ICO (UK) - Brazier Consulting Services Ltd
From GDPRhub
| ICO (UK) - Brazier Consulting Services Ltd | |
|---|---|
 | |
| Authority: | ICO (UK) |
| Jurisdiction: | United Kingdom |
| Relevant Law: | Article 4(11) GDPR Regulations 21 of PECR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 25.06.2021 |
| Published: | 01.08.2021 |
| Fine: | 200000 GBP |
| Parties: | n/a |
| National Case Number/Name: | Brazier Consulting Services Ltd |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | Information Commissioner's Office (in EN) |
| Initial Contributor: | n/a |
The ICO fined a claims management service approximately €235,000 for making more than 11 million unsolicited direct marketing calls over a six month period.
English Summary
Facts
The UK DPA (the Information Commissioner's Office, 'ICO') initiated an investigation into Brazier Consulting Services ('BCS') following a significant number of complaints from individuals in relation to marketing calls about claims management and insurance services.
Holding
The ICO found that BCS violated Regulation 21A of the Privacy and Electronic Communications Regulations, implementing the e-Privacy Directive in the UK, which requires organisations to obtain consent from individuals in order to make calls related to claims management services.
Between 1 February 2019 and 31 July 2019, BCS used a public electronic communications service for the purpose of making 11,489,873 unsolicited calls for direct marketing purposes to individuals in relation to claims management services. These calls were made to who had not given their prior consent to BCS to receive such calls.
The ICO issued a fine of £200,000 for this violation.
The ICO considered that the conditions for the imposition of a monetary penalty section 55A of the UK Data Protection Act are met, namely: the convention was sufficiently serious (since there were because multiple breaches over a six month period) as well as negligent (since BCS knew or ought reasonably to have known that there was a risk that these contraventions would occur)
With regards to the amount of the fine, the ICO stated that the fact that BCS did not fully cooperate during the investigation, and was not completely open and transparent regarding information provided, was an aggravating feature. It did not identify any mitigating features.
The ICO also issued BCS with an Enforcement Notice compelling them to stop their illegal marketing activity and informing them that failure to do is a criminal offence.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
•
ICO.
Information Commissioner's Office
DATA PROTECTION ACT 1998
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER
MONETARY PENAL TY NOTICE
To: Brazier Consulting Services Ltd Limited
Of: 7 Victoria Court, Bank Square, Leeds, West Yorkshire, LS27 9SE
1. The Information Commissioner ("Commissioner") has decided to issue
Brazier Consulting Services Limited ("BCS") with a monetary penalty
under section SSA of the Data Protection Act 1998 ("DPA"). The penalty
is being issued because of serious contraventiof regulation 21A of
the Privacy and Electronic Communication(EC Directive) Regulations
2003 ("PECR").
2. This notice explains the Commissioner's decision.
Legal framework
3. BCS, whose registered office is given above (Companies House
RegistrationNumber: 10531983) is the organisation stated in this
notice to have used a public electronic communicatiservice for the
purpose of making unsolicited calls for the purposes of direct marketing
in relation to claims managemenservices contrary to regulation 21A of
PECR.
4. Regulation 21A paragraph (1) of PECRprovides that:
1 •
ICO.
Information Commissioner's Office
"(l) A person must not use, or instigate the use of, a public electronic
communications service to make unsolicited calls for the
purposes of direct marketing in relation to claims management
services except in the circumstances referred to in paragraph
(2)."
5. Regulation 21A paragraphs (2), and (3) provide that:
"(2) Those circumstances are where the called line is that of a
subscriber who has previously notified the caller that for the time
being the subscriber consents to such calls being made by, or at
the instigation of, the caller on that line
(3) A subscriber must not permit the subscriber's line to be used in
contravention of paragraph (l)."
6. Regulation 21A paragraphs (4), and (5) materially state that:
"( 4) In this regulation "claims management services" means the
following services in relation to the making of a claim-
(a) advice;
(b) financial services or assistance;
(c) acting on behalf of, or representing,a person;
(d) the referral or introductionof one person to another;
(e) the making of inquiries.
(5) In paragraph (4), "claim" means a claim for compensation,
restitution,repayment or any other remedy or relief in respect of
loss or damage or in respect of an obligation, whether the claim is
made or could be made-
2 •
ICO.
