ICO (UK) - Tempcover Ltd

From GDPRhub
Revision as of 15:20, 9 February 2022 by 49.36.183.250 (talk) (Formatting changes)
ICO (UK) - Tempcover Ltd
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 4(11) GDPR
Data Protection Act 1998
Privacy and Electronic Communications (EC Directive) Regulations 2003
Type: Investigation
Outcome: Violation Found
Started:
Decided: 07.02.2022
Published: 09.02.2022
Fine: 85,000 GBP
Parties: Tempcover Ltd
National Case Number/Name: Tempcover Ltd
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: gauravpathak

The UK DPA (ICO) fined Tempcover Ltd £ 85,000 for making unsolicited direct marketing messages in violation of Regulation 22 PECR.

English Summary

Facts

Tempcover Ltd is a company that provides short term motor insurance and is the data controller. Mobile UK is an entity representing the interests of mobile subscribers in the UK. Mobile UK has a Spam Reporting Service, and subscribers can report a spam message by forwarding the spam message to Mobile UK. Mobile UK compiles the spam reports on a monthly basis and provides a report to the ICO.

In May 2020, upon analysing the monthly reports provided by Mobile UK, the ICO ascertained “that between 1 November 2019 and 18 May 2020 there were a total of 13 complaints received from which Tempcover could be identified; of these, 12 were made via the 7726 service, and 1 was made directly to the Commissioner.” Accordingly, the ICO initiated an investigation against Tempcover.

Before the ICO, Tempcover submitted the following:

1. It sent direct marketing text messages and subscribers could see that they were sent by Tempcover.

2. A total of 1905,776 direct marketing text messages were sent between 26 May 2019 and 26 May 2020. However, it had the data only from 26 November 2019 to 26 May 2020 as per its data retention policy.

3. It had obtained the data of subscribers directly from them when they had sought to obtain a quotation from Tempcover’s website. It claimed that the subscribers got a clear link to its privacy policy and terms and conditions which state-

“By submitting your information to the Tempcover Site (“Our Site”) you are consenting to the processing of your information by us and our agents in accordance with this Privacy Policy. By obtaining a quote from us, you consent to Tempcover contacting you, by email and/or SMS, with details of our new products, services and promotions. You can opt out from this at any time by contacting us on contactus@tempcover.com or following the ‘unsubscribe/opt-out’ link in your email or SMS.”

4. Before the data provided by subscribers could get captured, they had to click on “'AGREE AND CONTINUE” to show their acceptance to privacy policy and terms and conditions.

5. It operates an internal suspension list, which is updated in real-time.

6. It provides Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) training to its staff. Before starting with the SMS campaign, it had conducted a Legitimate Interest Assessment, which had been reviewed by its Data Protection Officer (DPO) and the Marketing Department.

7. Between 26 May 2019 and 26 May 2020, it also sent “29,156,023 emails, and that, of those, 28,822,172 were successfully delivered to a recipient.”

Upon further enquiry, Tempcover submitted that subsequently it had undertaken a host of measures, “amongst which would be a separate button allowing individuals to select their marketing preferences at the point of consent being obtained.”

Holding

The ICO concluded as following:

1. Between 26 May 2019 and 26 May 2020, taking into account both text messages and emails, subscribers received 29,970,419 unsolicited direct marketing messages that were sent by Tempcover. These messages were in violation of Regulation 22 PECR.

2. In order to be compliant with PECR, Tempcover should have either held valid consent, or had a soft opt-in mechanism on its website. By failing to provide an opportunity of opting out from direct marketing and making the ‘agreement to marketing a condition of service’, it cannot be said that the consent obtained by Tempcover from the subscribers was “freely given”.

3. The subscribers were automatically enlisted for both email and SMS marketing, without being given an option to specify the medium of their choice. Accordingly, the consent that Tempcover sought to rely upon could was not sufficient and not be considered to be “specific”.

4. As Tempcover did not provide an option to subscribers to refuse to marketing, Tempcover was within the ambit of Regulation 22(3)(c) PECR.

