ICO (UK) - Energy Suite Limited: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO (UK) |DPA_With_Country=ICO (UK) |Case_Number_N...")
 
(Changed the short summary for the newsletter, and changed the last line a tiny bit. Really clear clear summary otherwise, thank you and well done for a first one!)
 
Line 52: Line 52:
}}
}}


The UK's Information Commissioner’s Office (ICO) fined Energy Suite £2000 for making unsolicited calls for direct marketing, thereby contravening Regulation 21 of Privacy and Electronic Communications (EC Directive) Regulations 2003.  
The UK DPA (ICO) fined Energy Suite £2000 for making unsolicited direct marketing calls in violation of Regulation 21 PECR.  


== English Summary ==
== English Summary ==
Line 68: Line 68:
The ICO considered the aggravating factors of Energy Suite's action being for financial gain, claiming ignorance of the law, inadequacy in record keeping, continued non-compliance etc. At the same time, the ICO also considered the mitigating factors of Energy Suite being a small company, its cooperation with the investigation, and the number of calls being comparatively low.  
The ICO considered the aggravating factors of Energy Suite's action being for financial gain, claiming ignorance of the law, inadequacy in record keeping, continued non-compliance etc. At the same time, the ICO also considered the mitigating factors of Energy Suite being a small company, its cooperation with the investigation, and the number of calls being comparatively low.  


Eventually, the ICO issued a monetary penalty of £2,000 (two thousand pounds) on Energy Suite,  
Thus, the ICO issued a monetary penalty of £2000 (two thousand pounds) against Energy Suite,  


== Comment ==
== Comment ==

Latest revision as of 16:29, 25 January 2022

ICO (UK) - Energy Suite Limited
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law:
Directive 2002/58
Data Protection Act 1998
Privacy and Electronic Communications (EC Directive) Regulations 2003
Type: Investigation
Outcome: Violation Found
Started:
Decided: 18.01.2022
Published: 24.01.2022
Fine: 2000 GBP
Parties: n/a
National Case Number/Name: Energy Suite Limited
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: Gauravpathak

The UK DPA (ICO) fined Energy Suite £2000 for making unsolicited direct marketing calls in violation of Regulation 21 PECR.

English Summary

Facts

Energy Suite is a company marketing "boiler, heating, insulation, glazing and other energy-saving grants to homes under government-funded schemes." Between 1 March and 13 November 2020, Energy Suite connected at least 1,246 calls to subscribers whose numbers were listed on the TPS (Telephone Preference Service Ltd) register. Three complaints were made against Energy Suit during this period as it called people who had not given their no-objection to receive marketing calls.

Before the ICO, Energy Suite claimed that it had purchased "details of 11,005 live, validated landlines and 88,995 live HLR-checked mobiles" from third parties, without conducting any in-house checks.

Holding

The ICO found that Energy Suite had contravened Regulation 21 of Privacy and Electronic Communications (EC Directive) Regulations 2003 by calling numbers that were registered on the TPS. On the balance of probabilities, it found out that at least 1246 calls made by Energy Suite got connected. The ICO referred to another complaint made outside the investigation period to conclude that Energy Suite's compliance with Privacy and Electronic Communications (EC Directive) Regulations 2003 has been lax.

The ICO concluded that "unsolicited direct marketing calls were made to subscribers who had registered with the TPS at least 28 days prior to receiving the calls, and who for the purposes of regulation 21(4) had not notified Energy Suite that they did not object to receiving such calls." This contravention was considered to be serious due to multiple violations as Energy Suite made some 15,000 calls in total, many of which did not connect. Consequently, the ICO concluded that Energy Suite had been negligent and the "condition (b) from section 55A (1) DPA is met".

The ICO considered the aggravating factors of Energy Suite's action being for financial gain, claiming ignorance of the law, inadequacy in record keeping, continued non-compliance etc. At the same time, the ICO also considered the mitigating factors of Energy Suite being a small company, its cooperation with the investigation, and the number of calls being comparatively low.

Thus, the ICO issued a monetary penalty of £2000 (two thousand pounds) against Energy Suite,

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                                                           •

                                                           ICO.
                                                           Information Commissioner's Office


                    DATA PROTECTION     ACT 1998


   SUPERVISORY    POWERS OF THE INFORMATION       COMMISSIONER



                    MONETARY    PENAL TY NOTICE




To:  Energy Suite Limited

Of:   Lomeshaye Bridge Mill
     Bridge Mill Road
     Nelson
     BB9 7BD



1.   The InformationCommissioner ("the Commissioner") has decided to

     issue Energy Suite Limited ("Energy Suite") with a monetary penalty
     under section SSA of the Data Protection Act 1998 ("DPA"). The penalty

     is in relation to a serious contraveof regulation 21 of the Privacy

     and Electronic Communications(EC Directive) Regulations 2003
     (" PECR").


