ICO (UK) - Virgin Media Limited: Difference between revisions

From GDPRhub
No edit summary
Line 26: Line 26:
|GDPR_Article_Link_1=Article 4 GDPR#11
|GDPR_Article_Link_1=Article 4 GDPR#11


|EU_Law_Name_1=Article 22 Directive 2002/58/EC
|EU_Law_Name_1=Regulation 22 Privacy and Electronic Communications (EC Directive) Regulations 2003
|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32002L0058&from=EN
|EU_Law_Link_1=https://www.legislation.gov.uk/uksi/2003/2426/regulation/22/made


|National_Law_Name_1=Section 122(5) Data Protection Act 2018
|National_Law_Name_1=Section 122(5) Data Protection Act 2018

Revision as of 18:50, 10 December 2021

ICO (UK) - Virgin Media Limited
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 4(11) GDPR
Regulation 22 Privacy and Electronic Communications (EC Directive) Regulations 2003
Section 122(5) Data Protection Act 2018
section 55A Data Protection Act 1998
Type: Complaint
Outcome: Upheld
Started:
Decided: 06.12.2021
Published: 08.12.2021
Fine: 50000 GBP
Parties: Virgin Media Limited
National Case Number/Name: Virgin Media Limited
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ico.uk.org (in EN)
Initial Contributor: Mitali Kshatriya

The ICO fined a telecommunications company £50,000 for sending 451,217 direct marketing emails containing marketing preference reminders to users who had opted out of marketing communications.

English Summary

Facts

Virgin Media sent 1,964,562 emails concerning a price freeze (Price Freeze Emails). Of these 451,217 emails were sent to persons who had previously opted out of marketing communications with a reminder telling them that they can change their marketing preference (marketing preference emails). The UK DPA (the Information Commissioner's Office, 'ICO') received a complaint against the marketing preference emails and started an investigation.

Holding

The Price Freeze Emails containing the Marketing Preference Reminder fell within the definition of direct marketing emails under Section 122(5) of the Data Protection Act, 2018.

The marketing preference emails were sent without obtaining consent and therefore violated Regulation 22 of Directive 2002/58/EC. Paragraph 194 of ICO Direct Marketing Guidance states that users might change their marketing preference and such list should be up-to-date. However, this does not act as an exception to Regualtion 22 as in Paragraph 193 the Guidance clearly provides that "Organisations must not contact people on a suppression list at a later date to ask them if they want to opt back into receiving marketing. This contact would involve using their personal data for direct marketing purposes and is likely to breach the Data Protection Act, 1998 and will also breach Directive 2002/58/EC if the contact is by phone, text or email".

The ICO issued a fine of £50,000 for this violation.

The ICO considered that the conditions for the imposition of a monetary penalty section 55A of the UK Data Protection Act, 1998 are met, namely: the convention was sufficiently serious (since 451,217 direct marketing messages were sent without obtaining consent) as well as deliberate (as Virgin Media knew that the recipients did not consent to receive direct marketing emails) and negligent (since ICO Direct Marketing Guidance gives clear advice against marketing preference emails).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                      DATA PROTECTION ACT 1998



   SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER



                      MONETARY PENALTY NOTICE


To:   Virgin Media Limited


Of:   500 Brook Drive, Reading RG2 6UU


1.    The Information Commissioner (“the Commissioner”) has decided to

      issue Virgin Media Limited (“Virgin Media”) with a monetary penalty
      under section 55A of the Data Protection Act 1998 (“DPA”). The penalty

      is in relation to a serious contravention of Regulation 22 of the Privacy

      and Electronic Communications (EC Direc tive) Regulations 2003

      (“PECR”).



2.    This notice explains the Commissioner’s intended decision.


      Legal framework



3.    Virin Media, whose registered office address is given above

      (Companies House Registration Number: 02591237) is the organisation
      stated in this notice to have transmitted unsolicited communications by

      means of electronic mail to individual subscribers for the purposes of

      direct marketing contrary to regulation 22 of PECR.



4.    Regulation 22 of PECR states:







                                     1“(1) This regulation applies to the transmission of unsolicited
     communications by means of electronic mail to individual

     subscribers.


(2) Except in the circumstances referred to in paragraph (3), a person
     shall neither transmit, nor instigate the transmission of, unsolicited

     communications for the purposes of direct marketing by means of

     electronic mail unless the recipient of the electronic mail has

     previously notified the sender that he consents for the time being

     to such communications being sent by, o r at the instigation of, the
     sender.