Information Commissioner's Office
(a) by way of legal proceedings,
(b) in accordance with a scheme of regulation (whether
voluntary or compulsory), or
(c) in pursuance of a voluntary undertaking.
7. Prior to 29 March 2019, the European Directive 95/46/EC defined
'consent' as "any freely given specific and informed indication of his
wishes by which the data subject signifies his agreement to personal
data relatingto him being processed".
8. Consent in PECRis now defined, from 29 March 2019, by reference to
the concept of consent in Regulation 2016/679 ("the GDPR"):
regulation 8(2) of the Data Protection, Privacy and Electronic
Communications (Amendments etc) (EU Exit) Regulations 2019. Article
4( 11) of the GDPR sets out the following definitio"'consent' of the
data subject means any freely given, specific, informed and
unambiguous indication of the data subject's wishes by which he or
she, by a statement or by a clear affirmativaction, signifies
agreement to the processing of personal data relating to him or her".
9. A "subscriber"is defined in regulation 2(1) of PECRas "a person who is
a party to a contract with a provider of public electronic
communications services for the supply of such services".
10. Section 122(5) of the DPA 2018 defines "direct marketing" as "the
communication (by whatever means) of any advertising material which
is directedo particular individuals". This definition also applies for the
purposes of PECR.
11. Under section SSA (1) of the DPA (as amended by the Privacy and
Electronic Communications (EC Directive) (Amendment) Regulations
3 •
ICO.
Information Commissioner's Office
2011 and the Privacy and Electronic Communications (EC Directive)
(Amendment) Regulations 2015) the Commissioner may serve a
person with a monetary penalty notice if the Commissioner is satisfied
that -
"(a) there has been a serious contraventionof the requirementsof the
Privacy and Electronic Communications (EC Directive) Regulations
2003 by the person, and
(b) subsection (2) or (3) applies.
(2) This subsection applies if the contraventiwas deliberate.
(3) This subsection applies if the person -
(a) knew or ought to have known that there was a risk that
the contravention would occur, but
(b) failed to take reasonable steps to prevent the
contravention."
12. The Commissioner has issued statutory guidance under section SSC (1)
of the DPA about the issuing of monetary penalties that has been
published on the ICO's website. The Data Protection (Monetary
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe
that the amount of any penalty determined by the Commissioner must
not exceed £500,000.
13. PECRimplements Directive 2002/58/EC, and Directive 2009/136/EC
which amended the earlier Directive. Both the Directive and PECRare
"designed to protect the privacy of electronic communicationusers":
4 •
ICO.
Information Commissioner's Office
Leave.EU & Eldon Insurance Services v InformatioCommissioner
[2021] UKUT 26 (AAC) at paragraph 26. The Commissioner seeks to
interpret and apply PECRin a manner consistent with the purpose of
the Directive and PECRof ensuring a high level of protection of the
privacy of individuals, and in particular the protections provided from
receiving unsolicited direct marketing communicatiwhich the
individual has not consented to receive.
14. The provisions of the DPA remain in force for the purposes of PECR
notwithstandingthe introductioof the Data Protection Act 2018 (see
paragraph 58(1) of Part 9, Schedule 20 of that Act).
Background to the case
15. BCS first came to the attention of the Commissioner in July 2019
following the receipt of a significant number of complaints from
subscribers about marketing calls regarding claims management
services and/or insurance. The majority of complainants were able to
identify that the calls were made by BCS, or a variant of the name.
16. Between 2 May 2018 and 26 July 2019, the ICO received 414
complaints about unsolicited direct marketing calls made by BCS. In
addition, between 5 June 2018 and 20 May 2019 a further 26
complaints were received by the Telephone Preference Service ("TPS").
17. The Commissioner, through enquiries with the relevant
Communications Service Provider ("CSP"), was able to establish that
the CLI's identified within the complaints were allocated to BCS.
18. The Commissioner sent an initial investigatiletter to BCS on 1
August 2019, setting out her concerns with the organisation's
5 •
ICO.
Information Commissioner's Office
compliance with PECR,attaching details of all the complaints, and
requesting information about its business and marketing activities
which would assist in her investigation.