2.   This notice explainse Commissioner's intended decision.



      Legal framework


3.   Energy Suite, whose registered office is given above (Companies House

     Registration Number: 09999446) is the organisation stated in this
     notice to have used a public electronic communicatservice for the

     purpose of making unsolicited calls for the purposes of direct marketing
     contrary to regulation 21 of PECR.



                                   1                                                                •

                                                               ICO.
                                                               Information Commissioner's Office

4.    Regulation 21 applies to the making of unsolicited calls for direct
      marketing purposes. It means that if a company wants to make calls

      promoting a product or service to an individual who has a telephone
      number which is registered with the Telephone Preference Service Ltd

      ("TPS"),then that individual must have notified the company that they
      do not object to its calls.



5.    Regulation 21 paragraph (1) of PECRprovides that:


      "(1)A person shall neither use, nor instigate the use of, a public
      electronic communications service for the purposes of making

      unsolicited calls for direct marketing purposes where-


      (a)     the called line is that of a subscriber who has previously

              notified the caller that such calls should not for the time being
              be made on that line; or


      (b)     the number allocated to a subscriber in respect of the called

              line is one listed in the register kept under regulation 26."


6.    Regulation 21 paragraphs (2), (3),(4) and (5) provide that:


    "(2)  A subscriber shall not permit his line to be used in contravention

           of paragraph (1).


     (3) A person shall not be held to have contravened paragraph (1)(b)

         where the number allocated to the called line has been listed on the
         register for less than 28 days preceding that on which the call is

         made.




                                     2                                                            •

                                                            ICO.
                                                            Information Commissioner's Office

    (4) Where a subscriber who has caused a number allocated to a line of
         his to be listed in the register kept under regulation 26 has notified

        a caller that he does not, for the time being, object to such calls
         being made on that line by that caller, such calls may be made by

         that caller on that line, notwithstathat the number allocated
         to that line is listed in the said register.



     (5) Where a subscriber has given a caller notification pursuant to
        paragraph (4) in relation to a line of his-


           (a) the subscriber shall be free to withdraw that notification at

           any time, and

           (b) where such notification is withdrawn, the caller shall not
           make such calls on that line."



7.   Under regulation 26 of PECR,the Commissioner is required to maintain
     a register of numbers allocated to subscribers who have notified them

     that they do not wish, for the time being, to receive unsolicited calls for
     direct marketing purposes on those lines. The TPS is a limited company

     which operates the register on the Commissioner's behalf. Businesses

     who wish to carry out direct marketing by telephone can subscribe to
     the TPS for a fee and receive from them monthly a list of numbers on

     that register.


8.   Section 122(5) of the Data Protection Act 2018 ("DPA18") defines

     direct marketing as "the communication(by whatever means) of
     advertising or marketing material which is directed to particular

     individuals". This definition also applies for the purposes of PECR(see
     regulation 2(2) PECR& Schedule 19 paragraphs 430 & 432(6) DPA18).




                                   3                                                                •

                                                               ICO.
                                                               Information Commissioner's Office

9.    "Individual"is defined in regulation 2(1) of PECRas "a living individual
      and includes an unincorporated body of such individuals".


10.   A "subscriber"is defined in regulation 2(1) of PECRas "a person who is

      aparty to a contract with a provider of public electronic
      communications  services for the supply of such services".


11.   Section SSA of the DPA (as applied to PECRcases by Schedule 1 to
      PECR, as variously amended) states:



      "(1)The Commissioner may serve a person with a monetary penalty if
          the Commissioner is satisfied that -

              (a) there has been a serious contraventioof the requirements

                 of the Privacy and Electronic Communications (EC

                 Directive) Regulations 2003 by the person,

              (b) subsection (2) or (3) applies.

      (2) This subsection applies if the contraventiowas deliberate.

      (3) This subsection applies if the person -
              (a)  knew or ought to have known that there was a risk that

                   the contravention would occur, but

              (b)  failed to take reasonable steps to prevent the
                   contravention."


12.   The Commissioner has issued statutory guidance under section SSC (1)

      of the DPA about the issuing of monetary penalties that has been

      published on the ICO's website. The Data Protection (Monetary
      Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe

      that the amount of any penalty determined by the Commissioner must
      not exceed fS00,000.