(3) A person may send or instigate the      sending of electronic mail for

     the purposes of direct marketing where—

         (a) that person has obtained the contact details of the recipient

            of that electronic mail in the course of the sale or

            negotiations for the sale of a product or service to that
            recipient;


         (b) the direct marketing is in respect of that person’s similar

            products and services only; and

         (c) the recipient has been given a simple means of refusing

            (free of charge except for the costs of the transmission of
            the refusal) the use of his contact details for the purposes

            of such direct marketing, at the time that the details were

            initially collected, and, where he did not initially refuse the

            use of the details, at the time of each subsequent

            communication.

(4) A subscriber shall not permit his line to be used in contravention of

     paragraph (2).”






                                  25.    The provisions of the DPA and subordinate legislation made under the
      DPA remain in force for the purposes of PECR notwithstanding the

      introduction of the Data Protection Act 2018 (“DPA18”): see

      paragraphs 58(1) and 58(2) of Schedule 20 to the DPA18.



6.    Section 122(5) of the DPA18 defines direct marketing as “the

      communication (by whatever means) of advertising or marketing
      material which is directed to particular individuals ”. This definition also

      applies for the purposes of PECR (see regulation 2(2) PECR and

      paragraphs 430 & 432(6) to Schedule 19 of the DPA18).


7.    Consent in PECR is now defined, from 29 March 2019, by reference to

      the concept of consent in Regulation 2016/679 (“the GDPR”):

      regulation 8(2) of the Data Protection, Privacy and Electronic
      Communications (Amendments etc) (EU Exit) Regulations 2019. Article

      4(11) of the GDPR sets out the following definition: “ ‘consent’ of the

      data subject means any freely given, specific, informed and

      unambiguous indication of the data subject's wishes by which he or

      she, by a statement or by a clear affirmative action, signifies

      agreement to the processing of personal data relating to him or her”.


8.    Recital 32 of the GDPR materially states that “When the processing has

      multiple purposes, consent should be given for all of them”    . Recital 43

      materially states that “Consent is presumed not to be freely given if it

      does not allow separate consent to be given to different personal data
      processing operations despite it being appropriate in the individual case.”



9.    “Individual” is defined in regulation 2(1) of PECR as “a living individual

      and includes an unincorporated body of such individuals ”.






                                        310.   A “subscriber” is defined in regulation 2(1) of PECR as “a person who is
      a party to a contract with a provider of public electronic

      communications services for the supply of such services”.


11.   “Electronic mail” is defined in regulation 2(1) of PECR as “any text,

      voice, sound or image message sent over a public electronic

      communications network which can be stored in the network or in the

      recipient’s terminal equipment until it is collected by the recipient and
      includes messages sent using a short message service”.



12.   Section 55A of the DPA (as applied to PECR cases by Schedule 1 to

      PECR, as variously amended) states (in material part):



      “(1) The Commissioner may serve a person with a monetary penalty
           notice if the Commissioner is satisfied that –


              (a) there has been a serious contravention of therequirements

                  of the Privacy and Electronic Communications (EC
                  Directive) Regulations 2003 by the person,


              (b) subsection (2) or (3) applies.

      (2) This subsection applies if the contravention was deliberate.

      (3) This subsection applies if the person –


              (a) knew or ought to have known that there was a risk that the
              contravention would occur, but


              (b) failed to take reasonable steps to prevent the

                  contravention.”


13.   The Commissioner has issued statutory guidance under section 55C(1)

      of the DPA about the issuing of monetary penalties that has been

      published on the ICO’s website. The Data Protection (Monetary

      Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe

                                       4      that the amount of any penalty determined by the Commissioner must
      not exceed £500,000.



14.   PECR were enacted to protect individuals ’ fundamental right to privacy

      in the electronic communications sector. PECR were subsequently

      amended and strengthened. The Commissioner will interpret PECR in a

      way which is consistent with the Regulations’ overall aim of en suring
      high levels of protection for individuals’ privacy rights.



15.   The provisions of the DPA remain in force for the purposes of PECR

      notwithstanding the introduction of the DPA18: see paragraph 58(1) of

      Schedule 20 to the DPA18.


      Background to the case



16.   This Notice concerns 451,217 marketing emails sent to persons who

      had previously opted out of marketing communications from Virgin

      Media.


17.   Virgin Media is a British telecommunications company. It first came to

      the attention of the ICO in connection with this matter on 10 August

      2020. The ICO received a complaint (the “Complaint”) from someone

      complaining about a direct marketing email they had received from
      Virgin Media on 4 August 2020.



18.   The email stated (in material part, with emphasis added):



           “We want to let you know that we won’t be raising your price this

           year.