19. Responses to the Commissioner were provided by a company whom
BCS explained were its compliance officers. The first substantive
response, dated 25 August 2019, stated that BCS had been "locked
out" of their old servers due to a dispute with their former dialler
provider, and that it had changed its dialler system in June 2019. BCS
stated that calls are screened through their dialler, meaning that calls
should not have been made to any number on the TPS register.
20. A further response on 19 September 2019 explained that BCS obtained
leads though a data broker -
(''-") - using the website www.
was supplied with 1,000 opt-ins per 100,000 records, including date,
time stamp, IP address and opt-in statement. In relation to call
volume, due to previously identified issues with the call dialler, BCS
said it was unable to provide any information apart from the period 31
May to 31 July 2019, when it provided the number of attempted calls.
BCS also provided copies of its training assessments and manual,
which indicated that the calls made by BCS were in relation to PPL No
explanation or comments were provided in relation to the specific
complaints and no evidence of consent supplied.
21. At this stage it is noteworthy that during representations to the
Commissioner's Notice of Intent, BCS advised that it had also sourced
data from two additional brokers of which the Commissioner was
previously unaware. BCS was unable to identify the website used by
one of the brokers from which consent was acquired and accordingly no
evidence of consent was provided. For the avoidance of doubt, the
6 •
ICO.
Information Commissioner's Office
focus of Commissioner's investigationand subsequently this Notice, is
upon unsolicited marketing calls made to data sourced from
-/ . BCS informed the Commissioner in
representations that it sourced data from - from end January
2019 to 29 August 2019.
22. Open source research was conducted by the Commissioner on the
website
23. The website includes a consentstatement, which states:
"I would like to have offers from xxx and its partners including xxx,
xxx, xxx, Brazier Consulting Services Ltd. (authorised and regulated by
the Financial Conduct Authority in respect of regulated claims
management activity FRN:829743) (...)".
BCS also appear in the site's privacy policy and partners list, however
the latter is extensive, with 435 named companies listed in alphabetical
order. This means that individuals would not easily be able to view all
companies within a specific sector and would be required to research
the entirety of the list in order to establish the nature of each
company. Individuals are unable to select which sectors or individual
companies they wish to provide consent to, therefore, users would be
consenting to receive correspondence from all 435 partners.
Furthermore, use of the site appeared to be conditional on agreeing to
at least one form of marketing.
24. It was apparent that the means by which consent was obtained did not
allow for it to be freely given, specific, or informed. Further, the
Commissioner considered that individuals could not reasonably expect
7 •
ICO.
Information Commissioner's Office
to receive PPI marketing calls within the context of a general offer
website.
25. A further response from BCS dated 20 December 2019 to additional
enquiries from the Commissioner explained that it had not conducted
any marketing activity since 29 August 2019 when the PPI calling ban
came into effect. Evidence of "consent" for 25 complaints was provided
together with an indication of connected call volumes for June and July
2019.
26. On 4 February 2020, BCS provided a limited response to the
spreadsheet of all the complaints previously provided by the
Commissioner. BCS confirmed that all of the calls it made during the
campaign were marketing calls for the purpose of PPL BCS confirmed
that some of the complaints were in relation to calls made by BCS, but
due to previously identified issues with their previous dialler provider,
they were unable to check any records prior to 1 June 2019.
27. Accordingly, on 20 February 2020, the Commissioner issued a 3PIN to
the previous dialler provider for call volumes, for the period 1 January
2019 - 31 July 2019. The call dialler responded on 2 March 2020 and
confirmed that whilst it could not provide the volume of attempted
calls, it was able to provide details of connected calls per month, which
totalled 22,762,863 over the entire period (including June and July
2019). The call dialler later clarified that the figure for connected calls
included voicemailsas it was unable to differentiabetween calls
which were answered and those which went to voicemail.
28. BCS had previously informed the Commissioner that it did not use its
previous dialler provider in June and July 2019, which was inconsistent
with evidence provided from the call dialler itself, and so the
8 •
ICO.
Information Commissioner's Office
Commissioner asked BCS to clarify the call volumes for June and July
2019, to which BCS responded on 20 March 2020. The response
however was inconsistent with both those previously provided by BCS,
and the dialler provider, and BCS has not provided any further
convincing evidence to support its position.