5. "Legitimate Interest" is not a lawful basis under PECR, and there must be a valid consent, or a soft opt-in mechanism.

The above contravention was considered to be serious because of the high number of messages. However, the ICO concluded that Tempcover did not deliberately set out to contravene the PECR. Nevertheless, Tempcover was considered to be negligent as “Tempcover knew or ought reasonably to have known that there were risks inherent in its direct marketing activities given that during the investigation the Commissioner was provided with copies of Tempcover’s own training materials which made specific reference to PECR, and the need for compliance with the legislation.” In addition, the ICO concluded that Tempcover “failed to take reasonable steps to prevent the contraventions.”

The ICO considered the aggravating factor of Tempcover having financial benefit from the messages, and also the mitigating factor of incorporating new mechanisms which allow subscribers to opt out of unsolicited direct marketing at the point which consent is obtained.

Thus, the ICO issued a monetary penalty of £85,000 (eighty-five thousand pounds) against Tempcover.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                      DATA PROTECTION ACT 1998



   SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER



                      MONETARY PENALTY NOTICE




To:   Tempcover Ltd


Of:   Second Floor,
      Admiral House,
      Harlington Way,
      Fleet,
      Hampshire,

      England, GU51 4BB


1.    The Information Commissioner (“the Commissioner”) has decided to

      issue Tempcover Ltd (“Tempcover”) with a monetary penalty under
      section 55A of the Data Protection Act 1998 (“DPA”). The penalty is in

      relation to a serious contravention of Regulation 22 of the Privacy and

      Electronic Communications (EC Directive) Regulations 2003 (“PECR”) .



2.    This notice explains the Commissioner’s decision.


      Legal framework



3.    Tempcover, whose registered office address is given above (Companies

      House Registration Number: 09923259) is the organisation stated in

      this notice to have transmitted unsolicited communications by means
      of electronic mail to individual subscribers for the purposes of direct

      marketing contrary to regulation 22 of PECR.



4.    Regulation 22 of PECR states:

                                     1,“(1) This regulation applies to the transmission of             unsolicited

     communications by means of electronic mail to individual

     subscribers.

(2) Except in the circumstances referred to in paragraph (3), a person

     shall neither transmit, nor instigate the transmission of, unsolicited

     communications for the purposes of direct marketing by means of
     electronic mail unless the recipient of the electronic mail has

     previously notified the sender that he consents for the time being

     to such communications being sent by, or at the instigation of, the

     sender.

(3) A person may send or instigate the      sending of electronic mail for
     the purposes of direct marketing where—

         (a) that person has obtained the contact details of the recipient

            of that electronic mail in the course of the sale or

            negotiations for the sale of a product or service to that

            recipient;

         (b) the direct marketing is in respect of that person’s similar
            products and services only; and

         (c) the recipient has been given a simple means of refusing

            (free of charge except for the costs of the transmission of

            the refusal) the use of his contact details for the purposes

            of such direct marketing, at the time that the details were
            initially collected, and, where he did not initially refuse the

            use of the details, at the time of each subsequent

            communication.

(4) A subscriber shall not permit his line to be used in contravention of

     paragraph (2).”







                                  2,5.    Section 122(5) of the Data Protection Act 2018 (“DPA18”) defines
      direct marketing as “the communication (by whatever means) of

      advertising or marketing material which is directed to particular

      individuals”. This definition also applies for the purposes of PECR (see

      regulation 2(2) PECR and paragraphs 430 & 432(6) to Schedule 19 of

      the DPA18).


6.    At the material time, consent was defined by reference to the concept

      of consent in Regulation 2016/679 (“the GDPR”): regulation 8(2) of the

      Data Protection, Privacy and Electronic Communications (Amendments

      etc) (EU Exit) Regulations 2019. Article 4(11) of the GDPR sets out the

      following definition: “‘consent’ of the data subject means any freely
      given, specific, informed and unambiguous indication of the data

      subject's wishes by which he or she, by a statement or by a clear

      affirmative action, signifies agreement to the processing of personal

      data relating to him or her”.