                                      5          This means the price you pay for your current package right now
          will stay the same in 2020.


          We’d like to stay in touch about all the great Virgin Media

          stuff we have on offer for you. You have currently said no
          to receiving marketing messages from us, which means

          that we are not able to keep you up to date with our latest

          TV, broadband, phone and mobile news, competitions,

          product and bundle offers via online, email, post, SMS,

          phone.

          You can change your preferences by simply registering or

          signing in to virginmedia.com/optin. Click ‘My Profile’, then

          ‘My Preferences’.”


19.   The text in bold will be referred to in this document as the “Marketing

      Preference Reminder”.



20.   The complainant said that this email was “basically a service message
      dressed up as an attempt to get me to opt back in to marketing

      communications”.



21.   The ICO opened an investigation.


22.   In outline, the correspondence proceeded as follows:


            a. On 13 August 2020, the ICO sent an initial investigation letter

               to Virgin Media. This letter explained the relevant legislation,

               set out the ICO’s powers, and made some requests for
               information.








                                     6            b. On 5 October 2020, Virgin Media provided its responseto the
               ICO’s letter of 13 August 2020. The material details of that

               response are set out further below.


            c. On 16 October 2020, the ICO responded seeking further

               information (including evidence of Virgin Media’s consent

               statements).


            d. On 21 October 2020, the ICO spoke with Virgin Media. Virgin

               Media asked why the ICO needed to see its consent

               statements. The ICO explained that it needed to assess
               whether Virgin Media had obtained the requisite consent for

               the Marketing Email.


            e. On 23 October 2020, Virgin Media provided its response to the

               ICO’s letter of 16 October 2020. The material details of that

               response are set out further below.


            f. On 24 November 2020, the ICO asked Virgin Media to provide

               further information.


            g. On 8 December 2020, Virgin Media provided its response to

               the ICO’s letter of 24 November 2020. The material details of
               that response are set out further below.


            h. On 10 December 2020, the ICO sent an end of investigation

               letter to Virgin.



23.   The ICO notes the followingmaterial facts, as supplied by Virgin Media

      in the correspondence summarised above:







                                       7a. On 4 August 2020, Virgin Media sent 1,964,562 emails
   concerning a price freeze (the “Price Freeze Emails”). Of

   these:



      i. Virgin Media sent 1,303,671 Price Freeze Emails to

         customers who had opted in to marketing

         communications (“opt-in customers”), 1,303,361 of
         which were received.



      ii. Virgin Media sent 209,376 Price Freeze Emails to

         customers who had opted out to marketing

         communications (“opt-out customers”) without the
         Marketing Preference Reminder, 209,254 of which were

         received.


     iii. Virgin Media sent 451,515 Price Freeze Emails to opt-out

         customers with the Marketing Preference Reminder,

         451,217 of which were received. The email received by

         the individual who had complained to the ICO was

         within this category.


b. The data for the Prize Freeze Emails was obtained directly
   from customers.


c. Virgin Media stated that it received “feedback” from customers

   (it is not specified how many) that “ a number of them would

   like to be informed about packages, products and discounts

   that may be available and some customers are unaware that

   they have not opted-in to all forms of marketing.”


d. Virgin Media stated that, based on that feedback, and the ICO

   Direct Marketing Guidance at paragraph 32 below, it “selected


                           8   a segment of opted-out customers who we reasonably
   considered might have changed their marketing preferences.

   The customers selected were those who had opted out over a

   year ago.”


e. Virgin Media does operate a suppression list for marketing

   communications, but the suppression process was only applied

   “for opted-out customers who Virgin Media considered were

   unlikely to have changed their mind about their marketing
   preferences.”


f. Virgin Media uses a “one time opt in to all channels’ sales

   journey”. Virgin Media has the following procedure for

   obtaining consent from customers:


       “a. All sales journeys capture consent preferences which
       are recorded within that journey. A customer is not able to
       complete a sale without confirming whether they consent

       to receiving marketing communications. Virgin Media
       currently operates an opt in approach and new customers
       are required to tick the box to opt-in to marketing
       communications;


       b. A customer’s consent preference is captured and
       recorded within internal Virgin Media systems;

       c. Virgin Media does not have channel (i.e. email SMS)

       specific preference capability, therefore a customer
       consents to all marketing communications as set out in
       the consent statement (which explains that Virgin Media
       may provide marketing information by email or SMS, as
       well as other channels);


       d. A customer can change their marketing preference in
       different ways (speaking to an agent, emailing the DPO,
       through their My VM account on the website), or by

       clicking ‘unsubscribe’ (via email or SMS).”





