are not limited to, email

              messages with the primary purpose of acquisition, cross­
              selling, includingmmunications  provided to promote an

              American Express Product or Service". Section 2 goes on to
              state that "American Express will generally need an

              individual's consent before we can sendarketing emails".




                                    10                                                             •

                                                            ICO.
                                                             Information Commissioner's Office
           c. Section 8 is titled "Servicing and Operational Emails". It

              employs the following definitions:


              "Operational Emails are defined as:
                      • Purely factualoperational communication with no

                      content promoting products or services to recipient
                      including information promoting services and/or

                      benefits associated with American Express product
                      held by recipient - e.g. account alerts


              Servicing Emails are defined as:

                      • Communication including information promoting

                      services and/or benefits associated with American
                      Express product held by recipient - e.g. benefit

                      awareness/  reinforcement


              Marketing Emails are defined as:
                      • Communication promoting products and services

                      not held by recipient"


           d. Section 8 goes on to state that "Without exception all

              Marketing and Servicing emailsust be reviewed by the UK
              Advertising Review Team".


           e. The policy does not, at any stage, repeat the definition of

              "direct marketingfrom section 122(5) of the DPA 2018.


27.  AMEX provided a PDF titled "Prospect Journey", which included a

     screenshot of the initial marketing preferences page presented to a
     customer when they open an account with AMEX online. The consent

     wording reads as follows:

                                   11                                                              •

                                                             ICO.
                                                             Information Commissioner's Office


     "Please tick this box to get the most out of your new American Express

     Card. We will keep you informed via email about promotions associated

     with your Card, such as Cardmember events, exclusive presales and
     offers. We will not share your email address with other companies to

     market their own products or services.The preference you make here
      will also apply to other American Express cards if they use the email

     address you have provided as part of this applicatioYou can update

     your preferences later if you wish."


28.  In the 5 July 2019 response, AMEX also provided details of its internal
     training procedures, including examples of training materials. The

     "Communications  and Financial Promotions Training" for the "UK

     Advertising Review Team" materials were the only materials provided
     by AMEX which appear (at internal page 24 of the document) to refer

     to obligations relating to direct marketiHowever, this reference is
     indirect and brief, and the material is largely focused on clear, fair and

     accurate marketing and compliance with requirements regulated by the

     Financial Conduct Authority and Advertising Standards Authority.


29.  AMEX provided a spreadsheet of all complaints received regarding

     unsolicited emails between 1 June2018 and 31 May 2019. AMEX stated
     that, during this period, it had received "22 complaints resulting from

     the approximately forty-fourmillion servicing communicationsent to
     our            cardmember base"; and that, in its view, a number of

     the complaints regarded the frequency, rather than content, of the

     emails. On the Commissioner's reading, most of these complaints
     appear to concern the receipt of marketing emails by customers who

     had opted-out from receiving such emails.




                                   12                                                                  •


                                                                 ICO.
                                                                 Information Commissioner's Office
30.   AMEX provided copies of all emails which it had classified as "servicing"

      emails, excluding those that were "sent in response to specific legal or
      regulatory requirements, such as fraud prevention or credit application

      assessment".


31.   In total, AMEX provided 352 emails which had been classified as

      "servicing", totalling 50,388,228 individual emails.

32.   Following review of these emails by the Commissioner, a total of 83

      distinct emails sent between 1 June 2018 and 31 May 2019 were

      identified as falling within scope of PECR.These emails can be grouped
                                                         2
      into 9 categories, which are now addressed in turn.

      -     newsletter



33.   The-      newsletter was sent to holders of AMEX-cards.           11
      distinct emails were sent to subscribers between June 2018 and May

      2019. The -     newsletter consists of promotions for exclusive events

      bookable through the AMEX Concierge service, some of which were
      complimentary,  but many of which were paid for. The footer of each of

      email stated: "All paid offers are subject to availabilibooked on a

      first come first served basis and must be booked using your American

      Express-          Card® through your-           Concierge service".


34.   In total, 297,410 of these emails were sent to subscribers who had

      opted-out from receiving direct marketing emails.


     -          offers emails3



2
3AMEX has indicated to the Commissioner that these emails concerned promotional offers
over and above the intrinsic rewards scheme which is part of thCard services it
offers customers.