7.    Recital 32 of the GDPR materially states that “When the processing has
      multiple purposes, consent should be given for all of them”    . Recital 42

      materially provides that “For consent to be informed, the data subject

      should be aware at least of the identity of the controller”    . Recital 43

      materially states that “Consent is presumed not to be freely given if it

      does not allow separate consent to be given to different personal data
      processing operations despite it being appropriate  in the individual case”.



8.    “Individual” is defined in regulation 2(1) of PECR as “a living individual

      and includes an unincorporated body of such individuals ”.


9.    A “subscriber” is defined in regulation 2(1) of PECR as “a person who is

      a party to a contract with a provider of public electronic

      communications services for the supply of such services”.


                                        3,10.   “Electronic mail” is defined in regulation 2(1) of PECR as “any text,

      voice, sound or image message sent over a public electronic

      communications network which can be stored in the network or in the

      recipient’s terminal equipment until it is collected by the recipient and

      includes messages sent using a short message service”.


11.   The term "soft opt-in" is used to describe the rule set out in in

      Regulation 22(3) of PECR. In essence, an organisation may be able to

      e-mail its existing customers even if they haven't specifically consented
      to electronic mail. The soft opt-in rule can only be relied upon by the

      organisation that collected the contact d etails.



12.   Section 55A of the DPA (as applied to PECR cases by Schedule 1 to

      PECR, as variously amended) states:


      “(1) The Commissioner may serve a person with a monetary penalty if

           the Commissioner is satisfied that –

              (a) there has been a serious contravention of therequirements

                  of the Privacy and Electronic Communications (EC

                  Directive) Regulations 2003 by the person,

              (b) subsection (2) or (3) applies.
      (2) This subsection applies if the contravention was deliberate.

      (3) This subsection applies if the person –

              (a) knew or ought to have known that there was a risk that the

              contravention would occur, but

              (b) failed to take reasonable steps to prevent the
                  contravention.”








                                       4,13.   The Commissioner has issued statutory guidance under section 55C (1)
      of the DPA about the issuing of monetary penalties that has been

      published on the ICO’s website.



14.   The Data Protection (Monetary Penalties) (Maximum Penalty and

      Notices) Regulations 2010 prescribe that the amount of any penalty

      determined by the Commissioner must not exceed £500,000.


15.   PECR were enacted to protect the individual’s fundamental right to

      privacy in the electronic communications sector. PECR were

      subsequently amended and strengthened. The Commissioner will

      interpret PECR in a way which is consistent with the Regulations’
      overall aim of ensuring high levels of protection for individuals’ privacy

      rights.



16.   The provisions of the DPA remain in force for the purposes of PECR

      notwithstanding the introduction of the DPA18: see paragraph 58(1) of

      Schedule 20 to the DPA18.


      Background to the case



17.   Mobile phone users can report the receipt of unsolicited marketing text

      messages to the Mobile UK’s Spam Reporting Serviceby forwarding the

      message to 7726 (spelling out “SPAM”). Mobile UK is an organisation
      that represents the interests of mobile operators across the UK. The

      Commissioner is provided with access to the data on complaints made

      to the 7726 service and this data is incorporated into a Monthly Threat

      Assessment (“MTA”) used to ascertain organisations in breach of PECR.



18.   Tempcover operate within the financial sector as a provider of short

      term motor insurance.

                                       5,19.   In May 2020, from analysing the information within the MTA, the
      Commissioner was able to ascertain that between 1 November 2019

      and 18 May 2020 there were a total of 13 complaints received from

      which Tempcover could be identified; of these, 12 were made via the

      7726 service, and 1 was made directly to the Commissioner . The

      content of the complaints contained text to the following effect 1:



      “Still Driving Occasionally? Get 10-25 Off Temporary Insurance & Only

      Pay for What You Need: http://m0r.at/ipuT &C: http://m0r.at/ipv
      OptOut txt PKLT to 88802”



      “Plan Your Travel Under New Lockdown Driving Rules & Get £10       -£25

      off Temporary Insurance: http://m0r.at/ineT&C: http://m0r.at/inf

      OptOut: txt PKLT to 88802”



      “Driving Less? Get the Cover You Need, When You Need It & Save

      £10-£25 on Temporary Insurance: http://m0r.at/idPT&C:
      http://m0r.at/idQ OptOut txt PKLT to 88802 ”



20.   By following the links within the messages, an individual would be

      directed to Tempcover’s website.