                           9            g. None of the consent statements presented to individuals by
               Virgin Media (Telesales Inbound, Inbound Retentions, Inbound

               Care, Online, VM store, Bafta Competition, Virgin Media Portal

               General Customer, Virgin Media General Agent), nor the Virgin

               Media account preferences, permit individuals to choose

               specific communications by which to receive marketing

               communications. Virgin Media also stated: “…if an individual
               consents to receive marketing, they are opted in to all

               communication methods. Virgin Media does not cur rently have

               channel (i.e. email, SMS) specific preference capability,

               therefore a customer consents to all marketing

               communications as set out in the consent statement.”


24.   The Commissioner has made the above findings of fact on the
      balance of probabilities.



25.   The Commissioner has considered whether those facts constitute

      a contravention of regulation 22 of PECR by Virgin Media and, if so,

      whether the conditions of section 55A DPA are satisfied.


      The contravention



26.   The Commissioner finds that Virgin Media contravened regulation 22 of

      PECR.


27.   The Commissioner finds that the contravention was as follows:



28.   The Commissioner finds that on or around 4 August 2020 there were

      451,217 direct marketing emails containing the Marketing Preference

      Reminder received by subscribers. The Commissioner finds that Virgin

      Media transmitted those direct marketing messages.


                                      1029.   The Marketing Preference Reminder sought to entice or encourage

      customers to update their marketing preferences. It also marketed
      Virgin Media’s commercial offerings, i.e. “ the great Virgin Media stuff

      we have on offer for you…our latest TV, broadband, phone and mobile

      news, competitions, product and bundle offers.”


30.   As such, the Price Freeze Emails containing the Marketing Preference

      Reminder fell within the definition of direct marketing as set out at

      paragraph 6 above.


31.   Virgin Media, as the sender of the direct marketing, was required to
      ensure that it was acting in compliance with the requirements of

      regulation 22 of PECR, and that valid consent to send those messages

      had been acquired.


32.   In this instance, the requisite consent was not obtained because the

      451,217 recipients of the direct marketing had opted out of marketing

      communications. No issue arises as to whether consent was “freely
      given”, “specific”, “informed” and “unambiguous”, because consent was

      not given.


33.   In the course of the investigation, Virgin Media stated that in deciding

      (i) which customers would receive Price Freeze Emails      , and (ii) the

      wording for the same, Virgin Media relied on the ICO Direct Marketing

      Guidance (v. 2.3). Virgin Media    noted that th e ICO Direct Marketing

      Guidance provides [at paragraph 194] that people can change their
      minds and that marketing strategies also change, and that there is some

      merit in making sure that the information about people’s preferences is

      accurate and up -to-date. That does not, however, constitute an

      exception to regulation 22 of PECR. Further , it is noted that paragraph

      193 of the same Guidance states: “Organisations must not contact

      people on a suppression list at a later date to ask them if they want to

                                       11      opt back in to receiving marketing. This contact would involve using their
      personal data for direct marketing purposes and is likely to breach the

      DPA, and will also breach PECR if the contact is by phone, text or email.”



34.   Virgin Media also noted that in the two weeks following the Price Freeze

      Emails containing the Marketing Preference Reminder, 6,539 customers
      elected to adjust their preferences and opt in to marketing   . This does

      not constitute an exception to r egulation 22 of PECR either. Rather, the

      fact that Virgin Media had the potential for financial gain from its breach

      of the regulation (by signing up more clients to direct marketing) is an

      aggravating factor, not a defence.


35.   The Commissioner is therefore satisfied from the evidence he has seen

      that Virgin Media did not have the necessary valid consent for the

      451,217 direct marketing messages received by subscribers.



36.   The Commissioner has gone on to consider whether the conditions
      under section 55A DPA are met.



      Seriousness of the contravention



37.   The Commissioner is satisfied that the contravention identified

      above was serious. This is because on one day, a confirmed total of
      451,217 direct marketing messages were sent by Virgin Media. These

      messages contained direct marketing material for which subscribers

      had not provided valid consent.



38.   The Commissioner is therefore satisfied that condition (a) from
      section 55A(1) DPA is met.






                                       12      Deliberate or negligent contraventions


39.   The Commissioner has considered whether the contravention identified

      above was deliberate. In the Commissioner’s view, this means that

      Virgin Media’s actions which constituted that contravention were

      deliberate actions (even if Virgin Media did not actually intend thereby

      to contravene PECR).


40.   The Commissioner considers that in this case Virgin Media did
      deliberately contravene regulation 22 of PECR. Virgin Media does not

      say that it did not know that the 451,217 recipients of the email in

      question had not provided valid consent. On the contrary, its position is

      that these recipients were selected, in part, because they had opted

      out of marketing communications (and, Virgin Media says, because it
      reasonably considered that they might wish to change that preference).