29. On 30 March 2020 the Commissioner wrote to BCS requesting evidence
of due diligence in relation to data supplied by its third party data
provider, details of the personal data purchased, call volume data from
its current dialler, and enquiring whether BCS were still trading. As this
information was not forthcoming,the Commissioner issued an
Information Notice on BCS to which a response was received on 26
August 2020. BCS provided details of the data it purchased, explaining
"as discussed and evidenced previously, we received opt-ins for the
data on selected clients, which included IP address, statemDate
and Time stamp". BCS also confirmed it was no longer marketing PPI
claims albeit still operational as a business. BCS failed to provide any
evidence of call volumes from its current dialler provider nor when it
ceased using the services of their previous dialler provider.
30. In the period 1 February 2019 - 31 July 2019, during which time BCS
sourced data from - , a total of 319
complaints were received by the ICO and a further 9 by the TPS.
Despite detailed representationto the Notice of Intent in relation to
complaints, save for any adjustment to account for duplicates, the
Commissioner remains satisfied that the complaints relied upon relate
to calls made by BCS. Deducting 12 complaints as probable duplicates,
this amounts to a total of 316 complaints in relation to unsolicited
direct marketing calls made by BCS.
9 •
ICO.
Information Commissioner's Office
31. Complaints received by the Commissioner relating to Clls allocated to
BCS include:
• "PPI claims company - I toldthem clearly I was not interested and
asked where they got my data from. Refused to tell me and said it
was obtained legally and they were FCAauthorised and GDPR
compliant. I asked to not be contacted again and remove me from
their listing but then got another call 24/07/19."
• "It was an aggressive, intimidatincall aimed at making a PPI claim.
This was another of a long list of calls. I told them repeatedly that I
have never had PPI and did not wish to claim. Alter several calls
they said that they would send out documents that would allow
them to check for PPI . I said that they were wasting their time but
if they wished to send out the documents that was up to them. I did
not complete or return any of the documents. They are now telling
me that because the documents have been sent out , it is effectively
a contract and they suggested that I would face a charge if I
cancelled. I asked " how can I cancel something I have not asked
for". The advisor ( xxx ) was aggressive in manner and I felt quite
threatened by his attitude. I am now worried that they intend to
charge me for a service that I do not want , have never contacted
them regarding PPI , and I have not signed any documents to the
contrary. All I want is for them to stop these aggressive phone
calls." [sic]
• "I was asked if I had made any PPI claims. I then asked for the
caller to remove my number from the system. She then said that
she was not allowed to remove numbers from the system, and that
I would have to do it myself. I asked her if she was aware of the
GDPR regulations and she said, "Of course, but are you on the
GDPR?'"'
10 •
ICO.
Information Commissioner's Office
• "I have been called by Brazier Consulting many times (though they
generally say they are BCS Consulting which is a different firm).
Every time I have told this firm to remove me from the data base. I
have not consented to be called by this firm. Today I was told by
the agent that she could not remove me from the data base. I
would have to be placed on hold and speak to a manager. I was
placed on hold. The manager said I could not be removed from the
data base until I had been told about the urgency of PPL"
• "I asked where they got my number and was told that all numbers
are opt-in by default when issued by network providers".
32. It is notable that the complaints made to the Commissioner indicate
that not only did BCS make initial calls in breach of PECR,but also
continued to call individuals who had specifically asked not to be
contacted. Comments made by complainants suggest that BCS
employees refused to comply with requests made by individuals to
either remove their number from the database, or confirm where they
had obtained their details, and it is apparent that there was a lack of
knowledge in respect of PECR,GDPR and marketing in general.
Comments also indicate that these calls caused great distress to some
individuals.
33. In representations to the Commissioner's Notice of Intent, BCS
informed the Commissioner in relation to call volumes that calls made
during the contraventionperiod were not solely for the purpose of PPI
marketing; as a handler of PPI claims, BCS also made a significant
number of service calls. BCS did not advise whether any of the Clls
were dedicated to service calls as opposed to marketing, nor was it
11 •
ICO.