21.   The Commissioner sent an initial investigation letter to Tempcover on

      26 May 2020, outlining concerns regarding its compliance with PECR,

      and asking a series of questions in relation to its direct marketing text
      message campaigns. The Commissioner specifically sought details

      regarding Tempcover’s practices between 26 May 2019 and 26 May

      2020.



1
 This list is non-exhaustive

                                        6,22.   Tempcover provided a response on 11 June 2020, confirming that it

      uses the Calling Line Identity (“CLI”): ‘07860021976’ to send its direct
      marketing text messages, although it advised that the message would

      appear to subscribers as being sent specifically from the named entity:

      ‘Tempcover’.



23.   It was confirmed that between 26 May 2019 and 26 May 2020 there

      were a total of 1,905,776 direct marketing text messages sent by
                  2
      Tempcover    . In advising how many of those messages had been

      received by subscribers, Tempcover advised that its retention policy
      allowed it to access only the relevant data between 26 November 2019

      and 26 May 2020; from this it could determine that 1,148,247 text

      messages were successfully received by subscribers.



24.   Tempcover advised that it obtained the data which it used for its direct

      marketing campaigns directly from individuals who would use its

      website to obtain a quote or to buy temporary insurance. Tempcover

      advised that it provides individuals with a clear link to its privacy policy
      and terms & conditions which state the following:



      “By submitting your information to the Tempcover Site (“Our Site”) you

      are consenting to the processing of your information by us and our

      agents in accordance with this Privacy Policy.



      By obtaining a quote from us, you consent to Tempcover contacting you,

      by email and/or SMS, with details of our new products, services and
      promotions. You can opt out from this at any time by contacting us on





2
 Tempcover advised that its “SMS marketing programme” had actually commenced in August 2019.

                                        7,      contactus@tempcover.com or following the ‘unsubscribe/optout’ link in
      your email or SMS.”



25.   Tempcover went on to advise the Commissioner that “[b]efore

      proceeding to the data capture part of the quote process, the customer

      must click a button which says 'AGREE AND CONTINUE' to show their

      acceptance in proceeding to the quote page knowing that we will
      process their data in accordance with our privacy policy and terms of

      business, which they have been provided access to”.



26.   Tempcover advised that it operates an internal suppression list, which

      is “updated in real-time”.


27.   Tempcover confirmed that, in relation to PECR training, any new

      starters which join its ‘Marketing and Customer Operations &

      Compliance Departments’ receive a PECR training pack to ensure their

      understanding of the regulations. In specific response to the

      Commissioner’s request for any policies or procedures regarding
      Tempcover’s responsibilities under PECR, it advised :



      “Prior to going live with our first outbound SMS campaign in August

      2019, we conducted a Legitimate Interest Assessment. We walked

      through the Purpose Test, Necessity Test and Balancing, before

      deciding whether we could rely on legitimate interest for the

      processing of customers contact details to send them SMS marketing
      communications. This assessment was conducted by our Head of

      Customer Operations & Compliance, who had previously spent

      considerable time on the ICO website researching how to conduct

      LIA’s. The assessment was then shared with and reviewed by our Data

      Protection Officer (DPO) and the Marketing Department to ensure we
      were all in agreement with the result of the assessment; that we could


                                       8,      rely on the grounds of legitimate interest for processing customer
      contact data for SMS communications.”