                                      13                                                                 •


                                                                 ICO.
                                                                 Information Commissioner's Office
35.   A key benefit of many of the cards provided by AMEX is'-'·

      -         is obtained on purchases made via the customer's AMEX
      card, with a flat rate of-offered        on all purchases and special

      rates on specific promotions.AMEX sent 3 distinct emails to customers

      regarding -offers.         For example, one of the special promotions
      offered byAMEX was that, should a customer spend £500 in -

     _,       they would receive £50 -          These emails were titled

      "award-winning  offers just for you" and contained links to the offers
      page of the AMEX website, which would allow individuals to load an

      offer on to their card before making a purchase.


36.   Of the 5 complaints to the ICO referred to above, 4 concerned this

      category of email.


37.   In total, 907,656 of these emails were sent to subscribers who had

      opted-out from receiving direct marketing emails.


      'Come back to_,          emails4



38.   10 distinct emails titled '         to-,,        were sent to
      customers who had not used their                               card

      for a period of time. These emails were worded to encourage the

      customer to use their card in order to take advantage of the -
      feature and other AMEX offers and benefits. For example, one of these

      emails states:


      "Remember your American Express®

      Credit Card? It could still help you to earn-       on all your
      purchases and reconnect you with many more benefits.



4Ibid.

                                     14                                                                  •

                                                                 ICO.
                                                                 Information Commissioner's Office


      Have you discovered Amex Offers? You can sign up to save on
      shopping, dining and entertainment  offers from big brands, direct to

      your Card."


39.   In total, 36,214 of these emails were sent to subscribers who had

      opted-out from receiving direct marketing emails.

                     5
     ?   card emails


40.   AMEX operates a                       branded card, which allows
      customers to accumulate -          points upon use of the card. AMEX

      sent 6 distinct emails t?   Card customers. The content of these
      emails was aimed  at promoting the use of the card.


41.   4 emails were sent on the 12 April 2019, before the Easter bank

      holiday, and were titled "'going away this bank holiday? Don't forget
      your                         Card". For example, one of these emails

      stated the following in the body of the email:


      "Your                American Express®    Credit Card provides you with
      rewards and benefits which you can use both at home and on trips

      abroad.


      Discover below some of the great benefits your Card has to offer

      before, during and even after your trip.


      Remember, don't go abroad without it."



5For sake of completeness: the.caremails were sent by AMEX alone, without the
involvement of
                                      15                                                              •

                                                             ICO.
                                                             Information Commissioner's Office

42.  Two emails were sent with the internal AMEX description
     "Reactivation".They appear to have been sent to customers who were

      not using their cards. They were titled "Bring your next holiday closer
     with your everyday spending". The emails affirmed the benefits of

      using the-AMEX    card, stating:


      "Are you getting the most from your Card?


      Your               American Express®  Credit Card is your passport

      to a more rewarding world.


      From your daily coffee purchases, streaming services, or your annual

      season ticket - whenever you use your Card, you collect-·
      Redeem your collected-     for flights, hotels, or car hire, or even use

      your -for    part payment towards an unmissable experience."


43.  In total, 302,409 of the• card emails were sent to subscribers who

      had opted-out from receiving direct marketing emails.


     'Explore' emails


44.  AMEX conducted a campaign where it sent emails to customers
      regarding the use of their card in specific locations abroad (e.g. Paris).

      36 distinct emails of this kind were sent regarding different locations.

     As set out below, AMEX has confirmed that these emails were targeted
     to locations individuals had travelled to. These emails encouraged the

     customer to use the card overseas, rather than merely reminding them
     of the ability to use their card. The standard wording used was "Don't

     explore [location] without it. From [location] to [locatlive like a

      local when youvisit [location]The emails then went on to provide a
     city guide of locations where an AMEX card could be used.

                                    16                                                           •

                                                           ICO.
                                                           Information Commissioner's Office


45.  In total, 219,514 of these emails were sent to subscribers who had
     opted-out from receiving direct marketing emails.


     'Card iswelcome' emails



46.  Consumers  may be discouraged from using an AMEX card because of
     concerns that it will be less widely accepted than cards supplied by

     other providers. AMEX sent 4 distinct emails to customers regarding
     the availability of, and rewards and benefits of using, their card. These

     emails were worded in a way which encouraged the customer to make
     purchase on their card. For example, one of these emails stated:


     "From grabbing lunch to the weekly shop, your American Express®

     Card is welcomed at your favourite supermarkets.


     And what's even better, whenever you make purchases you can enjoy
     the rewards and protection that come with your Card, even when you

     buy online.