Information Commissioner's Office
able to provide any evidence as to the breakdown of calls made for
marketing purposes.
34. BCS' own estimate isthat 53.6% of calls made were for marketing
purposes, based upon call data provided by its current dialler provider
post 29 August 2019 - the deadline for bringing new PPI claims. The
Commissioner accepts that BCS would have made some service calls,
but considers that this estimate is unlikely to reflect the true volume of
marketing versus service calls. This is because the estimate is based on
service call volumes made after the PPI deadline, and when the focus
of the business would necessarily have switched entirely to servicing
existingPPI claims; prior to 29 August 2021 the Commissioner finds it
reasonable to suppose that the business would have focussed heavily
on acquiring new claims via marketing before the PPI deadline.
Notwithstanding the above, in the absence of any evidence from BCS
to support the exact volume of marketing calls, the Commissioner has
adopted the estimate provided by BCS for the purpose of this Notice.
35. On the basis of evidence provided by BCS' previous call dialler, the
Commissioner is satisfied that 21,436,331 connected calls were made
by BCS between 1 February 2019 and 31 July 2019. Of these, the
Commissioner finds that 11,489,873 were made for the purposes of
marketing 'claims management services' as defined at Regulation
21A(4) PECR.Those calls led to a total of 316 complaints to the
Commissioner and the TPS. BCS has been unable to evidence sufficient
consent to call any of the complainants. The consent relied upon by
BCS is insufficient for the purposes of regulation 21A of PECR.
36. The Commissioner has made the above findings of fact on the
balance of probabilities.
12 •
ICO.
Information Commissioner's Office
37. The Commissioner has considered whether those facts constitute a
contraventionof regulation 21A of PECRby BCS and, if so, whether the
conditions of section SSA DPA are satisfied.
The contravention
38. The Commissioner finds that BCS contravened regulation 21A of PECR.
39. The Commissioner finds that the contraventionis as follows:
40. Regulation 21A was brought into force on 8 September 2018 and
requires that persons/organisatiohold consent from subscribers in
order to make calls relating to claims management services.
41. Between 1 February 2019 and 31 July 2019, BCS used a public
electronicommunications service for the purpose of making
11,489,873 unsolicited calls for direct marketing purposes to
subscribers in relation to claims management services. This resulted in
316 complaintsbeing made to the TPS and the Commissioner.
42. The Commissioner is satisfied for the purposes of regulation 21A that
these calls were made to subscribers who had not given their prior
consent to BCS to receive such calls.
43. The Commissioner is satisfied that BCS was responsible for these
contraventions.
44. The Commissioner has gone on to consider whether the conditions
under section SSA DPA are met.
Seriousness of the contravention
13 •
ICO.
Information Commissioner's Office
45. The Commissioner is satisfied that the contraventionidentified
above were serious. This is because there have been multiple breaches
of regulation 21A by BCS over a six month period. Specifically,
between 1 February 2019 and 31 July 2019 BCS made a total of
11,489,873 connected calls relating to PPI claims management
services. This led to a significant number of complaints.
46. The legislation is clearat TPS registration is not a relevant
consideration in respect of such calls. A subscriber must have
previously notified the caller that for the time being the subscriber
consents to such calls being made by, or at the instigation of, the caller
on that line. The Commissioner is satisfied that BCS did not have the
necessary consent to make these calls.
47. BCS appeared to use aggressive tactics when making the calls to
subscribers, as evidenced by the content of some of the complaints.
48. The Commissioner is therefore satisfied that condition (a) from
section SSA (1) DPA is met.
Deliberate or negligent contraventions
49. The Commissioner has considered whether the contraventions
identified above were deliberatIn the Commissioner's view, this
means that BCS's actions which constituted that contraventiwere
deliberate actions (evenf BCS did not actually intend thereby to
contravene PECR).
50. The Commissioner does not consider that BCS deliberately seout to
contravene PECRin this instance.
14 •
ICO.