28.   It is apparent from Tempcover’s response and from the contents of its

      PECR training materials that at the time which an individual provided

      their details, they were not provided with a separate option to either

      opt-in to or opt-out of direct marketing. Rather, Tempcover used an

      individual’s mandatory agreement to the site’s terms and conditions /
      privacy policy as the basis on which to conduct its direct marketing

      campaign, acting under the belief that it could rely on ‘legitimate

      interest’.



29.   As it appeared from Tempcover’s response that it would alsotransmit

      direct marketing emails in addition to text messages, on 10 July 2020
      the Commissioner sent an email with further enquiries to Tempcover,

      specifically seeking details regarding its email marketing campaign,

      and further information regarding its text message campaign.



30.   Tempcover responded on 23 July 2020 and explained that between 26
      May 2019 and 26 May 2020 it sent a total of 29,156,023 emails, and

      that, of those, 28,822,172 were successfully delivered to a recipient.



31.   Tempcover also provided a file containing details of the body of the

      direct marketing text messages and the body of the direct marketing

      emails which were sent between 26 May 2019 and 26 May 2020. The
      Commissioner is satisfied that the content of the direct marketing

      messages which were sent by Tempcover constitutes direct marketing

      within the definition of 122(5) DPA18.



32.   Tempcover also confirmed an increase in the frequency of its marketing
      in response to the Covid-19 pandemic, specifically stating:


                                       9,      “We increased the frequency of SMS marketing from once per week to

      twice per week on the 6th April 2020. Due to the Covid:19 crisis, we

      saw a shift in our customer demand weighted from the weekend

      towards the start of the working week, this is why we decided to

      include an additional send on a Monday. This was a reflection of the
      lockdown conditions where leisure travel was minimised, and key

      workers moved away from public to private transport.”



33.   On 5 August 2020 the Commissioner sent further correspondence to

      Tempcover advising of concerns with Tempcover’s compliance with

      PECR, and asking for confirmation of any steps which Tempcover may
      be taking to ensure future compliance with the legislation.



34.   Tempcover responded on 12 August 2020 and advised of a range of

      measures which were currently being implemented to ensure future

      compliance with PECR, amongst which would be a separate button
      allowing individuals to select their marketing preferences at the point

      of consent being obtained.



35.   The Commissioner has made the above findings of fact on the

      balance of probabilities.


36.   The Commissioner has considered whether t hose facts constitute

      a contravention of regulation 22 of PECR by Tempcover and, if so,

      whether the conditions of section 55A DPA are satisfied.



      The contravention







                                      10,37.   The Commissioner finds that Tempcover contravened regulation 22 of
      PECR.



38.   The Commissioner finds that the contravention was as follows:



39.   The Commissioner finds that between 26 May 2019 and 26 May 2020

      there were 1,905,776 unsolicited direct marketing text messages sent
      by Tempcover, of which 1,148,247 were confirmed to have been

      received by subscribers.



40.   The Commissioner also finds that between 26 May 2019 and 26 May
      2020 there were 29,156,023 unsolicited direct marketing emails sent

      by Tempcover, of which 28,822,172 were confirmed to have been

      received by subscribers.



41.   Accordingly, the Commissioner finds that between 26 May 2019 and 26
      May 2020 there were 29,970,419 unsolicited direct marketing

      messages received by subscribers.



42.   The Commissioner finds that Tempcover transmitted those direct

      marketing messages, contrary to regulation 22 of PECR.


43.   Tempcover, as the sender of the direct marketing,is required to ensure

      that it is acting in compliance with the requirements of regulation 22 of

      PECR, and to ensure that either it held valid consent to send those

      messages, or that the soft opt-in applied.


44.   In this instance Tempcover sent unsolicited direct marketing messages

      to subscribers who had entered their details on Tempcover’s website

      with a view to obtaining a quote for insurance. Tempcover failed to

      provide these subscribers with an opportunity to opt-out of direct


                                      11,      marketing when first obtaining their details, and essentially made
      agreement to marketing a condition of service. For this reason, the

      consent to receive unsolicited direct marketing messages cannot be

      said to have been ‘freely given’.



