ICO (UK) - Royal Mail Group Limited: Difference between revisions

From GDPRhub
Revision as of 11:15, 10 March 2022

ICO (UK) - Royal Mail Group Limited
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 4(11) GDPR
Data Protection Act 1998
Privacy and Electronic Communications (EC Directive) Regulations 2003
Type: Investigation
Outcome: Violation Found
Started: 03.06.2021
Decided: 07.03.2022
Published: 08.03.2022
Fine: 20,000 GBP
Parties: Royal Mail Group Limited
National Case Number/Name: Royal Mail Group Limited
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: gauravpathak

The UK DPA issued a €23,850 (GBP 20,000) fine against Royal Mail for sending unsolicited direct marketing emails in violation of provision 22 of the UK Privacy and Electronic Communications (EC Directive) Regulations 2003.

English Summary

Facts

Royal Mail is the British postal service and is the data controller. On 29 April 2021, Royal Mail submitted a written breach report to the UK DPA (ICO) that due to a technical error, its marketing actions might have sent emails to “215,202 parties who had expressed a desire to no longer receive marketing from [Royal Mail]”.

Royal Mail explained that it had a list of 245,850 potential recipients, out of which “30,648 had provided valid and existing consent to receive the direct marketing messages, with 215,202 being deemed to have opted out.” On 20 April 2021, at the time of transmission of the marketing email, Royal Mail had sent the email to 30,648 persons while putting 215,202 in a holding step of the campaign. However, on 27 April 2021, “due to an internal routing error, the 215,202 individuals who had been moved to the “holding step” were accidentally sent a “reminder email” which had been intended only for the 30,648 individuals who had been sent, but had not opened or engaged with, the initial email on 20 April 2021.”

The ICO opened an investigation and sought details about the volume of messages and an explanation of the routing error. Before the ICO, Royal Mail submitted the following:

• It uses an automated system called Eloqua to send marketing emails. Royal Mail maintains a single master database of all individuals, i.e. those who have provided their consent to receive marketing emails and also those who have not consented to receive marketing emails. The single database is maintained to keep it updated as per the latest status of consent.

• In a campaign, marketing emails are sent by Eloqua to those who have provided their consent. Individuals who have not given their consent are put at the end of the campaign, and the stage of sending them emails is bypassed. A reminder email is sent to persons who have given their consent but have not interacted with the original email.

• In the present instance, 215,202 customers who were sent the reminder marketing email fell into two groups, “One group was made up of 91,736 customers who were registered with Royal Mail. This group had previously been presented with Royal Mail’s Fair Processing Notice at the point of registering, and subsequently opted out of marketing emails. The second group comprising the remaining 123,466 individuals were customers who had not registered for a Royal Mail account and had, at the time of using a Royal Mail service, checked out as a ‘guest’. These individuals were not asked about their marketing preferences and had not provided consent to receive future direct marketing.”

• At the stage of sending reminder emails, details of persons who had not given their consent were fed to Eloqua due to a human error. Accordingly, persons who had not given their consent received the reminder email, even as they were not sent the original email. However, of “the 215,202 messages sent, the number delivered was “no more than 213,191”.”

• Since the incident, Royal Mail has introduced several checks to minimize the risk of potential recurrence.

• Royal Mail received six responses/complaints from subscribers who had received the unsolicited marketing email, in reply to which it apologized.
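The failure mode described in the bullets above, as an added example that is not taken from the decision or from Royal Mail's systems: a campaign journey in which the non-permissioned set is routed to the reminder step, sent once by a sender that trusts the routing and once through a send-time gate that re-checks the permission repository and fails closed. All class and function names, the sample addresses and the three permission states are assumptions made for illustration; no Eloqua API is used.

```python
"""Send-time consent gate for a multi-step campaign journey (constructed example)."""
from dataclasses import dataclass
from enum import Enum


class Permission(Enum):
    OPTED_IN = "opted_in"        # valid, existing consent
    OPTED_OUT = "opted_out"      # registered customer who later opted out
    NEVER_ASKED = "never_asked"  # guest checkout, preference never collected


@dataclass(frozen=True)
class Contact:
    email: str
    opened_initial: bool = False


# Constructed stand-in for the master permission repository.
PERMISSIONS = {
    "alice@example.test": Permission.OPTED_IN,
    "bob@example.test": Permission.OPTED_IN,
    "carol@example.test": Permission.OPTED_OUT,
    "dave@example.test": Permission.NEVER_ASKED,
}

# Constructed campaign population; erin is absent from the repository.
CONTACTS = [
    Contact("alice@example.test", opened_initial=True),
    Contact("bob@example.test"),
    Contact("carol@example.test"),
    Contact("dave@example.test"),
    Contact("erin@example.test"),
]


def initial_recipients(contacts, permissions):
    """Addresses that legitimately received the first email."""
    return [c.email for c in contacts
            if permissions.get(c.email) is Permission.OPTED_IN]


def route(contacts, permissions, misroute=False):
    """Assign contacts to journey steps after the initial send.

    misroute=True reproduces the error on this page: non-permissioned
    contacts land on the reminder step instead of the end of the journey.
    """
    steps = {"reminder": [], "end": []}
    for c in contacts:
        if permissions.get(c.email) is Permission.OPTED_IN:
            # Permissioned: remind only those who did not engage.
            steps["end" if c.opened_initial else "reminder"].append(c)
        else:
            steps["reminder" if misroute else "end"].append(c)
    return steps


def send_trusting_route(step_contacts):
    """Sender that assumes the routing already enforced consent."""
    return [c.email for c in step_contacts]


def send_with_gate(step_contacts, permissions):
    """Re-check consent at the moment of sending; unknown status is blocked."""
    sent, blocked = [], []
    for c in step_contacts:
        status = permissions.get(c.email)
        if status is Permission.OPTED_IN:
            sent.append(c.email)
        else:
            blocked.append((c.email, status.value if status else "unknown"))
    return sent, blocked


def stray_reminder_recipients(initial_sent, reminder_step):
    """Pre-send audit: a reminder audience must be a subset of the initial one."""
    allowed = set(initial_sent)
    return sorted(c.email for c in reminder_step if c.email not in allowed)


if __name__ == "__main__":
    first_send = initial_recipients(CONTACTS, PERMISSIONS)
    reminder = route(CONTACTS, PERMISSIONS, misroute=True)["reminder"]
    print("trusting sender :", send_trusting_route(reminder))
    sent, blocked = send_with_gate(reminder, PERMISSIONS)
    print("gated sender    :", sent)
    print("blocked         :", blocked)
    print("audit strays    :", stray_reminder_recipients(first_send, reminder))
```

The subset audit would also have flagged the incident by size alone, since a reminder population cannot exceed the population of the initial send.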


Holding

The ICO determined as follows:

• Royal Mail contravened Regulation 22 PECR as 213,191 unsolicited marketing emails were received by subscribers.

• Royal Mail accepted that it did not have the consent for sending the unsolicited marketing emails as it did not have the consent of those persons, or those persons had used services of Royal Mail as a guest, and were never given an opportunity to provide their consent.

• For 123,466 persons who had used Royal Mail’s services as a guest, Royal Mail cannot rely on “the soft opt-in as it cannot be said that individuals were given “a simple means of refusing […] the use of [their] contact details for the purposes of such direct marketing, at the time that the details were initially collected”.”

• The contravention was considered to be serious as the emails “contained direct marketing material for which subscribers had not provided valid consent”.

• Royal Mail did not deliberately contravene PECR. However, its actions were considered to be negligent as “storing all consented and non-consented email addresses on the same system from which direct marketing emails were sent, and given the risk of human error which could (and indeed did) occur, it is reasonable to think that Royal Mail ought to have been aware of the risk that direct marketing emails could be sent to customers who had opted out of marketing communications.”

• Since the incident, Royal Mail took steps to remove the risk of human error. However, Royal Mail ought to have taken these steps earlier in order to prevent the incident. Accordingly, “Royal Mail failed to take reasonable steps to prevent the contraventions.”

The ICO considered the following aggravating factors:

• Six responses/complaints from persons who had received unsolicited marketing emails demonstrate a level of annoyance.

• In 2018, the ICO had taken action against Royal Mail for contravening Regulation 22 PECR, and Royal Mail had received clear advice on compliance with PECR.

The ICO considered the following mitigating factors:

• Royal Mail undertook to conduct a full internal Data Protection audit of its direct marketing practices.

• This was an isolated accident resulting from human error.

• Royal Mail itself reported the incident, despite there being no legal requirement for the same.

The ICO said, “The sending of unsolicited direct marketing messages is a matter of significant public concern. A monetary penalty in this case should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices. The issuing of a monetary penalty will reinforce the need for businesses to ensure that they are only messaging those who specifically consent to receive direct marketing.” Thus, the ICO issued a €23,850 (GBP 20,000) fine against Royal Mail for sending unsolicited direct marketing emails in violation of provision 22 of the UK Privacy and Electronic Communications (EC Directive) Regulations 2003.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                      DATA PROTECTION ACT 1998



   SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER



                      MONETARY PENALTY NOTICE




To:   Royal Mail Group Limited


Of:   185 Farringdon Road,
      London,
      United Kingdom,
      EC1A 1AA


1.    The Information Commissioner (“the Commissioner”) has decided to

      issue Royal Mail Group Limited (“Royal Mail”) with a monetary penalty

      under section 55A of the Data Protection Act 1998 (“DPA”). The penalty

      is in relation to a serious contravention of Regulation 22 of the Privacy

      and Electronic Communications (EC Directive) Regulations 2003
      (“PECR”).



2.    This notice explains the Commissioner’s decision.



      Legal framework


3.    Royal Mail, whose registered office address is given above (Companies

      House Registration Number: 04138203) is the organisation stated in

      this notice to have transmitted unsolicited communications by means

      of electronic mail to individual subscribers for the purposes of direct

      marketing contrary to regulation 22 of PECR.


4.    Regulation 22 of PECR states:


      “(1) This regulation applies to the transmission of unsolicited

           communications by means of electronic mail to individual

           subscribers.

      (2) Except in the circumstances referred to in paragraph (3), a person

           shall neither transmit, nor instigate the transmission of, unsolicited

           communications for the purposes of direct marketing by means of
           electronic mail unless the recipient of the electronic mail has

           previously notified the sender that he consents for the time being

           to such communications being sent by, or at the instigation of, the

           sender.

      (3) A person may send or instigate the sending of electronic mail for
           the purposes of direct marketing where—

               (a) that person has obtained the contact details of the recipient

                  of that electronic mail in the course of the sale or

                  negotiations for the sale of a product or service to that

                  recipient;

               (b) the direct marketing is in respect of that person’s similar
                  products and services only; and

               (c) the recipient has been given a simple means of refusing

                  (free of charge except for the costs of the transmission of

                  the refusal) the use of his contact details for the purposes

                  of such direct marketing, at the time that the details were
                  initially collected, and, where he did not initially refuse the

                  use of the details, at the time of each subsequent

                  communication.

      (4) A subscriber shall not permit his line to be used in contravention of

           paragraph (2).”


5.    Section 122(5) of the Data Protection Act 2018 (“DPA18”) defines

      direct marketing as “the communication (by whatever means) of


      advertising or marketing material which is directed to particular

      individuals”. This definition also applies for the purposes of PECR (see

      regulation 2(2) PECR and paragraphs 430 & 432(6) to Schedule 19 of

      the DPA18).


6.    Consent in PECR is defined by reference to the concept of consent in

      the UK GDPR as defined in section 3(10) of the DPA 2018 [1]: see

      regulation 2(1) of PECR, as amended by Part 3 of Schedule 3,

      paragraph 44 of The Data Protection, Privacy and Electronic

      Communications (Amendments etc) (EU Exit) Regulations 2019/419.

      Article 4(11) of the UK GDPR sets out the following definition:

      “‘consent’ of the data subject means any freely given, specific,

      informed and unambiguous indication of the data subject's wishes by

      which he or she, by a statement or by a clear affirmative action,

      signifies agreement to the processing of personal data relating to him
      or her”.



7.    Recital 32 of the GDPR materially states that “When the processing has

      multiple purposes, consent should be given for all of them”. Recital 42

      materially provides that “For consent to be informed, the data subject

      should be aware at least of the identity of the controller”. Recital 43

      materially states that “Consent is presumed not to be freely given if it

      does not allow separate consent to be given to different personal data

      processing operations despite it being appropriate in the individual case”.


8.    “Individual” is defined in regulation 2(1) of PECR as “a living individual

      and includes an unincorporated body of such individuals”.





[1] The UK GDPR is therein defined as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

9.    A “subscriber” is defined in regulation 2(1) of PECR as “a person who is
      a party to a contract with a provider of public electronic

      communications services for the supply of such services”.



10.   “Electronic mail” is defined in regulation 2(1) of PECR as “any text,

      voice, sound or image message sent over a public electronic

      communications network which can be stored in the network or in the
      recipient’s terminal equipment until it is collected by the recipient and

      includes messages sent using a short message service”.



11.   The term "soft opt-in" is used to describe the rule set out in

      Regulation 22(3) of PECR. In essence, an organisation may be able to
      e-mail its existing customers even if they haven't specifically consented

      to electronic mail. The soft opt-in rule can only be relied upon by the

      organisation that collected the contact details.



12.   Section 55A of the DPA (as applied to PECR cases by Schedule 1 to

      PECR, as variously amended) states:


      “(1) The Commissioner may serve a person with a monetary penalty if

           the Commissioner is satisfied that –

               (a) there has been a serious contravention of the requirements

                  of the Privacy and Electronic Communications (EC
                  Directive) Regulations 2003 by the person,

               (b) subsection (2) or (3) applies.

      (2) This subsection applies if the contravention was deliberate.

      (3) This subsection applies if the person –

               (a) knew or ought to have known that there was a risk that the

               contravention would occur, but
               (b) failed to take reasonable steps to prevent the

                  contravention.”


13.   The Commissioner has issued statutory guidance under section 55C (1)

      of the DPA about the issuing of monetary penalties that has been

      published on the ICO’s website. The Data Protection (Monetary

      Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe

      that the amount of any penalty determined by the Commissioner must

      not exceed £500,000.


14.   PECR were enacted to protect the individual’s fundamental right to

      privacy in the electronic communications sector. PECR were

      subsequently amended and strengthened. The Commissioner will

      interpret PECR in a way which is consistent with the Regulations’
      overall aim of ensuring high levels of protection for individuals’ privacy

      rights.



15.   The provisions of the DPA remain in force for the purposes of PECR

      notwithstanding the introduction of the DPA18: see paragraph 58(1) of

      Schedule 20 to the DPA18.


      Background to the case



16.   On 29 April 2021, Royal Mail submitted a written breach report to the

      Commissioner as it was aware that its actions in respect of a particular
      marketing campaign may have breached PECR. It was confirmed at this

      time that on 27 April 2021, due to an apparent technical error, Royal

      Mail had sent direct marketing emails to “215,202 parties who had

      expressed a desire to no longer receive marketing from [Royal Mail]”.



17.   Royal Mail explained as background that on 20 April 2021 it sent a
      direct marketing email in respect of one of its ‘special stamp series’

      campaigns to previous customers, and to those who had previously


      expressed an interest in receiving marketing from Royal Mail. The

      direct marketing email concerned Royal Mail’s ‘War of the Roses’
      campaign. In preparing to send this email, Royal Mail had identified

      245,850 potential recipients, and proceeded to cross reference their

      details against its internal “Marketing Permissions Master Database” to

      ensure that the intended recipients had not, since the time of initially

      providing their details to Royal Mail, subsequently opted out of direct

      marketing. Of the 245,850 potential recipients, Royal Mail determined
      that 30,648 had provided valid and existing consent to receive the

      direct marketing messages, with 215,202 being deemed to have opted

      out.



18.   On 20 April 2021, Royal Mail transmitted its direct marketing email to

      30,648 individuals, with those 215,202 identified as having opted out

      being “moved to a holding step in the campaign”. Royal Mail explained
      that on 27 April 2021, due to an internal routing error, the 215,202

      individuals who had been moved to the “holding step” were accidentally

      sent a “reminder email” which had been intended only for the 30,648

      individuals who had been sent, but had not opened or engaged with,

      the initial email on 20 April 2021.


19.   Royal Mail explained that the 215,202 individuals “who were identified

      as being opted out (and who were not sent marketing in the first round

      of emails) were placed at the wrong hold point in the routing map

      which resulted in the being caught in the ‘reminder population on 27th

      April”.



20.   An initial investigation letter was sent to Royal Mail on 3 June 2021
      outlining the Commissioner’s concerns with the reported incident, and

      requesting further details in relation to the volume of messages which




      had been received by individuals, along with an explanation for the
      cause of the routing error which had been identified.



21.   Royal Mail responded on 23 June 2021 and provided a copy of the

      particular direct marketing email which had been sent on 27 April 2021

      and which invited recipients to purchase commemorative stamp sets

      and souvenirs. Royal Mail provided an explanation for the routing error,
      stating:



      “The system used by Royal Mail (Eloqua) to send electronic marketing

      communications to customers of our stamps and collectibles products

      uses an automated journey to segment customers to whom we are
      permitted to send marketing communications from the others. We

      retain details of both permissioned and non-permissioned customers to

      ensure that we have the latest and most up-to-date permission record

      from our master marketing permission repository, which updates from

      multiple source systems.


      Prior to a campaign starting, Eloqua connects with our master

      marketing permission repository to collect the up-to-date permissions

      set for the in-scope customers. Permissioned customers then enter

      Eloqua’s automated journey, in the course of which they are sent the

      relevant marketing communications (in this case, both the initial email
      and the reminder). Non-permissioned customers are routed to the end

      of the campaign journey, bypassing the stage at which marketing

      communications are sent. This process has been used successfully

      since May 2018, for circa 25 campaigns a month, without error.



      Sending reminder emails is a recent innovation deployed for some
      marketing, known as non-responder campaigns. We use these where

      stamps and collectibles items have a window of interest due to external


      events (e.g. the commemorative edition of stamps to celebrate the life
      of The Duke of Edinburgh) or there may be a restricted number of

      items, such as special product sets.



      In these campaigns we send a reminder email to permissioned

      customers who have not interacted with the original communication to

      give them a further chance to engage. We have used this approach
      successfully on six occasions. However, for the Wars of the Roses

      campaigns, the non-permissioned set of customers were referred to

      the stage of the automated Eloqua journey which triggers the

      reminders, rather than to the end of the journey. This resulted in the

      reminder email being sent to those customers.”


22.   Royal Mail explained that the incident in fact arose due to a manual

      error, rather than a technical fault as had initially been reported. It was

      also explained that it had received six responses to the email from

      customers, with three being categorised as formal complaints and

      three being enquiries from customers around their “permissions”;
      Royal Mail replied to these customers with an apology.



23.   Royal Mail explained that since the incident it had implemented a

      number of measures to minimise the potential of recurrence, including

      additional checks, and all future “non-responder reminder campaigns”
      using a reusable template to remove the risk of human error in

      deploying the automated Eloqua process.



24.   It was also confirmed on 25 June 2021 that of the 215,202 messages

      sent, the number delivered was “no more than 213,191”.


25.   On 6 July 2021 the Commissioner requested further details as to how

      the error took place, together with copies of the six customer


      responses which had been received by Royal Mail, and the opt-out
      statement provided to customers when their details are obtained by

      Royal Mail.



26.   On 12 July 2021 Royal Mail provided a copy of its Fair Processing

      Notice; copies of the six customer responses; and a walkthrough of the

      manual error which had occurred in respect of the ‘War of the Roses’
      reminder email. By way of brief summary, each customer who is

      considered for a marketing campaign is uploaded to Eloqua; this

      includes customers that Royal Mail do not hold consent for. A

      marketing email is then configured with a date and time for the email

      to be sent. At this stage the intended recipients are cross referenced
      with Royal Mail’s ‘Permissions’ database. After screening against the

      database, two pathways are created; opted-in customers are further

      checked for relevant permissions and then sent the marketing email,

      and the remaining customers are supposed to be sent to the end of the

      process to ensure they are not included in any marketing emails. In the

      usual course, a reminder email is sent to recipients who did not engage
      with the initial email. In this case the 215,202 customers without the

      relevant marketing permissions were incorrectly and manually routed

      to the area of Eloqua used to send the reminder email. The customers

      who were sent the marketing email in error had not received the initial

      email and had therefore not engaged with this email, which caused
      Eloqua to send the reminder email.



27.   In a subsequent email to the Commissioner of 17 August 2021, Royal

      Mail clarified that the 215,202 customers who were sent the ‘War of

      the Roses’ reminder marketing email fell into two groups: One group

      was made up of 91,736 customers who were registered with Royal
      Mail. This group had previously been presented with Royal Mail’s Fair

      Processing Notice at the point of registering, and subsequently opted


      out of marketing emails. The second group comprising the remaining
      123,466 individuals were customers who had not registered for a Royal

      Mail account and had, at the time of using a Royal Mail service,

      checked out as a ‘guest’. These individuals were not asked about their

      marketing preferences and had not provided consent to receive future

      direct marketing.


28.   The responses which Royal Mail received from individuals to its ‘War of

      the Roses’ email reminders included:



         •  “Why am I receiving this email? I have not ever opted-in or

            signed up to any marketing information from Royal Mail.”


         •  “Please show me where when I ordered stamps that I agreed to

            receive marketing emails. I ALWAYS Make sure I never opt in.”



         •  “Why have I got this as not requested emails from you.”


         •  “I did not subscribe for these mailings. Please ensure that I DO

            NOT receive any further emails of this nature.”



         •  “Why am I getting these emails now? I NEVER had this problem

            before.”


         •  “How were you able to send me the below mail? I opted out of

            marketing for stamps.”



29.   The Commissioner has made the above findings of fact on the

      balance of probabilities.





30.   The Commissioner has considered whether those facts constitute
      a contravention of regulation 22 of PECR by Royal Mail and, if so,

      whether the conditions of section 55A DPA are satisfied.



      The contravention



31.   The Commissioner finds that Royal Mail contravened regulation 22 of
      PECR.



32.   The Commissioner finds that the contravention was as follows:



33.   The Commissioner finds that on 27 April 2021 there were 213,191
      direct marketing emails received by subscribers. The Commissioner

      finds that Royal Mail transmitted those direct marketing messages,

      contrary to regulation 22 of PECR.



34.   Royal Mail, as the sender of the direct marketing, is required to ensure

      that it is acting in compliance with the requirements of regulation 22 of
      PECR, and to ensure that valid consent to send those messages had

      been acquired.



35.   In this instance, because of a manual error, Royal Mail sent a total of

      215,202 direct marketing emails to individuals for whom it did not hold
      valid consent. Of those, 213,191 were received by subscribers.



36.   Royal Mail appears to accept that it did not hold valid consent to send

      these messages, either because an individual had taken steps to

      expressly opt out of direct marketing, or because they had used Royal

      Mail’s services as a ‘guest’ and had not been presented with the ‘Fair
      Processing Notice’ and given an opportunity to provide valid consent for

      direct marketing. The Commissioner is satisfied that for those 123,466


      individuals who checked out as guests, i.e. those who did not create a
      Royal Mail account, Royal Mail cannot rely on the soft opt-in as it

      cannot be said that individuals were given “a simple means of refusing

      […] the use of [their] contact details for the purposes of such direct

      marketing, at the time that the details were initially collected”.



37.   The Commissioner is therefore satisfied from the evidence he has seen
      that Royal Mail did not have the necessary valid consent for the

      213,191 direct marketing messages received by subscribers.



38.   The Commissioner has gone on to consider whether the conditions

      under section 55A DPA are met.


      Seriousness of the contravention



39.   The Commissioner is satisfied that the contravention identified

      above was serious. This is because on 27 April 2021, a confirmed total

      of 215,202 direct marketing messages were sent by Royal Mail, of
      which 213,191 were received by subscribers. These messages

      contained direct marketing material for which subscribers had not

      provided valid consent; furthermore, the Commissioner is satisfied that

      Royal Mail cannot rely on the soft opt-in exemption.


40.   The Commissioner is therefore satisfied that condition (a) from

      section 55A(1) DPA is met.



      Deliberate or negligent contraventions



41.   The Commissioner has considered whether the contravention identified
      above was deliberate. The Commissioner does not consider that Royal

      Mail deliberately set out to contravene PECR in this instance.


42.   The Commissioner has gone on to consider whether the contravention

      identified above was negligent. This consideration comprises two

      elements:



43.   Firstly, he has considered whether Royal Mail knew or ought reasonably

      to have known that there was a risk that these contraventions would
      occur. This is not a high bar and he is satisfied that this condition is

      met.



44.   The Eloqua system used by Royal Mail for its marketing emails relies on

      Royal Mail storing all customer email addresses regardless of whether it
      has the relevant consent to send marketing communications. The

      Commissioner takes the view that by storing all consented and non-

      consented email addresses on the same system from which direct

      marketing emails were sent, and given the risk of human error which

      could (and indeed did) occur, it is reasonable to think that Royal Mail

      ought to have been aware of the risk that direct marketing emails
      could be sent to customers who had opted out of marketing

      communications.



45.   The Commissioner has published detailed guidance for those carrying

      out direct marketing explaining their legal obligations under PECR.
      This guidance gives clear advice regarding the requirements of consent

      for direct marketing and explains the circumstances under which

      organisations are able to carry out marketing over the phone, by text,

      by email, by post, or by fax. In particular it states that organisations

      can generally only send, or instigate, marketing messages to

      individuals if that person has specifically consented to receiving them.
      The guidance also provides a full explanation of the “soft opt-in”

      exemption. The Commissioner has also published detailed guidance on


      consent under the GDPR. In case organisations remain unclear on their
      obligations, the ICO operates a telephone helpline. ICO

      communications about previous enforcement action where businesses

      have not complied with PECR are also readily available.



46.   It is therefore reasonable to suppose that Royal Mail should have been

      aware of its responsibilities in this area.


47.   Secondly, the Commissioner has gone on to consider whether Royal

      Mail failed to take reasonable steps to prevent the contraventions.

      Again, he is satisfied that this condition is met.


48.   Royal Mail has, since the time of this incident, taken steps to put in

      place a “templated solution” for those campaigns where ‘reminder

      emails’ are sent, to remove the risk of future human error when

      operating Eloqua; as well as introducing a further ‘permissions’ check

      to ensure that individuals for whom it does not hold valid consent do

      not receive unsolicited direct marketing messages. Particularly with
      reference to the first of those steps, the Commissioner notes that Royal

      Mail has advised that such a solution has been effectively used in other

      “single contact” campaigns for a number of years. The Commissioner

      therefore respectfully submits that Royal Mail could reasonably have

      been expected to use such a system for all of its campaigns to prevent
      any such contraventions from taking place.



49.   In the circumstances, the Commissioner is satisfied that Royal Mail

      failed to take reasonable steps to prevent the contraventions.



50.   The Commissioner is therefore satisfied that condition (b) from section
      55A (1) DPA is met.




      The Commissioner’s decision to issue a monetary penalty


51.   The Commissioner has taken into account the following

      aggravating features of this case:



      •  The six responses / complaints received by Royal Mail from the

         individuals who unlawfully received direct marketing emails
         demonstrate a level of annoyance from recipients.



      •  The Commissioner has previously (in 2018) taken action against

         Royal Mail for a contravention of Regulation 22 PECR, at which point

         it would have been provided with clear advice as to its compliance.


52.   The Commissioner has taken into account the following mitigating

      features of this case:



      •  Royal Mail has indicated that it is to undertake a full internal Data

         Protection audit of its direct marketing practices which is expected
         to lead to reform.



      •  The Commissioner acknowledges that this was an isolated incident

         arising from human error.


      •  The Commissioner also recognises Royal Mail’s cooperation in

         reporting the incident despite there being no statutory requirement

         to do so.



53.   For the reasons explained above, the Commissioner is satisfied that the

      conditions from section 55A (1) DPA have been met in this case. He is
      also satisfied that the procedural rights under section 55B have been

      complied with.


54.   The latter has included the issuing of a Notice of Intent, in which the

      Commissioner set out his preliminary thinking. In reaching his final

      view, the Commissioner has taken into account the representations

      made by Royal Mail on this matter.



55.   The Commissioner is accordingly entitled to issue a monetary penalty
      in this case.



56.   The Commissioner has considered whether, in the circumstances, he

      should exercise his discretion so as to issue a monetary penalty.


57.   The Commissioner has considered the likely impact of a monetary

      penalty on Royal Mail. He has decided on the information that is

      available to him, that Royal Mail has access to sufficient financial

      resources to pay the proposed monetary penalty without causing

      undue financial hardship.


58.   The Commissioner’s underlying objective in imposing a monetary

      penalty notice is to promote compliance with PECR. The sending of

      unsolicited direct marketing messages is a matter of significant public

      concern. A monetary penalty in this case should act as a general

      encouragement towards compliance with the law, or at least as a
      deterrent against non-compliance, on the part of all persons running

      businesses currently engaging in these practices. The issuing of a

      monetary penalty will reinforce the need for businesses to ensure that

      they are only messaging those who specifically consent to receive

      direct marketing.


59.   For these reasons, the Commissioner has decided to issue a monetary

      penalty in this case.


      The amount of the penalty



60.   Taking into account all of the above, the Commissioner has decided

      that a penalty in the sum of £20,000 (twenty thousand pounds) is

      reasonable and proportionate given the particular facts of the case and

      the underlying objective in imposing the penalty.


      Conclusion



61.   The monetary penalty must be paid to the Commissioner’s office by

      BACS transfer or cheque by 6 April 2022 at the latest. The monetary
      penalty is not kept by the Commissioner but will be paid into the

      Consolidated Fund which is the Government’s general bank account at

      the Bank of England.



62.   If the Commissioner receives full payment of the monetary penalty by

      5 April 2022 the Commissioner will reduce the monetary penalty by
      20% to £16,000 (sixteen thousand pounds). However, you should

      be aware that the early payment discount is not available if you decide

      to exercise your right of appeal.



63.   There is a right of appeal to the First-tier Tribunal (Information Rights)
      against:



      (a) the imposition of the monetary penalty

          and/or;

      (b) the amount of the penalty specified in the monetary penalty

         notice.





64.   Any notice of appeal should be received by the Tribunal within 28 days

      of the date of this monetary penalty notice.


65.   Information about appeals is set out in Annex 1.



66.   The Commissioner will not take action to enforce a monetary penalty

      unless:


         • the period specified within the notice within which a monetary

            penalty must be paid has expired and all or any of the monetary

            penalty has not been paid;

         • all relevant appeals against the monetary penalty notice and any

            variation of it have either been decided or withdrawn; and

         • the period for appealing against the monetary penalty and any

            variation of it has expired.


67.   In England, Wales and Northern Ireland, the monetary penalty is

      recoverable by Order of the County Court or the High Court. In

      Scotland, the monetary penalty can be enforced in the same manner as

      an extract registered decree arbitral bearing a warrant for execution

      issued by the sheriff court of any sheriffdom in Scotland.


Dated the 7th day of March 2022



Andy Curry
Head of Investigations
Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow
Cheshire

SK9 5AF




ANNEX 1


         SECTION 55 A-E OF THE DATA PROTECTION ACT 1998



  RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER



      1.    Section 55B(5) of the Data Protection Act 1998 gives any person
      upon whom a monetary penalty notice has been served a right of

      appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)

      against the notice.



      2.    If you decide to appeal and if the Tribunal considers:-


            a)    that the notice against which the appeal is brought is not in

            accordance with the law; or



            b)    to the extent that the notice involved an exercise of

            discretion by the Commissioner, that he ought to have exercised
            his discretion differently,



      the Tribunal will allow the appeal or substitute such other decision as

      could have been made by the Commissioner. In any other case the

      Tribunal will dismiss the appeal.


      3.    You may bring an appeal by serving a notice of appeal on the

      Tribunal at the following address:



                  General Regulatory Chamber
                  HM Courts & Tribunals Service
                  PO Box 9300
                  Leicester

                  LE1 8DJ


      Telephone: 0203 936 8963
      Email:      grc@justice.gov.uk


      a)    The notice of appeal should be sent so it is received by the

      Tribunal within 28 days of the date of the notice.


      b)    If your notice of appeal is late the Tribunal will not admit it

      unless the Tribunal has extended the time for complying with this

      rule.



4.    The notice of appeal should state:-


      a)    your name and address/name and address of your

      representative (if any);



      b)     an address where documents may be sent or delivered to
      you;



      c)    the name and address of the Information Commissioner;



      d)    details of the decision to which the proceedings relate;


      e)    the result that you are seeking;



      f)    the grounds on which you rely;



      g)    you must provide with the notice of appeal a copy of the

      monetary penalty notice or variation notice;


      h)    if you have exceeded the time limit mentioned above the

      notice of appeal must include a request for an extension of time



      and the reason why the notice of appeal was not provided in
      time.



5.    Before deciding whether or not to appeal you may wish to consult

your solicitor or another adviser. At the hearing of an appeal a party

may conduct his case himself or may be represented by any person

whom he may appoint for that purpose.


6.    The statutory provisions concerning appeals to the First-tier

Tribunal (Information Rights) are contained in section 55B(5) of, and

Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure

(First-tier Tribunal) (General Regulatory Chamber) Rules 2009
(Statutory Instrument 2009 No. 1976 (L.20)).


