Information Commissioner's Office
51. The Commissioner has gone on to consider whether the contravention
identified above was negligent. This consideration comprises two
elements:
52. Firstly, she has consideredether BCS knew or ought reasonably to
have known that there was a risk that these contraventionswould
occur. She is satisfied that this condition is met, not least because the
issue of unsolicited calls in relation to claims management services has
been widely publicised by the media as being a problem, so much so
that it prompted recent legislative change to prohibit the making of
such calls unless certain conditions are metIt is reasonable to
suppose that any organisation wishing to carry out such activities
should, and indeed must, be aware of its responsibilities in this area.
53. The Commissioner has published detailed guidance on her website for
those carrying out direct marketing calls for the purposes of claims
management services, explaining the strict criteria under which such
calls can be made. This guidance explains such calls must not be made
in relation to claims management services unless the individual being
called has specifically consented to such calls or has a defined existing
client relationship.
54. The Commissioner notes that BCS employed the services of a
compliance company, which, given its extensive background and
history with the ICO, would be reasonable to assume that the
compliance company should also have been aware of the introduction
of regulation 21A and ensured its client was acting in a compliant
manner.
55. Secondly, the Commissioner has gone on to consider whether BCS
failed to take reasonable steps to prevent the contraventionAgain,
she is satisfiedhat this condition is metEvidence suggests that BCS
15 •
ICO.
Information Commissioner's Office
appear to have been relying upon regulation 21 PECRto ensure
compliance, indicating a lack knowledge or understanding of
regulation 21A, which was fundamental to BCS' business model.
Had BCS familiarised itself with the relevant legislation and guidance
and set its due diligence checks accordingly, it would have realised that
it could not lawfully make unsolicited direct marketing calls for the
purposes of claims management services.
56. Furthermore, there is no evidence to suggest that BCS provided any
training to staff in relation to PECRwhatsoever. The training
documents provided during the course of the Commissioner's
investigationdo not contain any reference to PECR.There are only brief
references to the ICO, DPA 98, and Telephone Preference Service, the
latter of which would suggest that BCS felt they only needed to comply
with regulation 21.
57. Given the volume of calls and complaints, it is clear that BCS failed to
take those reasonable steps.
58. The Commissioner is therefore satisfied that condition (b) from section
SSA (1) DPA is met.
The Commissioner's decision to impose a monetary penalty
59. The Commissioner finds that there are the following aggravating
features of this case:
• It became apparent during representations to the
Commissioner's Notice of Intent that neither BCS nor their
compliance advisors fully co-operated during the Commissioner's
investigationand were not completely open and transparent in
16 •
ICO.
Information Commissioner's Office
relation to information provided. For instance, BCS failed to
disclose two further data sources in addition to -· BCS
were unable to identify the website utilised by one of these data
sources to capture consent thus demonstratinglack of due
diligenceon the part of BCS, and thereby also hindering the
Commissioner's investigation.BCS also made no mention of
service calls when providing information about call volumes until
representations,but BCS were unable to provide any evidence as
to the breakdown of call purpose.
60. The Commissioner has taken into account representations by BCS,
however considers that there are no relevant mitigating features of
this case.
61. For the reasons explained above, the Commissioner is satisfied that the
conditions from section 55A(l)DPA have been met in this case. She is
also satisfied that the procedural rights under section 55B have been
complied with.
62. This has included the issuing of a Notice of Intent on 18 February 2021,
in which the Commissioner set out her preliminary thinking, and invited
BCS to make representations in response.
63. The Commissioner has received and considered extensive
Representations in response to the Notice of Intent dated 23 April 2021.
64. The Commissioner is accordingly entitled to issue a monetary penalty in
this case.
65. The Commissioner has considered whether, in the circumstances, she
should exercise her discretion so as to issue a monetary penalty. She
17 •
ICO.
Information Commissioner's Office
has decided that a monetary penalty is an appropriate and proportionate
response to the finding of a serious contraventof regulations 21A of
PECRby BCS.
66. The Commissioner's underlying objective in imposing a monetary
penalty notice is to promote compliance with PECR. The instigatioor
making of unsolicited direct marketingtexts is a matter of significant
public concern. Amonetary penalty in this case should act as a general
encouragement towards compliance with the law, or at least as a
deterrent against non-compliance, on the part of all persons running
businesses currently engaging in these practices. This is an opportunity
to reinforce the need for businesses to ensure that they are only texting
consumers who want to receive these messages.