     So make sure you don't miss out on being rewarded at places like
     these: [5 well-known supermarkets]"



47.  In total, 330,361 of these emails were sent to subscribers who had
     opted-out from receiving direct marketing emails.


     'Save your card details'


48.  AMEX sent 7 distinct emails titled "save your new card details to every

     online account". These emails were designed to encourage individuals


                                  17                                                           •

                                                           ICO.
                                                           Information Commissioner's Office
     to make purchases on their cards, rather than merely reminding them

     to update details which may have expired. Each email stated:


     "Check out faster whenever you shop online at websites like

                              or-         by saving your new Card
     details today.on't miss out on earning Membership Rewards® points

     on every eligible purchase that you make.


     A more rewarding way to shop online


     Get points for every pound you spend, extra points on selected

     purchases and redeem for a wide range of shopping, travel and gift
     cards."


49.  In total, 10,751 of these emails were sent to subscribers who had

     opted-out from receiving direct marketing emails.


     AMEX app emails


50.  AMEX sent 14 distinct emails regarding the AMEX app. 11 of these

     emails provided the customer with information regarding administrative
     tasks which could be completed via the app. However, 3 of these

     emails encouraged customers to use or download the app to access
     information regarding rewards and offers. They also promoted the app

     with a view to encouraging customers to make purchases on their card.


51.  One of these 3 emails stated:


     "There's a lot on offer

     Your offers are loaded, ready to be redeemed.


                                  18                                                            •

                                                            ICO.
                                                            Information Commissioner's Office
     As a Cardmember, you have access to personalised offers wherever

     you are, all on the go with the Amex App - so you'll never miss a

     saving while you're out and about again.


     Visit the Offers tab discover savings near you."


52.  The remaining 2 emails both stated:


     "Rewarding your loyalty
      Watch your points increase everyday.



     Get up-to-date informationon your current rewards points balance,
     explore the latest products and savings available, and earn even more

     rewards by referring friends and family.


     So whether you are earning Membership Rewards® or_,      visit the
     Membership tab today to keep track of your rewards."


53.  In relation to these 3 emails, 1,296,123 in total were sent to

     subscribers who had opted-outfrom receiving direct marketinemails.


     'Shop Small' emails


54.  AMEX runs a promotion called "Shop Small". This is a promotional

     period available to AMEX cashback cardholders during which an
     improved rate of cashback (e.g. £5 cashback for every £10 pounds

     spent) is offered for purchases at certain "small" retailers.


55.  AMEX  sent a series of emails regarding "Shop Small":


           a. An initial email, informing the subscriber of the campaign;

                                   19                                                          •

                                                          ICO.
                                                          Information Commissioner's Office


           b. A notification of registration to the scheme;


          c. Three reminder emails about the scheme to those who had
             signed upto it; and


          d. A thank you email to subscribers for purchasing something

             through the scheme.


56.  The initial email stated:


     "Shop Small celebrates the small businesses that do big things in our
     local communitieswhile also rewarding Cardmembers for showing

     their support for where they live.


     The offer ... incentivises Cardmembers to support their local small
     businesses by shopping small frequently, giving them a £5 statement

     credit where they have saved the Offer to a qualifying American
     Express Card and use it to make a qualifying purchase for at least £10

     at participatismall businesses .


     ... Cardmembers can earn a maximum of £50 back in statement credits
     during this December's Shop Small.".


57.  In total, 698,403 of the initial emails were sent to subscribers who had

     opted-out from receiving direct marketing emails.








                                 20                                                          •

                                                         ICO.
                                                         Information Commissioner's Office
     Summary of direct marketing emails internally classified as "servicing"


58.  A summary of the direct marketing emails internally classified by AMEX
     as "servicingsent between 1 June 2018 and 31 May 2019 is provided

     inthe table below, sorted by subject matter.

      Subject        Distinct emails      Total sent  Total sent to
      matter         involving direct                 opt-out
                     marketing

                     11                   660,859     297,410
      -ewsletter
                     3                     1,872,260  907,656
      -ffers
      'Come,back to  10                   76,893      36,214


      •card          6                    633,520     302,409
      'Explore'      36                   375,955     219,514
      'Card is       4                    464,876     330,361
      welcome'

      'Save your     7                    22,965      10,751
      card details'
      AMEX app       3                    2,704,536   1,296,123
      'Shop Small'   1                    727,820
                                                      698,403
      Total          83                   7,539,684   4,098,841


59.  Following analysis of the emails provided by AMEX, the Commissioner
     sent a further request on 26 July 2019 requesting (a) volumes of

     receipts for the emails sent to customers who had opted-out of direct
     marketing emails in the period between 1 June 2018 and 31 May 2019
     (i.e. how many emails were successfully delivered), and (b) a

     screenshotof users' marketing preferences page.