45.   Furthermore, by agreeing to use Tempcover’s service, individuals were

      automatically opted in to receiving both unsolicited direct marketing
      emails and SMS messages, without the ability to specify which, if any,

      of the types of communication they may be willing to receive . In this

      sense, the subscriber was not given an active choice, and the consent

      relied on cannot be said to be sufficiently ‘ specific’.


46.   For the above reasons, Tempcover cannot thereforebe said to have

      held valid consent.



47.   In terms of whether the soft opt-in could apply, the Commissioner

      would observe that Tempcover appeared to have obtained the contact

      details for its intended recipients in the course of a sale (or negotiation
      for a sale) of a product/service; it did not rely on bought-in lists.

      Further, it appeared that Tempcover used the unsolicited direct

      marketing as a way of marketing only its own similar

      products/services. It is likely therefore that Tempcover would be able

      to satisfy the requirements of Regulation 22(3)(a) and 22(3)(b) PECR.


48.   However, it is clear that whilst Tempcover met the criteria of

      Regulation 22(3)(a) and 22(3)(b) PECR, it failed to provide individuals

      with a simple means of refusing the use of their contact details for

      direct marketing at the time that the details were initially collected, and

      therefore Tempcover is unable to satisfy the requirements of
      Regulation 22(3)(c) PECR. Accordingly, it cannot rely on the soft opt-in

      as all three criteria are required to have been met.


                                       12,49.   Whilst Tempcover has previously sought to claim a reliance on

      ‘Legitimate Interest’ as justification for the transmission of its

      unsolicited direct marketing messages, it is the case that ‘Legitimate

      Interest’ is not a lawful basis upon which a person can rely for the

      purposes of PECR. As explained previously, such messages can only be
      sent with valid consent, or where the soft opt-in applies.



50.   The Commissioner is satisfied from the evidence he has seen that

      Tempcover did not have the necessary valid consent for the
      29,970,419 direct marketing messages received by subscribers, nor

      could it rely on the soft opt-in exemption.



51.   The Commissioner has gone on to consider whether the conditions

      under section 55A DPA are met.


      Seriousness of the contravention



52.   The Commissioner is satisfied that the contravention identified

      above was serious. This is because between 26 May 2019 and 26 May

      2020 a confirmed total of 29,970,419 direct marketing messages were

      received by subscribers, having been sent by Tempcover. These
      messages contained direct marketing material for which subscribers

      had not provided valid consent, furthermore, for the reasons explained

      above, the Commissioner is satisfied that Tempcover cannot rely on

      the soft opt-in exemption.


53.   The Commissioner is therefore satisfied that condition (a) from

      section 55A(1) DPA is met.



      Deliberate or negligent contraventions


                                      13,54.   The Commissioner has considered whether the contravention identified

      above was deliberate. The Commissioner does not consider that

      Tempcover deliberately set out to contravene PECR in this instance.



55.   The Commissioner has gone on to consider whether the contravention
      identified above was negligent. This consideration comprises two

      elements:



56.   Firstly, he has considered whether Tempcover knew or ought

      reasonably to have known that there was a risk that these

      contraventions would occur. This is not a high bar, and he is satisfied
      that this condition is met, not least given that the issue of unsolicited

      direct marketing messages have been widely publicised by the media in

      recent years as being a problem.



57.   The Commissioner has published detailed guidance for those carrying
      out direct marketing explaining their legal obligations under PECR.

      This guidance gives clear advice regarding the requirements of consent

      for direct marketing and explains the circumstances under which

      organisations are able to carry out marketing over the phone, by text,

      by email, by post, or by fax. In particular it states that organisations

      can generally only send, or instigate, electronic marketing messages to
      individuals if that person has specifically consented to receiving them.

      The guidance also provides a full explanation of the soft opt- in

      exemption. In addition, the Commissioner has published detailed

      guidance on consent under the GDPR. In case organisations remain

      unclear on their obligations, the Commissioner operates a telephone
      helpline. ICO communications about previous enforcement action

      where businesses have not complied with PECR are also readily

      available.


