ICO (UK) - Royal Mail Group Limited
|ICO (UK) - Royal Mail Group Limited|
|Relevant Law:||Article 4(11) GDPR|
Data Protection Act 1998
Privacy and Electronic Communications (EC Directive) Regulations 2003
|Parties:||Royal Mail Group Limited|
|National Case Number/Name:||Royal Mail Group Limited|
|European Case Law Identifier:||n/a|
|Original Source:||ICO (in EN)|
The UK DPA issued a €23,850 (GBP 20,000) fine against Royal Mail for sending unsolicited direct marketing emails in violation of provision 22 of the UK Privacy and Electronic Communications (EC Directive) Regulations 2003.
English Summary[edit | edit source]
Facts[edit | edit source]
Royal Mail is the British postal service and is the data controller. On 29 April 2021, Royal Mail submitted a written breach report to the UK DPA (ICO) that due to a technical error, its marketing actions might have sent emails to “215,202 parties who had expressed a desire to no longer receive marketing from [Royal Mail]”.
Royal Mail explained that it had a list of 245,850 potential recipients, out of which “30,648 had provided valid and existing consent to receive the direct marketing messages, with 215,202 being deemed to have opted out.” On 20 April 2021, at the time of transmission of the marketing email, Royal Mail had sent the email to 30,648 persons while putting 215,202 in a holding step of the campaign. However, on 27 April 2021, “due to an internal routing error, the 215,202 individuals who had been moved to the “holding step” were accidentally sent a “reminder email” which had been intended only for the 30,648 individuals who had been sent, but had not opened or engaged with, the initial email on 20 April 2021.”
The ICO opened an investigation and sought details about the volume of messages and an explanation of the routing error. Before the ICO, Royal Mail submitted the following:
It uses an automated system called Eloqua to send marketing emails. Royal Mail maintains a single master database of all individuals, i.e. those who have provided their consent to receive marketing emails and also those who have not consented to receive marketing emails. The single database is maintained to keep it updated as per the latest status of consent.
In a campaign, marketing emails are sent by Eloqua to those who have provided their consent. Individuals who have not given their consent are put at the end of the campaign, and the stage of sending them emails is bypassed. A reminder email is sent to persons who have given their consent but have not interacted with the original email.
In the present instance, 215,202 customers who were sent the reminder marketing email fell into two groups, “One group was made up of 91,736 customers who were registered with Royal Mail. This group had previously been presented with Royal Mail’s Fair Processing Notice at the point of registering, and subsequently opted out of marketing emails. The second group comprising the remaining 123,466 individuals were customers who had not registered for a Royal Mail account and had, at the time of using a Royal Mail service, checked out as a ‘guest’. These individuals were not asked about their marketing preferences and had not provided consent to receive future direct marketing.”
At the stage of sending reminder emails, details of persons who had not given their consent were fed to Eloqua due to a human error. Accordingly, persons who had not given their consent received the reminder email, even as they were not sent the original email. However, of “the 215,202 messages sent, the number delivered was “no more than 213,191”.”
Since the incident, Royal Mail has introduced several checks to minimize the risk of potential recurrence.
Royal Mail received six responses/complaints from subscribers who had received the unsolicited marketing email, in reply to which it apologized.
Holding[edit | edit source]
The ICO determined as follows:
Royal Mail contravened Regulation 22 PECR as 213,191 unsolicited marketing emails were received by subscribers.
Royal Mail accepted that it did not have the consent for sending the unsolicited marketing emails as it did not have the consent of those persons, or those persons had used services of Royal Mail as a guest, and were never given an opportunity to provide their consent.
For 123,466 persons who had used Royal Mail’s services as a guest, Royal Mail cannot rely on “the soft opt-in as it cannot be said that individuals were given “a simple means of refusing […] the use of [their] contact details for the purposes of such direct marketing, at the time that the details were initially collected”.”
The contravention was considered to be serious as the emails “contained direct marketing material for which subscribers had not provided valid consent”.
Royal Mail did not deliberately contravene PECR. However, its actions were considered to be negligent as “storing all consented and non-consented email addresses on the same system from which direct marketing emails were sent, and given the risk of human error which could (and indeed did) occur, it is reasonable to think that Royal Mail ought to have been aware of the risk that direct marketing emails could be sent to customers who had opted out of marketing communications.”