67. The Commissioner has also considered the likely impact of a monetary
penalty on BCS and in doing so has reviewed financial evidence supplied
alongside its representations.
The amount of the penalty
68. Taking into account all of the above, the Commissioner has decided that
the amount of the penalty is £200,000 (Two hundred thousand
pounds).
Conclusion
69. The monetary penalty must be paid to the Commissioner's office by
BACS transfer or cheque by 28 July 2021 at the latest. The monetary
penalty is not kept by the Commissioner but will be paid into the
Consolidated Fund which is the Government's general bank account at
the Bank of England.
18 •
ICO.
Information Commissioner's Office
70. If the Commissioner receives full payment of the monetary penalty by
27 July 2021 the Commissioner will reduce the monetary penalty by
20% to £160,000 (One hundred and sixty thousand pounds).
However, you should be aware that the early payment discount is not
available if you decide to exercise your right of appeal.
71. There is a right of appeal to the First-tier Tribunal (InforRights)
against:
a) the imposition of the monetary penalty
and/or;
b) the amount of the penalty specified in the monetary penalty
notice.
70. Any notice of appeal should be received by the Tribunal within 28 days
of the date of this monetary penalty notice.
71. Informationabout appeals is set out in Annex 1.
72. The Commissioner will not take action to enforce a monetary penalty
unless:
• the period specified within the notice within which a monetary penalty
must be paid has expired and all or any of the monetary penalty has
not been paid;
• allrelevant appeals against the monetary penalty notice and any
variation of it have either been decided or withdraand
19 •
ICO.
Information Commissioner's Office
• period for appealing against the monetary penalty and any variation of
it has expired.
73. In England, Wales and Northern Ireland, the monetary penalty is
recoverable byrder of the County Court or the High Court. In
Scotland, the monetary penalty can be enforced in the same manner
as an extract registered decree arbitral bearing a warrant for execution
issued by the sheriff court of any sheriffdom in Scotland.
Dated the 25th day of June 2021
Andy Curry
Head of Investigations
InformationCommissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 SAF
20 •
ICO.
Information Commissioner's Office
ANNEX 1
SECTION 55 A-E OF THE DATA PROTECTION ACT 1998
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER
1. Section 48 of the Data Protection Act 1998 gives any person upon
whom a monetary penalty notice or variation notice has been served a right
of appeal to the First-tier Tribunal (InformRights) (the 'Tribunal')
against the notice.
2. If you decide to appeal and if the Tribunal considers:-
a) that the notice against which the appeal is brought is not in accordance
with the law; or
b) to the extent that the notice involved an exercise of discretion by the
Commissioner, that she ought to have exercised her discretion differently,
the Tribunal will allow the appeal or substitute such other decision as could
have been made by the Commissioner. In any other case the Tribunal will
dismiss the appeal.
3. You may bring an appeal by serving a notice of appeal on the Tribunal
at the following address:
GRC & GRPTribunals
PO Box 9300
Arnhem House
31 Waterloo Way
Leicester
LEl 8DJ
a) The notice of appeal should be sent so it is received by the Tribunal
within 28 days of the date of the notice.
b) If your notice of appeal is late the Tribunal will not admit it unless the
Tribunal has extended the time for complying with this rule.
21 •
ICO.
Information Commissioner's Office
4. The notice of appeal should state:-
a) your name and address/name and address of your representative
(if any);
b) an address where documents may be sent or delivered to you;
c) the name and address of the Information Commissioner;
d) detailsof the decision to which the proceedings relate;
e) the result that you are seeking;
f) the grounds on which you rely;
g) you must provide with the notice of appeal a copy of the
monetary penalty notice or variation notice;
h) if you have exceeded the time limit mentioned above the notice
of appeal must include a request for an extension of time and the
reason why the notice of appeal was not provided in time.
5. Before deciding whether or not to appeal you may wish to consult your
solicitor or another adviser. At the hearing of an appeal a party may conduct
his case himself or may be represented by any person whom he may
appoint for that purpose.
6. The statutory provisions concerning appeals to the First-tier Tribunal
(Information Rights) are contained in sections 48 and 49 of, and Schedule 6
to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal)
(General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No.
1976 (L.20)).
22