60.  AMEX responded on 2 August 2019. It confirmed that it does not
     capture receipt informatiso was unable to comply with the first part

                                 21                                                             •

                                                            ICO.
                                                             Information Commissioner's Office

     of the Commissioner's request. However, it was able to provide a
     screenshot of the customer marketing preferences page. The consent

     wording reads as follows:


     "How may we contact you with promotions on getting the most out of
     your American Express Card, such as Cardmember events, exclusive

     presales and offers? We will not share your email address with other

     companies to market their own products or services:


     Email [yes/no] ..."


61.  Allthe above "servicing" emails were sent to subscribers who had

     either (a) decided not to opt-in to promotional email on the initial
     marketing preferences page (set out at paragraph 27 above) at the

     time of opening their account, or (b) afterwards checked "no" in the
     "email" box in the marketing preferences page set out in the paragraph

     immediately above.


62.  The Commissioner sent a further request for information to AMEX on

     20 August 2019 for clarifications on the information it had previously
     provided. AMEX responded on 9 September 2019. In summary, AMEX

     explained:

           a. The procedure via which communications are sent. Marketing,

              operational and producteams within AMEX work together to

              produce the content across all communication channels and
              classify emails they have drafted as either "marketorg"

              "servicing" messages. Only those classed as "marketinare
              scrubbed against the global marketing suppression list. All

              emails are then subject to a review and approval process from

              relevant stakeholders, including AMEX's compliance

                                   22                                                          •

                                                          ICO.
                                                          Information Commissioner's Office
             department. The emails are then sent by third party vendors

             with whom contracts are held.


           b. The proportion of customers opted-out from marketing
             communications.



             these customers had opted-ino receive marketing. 49.8%
             had either opted-out or not opted-in.


          c. The "Credit and Charge Card Agreements" for each type of
             card, which cardholders must sign before accessing AMEX

             services, were drafted by the in-house AMEX legal team, with
             advice from external counsel.


           d. The "come back to-"       emails were sent to­
                               card customers who had had no spend or

             balance for three consecutive months. AMEX said that the
             emails were sent as a "reinforcememessage to ensure

             these Cardmembers are getting the most from their product".

          e. The 'Explore ...' emails were "triggered upon the first physical

             transaction in the city that the email refers to". AMEX justified
             the sending of these emails on the basis that these messages

             constituted "servicing" communications which were intended

             to "raise awareness of card coverage", noting that "our
             customers will not purchase products from American Express

             unless they find value in doing so."

63.  An end of investigation letter was sent to AMEX on 10 October 2019.






                                 23                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

64.   In conclusion, the Commissioner is satisfied that, between 1 June 2018
      and 31 May 2019, AMEX transmitted  4,098,841 marketing emails to

      subscribers who had opted-out to receiving marketing emails.


65.  The Commissioner has made   the above findings of fact on the
      balance of probabilities.


66.  The Commissioner has considered  whether those facts constitute

      a contraventionof Regulation 22 of PECRby AMEX and, if so, whether

      the conditions of section SSA DPA are satisfied.


     The contravention


67.  The Commissioner finds that AMEX contravened Regulation 22 of PECR.


68.  The Commissioner finds that the contravention was as follows:



69.   Between 1 June 2018 and 31 May 2019 there were 4,098,841 direct
      marketing emails received by subscribers. The Commissioner is

      satisfiedhat these emails constituted "direct marketing" as defined by
      section122(5) of the DPA 2018 because each of the emails encouraged

      customers to use their AMEX credit cards to make purchases. One

      category of emails (the AMEX app emails) also encouraged customers
     to download and/or use the AMEX app.