Since the incident, Royal Mail took steps to remove the risk of human error. However, Royal Mail ought to have taken have these steps before in order to prevent the incident. Accordingly, “Royal Mail failed to take reasonable steps to prevent the contraventions.”
The ICO considered the following aggravating factors:
Six responses/complaints from persons who had received unsolicited marketing emails demonstrate a level of annoyance.
The ICO in 2018 had taken action against Royal Mail for contravening Regulation 22 PECR, and Royal Mail had got clear advice for compliance with PECR.
The ICO considered the following mitigating factors:
Royal Mail undertook to conduct a full internal Data Protection audit of its direct marketing practices.
This was an isolated accident resulting due to human error.
Royal Mail itself reported the incident, despite there being no legal requirement for the same.
The ICO said, “The sending of unsolicited direct marketing messages is a matter of significant public concern. A monetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices. The issuing of a monetary penalty will reinforce the need for businesses to ensure that they are only messaging those who specifically consent to receive direct marketing.” Thus, the ICO issued a €23,850 (GBP 20,000) fine against Royal Mail for sending unsolicited direct marketing emails in violation of provision 22 of the UK Privacy and Electronic Communications (EC Directive) Regulations 2003.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the English original. Please refer to the English original for more details.
DATA PROTECTION ACT 1998 SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER MONETARY PENALTY NOTICE To: Royal Mail Group Limited Of: 185 Farringdon Road, London, United Kingdom, EC1A 1AA 1. The Information Commissioner (“the Commissioner”) has decided to issue Royal Mail Group Limited (“Royal Mail”) with a monetary penalty under section 55A of the Data Protection Act 1998 (“DPA”). The penalty is in relation to a serious contravention of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). 2. This notice explains the Commissioner’s decision. Legal framework 3. Royal Mail, whose registered office address is given above (Companies House Registration Number: 04138203) is the organisation stated in this notice to have transmitted unsolicited communications by means of electronic mail to individual subscribers for the purposes of direct marketing contrary to regulation 22 of PECR. 4. Regulation 22 of PECR states: 1, “(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers. (2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender. (3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where— (a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; (b) the direct marketing is in respect of that person’s similar products and services only; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication. (4) A subscriber shall not permit his line to be used in contravention of paragraph (2).” 5. Section 122(5) of the Data Protection Act 2018 (“DPA18”) defines direct marketing as “the communication (by whatever means) of 2, advertising or marketing material which is directed to particular individuals”. This definition also applies for the purposes of PECR (see regulation 2(2) PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18). 6. Consent in PECR is defined by reference to the concept of consent in the UK GDPR as defined in section 3(10) of the DPA 2018 [1: see regulation 2(1) of PECR, as amended by Part 3 of Schedule 3, paragraph 44 of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019/419. Article 4(11) of the UK GDPR sets out the following definition: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” . 7. Recital 32 of the GDPR materially states that “When the processing has multiple purposes, consent should be given for all of them” . Recital 42 materially provides that “For consent to be informed, the data subject should be aware at least of the identity of the controller” . Recital 43 materially states that “Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case”. 8. “Individual” is defined in regulation 2(1) of PECR as “a living individual and includes an unincorporated body of such individuals”. [1The UK GDPR is therein defined as Regulation (EU) 2016/679 of the European Parl iament and of the Council of 27 April 2016 (“GDPR”) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018. 3,9. A “subscriber” is defined in regulation 2(1) of PECR as “a person who is a party to a contract with a provider of public electronic communications services for the supply of such services”. 10. “Electronic mail” is defined in regulation 2(1) of PECR as “any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service”. 11. The term "soft opt-in" is used to describe the rule set out in in Regulation 22(3) of PECR. In essence, an organisation may be able to e-mail its existing customers even if they haven't specifically consented to electronic mail. The soft opt-in rule can only be relied upon by the organisation that collected the contact details. 12. Section 55A of the DPA (as applied to PECR cases by Schedule 1 to PECR, as variously amended) states: “(1) The Commissioner may serve a person with a monetary penalty if the Commissioner is satisfied that – (a) there has been a serious contravention of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 by the person, (b) subsection (2) or (3) applies. (2) This subsection applies if the contravention was deliberate. (3) This subsection applies if the person – (a) knew or ought to have known that there was a risk that the contravention would occur, but (b) failed to take reasonable steps to prevent the contravention.” 