                                     4                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

13.   PECRwere enacted to protect the individual's fundamentalright to
     privacy in the electronic communicationssector. PECRwere

     subsequently amended and strengthened.   The Commissioner will
     interpret PECRin a way which is consistent with the Regulations'

     overall aim of ensuring high levels of protection for individuals' privacy

      rights.


14.  The provisions of the DPA remain in force for the purposes of PECR

     notwithstanding the introductionof the DPA18: see paragraph 58(1) of
     Schedule 20 to the DPA18.


     Background to the case


     Complaints

15.   Energy Suite is a company that markets boiler, heating, insulation,

     glazing and other energy-saving grants to homes under government­
     funded schemes.


16.  Complaints data from the TPS in September 2020 indicated that a

     complaint had been made about calls made from Calling Line Identity

     ("CLI") 01282612211.  A third-partyinformationnotice was sent to
     British Telecommunications PLC (BT) on 3 September 2020. BT

     responded on 20 October 2020, identifying Energy Suite as the person
     to whom the CLI was allocated.



17.  Further analysis identified that there had been three complaints in
     respect of Energy Suite, namely (i) three complaints to the TPS

     between 6 March and 20 July 2020 and (ii) one complaint to the

     Commissioner on 3 August 2020, by a complainant not registered for
     TPS. The complaints included the following comments:



                                    5                                                             •

                                                            ICO.
                                                            Information Commissioner's Office
           "Cold call re eligibility for new boiler and underfloor heating ...gov

           scheme (you don't list energy saving in your list to the right of

           this box!) ... men asking for my husband by name. Saying they
           were calling about the gov boiler scheme. Asked lots of questions

           about the house and any qualifying benefits. Said they check
           with the gov that the person i said gets benefits really does and

           then when that is confirmed they will send a letter and call back
           to make an appt to survey. Didn;t ask for any money or financial

           info. Sounded like a scam but not sure. however it was in total
           breach of TPS. Oh and all the info I gave them was untrue

           anyway!!" [sic][Complaintto TPS]


           "Calling as they were informed my boiler was in need of

           replacement and I could have a grant from the government.
           They kept asking whether my boiler was over7years old. I

           asked where they had got my personal information from (full
           name and telephone number), I was told from a 3rd party but

           they refused to disclose who as it was company policy to keep it
           secret. They ended the call and I called back to try and get more

           details they put me on hold and ended the call twice. I told the

           caller that I would be reporting this incident to the ico."]

18.  Two further complaints to the TPS did not give details, save that the

     company that had called them was Energy Suite. Although the
     complaint from the consumer not registered for TPS does not in itself

     indicate a breach of regulation 21, it is included as it gives an example
     of the type and content of call in issue.


19.  It is possible that more complaints would have been received but for

     Energy Suite's practice of making a significant volume of calls via

                                  (as to which, see below).

                                   6                                                            •

                                                           ICO.
                                                           Information Commissioner's Office


     The Commissioner's investigation


20.  After conducting his initial investigthe Commissioner wrote to

     Energy Suite on 13 November 2020 to state that he had opened an
     investigationto set out the complaints in issue, and to ask some initial

     questions about Energy Suite's business.


21.  On 2 December 2020 Energy Suite replied stating that:

           a. Energy Suite had made some 15,000 attempted calls, of

             which 6,000 had connected, in the period from 1 March to 13

             November 2019;
           b. these had been made from the aforementionedCLI as well as

             from three mobile phone numbers and from


           c. Energy Suite had purchased the telephone numbers in
             question from third parties including



           d. allf the data in question had been sourced through third
             parties rather than the contact form on Energy Suite's

             website;
           e. Energy Suite did not screen these numbers in-house to assess

             whether they appeared on the TPS register, but rather
             purchased the numbers pre-screened.


22.  Energy Suite provided a data processing agreement wi1111 and a

     supplier privacy notice of unclear provenance, entitled "PRIV". The data

     processing agreement from -   suggests that Energy Suite purchased
     details of 11,005 live, validated landlines and 88,995 live HLR-checked

     mobiles.

                                   7                                                            •

                                                           ICO.
                                                           Information Commissioner's Office


23.  On 16 December 2020, the Commissioner wrote back to Energy Suite

     to request further informationamely:

           a. precise call volumes, or details of the dialler operator if

             volumes were not known;
           b. details of how opt-ins were obtained;

           c. clarification of the source of the document entitled "PRIV";
           d. training documents; and

           e. evidence of the consent relied upon for the calls made to the
             complainants (i.e. notice that they did not object).