70.  AMEX internally classified the emails in question as "servicrather
     than "marketing". However, the fact that the emails engaged in

      advertising and marketing can be seen from their content. None of the

      emails in question were neutrally worded and purely administratiin
      nature. Instead, each email sought to encourage the customer to make

      purchases on their AMEX card (and, in the case of the AMEX app


                                    24                                                        •

                                                        ICO.
                                                        Information Commissioner's Office
emails, also to make use of this product). In relation to specific

categories of emails:


      a. The -    newsletter emails encouraged customers to book
        tickets for exclusive events, many of which were paid for.


      b. The -        offers emails encouraged customers to make

        purchases on their cards which qualified for special -
        offers.


      c. The "come back to-'         emails encouraged customers to

        make purchases on their                             cards,
        where they had not used those cards for a period of time, by

        highlightingthe-feature         of the card, as well as other
        AMEX offers and benefits.


      d. The.   card emails encouraged customers to make purchases
        on their card by highlighting the rewards and benefits

        resulting from such purchases, including the benefits of

        accruing -     points. Two of these emails sought to
        encourage customers not using the card to start making

        purchases on it.

      e. The "explore ..." emails encouraged individuals to make

        purchases on their cards when travelling abroad (rather than
        merely reminding them of their ability to use the card), in

        particular by providing a city guide of locations where the card
        could be used.



      f. The "card is welcome" emails encouraged customers to make
        purchases on their cards, not only seeking to allay doubts

        about the availability of the card, but also by highlighting the

                              25                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

              benefits and rewards that would result from making such
              purchases.



           g. The "save your card details" emails encouraged customers to
              make purchases on their cards (rather than merely reminding

              them to update details which may have expired) by
              highlighting the rewards resulting from purchases.



           h. Of the 11 AMEX app emails, 3 prompted customers to
              download and/or use the app to access informationregarding

              their eligibility for rewards and offers, including personalised
              offers. Twoof these emails sought to encourage uptake of the

              app by promising rewards if customers referred family and

              friends.As well as promoting the app in its own right, these
              emails promoted the app with a view to encouraging

              customers to make purchases on their cards.


           i. The initialShop Small" emails encouraged customers to make
              purchases on their cards at select "small" retailers by

              communicating  the existence of-offers        on such
              purchases.



71.  In any event, AMEX's "InternationalEmail Policy - United Kingdom"
      indicates that "servicing" emails involve advertising and marketing

     content. The policy defines such emails as "Communicationincluding
      informationpromoting services and/or benefits associated with

     American Express product held by recipient" (emphasis added). This

      definition can be contrasted with the definition of "operatiemails:
     "Purely factual / operational communicationwith no content promoting

      products or services to recipient including informapromoting



                                    26                                                              •

                                                             ICO.
                                                             Information Commissioner's Office

      services and/or benefits associated with American Express product held
      byrecipient" (emphasis added).



72.   Furthermore, in letters responding to customer complaints, AMEX
      stated that "we feel that Card Members would be at a disadvantage if

     they were not aware of these campaigns and promotional periods".
     AMEX accepted here that "servicing" emails include advertising or

      marketing material.


73.  The Commissioner finds that AMEX transmitted or instigated the
     transmission of the direct marketing messages sent, contrary to

      Regulation 22 of PECR.


74.  AMEX, as the transmitter or instigator of the direct marketiis,
     required to ensure that it is acting in compliance with the requirements

     of Regulation 22 of PECR,and to ensure that valid consent to send
     those messages had been acquired.


75.  The  4,098,841 emails in question were sent to subscribers who had

     opted-out from receiving direct marketing communicationsby email.
     This is not disputed by AMEX.


76.  AMEX states that the emails in question were "required to be sent

      based on legal and contractualequirements" arising from its Credit
     Agreements with customers. The Commissioner has rejected this

      suggestion for the following reasons.


           a. The "legal and contractual requirementsreferred to by AMEX

              cannot override the statutory protection afforded by PECR
              Regulation 22 to explicit opt-out decisions made by

              customers.



                                   27                                                    •

                                                   ICO.
                                                   Information Commissioner's Office

b. The "legal and contractual requirements"referred to by AMEX
   are worded in a way which is sensitive to the customer's

   marketing preferences. In particular, the Credit Agreements

   statethat AMEX "may send you important messages and
   other communications  ... about your account, card or card

   benefitsin line with your preferences" (emphasis added).
   Further, AMEX's privacystatement provides that "We use your

   Personal Information ... (iii) where we have obtained your

   consent, such as for marketing purposes" (emphasis added).


c. Considered alone, the "legal and contractual requirements"
   referred to by AMEX do not satisfy the requirement for valid

   consent. In particular:


      i. Consent to receive direct marketing emails is not "freely
         given" where it is a condition of receiving AMEX's

         servicesin circumstances where such consent is not

         necessary for contractual performance by AMEX.


     ii. Nor is consent"freely given" where customers are
         unable to withdraw it in the future. The ability of

         individuals to withdraw consent is explicitly recognised

         at Regulation 22(2) of PECR,which refers to a person
        "consent[ing] for the time being" (emphasis added).


     iii. Consent isot "informed" where the "legal and

         contractualrequirements" relied on by AMEX are not set

         out prominentlyand separated from other terms and
         conditions, but are contained within overall terms and

         conditions.