4,13. The Commissioner has issued statutory guidance under section 55C (1) of the DPA about the issuing of monetary penalties that has been published on the ICO’s website. The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe that the amount of any penalty determined by the Commissioner must not exceed £500,000. 14. PECR were enacted to protect the individual’s fundamental right to privacy in the electronic communications sector. PECR were subsequently amended and strengthened. The Commissioner will interpret PECR in a way which is consistent with the Regulations’ overall aim of ensuring high levels of protection for individuals’ privacy rights. 15. The provisions of the DPA remain in force for the purposes of PECR notwithstanding the introduction of the DPA18: see paragraph 58(1) of Schedule 20 to the DPA18. Background to the case 16. On 29 April 2021, Royal Mail submitted a written breach report to the Commissioner as it was aware that its actions in respect of a particular marketing campaign may have breached PECR. It was confirmed at this time that on 27 April 2021, due to an apparent technical error, Royal Mail had sent direct marketing emails to “215,202 parties who had expressed a desire to no longer receive marketing from [Royal Mail]”. 17. Royal Mail explained as background that on 20 April 2021 it sent a direct marketing email in respect of one of its ‘special stamp series’ campaigns to previous customers, and to those who had previously 5, expressed an interest in receiving marketing from Royal Mail. The direct marketing email concerned Royal Mail’s ‘War of the Roses’ campaign. In preparing to send this email, Royal Mail had identified 245,850 potential recipients, and proceeded to cross reference their details against its internal “Marketing Permissions Master Database” to ensure that the intended recipients had not, since the time of initially providing their details to Royal Mail, subsequently opted out of direct marketing. Of the 245,850 potential recipients, Royal Mail determined that 30,648 had provided valid and existing consent to receive the direct marketing messages, with 215,202 being deemed to have opted out. 18. On 20 April 2021, Royal Mail transmitted its direct marketing email to 30,648 individuals, with those 215,202 identified as having opted out being “moved to a holding step in the campaign”. Royal Mail explained that on 27 April 2021, due to an internal routing error, the 215,202 individuals who had been moved to the “holding step” were accidently sent a “reminder email” which had been intended only for the 30,648 individuals who had been sent, but had not opened or engaged with, the initial email on 20 April 2021. 19. Royal Mail explained that the 215,202 individuals “who were identified as being opted out (and who were not sent marketing in the first round of emails) were placed at the wrong hold point in the routing map which resulted in the being caught in the ‘reminder population on 27 th April”. 20. An initial investigation letter was sent to Royal Mail on 3 June 2021 outlining the Commissioner’s concerns with the reported incident, and requesting further details in relation to the volume of messages which 6, had been received by individuals, along with an explanation for the cause of the routing error which had been identified. 21. Royal Mail responded on 23 June 2021 and provided a copy of the particular direct marketing email which had been sent on 27 April 2021 and which invited recipients to purchase commemorative stamp sets and souvenirs. Royal Mail provided an explanation for the routing error, stating: “The system used by Royal Mail (Eloqua) to send electronic marketing communications to customers of our stamps and collectibles products uses an automated journey to segment customers to whom we are permitted to send marketing communications from the others. We retain details of both permissioned and non-permissioned customers to ensure that we have the latest and most up-to-date permission record from our master marketing permission repository, which updates from multiple source systems. Prior to a campaign starting, Eloqua connects with our master marketing permission repository to collect the up-to-date permissions set for the in-scope customers. Permissioned customers then enter Eloqua’s automated journey, in the course of which they are sent the relevant marketing communications (in this case, both the initial email and the reminder). Non–permissioned customers are routed to the end of the campaign journey, bypassing the stage at which marketing communications are sent. This process has been used successfully since May 2018, for circa 25 campaigns a month, without error. Sending reminder emails is a recent innovation deployed for some marketing, known as non-responder campaigns. We use these where stamps and collectibles items have a window of interest due to external 7, events (e.g. the commemorative edition of stamps to celebrate the life of The Duke of Edinburgh) or there may be a restricted number of items, such as special product sets. In these campaigns we send a reminder email to permissioned customers who have not interacted with the original communication to give them a further chance to engage. We have used this approach successfully on six occasions. However, for the Wars of the Roses campaigns, the non-permissioned set of customers were referred to the stage of the automated Eloqua journey which triggers the reminders, rather than to the end of the journey. This resulted in the reminder email being sent to those customers. 