24.  On 13 January 2021 Energy Suite replied stating that it:


           a. did not have a dialler, dialled manually, and did not hold

             details of call volumes;
           b. did not have any means for checking whether a number was

             TPS registered or had opted into contact from Energy Suite;
           c. had received the 'PRIV' document from OFGEM, which

             governed the schemes that Energy Suite marketed;

           d. did not have a PECRpolicy or any training records, but would
             welcome guidance from the Commissioner in that regard;

           e. had believed that it had consent to call the call recipients on
             the basis of the terms on which it had purchased their data.


25.  On 14 January 2021, the Commissioner wrote again to Energy Suite to

     seek:


           a. clarification of the point at which the data in question was

             screened against the TPS register; and
           b. confirmation of how the data that Energy Suite had purchased

             had been obtained by those who supplied it.
                                   8                                                             •

                                                            ICO.
                                                             Information Commissioner's Office


26.  On 27 January 2021 Energy Suite responded to say that it did not

     check the data against the TPS as it believed the data supplier to be
     reputable, and had been told that the leads in question were not on the

     TPS and had opted in. Energy Suite explained that they did not know
     how the leads had been obtained.


27.  On 5 February 2021, the Commissioner requested copies of any due

     diligence documents held by Energy Suite, and confirmation of whether
     the -      numbers that had called customers




28.  On the same date, the Commissioner also reviewed the websites of the
     data suppliers. As to those:


           a. -   was found to have a website at                The
              precise source of-data     was unclear from its website,

              although it did state that the data was sourced from lifestyle
              surveys, online comparisons, competition sites and strategic

              partners, and was TPS verified;


           b.               was found to have a website at

                                      There were no clear details on the
              website of how the data sold had been obtained;


           c. similarly,           website was unclear about the
              provenance of the company's data, although it did give an

              assurance that the data was accurate and up to date and had
              been provided directly by the potential client.






                                   9                                                              •

                                                              ICO.
                                                              Information Commissioner's Office

29.   On 19 February 2021 Energy Suite replied to say that the numbers in
      question were                                but provided no new

      due diligence documents.


30.   On 25 February 2021, the Commissioner sent BT a third-party

      informationnotice seeking call detail records for the calls from the
      above CLI. BT responded on 26 March 2021, and following further

      communications  redirected the Commissioner to             which

      serviced the CLI in question. On 9 April 2021, the Commissioner sought
      call records from             which providedthem later the same

      day.

31.  The records confirmed that Energy Suite had made 3,415 connected

      calls from the aforementionedCLI between 1 March and 13 November

      2020, although some of these may have gone to voicemail. Of those
      calls,,202 were made to numbers registered with the TPS, and 44

      were made  to numbers registered to the Corporate TPS. The most
      recent registration was 89 days before the call in question. Thus,

      36.5% of the calls made from the CLI in question were to customers

      who had been registered with the TPS (and for at least 28 days by the
     time of the call).


32.  The Commissioner did  not consider it appropriate to seek call records

      from the mobile phone numbers or landlines used, given that they
      were                   However, in light of Energy Suite's

      representationthat 6,000 calls had connected, in the relevant period,
      across alllls, at least 2,585 connected calls would appear to have

      been made from


33.   On 29 April 2021, the Commissioner emailed Energy Suite to advise
     that the case would be reviewed, which it was. In further email on 4

      May 2021, the Commissioner requested details of the personal data

                                    10                                                               •

                                                              ICO.
                                                              Information Commissioner's Office

      purchased and held by Energy Suite, and whether any leads had been
      sourced through its website.


34.   On 11 May 2021, Energy Suite replied to explain that the data

      purchased included name, address and telephone number.  It stated
      that leads were generated via Energy Suite's website as well as via

      purchased data.

35.   On the same day, the Commissioner wrote to Energy Suite to request

      the volume of leads generated via Energy Suite's websiteIt

      responded to say that 2,033 enquiries had come in via that route, and
      that all of these would have been contacted.


36.   On 19 May 2021, the Commissioner replied to Energy Suite to seek

      informationabout whether this figure was for connected or attempted
      calls, and how many of those called were TPS registered. On 21 May

      2021 Energy Suite replied statinghat it did not hold this information.
      However, it seems inherently unlikely that every single such lead, of

      2,033 in total, answered the phone when called (even if called multiple

      times). The Commissioner therefore assumes that the number 2,033
      representsthe number of people whom Energy Suite tried to contact,

      not the number whom it contacted successfully (whether via voicemail
      or otherwise).