                         28                                                        •

                                                       ICO.
                                                       Information Commissioner's Office
77.  The Commissioner is therefore satisfied from the evidence she has
     seen that AMEX did not have the necessary valid consent for the
     4,098,841 direct marketing messages received by subscribers.


78.  AMEX has stated that customers would be "at a disadvantage if they
     were not aware of the campaigns and promotional periods". There is no

     exemption under PECRRegulation 22 which allows organisations to
     send marketing emails they consider advantageous for subscribers
     where they have not received prior consent to do so. If there were,

     such an exemption would likely be relied on by all persons in breach of
     the PECRdirect marketing rules.


79.  The Commissioner has gone ono consider whether the conditions
     under section SSA DPA (as extended and modified by PECR)are met.



     Seriousness of the contravention


80.  The Commissioner is satisfied that the contraidentified
     above was serious. This is because, between a 12-month period from 1

     June 2018 to 31 May 2019, a confirmed total of 4,098,841 direct
     marketing messages were sent by, or at the instigation of, of AMEX.

     These messages contained direct marketing material for which
     subscribers hadot provided adequate consent.


81.  The Commissioner isherefore satisfied that condition (a) from
     section SSA(l) DPA (as extended and modified by PECR) is met.•


     -
     Deliberateor negligent contraventions




                                29                                                                •

                                                               ICO.
                                                               Information Commissioner's Office

82.   The Commissioner does not consider that AMEX deliberately set out to
      contravene PECRin this instance.



83.   The Commissioner has gone on to consider whether the contravention
      identified above was negligent. This consideration comprises two

      elements:


84.   First, she has considered whether AMEX knew or ought reasonably to

      have known that there was a risk that these contraventionswould
      occur. She is satisfied that this condition is met for the following

      reasons:

           a. During the period in question, AMEX sent a large number of

              direct marketing emails internally classified as "servicing"

              (7,539,684  in total)Itis clear that direct marketing
              constitutes an important part of AMEX's business. More

              generally, AMEX is one part of a large multinationacompany

              and provides services for a large number of customers
                                                                 Itshould

              therefore have sought to ensure its marketing operations
              complied  with the relevant statutory regime.



            b. AMEX had internal procedures to ensure that marketing
              communications   were sent in accordance with PECR.In

              particular, its "InternationEmail Policy - United Kingdom"
              explicitly referred to PECRand attempted to provide an

              overview of the requirements  imposed by it. AMEX also

              provided internal training for its employees on legal and
              regulatory requirements governing the sending of marketing

              communications.



                                     30                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

           c. Both AMEX's definition of "servicing" emails, and its letters
              responding to customers complaints, indicate AMEX was

              aware that such emails contained advertising and marketing

              content.

           d. During the period of the contraventio(1 June 2018 and 31

              May 2019), AMEX received 22 complaints regarding its
              "servicing" communications.



           e. AMEX has been registered with the ICO since 19 June 2006.
              The Commissioner has published detailed guidance for those

              carrying out direct marketing explaining their legal obligations
              under PECR. This guidance gives clear advice regarding the

              requirements of consent for direct marketing and explains the

              circumstances under which organisations are able to carry out
              marketing over the phone, by text, by email, by post, or by

              fax.In particular it states that organisations can generally

              only send, or instigate, marketing emails to individuals if that
              person has specifically consented to receiving them; and

              highlights the difficulties of relying on indirect consent for
              email marketing. In case organisations remain unclear on

              their obligations, the ICO operates a telephone helpline. ICO

              communications  about previous enforcement action where
              businesses have not complied with PECRare also readily

              available.


85.   It is therefore reasonable to suppose that AMEX should have been
      aware of its responsibilitin this area.


86.   Secondly, the Commissioner has gone on to consider whether AMEX
      failed to take reasonable steps to prevent the contraventioAgain,

      she is satisfiedat this condition is met.