22. Royal Mail explained that the incident in fact arose due to a manual error, rather than a technical fault as had initially been reported. It was also explained that it had received six responses to the email from customers, with three being categorised as formal complaints and three being enquiries from customers around their “permissions”; Royal Mail replied to these customers with an apology. 23. Royal Mail explained that since the incident it had implemented a number of measures to minimise the potential of recurrence, including additional checks, and all future “non-responder reminder campaigns” using a reusable template to remove the risk of human error in deploying the automated Eloqua process. 24. It was also confirmed on 25 June 2021 that of the 215,202 messages sent, the number delivered was “no more than 213,191”. 25. On 6 July 2021 the Commissioner requested further details as to how the error took place, together with copies of the six customer 8, responses which had been received by Royal Mail, and the opt-out statement provided to customers when their details are obtained by Royal Mail. 26. On 12 July 2021 Royal Mail provided a copy of its Fair Processing Notice; copies of the six customer responses; and a walkthrough of the manual error which had occurred in respect of the ‘War of the Roses’ reminder email. By way of brief summary, each customer who is considered for a marketing campaign is uploaded to Eloqua; this includes customers that Royal Mail do not hold consent for. A marketing email is then configured with a date and time for the email to be sent. At this stage the intended recipients are cross referenced with Royal Mail’s ‘Permissions’ database. After screening against the database, two pathways are created; opted-in customers are further checked for relevant permissions and then sent the marketing email, and the remaining customers are supposed to be sent to the end of the process to ensure they are not included in any marketing emails. In the usual course, a reminder email is sent to recipients who did not engage with the initial email. In this case the 215,202 customers without the relevant marketing permissions were incorrectly and manually routed to the area of Eloqua used to send the reminder email. The customers who were sent the marketing email in error had not received the initial email and had therefore not engaged with this email, which caused Eloqua to send the reminder email. 27. In a subsequent email to the Commissioner of 17 August 2021, Royal Mail clarified that the 215,202 customers who were sent the ‘War of the Roses’ reminder marketing email fell into two groups: One group was made up of 91,736 customers who were registered with Royal Mail. This group had previously been presented with Royal Mail’s Fair Processing Notice at the point of registering, and subsequently opted 9, out of marketing emails. The second group comprising the remaining 123,466 individuals were customers who had not registered for a Royal Mail account and had, at the time of using a Royal Mail service, checked out as a ‘guest’. These individuals were not asked about their marketing preferences and had not provided consent to receive future direct marketing. 28. The responses which Royal Mail received from individuals to its ‘War of the Roses’ email reminders included: • “Why am I receiving this email? I have not ever opted-in or signed up to any marketing information from Royal Mail.” • ”Please show me where when I ordered stamps that I agreed to receive marketing emails. I ALWAYS Make sure I never opt in.” • “Why have I got this as not requested emails from you.” • “I did not subscribe for these mailings. Please ensure that I DO NOT receive any further emails of this nature.” • “Why am I getting these emails now? I NEVER had this problem before.” • “How were you able to send me the below mail? I opted out of marketing for stamps.” 29. The Commissioner has made the above findings of fact on the balance of probabilities. 10,30. The Commissioner has considered whether those facts constitute a contravention of regulation 22 of PECR by Royal Mail and, if so, whether the conditions of section 55A DPA are satisfied. The contravention 31. The Commissioner finds that Royal Mail contravened regulation 22 of PECR. 32. The Commissioner finds that the contravention was as follows: 33. The Commissioner finds that on 27 April 2021 there were 213,191 direct marketing emails received by subscribers. The Commissioner finds that Royal Mail transmitted those direct marketing messages, contrary to regulation 22 of PECR. 34. Royal Mail, as the sender of the direct marketing, is required to ensure that it is acting in compliance with the requirements of regulation 22 of PECR, and to ensure that valid consent to send those messages had been acquired. 35. In this instance, because of a manual error, Royal Mail sent a total of 215,202 direct marketing emails to individuals for whom it did not hold valid consent. Of those, 213,191 were received by subscribers. 36. Royal Mail appears to accept that it did not hold valid consent to send these messages, either because an individual had taken steps to expressly opt out of direct marketing, or because they had used Royal Mail’s services as a ‘guest’ and had not been presented with the ‘Fair Processing Notice’ and given an opportunity to provide valid consent for direct marketing. The Commissioner is satisfied that for those 123,466 11, individuals who checked out as guests, i.e. those who did not create a Royal Mail account, Royal Mail cannot rely on the soft opt-in as it cannot be said that individuals were given “a simple means of refusing […] the use of [their] contact details for the purposes of such direct marketing, at the time that the details were initially collected”. 