                                       14,58.   The Commissioner is further assured that Tempcover knew or ought

      reasonably to have known that there were risks inherent in its direct

      marketing activities given that during the investigation the

      Commissioner was provided with copies of Tempcover’s own training

      materials which made specific reference to PECR, and the need for
      compliance with the legislation.



59.   It is therefore reasonable to suppose that Tempcover should have been

      aware of its responsibilities in this area .


60.   Secondly, the Commissioner has gone on to consider whether

      Tempcover failed to take reasonable steps to prevent the

      contraventions. Again, he is satisfied that this condition is met.


61.   Tempcover failed to ensure that it held valid consent for the direct

      marketing messages which it sent, or that it met the necessary criteria

      to rely on the soft opt-in provisions of Regulation 22 PECR.Reasonable

      steps in this instance would have included providing potential

      customers with a simple ability to opt out of unsolicited direct

      marketing at the point which their details were taken.


62.   There is no evidence that Tempcover sought to obtain independent

      legal advice, or advice from the Commissioner, prior to engaging in its

      direct marketing campaign, as would be reasonable to do, particularly
      given the gravity of the marketing campaign t hat it embarked upon.



63.   In the circumstances, the Commissioner is satisfied that Tempcover

      failed to take reasonable steps to prevent the contraventions.






                                       15,64.   The Commissioner is therefore satisfied that condition (b ) from section
      55A (1) DPA is met.



      The Commissioner’s decision to issue a monetary penalty



65.   The Commissioner has taken into account the following
      aggravating features of this case:



   •  The Commissioner finds t      hat Tempcover would have benefitted

      financially from its unlawful actions.



   •  Tempcover’s own guidance refers to the steps necessary to comply with
      PECR. That Tempcover is alleged within this Notice to have contravened

      Regulation 22 PECR would suggest that it failed to take steps to adhere

      to its own guidance.



66.   The Commissioner has taken into account the following mitigating
      feature of this case:



    •  Tempcover has made changes to its practices in light of the

       Commissioner’s investigation, and now allows subscribers the ability to

       opt out of unsolicited direct marketing at the point which consent is

       obtained.


67.   For the reasons explained above, the Commissioner is satisfied that the

      conditions from section 55A (1) DPA have been met in this c ase. He is

      also satisfied that the procedural rights under section 55B have been

      complied with.


68.   The latter has included the issuing of a Notice of Intent, in which the

      Commissioner set out his preliminary thinking. In reaching his final


                                       16,      view, the Commissioner has taken into account the representations
      made by Tempcover on this matter.



69.   The Commissioner is accordingly entitled to issue a monetary penalty

      in this case.


70.   The Commissioner has considered whether, in the circumstances, he

      should exercise his discretion so as to issue a monetary penalty.



71.   The Commissioner has considered the likely impact of a monetary

      penalty on Tempcover. He has decided on the information that is
      available to him that Tempcover has access to sufficient financial

      resources to pay the proposed monetary penalty without causing

      undue financial hardship.



72.   The Commissioner’s underlying objective in imposing a monetary

      penalty notice is to promote compliance with PECR. The sending of
      unsolicited direct marketing messages is a matter of significant public

      concern. A monetary penalty in this case should act as a general

      encouragement towards compliance with the law, or at least as a

      deterrent against non-compliance, on the part of all persons running

      businesses currently engaging in these practices. The issuing of a
      monetary penalty will reinforce the need for businesses to ensure that

      they are only messaging those who specifically consent to receive

      unsolicited direct marketing.



73.   For these reasons, the Commissioner has decided to issue a monetary

      penalty in this case.


      The amount of the penalty




                                       17,74.   Taking into account all of the above, the Commissioner has decided
      that a penalty in the sum of £85,000 (eighty-five thousand

      pounds) is reasonable and proportionate given the particular facts of

      the case and the underlying objective in imposing the penalty.



      Conclusion


75.   The monetary penalty must be paid to the Commissioner’s office by

      BACS transfer or cheque by 9 March 2022at the latest. The monetary

      penalty is not kept by the Commissioner but will be paid into the

      Consolidated Fund which is the Government’s general bank account at

      the Bank of England.