                                    31                                                             •

                                                            ICO.
                                                             Information Commissioner's Office

87.  Reasonable steps in these circumstances may, in particular, have

     included a combination of the following:


           a. Ensuring that its internal procedures were compliant with
              PECR.In particular, AMEX could have ensured that its

              "InternationaEmail Policy - United Kingdom" contained
              consideration of how "direct marketing" is defined for the

              purposes of PECRand how this applied to emails AMEX had
              internally classified at "servicing".



           b. Consulting ICO guidance and/or the ICO telephone helpline to
              ensure its marketing policy was compliant with PECR.


           c. Meaningfully reviewing its approach to marketing following the
              receipt of 22 complaints regarding internally classified

              "servicing" emails.

88.  In the circumstances, the Commissioner is satisfied that AMEX failed to

     take reasonable steps to prevent the contraventions.


89.  The Commissioner is therefore satisfied that condition (b) from section

     SSA(l) DPA (as extended and modified by PECR) is met.



     The Commissioner's   decision to issue a monetary   penalty


90.  The Commissioner has taken into account the following
     aggravating  features  of this case:



           •  As set out above, the breach was negligent.



                                   32                                                               •


                                                              ICO.
                                                               Information Commissioner's Office
           •  There has been deliberate action for financial or personal gain.
              The  emails  in question  were   all designed  to encourage

              customers  to make purchases on their cards, which would

              benefit AMEX financially.


           •  Advice  or guidance  has been ignored   or not acted upon.

              Guidance on Direct Marketing and  in particular, the sending of
              marketing  emails is available on the ICO website. The ICO

              Helpline is also availablefor organisationswho may require

              clarity in their practices.


           •  AMEX failed to review its marketing model in light of complaints
              raised by various individuals.



91.   The Commissioner has also taken into account the following mitigating
      factors:

              •  When  the Commissioner began her investigation, AMEX

                 commenced its own independent internal review and
                 stopped marketing to customers who had opt-out of

                 receiving direct marketing communications by email. AMEX

                 has notified the Commissioner that the independent
                 internal review concluded in December 2019 and that

                 AMEX has made several changes to its processes and
                 procedures to ensure compliance with PECR.AMEX has also

                 confirmed to the Commissioner that it will continue to

                 assess the changes made as a result of the internal review
                 to ensure ongoing compliance.



92.   Forthe reasons explained above, the Commissioner is satisfied that the
      conditions from section SSA(l) DPA have been met in this case. She is



                                    33                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

      also satisfied that the procedural rights under section 55B have been
      complied with.


93.  The latter has included the issuing of a Notice of Intent (dated 18

      February 2021), in which the Commissioner set out her preliminary
      thinking.



94.   In reaching her final view, the Commissioner considered
      representationsreceived by AMEX on 17 March 2021.


95.   Within those representationsAMEX did not seek to challenge the

      Commissioner's intention to impose a monetary penalty of £90,000. As

      AMEX did not advance any new factors in its representationthe
      Commissioner did not alter her position as set out in the Notice of

      Intent.


96.  The Commissioner is accordingly entitled to issue a monetary penalty

      in this case.


97.  The Commissioner has considered whether, in the circumstances, she
      should exercise her discretion so as to issue a monetary penalty.


98.  The Commissioner has endeavoured to consider the likely impact of a

      monetary penalty on AMEX. In the Notice of Intent, the Commissioner

      set out her preliminary conclusion that AMEX has access to sufficient
      financial resourceso pay the proposed monetary penalty without

      causing undue financial hardship; and that this preliminary conclusion
      was unaltered bythe effects of the current Covid-19 pandemic. AMEX

      has not provided any informationin response to the Notice of Intent

      which has caused the Commissioner to alter her position.


                                    34                                                             •

                                                             ICO.
                                                             Information Commissioner's Office

99.   The Commissioner's underlying objective in imposing a monetary
      penalty notice is to promote compliance with PECR.The sending of

      unsolicited marketing emails is a matter of significant public concern. A

      monetary penalty in this case should act as a general encouragement
      towards compliance with the law, or at least as a deterrent against

      non-compliance, on the part of all persons running businesses currently
      engaging in these practices. The issuing of a monetary penalty will

      reinforcehe need for businesses to ensure that they are only

      messaging those who specifically consent to receive marketing.

100.  Overall, the Commissioner considers that a monetary penalty is a

      proportionateand appropriate response to the finding of a serious
      contraventionby AMEX.



      The amount of the penalty


101. Taking into account all of the above, the Commissioner has decided

      that a penalty in the sum of £90,00(Ninety  thousand  pounds) is
      reasonable andproportionate given the particular facts of the case and

      the underlying objective in imposing the penalty.