37.   On 24 May 2021, the Commissioner wrote to Energy Suite to say that it

      had concluded its investigatioand would consider whether
      enforcement action would be appropriate.



38.  The Commissioner is satisfied that the 1,246 calls were all made for the
      purposes of direct marketing as defined by section 122(5) DPA18.





                                    11                                                            •

                                                            ICO.
                                                            Information Commissioner's Office
39.  The Commissioner has made the above findings of fact on the

     balance of probabilities.


40.  The Commissioner has considered whether those facts constitute a

     contravention of regulation 21 of PECRby Energy Suite and, if so,
     whether the conditions of section SSA DPA are satisfied.


     The contravention


41.  The Commissioner finds that Energy Suite contravened regulation 21 of

     PECR.


42.  The Commissioner finds that the contraventiowas as follows:


     Between 1 March and 13 November 2020, Energy Suite used a public

     telecommunications service for the purposes of making, on the balance
     of probabilities, at least 1,246 connected calls to subscribers whose

     number was listed on the TPS register. In that regard:


           a. it appears that 1,246 connected calls from Energy Suite's

              main CLI, given above, were made to numbers that had been
              on the TPS register for at least 28 days prior to the call;

           b. whilst it is possible that some of those called may have opted
              into marketing calls by submitting an enquiry on Energy

              Suite's website, Energy Suite was unable when asked
              provide any detail of the calls made via website leads;

           c. in the absence of any evidence at all from Energy Suite in that

              respect, the Commissioner concludes from the available
              evidence that, on the balance of probabilities, most or all of

              the numbers on the TPS register were not allocated to people


                                   12                                                   •

                                                   ICO.
                                                   Information Commissioner's Office

   who had notified Energy Suite, via the contact form on its
   website,that they did not object to being contacted;

d. further, given (i) the volume of additional calls made - some
   2,585 from                             (ii) Energy Suite's

   inability to provide any evidence of notices of non-objection
   from the holders of the numbers called, or records of these

   calls, and (iii) the very large number of telephone numbers on

   the TPS register (c.18 million), on the balance of probabilities
   at least some of the additional calls - i.e. calls not made from

   the CLI given above - were likely to have been to numbers
   registered with TPS for at least 28 days prior to the call;

e. the Commissioner's conclusions in this regard are fortified by

   the fact that it has seen three complaints about Energy Suite
   in the relevant period from the holders of numbers registered

   on the TPS. The Commissioner considers that:
      i. those who complained to the TPS about Energy Suite

        would  not have opted in via the company's website; and
     ii. as a matter of common sense and inherent probability,

        only a very small number of those who receive

        unsolicitedmarketing calls will in fact complain;
     iii. the Commissioner therefore infers from the three

        complaints made that a much larger number of
        unsolicited calls were in fact made to numbers

        registered on the TPS;

f. the Commissioner has been referred to a further complaint
   made on 6 April 2021, outside the period under investigation.

   This further complaint fortifies the Commissioner's conclusion
   that Energy Suite's compliance with PECRhas been lax, and in

   turn that it has likely not taken effective steps to screen
   numbers called for TPS registration.



                         13                                                                •

                                                               ICO.
                                                               Information Commissioner's Office

43.   The Commissioner is also satisfied for the foregoing reasons that, for
      the purposes of regulation 21, these unsolicited direct marketing calls

      were made  to subscribers who had registered with the TPS at least 28
      days prior to receiving the calls, and who for the purposes of regulation

      21(4) had not notified Energy Suite that they did not object to

      receiving such calls.


44.   For such notification to be valid under regulation 21(4), the individual

      must have taken a positive action to override their TPS registration and
      indicatetheir willingness to receive marketing calls from the company.

      The notificatioshould reflect the individual's choice about whether or
      not they are willing to receive marketing calls. Therefore, where

      signing upto use a product or service is conditional upon receiving

      marketing calls, companies will need to demonstratehow this
      constitutes a clear and positive notification of the individual's

      willingnessto receive such calls.

45.   The notification must clearly indicate the individual's willingness to

      receive marketing calls specifically. Companies cannot rely on

      individuals opting into marketing communicationsgenerally, unless it is
      clear that this will include telephone calls.