76.   If the Commissioner receives full payment of the monetary penalty by

      8 March 2022 the Commissioner will reduce the monetary penalty by

      20% to £68,000 (sixty-eight thousand pounds). However, you

      should be aware that the early payment discount is not available if you

      decide to exercise your right of appeal.


77.   There is a right of appeal to the First -tier Tribunal (Information Rights)

      against:



      (a) the imposition of the monetary penalty
          and/or;

      (b) the amount of the penalty specified in the monetary penalty

         notice.



78.   Any notice of appeal should be received by the Tribunal within 28 days

      of the date of this monetary penalty notice.


79.   Information about appeals is set out in Annex 1.


                                      18,80.   The Commissioner will not take action to enforce a monetary penalty
      unless:



         • the period specified within the notice within which a monetary

            penalty must be paid has expired and all or any of the monetary

            penalty has not been paid;

         • all relevant appeals against the monetary penalty notice and any
            variation of it have either been decided or with drawn; and

         • the period for appealing against the monetary penalty and any

            variation of it has expired.



81.   In England, Wales and Northern Ireland, the monetary penalty is

      recoverable by Order of the County Court or the High Court. In

      Scotland, the monetary penalty can be enforced in the same manner as
      an extract registered decree arbitral bearing a warrant for execution

      issued by the sheriff court of any sheriffdom in Scotland.



Dated the 7 thday of February 2022



Andy Curry
Head of Investigations
Information Commissioner’s Office
Wycliffe House

Water Lane
Wilmslow
Cheshire
SK9 5AF












                                      19,ANNEX 1


         SECTION 55 A-E OF THE DATA PROTECTION ACT 1998



  RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER



      1.    Section 55B(5) of the Data Protection Act 1998 gives any person
      upon whom a monetary penalty notice has been served a right of

      appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)

      against the notice.



      2.    If you decide to appeal and if the Tribunal considers:-


            a)    that the notice against which the appeal is brought is not in

            accordance with the law; or



            b)    to the extent that the notice involved an exercise of

            discretion by the Commissioner, that he ought to have exercised
            his discretion differently,



      the Tribunal will allow the appeal or substitute such other decision as

      could have been made by the Commissioner. In any other case the

      Tribunal will dismiss the appeal.


      3.    You may bring an appeal by serving a notice of appeal on the

      Tribunal at the following address:



                  General Regulatory Chamber
                  HM Courts & Tribunals Service
                  PO Box 9300
                  Leicester

                  LE1 8DJ


                                      20,            Telephone: 0203 936 8963
            Email:      grc@justice.gov.uk


      a)    The notice of appeal should be sent so it is received by the

      Tribunal within 28 days of the date of the notice.


      b)    If your notice of appeal is late the Tribunal will not admit it

      unless the Tribunal has extended the time for complying with this

      rule.



4.    The notice of appeal should state:-


      a)    your name and address/name and address of your

      representative (if any);



      b)     an address where documents may be sent or delivered to

      you;


      c)    the name and address of the Information Commissioner;



      d)    details of the decision to which the proceedings relate;


      e)    the result that you are seeking;



      f)    the grounds on which you rely;



      g)    you must provide with the notice of appeal a copy of the

      monetary penalty notice or variation notice;


      h)    if you have exceeded the time limit mentioned above the

      notice of appeal must include a request for an extension of time



                                 21,      and the reason why the notice of appeal was not provided in
      time.



5.    Before deciding whether or not to appeal you may wish to consult

your solicitor or another adviser. At the hearing of an appeal a party

may conduct his case himself or may be represented by any person

whom he may appoint for that purpose.


6.    The statutory provisions concerning appeals to the First-tier

Tribunal (Information Rights) are contained in section 55B(5) of, and

Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure

(First-tier Tribunal) (General Regulatory Chamber) Rules 2009
(Statutory Instrument 2009 No. 1976 (L.20)).



































                                 22