      Conclusion


102. The monetary   penalty must be paid to the Commissioner's  office by

      BACS transfer or cheque by 17 June 2021 at the latest. The monetary
      penalty is not kept by the Commissioner   but will be paid into the

      Consolidated Fund which is the Government'sgeneral bank account at

      the Bank of England.


103. If the Commissioner receives full payment of the monetary penalty by
      16 June 2021 the Commissioner will reduce the monetary penalty by


                                   35                                                             •

                                                            ICO.
                                                            Information Commissioner's Office
     20% to £72,000   (Seventy-two   thousand  pounds).  However, AMEX

     should be aware that the early payment discount is not available if it

     decides to exercise its right of appeal.

104. There is aright of appeal to the First-tier Tribunal (InforRights)

      against:


      a)   the imposition of the monetary penalty
           and/or;


      b)   the amount of the penalty specified in the monetary penalty

           notice.

105. Any notice of appeal should be received by the Tribunal within 28 days

     of the date of this monetary penalty notice.


106. Information about appeals is set out in Annex 1.


107. The Commissioner will not take action to enforce a monetary penalty
     unless:

           • the period specified within the notice within which a monetary

             penalty must be paid has expired and all or any of the

             monetary penalty has not been paid;


           • all relevant appeals against the monetary penalty notice and
             any variation of it have either been decided or withdraand


          •  the period for appealing against the monetary penalty and any
             variation of it has expired.


108. In England, Wales and Northern Ireland, the monetary penalty is

     recoverable by Order of the County Court or the High Court. In

                                   36                                                       •

                                                       ICO.
                                                       Information Commissioner's Office
     Scotland, the monetary penalty can be enforced in the same manner
     as an extract registered decree arbitral bearing a warrant for execution

     issued bythe sheriff court of any sheriffdom in Scotland.



Dated the 17hday of May 2021


Andy Curry
Head of Investigations
InformatioCommissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 SAF




























                                37                                                            •


                                                            ICO.
                                                            Information Commissioner's Office
ANNEX 1


SECTION   55 A-E OF THE DATA PROTECTION      ACT 1998


RIGHTS   OF APPEAL AGAINST    DECISIONS    OF THE COMMISSIONER


 1.  Section 48 of the Data Protection Act 1998 gives any person upon
 whom a monetary penalty notice or variation notice has been served a right

 of appeal to the First-tier Tribunal (InformRights) (the 'Tribunal')
 against the notice.

 2.  If you decide to appeal and if the Tribunal considers:-


 a)  that the notice against which the appeal is brought is not in accordance
 with the law; or


 b)  to the extent that the notice involved an exercise of discretion by the
 Commissioner, that she ought to have exercised her discretion differently,

 the Tribunal will allow the appeal or substitute such other decision as could

 have been made by the Commissioner. In any other case the Tribunal will
 dismissthe appeal.

 3.  You may bring an appeal by serving a notice of appeal on the Tribunal

 at the following address:


            GRC & GRPTribunals

            PO Box 9300
            Arnhem House
            31 Waterloo Way
            Leicester

            LEl 8DJ

 a)  The notice of appeal should be sent so it is received by the Tribunal
 within 28 days of the date of the notice.


 b)  If your notice of appeal is late the Tribunal will not admit it unless the
 Tribunal has extended the time for complying with this rule.

                                   38                                                                •

                                                               ICO.
                                                               Information Commissioner's Office


4.   The notice of appeal should state:-

a)   your name and address/name and address of your representative    (if

any);

b)    an address where documents may be sent or delivered to you;


c)    the name and address of the Information  Commissioner;

     d)    detailsof the decision to which the proceedings relate;


     e)    the result that you are seeking;

     f)    the grounds on which you rely;

g)   you must provide with the notice of appeal a copy of the monetary

penalty notice or variation notice;

h)   if you have exceeded the time limit mentioned above the notice of
appeal must include a request for an extension of time and the reason why

the notice of appeal was not provided in time.

5.   Before deciding whether or not to appeal you may wish to consult your
solicitor or another adviser. At the hearing of an appeal a party may conduct

his case himself or may be represented by any person whom he may
appoint for that purpose.

6.   The statutory provisions concerning appeals to the First-tier Tribunal

(Information Rights) are contained in sections 48 and 49 of, and Schedule 6
to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal)
(General Regulatory Chamber) Rules 2009 (Statutory   Instrument  2009 No.
1976 (L.20)).










                                    3