37. The Commissioner is therefore satisfied from the evidence he has seen that Royal Mail did not have the necessary valid consent for the 213,191 direct marketing messages received by subscribers. 38. The Commissioner has gone on to consider whether the conditions under section 55A DPA are met. Seriousness of the contravention 39. The Commissioner is satisfied that the contravention identified above was serious. This is because on 27 April 2021, a confirmed total of 215,202 direct marketing messages were sent by Royal Mail, of which 213,191 were received by subscribers. These messages contained direct marketing material for which subscribers had not provided valid consent, furthermore the Commissioner is satisfied that Royal Mail cannot rely on the soft opt-in exemption. 40. The Commissioner is therefore satisfied that condition (a) from section 55A(1) DPA is met. Deliberate or negligent contraventions 41. The Commissioner has considered whether the contravention identified above was deliberate. The Commissioner does not consider that Royal Mail deliberately set out to contravene PECR in this instance. 12,42. The Commissioner has gone on to consider whether the contravention identified above was negligent. This consideration comprises two elements: 43. Firstly, he has considered whether Royal Mail knew or ought reasonably to have known that there was a risk that these contraventions would occur. This is not a high bar and he is satisfied that this condition is met. 44. The Eloqua system used by Royal Mail for its marketing emails relies on Royal Mail storing all customer email addresses regardless of whether it has the relevant consent to send marketing communications. The Commissioner takes the view that by storing all consented and non- consented email addresses on the same system from which direct marketing emails were sent, and given the risk of human error which could (and indeed did) occur, it is reasonable to think that Royal Mail ought to have been aware of the risk that direct marketing emails could be sent to customers who had opted out of marketing communications. 45. The Commissioner has published detailed guidance for those carrying out direct marketing explaining their legal obligations under PECR. This guidance gives clear advice regarding the requirements of consent for direct marketing and explains the circumstances under which organisations are able to carry out marketing over the phone, by text, by email, by post, or by fax. In particular it states that organisations can generally only send, or instigate, marketing messages to individuals if that person has specifically consented to receiving them. The guidance also provides a full explanation of the “soft opt-in” exemption. The Commissioner has also published detailed guidance on 13, consent under the GDPR. In case organisations remain unclear on their obligations, the ICO operates a telephone helpline. ICO communications about previous enforcement action where businesses have not complied with PECR are also readily available. 46. It is therefore reasonable to suppose that Royal Mail should have been aware of its responsibilities in this area. 47. Secondly, the Commissioner has gone on to consider whether Royal Mail failed to take reasonable steps to prevent the contraventions. Again, he is satisfied that this condition is met. 48. Royal Mail has, since the time of this incident, taken steps to put in place a “templated solution” for those campaigns where ‘reminder emails’ are sent, to remove the risk of future human error when operating Eloqua; as well as introducing a further ‘permissions’ check to ensure that individuals for whom it does not hold valid consent do not receive unsolicited direct marketing messages. Particularly with reference to the first of those steps, the Commissioner notes that Royal Mail has advised that such a solution has been effectively used in other ”single contact” campaigns for a number of years. The Commissioner therefore respectfully submits that Royal Mail could reasonably have been expected to use such a system for all of its campaigns to prevent any such contraventions from taking place. 49. In the circumstances, the Commissioner is satisfied that Royal Mail failed to take reasonable steps to prevent the contraventions. 50. The Commissioner is therefore satisfied that condition (b) from section 55A (1) DPA is met. 14, The Commissioner’s decision to issue a monetary penalty 51. The Commissioner has taken into account the following aggravating features of this case: • The six responses / complaints received by Royal Mail from the individuals who unlawfully received direct marketing emails demonstrate a level of annoyance from recipients. • The Commissioner has previously (in 2018) taken action against Royal Mail for a contravention of Regulation 22 PECR, at which point it would have been provided with clear advice as to its compliance. 52. The Commissioner has taken into account the following mitigating features of this case: • Royal Mail has indicated that it is to undertake a full internal Data Protection audit of its direct marketing practices which is expected to lead to reform. • The Commissioner acknowledges that this was an isolated incident arising from human error. • The Commissioner also recognises Royal Mail’s cooperation in reporting the incident despite there being no statutory requirement to do so. 53. For the reasons explained above, the Commissioner is satisfied that the conditions from section 55A (1) DPA have been met in this case. He is also satisfied that the procedural rights under section 55B have been complied with. 15,54. The latter has included the issuing of a Notice of Intent, in which the Commissioner set out his preliminary thinking. In reaching his final view, the Commissioner has taken into account the representations made by Royal Mail on this matter. 