46.   Further,the notification must demonstrate the individual's willingness
      to receive marketing calls from that company specifically. Notifications

      will not be valid for the purposes of regulation 21(4) if individuals are

      asked to agree to receive marketing calls from "similar organisations",
      "partners","selected third parties" or other similar generic descriptions.



47.   The Commissioner has gone on to consider whether the conditions
      under section SSA DPA are met.




                                     14                                                            •

                                                            ICO.
                                                            Information Commissioner's Office
     Seriousness of the contravention



48.  The Commissioner is satisfied that the contraventidentified
     above was serious. This is because there have been multiple breaches

     of regulation 21 by Energy Suite arising from the organisation's
     activities between 1 March and 13 November 2020 and this led to over

     1,000 unsolicited direct marketing calls being made to subscribers who
     were registeredwith the TPS and who had not notified Energy Suite

     that they were willing to receive such calls, and to three complaints
     being made as a result.



49.  In addition, Energy Suite made some 15,000 calls in total, including
     calls that were not connected to subscribers. Although the

     Commissioner has not been able to screen those numbers against the
     TPS register because111 has not retained records, the numbers were

     called without any due diligence as to their TPS status. Given the lack
     of any such due diligence, it is reasonable to assume that a significant

     number of these numbers will have been registered with the TPS. The
     attempt to contact a large number of other individuals who may well

     have been registered with the TPS, and/or without conducting any due

     diligence as to the same, aggravates the contravention.


50.  The Commissioner is therefore satisfied that condition (a) from
     section SSA (1) DPA is met.


     Deliberate or negligent contraventions



51.  The Commissioner does not consider that Energy Suite deliberately set
     out to contravene PECRin this instance. He has therefore gone on to

     consider whether the contraventionidentified above was negligent.

     This consideration comprises two elements:
                                   15                                                              •

                                                             ICO.
                                                             Information Commissioner's Office


52.  Firstly, the Commissioner has considered whether Energy Suite knew
     or ought reasonably to have known that there was a risk that this

     contravention would occur. He is satisfied that this condition is met, for
     the following reasons:


           a. Energy Suite conducted a very large amount of direct

              telephone marketing as part of its business model, with some

              15,000 attempted calls, and 6,000 connected calls, over a
              periodof some eight and a half months;


           b. in conducting such a large number of calls, Energy Suite ought

              reasonably to have familiarised itself with the legislation

              around direct marketing calls. It failed abjectly to do so -
              indeed,on the evidence, even to attempt to do so;


           c. further, the existence of legal controls on direct marketing and
              of the importance of the TPS register is widely known, and

              public awarenessof wider data protection issues and of the

              importance of using data lawfully is also now widespread.


53.  The Commissioner has published detailed guidance for companies
     carrying out marketing explaining their legal requirements under PECR.

     This guidance explains the circumstances under which organisations
     are able to carry out marketing over the phone, by text, by email, by

     post or by fax. Specifically, it states that live calls must not be made to
     any subscriber registered with the TPS, unless the subscriber has

     specifically notified the company that they do not object to receiving

     such calls.In case organisations remain unclear on their obligations,
     the Commissioner operates a telephone helpline. ICO communications

     about previous enforcement action where businesses have not


                                   16                                                               •

                                                              ICO.
                                                              Information Commissioner's Office

      complied with PECRare also readily available


54.   Standard practiceof the TPS is to contact the organisation making the
      calls on each occasion a complaint is made, and indeed Energy Suite

      toldthe Commissioner in correspondence that TPS had been in contact
      after receipt of the complaints in issue. That there were three

      complaints made to the TPS over the period of the contravention

      should have made Energy Suite aware of the risk that such
      contraventionsmay occur and were indeed occurring.


55.  It is therefore reasonable to suppose that Energy Suite should have

      been aware of its responsibilities in this area.


56.   Secondly, the Commissioner has gone on to consider whether Energy

      Suite failed to take reasonable steps to prevent the contravention.
     Again, he is satisfied that this condition is met.


57.  The Commissioner's  direct marketing guidance makes clear that

      organisations acquiring marketing lists from a third party must

      undertake rigorous checks to satisfy themselves that the personal data
      was obtained fairly and lawfully, that their details would be passed

      along for direct marketing to the specifically named organisation in the
      case of live calls, and that they have the necessary notifications for the

      purposes of regulation 21(4)It is not acceptable to rely on assurances

      given by third party suppliers without undertaking proper due
      diligence. No such checks were undertaken here, and a perusal of the

      websites of the companies in question, and of the documents that they
      provided to Energy Suite, does not give any good basis for thinking

     that their data was properly screened against the TPS register.