55. The Commissioner is accordingly entitled to issue a monetary penalty in this case. 56. The Commissioner has considered whether, in the circumstances, he should exercise his discretion so as to issue a monetary penalty. 57. The Commissioner has considered the likely impact of a monetary penalty on Royal Mail. He has decided on the information that is available to him, that Royal Mail has access to sufficient financial resources to pay the proposed monetary penalty without causing undue financial hardship. 58. The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with PECR. The sending of unsolicited direct marketing messages is a matter of significant public concern. A monetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices. The issuing of a monetary penalty will reinforce the need for businesses to ensure that they are only messaging those who specifically consent to receive direct marketing. 59. For these reasons, the Commissioner has decided to issue a monetary penalty in this case. 16, The amount of the penalty 60. Taking into account all of the above, the Commissioner has decided that a penalty in the sum of £20,000 (twenty thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty. Conclusion 61. The monetary penalty must be paid to the Commissioner’s office by BACS transfer or cheque by 6 April 2022 at the latest. The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government’s general bank account at the Bank of England. 62. If the Commissioner receives full payment of the monetary penalty by 5 April 2022 the Commissioner will reduce the monetary penalty by 20% to £16,000 (sixteen thousand pounds). However, you should be aware that the early payment discount is not available if you decide to exercise your right of appeal. 63. There is a right of appeal to the First-tier Tribunal (Information Rights) against: (a) the imposition of the monetary penalty and/or; (b) the amount of the penalty specified in the monetary penalty notice. 17,64. Any notice of appeal should be received by the Tribunal within 28 days of the date of this monetary penalty notice. 65. Information about appeals is set out in Annex 1. 66. The Commissioner will not take action to enforce a monetary penalty unless: • the period specified within the notice within which a monetary penalty must be paid has expired and all or any of the monetary penalty has not been paid; • all relevant appeals against the monetary penalty notice and any variation of it have either been decided or withdrawn; and • the period for appealing against the monetary penalty and any variation of it has expired. 67. In England, Wales and Northern Ireland, the monetary penalty is recoverable by Order of the County Court or the High Court. In Scotland, the monetary penalty can be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland. Dated the 7 thday of March 2022 Andy Curry Head of Investigations Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF 18,ANNEX 1 SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 1. Section 55B(5) of the Data Protection Act 1998 gives any person upon whom a monetary penalty notice has been served a right of appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’) against the notice. 2. If you decide to appeal and if the Tribunal considers:- a) that the notice against which the appeal is brought is not in accordance with the law; or b) to the extent that the notice involved an exercise of discretion by the Commissioner, that he ought to have exercised his discretion differently, the Tribunal will allow the appeal or substitute such other decision as could have been made by the Commissioner. In any other case the Tribunal will dismiss the appeal. 3. You may bring an appeal by serving a notice of appeal on the Tribunal at the following address: General Regulatory Chamber HM Courts & Tribunals Service PO Box 9300 Leicester LE1 8DJ 19, Telephone: 0203 936 8963 Email: email@example.com a) The notice of appeal should be sent so it is received by the Tribunal within 28 days of the date of the notice. b) If your notice of appeal is late the Tribunal will not admit it unless the Tribunal has extended the time for complying with this rule. 4. The notice of appeal should state:- a) your name and address/name and address of your representative (if any); b) an address where documents may be sent or delivered to you; c) the name and address of the Information Commissioner; d) details of the decision to which the proceedings relate; e) the result that you are seeking; f) the grounds on which you rely; g) you must provide with the notice of appeal a copy of the monetary penalty notice or variation notice; h) if you have exceeded the time limit mentioned above the notice of appeal must include a request for an extension of time 20, and the reason why the notice of appeal was not provided in time. 5. Before deciding whether or not to appeal you may wish to consult your solicitor or another adviser. At the hearing of an appeal a party may conduct his case himself or may be represented by any person whom he may appoint for that purpose. 6. The statutory provisions concerning appeals to the First-tier Tribunal (Information Rights) are contained in section 55B(5) of, and Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 1976 (L.20)). 21