                                    17                                                               •

                                                              ICO.
                                                               Information Commissioner's Office

58.   Reasonable steps that Energy Suite could have been expected to take
      in these circumstances may also have included:


           a. screening the data in question against the TPS register itself,
              regardless of the assurances given by the third parties in

              question;

           b. ensuring that it had in place an effective and robust
              suppression list;

           c. familiarisinitself with the legislation and ICO guidance

              applicable to marketing calls, and providing training to its staff
              accordingly.


59.   Given the volume of calls and complaints, and indeed Energy Suite's
      own submissions, it is clear that it failed to take those reasonable

      steps.


60.   The Commissioner is therefore satisfied that condition (b) from section

      SSA (1) DPA is met.


     The Commissioner's    decision to issue a monetary   penalty


61.   The Commissioner   has taken into account the following aggravating

      features of this case:


           a. Energy Suite's actions were done deliberately for financial gain,

              in that they aimed to generate sales and therefore profit;
           b. Energy Suite's ignorance of the law was unacceptable given the

              nature of its business and the ready availability of guidance;

           c. although  Energy Suite cooperated with the Commissioner,   it
              was unable to provide    much   of the information  that she

              requested due to the serious inadequacy of its record-keeping;


                                    18                                                              •


                                                              ICO.
                                                              Information Commissioner's Office
           d. Energy Suite's non-compliance appears to have continued alter
              the period of contraventionwith a further complaint about the

              company having been made to the TPS on 6 April 2021;

           e. because of its processes and poor record-keepingEnergy Suite
              was unable  to say whether            calling leads from the

                             might have withheld their numbers when doing

              so, thus raising the possibility that there had also been a breach
              of regulation 24 PECR as well, although   this could not be

              confirmed. Energy Suite's poor processes and record-keeping
              in this regard is itself culpable and raises the possibility that

              some of the calls were also non-compliantwith regulation 24;

           f. one  of the complaints indicates a reluctance on the part of
              Energy Suite's employee to disclose to the subscriber where

              they  had   got  that  subscriber's number,   indicating an

              unwillingness on the company's part to comply with the spirit
              of its obligations under the PECR(see paragraph 17 above).



62.  The Commissioner has taken   into account the following mitigating
     features  of this case:


           a. the company in question is small and may not be able to

              withstand a large penalty;
           b. the company has sought to cooperate to some degree with the

              Commissioner albeit its responses have been unsatisfactory;
           c. the volume of calls in this case is comparativlow compared

              to some of the other cases that have come before the ICO.


63.   For the reasons explained above, the Commissioner is satisfied that the

      conditions from section SSA (1) DPA have been met in this case. He is

      also satisfied that the procedural rights under section SSB have been
      complied with.


                                    19                                                             •

                                                            ICO.
                                                             Information Commissioner's Office


64.  The latter has included the issuing of a Notice of Intent, in which the

     Commissioner set out his preliminary thinking. In reaching his final
     view, the Commissioner has taken into account the representations

     made by Energy Suite  on this matter.


65.  The Commissioner is accordingly entitled to issue a monetary penalty
     in this case.


66.  The Commissioner has considered  whether, in the circumstances, he

     should exercise his discretion so as to issue a monetary penalty.


67.  The Commissioner has considered the likely impact of a monetary

     penalty on Energy Suite. He has decided that a penalty remains the
     appropriate course of action in the circumstances of this case.


68.  The Commissioner's underlying objective in imposing aonetary

     penalty notice is to promote compliance with PECR.The making of
     unsolicited direct marketing calls is a matter of significant public

     concern. A monetary penalty in this case should act as a general

     encouragement towards compliance with the law, or at least as a
     deterrent against non-compliance,on the part of all persons running

     businesses currently engaging in these practices. This is an opportunity
     to reinforce the need for businesses to ensure that they are only

     telephoning consumers who are not registered with the TPS and/or
     have specifically indicated that they do not object to receiving such

     calls.


69.  For these reasons, the Commissioner has decided to issue a monetary

     penalty in this case.


                                   20                                                            •

                                                            ICO.
                                                            Information Commissioner's Office

     The amount of the penalty


70.  Taking into account all of the above, the Commissioner has decided
     that a penalty in the sum of £2,00(two thousand   pounds) is

     reasonable and proportionategiven the particular facts of the case and
     the underlying objective in imposing the penalty.



     Conclusion


71.  The monetary penalty must be paid to the Commissioner's office by
     BACS transfer or cheque by 17 February 2022 at the latest. The

     monetary penalty is not kept by the Commissioner but will be paid into

     the Consolidated Fund which is the Government's general bank account
     at the Bank of England.


72.  If the Commissioner receives full payment of the monetary penalty by

     16 February 2022 the Commissioner will reduce the monetary
     penalty by 20% to £1,600  (one thousand and six hundred

     pounds).  However, you should be aware that the early payment

     discount is not available if you decide to exercise your right of appeal.


73.  There is a right of appeal to the First-tier Tribunal (InfoRights)
     against:



     (a) the imposition of the monetary penalty
         and/or;

     (b) the amount of the penalty specified in the monetary penalty
         notice.


74.  Any notice of appeal should be received by the Tribunal within 28 days

     of the date of this monetary penalty notice.

                                   21                                                             •

                                                             ICO.
                                                             Information Commissioner's Office


75.  Information about appeals is set out in Annex 1.


76.  The Commissioner will not take action to enforce a monetary penalty

      unless:


         • the period specified within the notice within which a monetary

           penalty must be paid has expired and all or any of the monetary

           penalty has not been paid;

         • all relevant appeals against the monetary penalty notice and any
           variation of it have either been decided or withdrand;


         • the period for appealing against the monetary penalty and any
           variation of it has expired.


77.  In England, Wales and Northern Ireland, the monetary penalty is
      recoverable byOrder of the County Court or the High Court. In

     Scotland, the monetary penalty can be enforced in the same manner as

     an extract registered decree arbitral bearing a warrant for execution
      issued bythe sheriff court of any sheriffdom in Scotland.


Dated the 18thday of January 2022



Andy Curry
Head of Investigations

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 SAF





                                   22                                                           •

                                                           ICO.
                                                           Information Commissioner's Office

ANNEX 1


        SECTION  55 A-E OF THE DATA PROTECTION      ACT 1998


  RIGHTS  OF APPEAL AGAINST     DECISIONS   OF THE COMMISSIONER


     1.    Section 55B(S) of the Data Protection Act 1998 gives any person

     upon whom a monetary penalty notice has been served a right of

     appeal to the First-tier Tribunal (InformRights) (the 'Tribunal')
     against the notice.


     2.    If you decide to appeal and if the Tribunal considers:-



           a)   that the notice against which the appeal is brought is not in
           accordance with the law; or


           b)   to the extent that the notice involved an exercise of

           discretion by the Commissioner, that he ought to have exercised

           his discretionfferently,


     the Tribunal will allow the appeal or substitute such other decision as
     could have been made by the Commissioner. In any other case the

     Tribunal will dismiss the appeal.


     3.    You may bring an appeal by serving a notice of appeal on the

     Tribunal at the following address:


                General Regulatory Chamber
                HM Courts &Tribunals Service
                PO Box 9300
                Leicester
                LE1 8DJ


                                  23                                                          •

                                                         ICO.
                                                          Information Commissioner's Office
      Telephone: 0203 936 8963

      Email:     grc@justice.gov.uk


      a)   The notice of appeal should be sent so it is received by the

      Tribunal within 28 days of the date of the notice.


      b)    If your notice of appeal is late the Tribunal will not admit it
      unless the Tribunal has extended the time for complying with this

      rule.


4.    The notice of appeal should state:-


      a)    your name and address/name and address of your

      representative(if any);


      b)    an address where documents may be sent or delivered to
      you;


      c)    the name and address of the Information Commissioner;



      d)    details of the decision to which the proceedings relate;


      e)   the result that you are seeking;


      f)   the grounds on which you rely;


      g)    you must provide with the notice of appeal a copy of the

      monetary penalty notice or variation notice;


      h)    if you have exceeded the time limit mentioned above the
      notice of appeal must include a request for an extension of time

                               24                                                   •

                                                   ICO.
                                                   Information Commissioner's Office
     and the reason why the notice of appeal was not provided in
     time.


5.   Before deciding whether or not to appeal you may wish to consult

your solicitor or another adviser. At the hearing of an appeal a party
may conduct his case himself or may be represented by any person
whom he may appoint for that purpose.


6.   The statutory provisions concerning appeals to the First-tier

Tribunal (InformatiRights) are contained in section 55B(S) of, and
Schedule 6to, the Data Protection Act 1998, and Tribunal Procedure

(First-tier Tribunal) (General Regulatory Chamber) Rules 2009
(StatutorInstrument 2009 No. 1976 (L.20)).



























                           25