      It is noted that on the same day as the contravention, Virgin Media

      sent 209,254 emails without the Marketing Preference Reminder to

      opt-out customers, and so was self-evidently selecting recipients on

      the basis of known criteria.


41.   For the above reasons, the Commissioner is satisfied that this breach

      was deliberate.



42.   In the alternative, the Commissioner has gone on to consider whether

      the contravention identified above was negligent. This consideration
      comprises two elements.



43.   Firstly, he has considered whether      Virgin Media    knew or ought

      reasonably to have known that there was a risk that the               se

      contraventions would occur.He is satisfied that this condition is met, for

      the following reasons. Unsolicited direct marketing emails are widely


                                      13      known to be a problem. Virgin Media is a large organisation with a
      longstanding, positive working relationship with the ICO.     Further, the

      Commissioner has published detailed guidance for those carrying out

      direct marketing explaining their legal obligations under PECR. This

      guidance gives clear advice regarding the requirements of consent for

      direct marketing and explains the circumstances under which

      organisations are able to carry out marketing over the phone, by text,
      by email, by post, or by fax. In particular it states that organisations can

      generally only send, or instigate, marketing   messages to individuals if

      that person has specifically consented to receiving them            .  The

      Commissioner has also published detailed guidance on consent under

      the GDPR. In case organisations remain unclear on their obligations, the
      ICO operates a telephone helpline. ICO communications about previous

      enforcement action where businesses have not complied with PECR are

      also readily available. Virgin Media could have sought cl arification or

      guidance if it was unsure as to any particular issue.


44.   It is therefore reasonable to suppose that Virgin Mediashould have been

      aware of its responsibilities in this area.


45.   Secondly, the Commissioner has gone on to consider whether Virgin
      Media failed to take reasonable steps to prevent the contraventions.

      Again, he is satisfied that this condition is met.



46.   This is not a case in which communications were sent inadvertently.

      They were targeted at users who had opted out from receiving such

      communications. That demonstrates in itself that no reasonable steps
      were taken to prevent the contraventions. Further, if there was doubt

      about whether the emails in question would contravene reg ulation 22,

      Virgin Media could legitimately have sought advice from the

      Commissioner. It failed to do so.



                                       1447.   In the circumstances, the Commissioner is satisfied that Virgin Media
      failed to take reasonable steps to prevent the contraventions.



48.   The Commissioner is therefore satisfied that condition (b ) from section

      55A (1) DPA is met.



      The Commissioner’s decision to issue a monetary penalty


49.   For the reasons explained above, the Commissioner is satisfied that the

      conditions from section 55A (1) DPA have been met in this case. He is

      also satisfied that the procedural rights under section 55B have been

      complied with. The latter has included the issuing of a Notice of Intent,
      in which the Commissioner set out his preliminary thinking. In reaching

      his final view, the Commissioner has taken into account the

      representations made by Virgin Media on this matter.



50.   The Commissioner is accordingly entitled to issue a monetary penalty
      in this case. The Commissioner has considered whether, in the

      circumstances, he should exercise his discretion so as to issue a

      monetary penalty.



51.   The Commissioner’s underlying objective in imposing a monetary

      penalty notice is to promote compliance with PECR. The sending of
      unsolicited direct marketing messages is a matter of significant public

      concern. A monetary penalty in this case should act as a general

      encouragement towards compliance with the law, or at least as a

      deterrent against non-compliance, on the part of all persons running

      businesses currently engaging in these practices. The issuing of a
      monetary penalty will reinforce the need for businesses to ensure that

      they are only messaging those who specifically consent to receive

      direct marketing.


                                       1552.   For these reasons, the Commissioner has decided to issue a monetary

      penalty in this case.


      The amount of the penalty



53.   In determining the amount of the penalty, the Commissioner first

      considered the nature and seriousness of the contravention. He

      concluded that an appropriate starting point for the penalty should be
      £50,000.



54.   The Commissioner went on to consider whether there were any

      aggravating or mitigating factors which would warrant an increase or

      reduction to this starting point.


55.   The Commissioner identified the following aggravating features of this

      case:



   •  The business generated from the      emails in question would have the

      potential of Virgin Media benefitting from financial gain.


   •  The ICO produces clear guidance via its website on the rules of direct

      marketing and that guidance on current regulations has been in

      existence for a considerable amount of time. The ICO also operates a

      helpline, should organisations be unsure and require further clarification.


56.   The Commissioner did not consider that there are any mitigating

      factors of this case.


57.   The Commissioner also considered the likely impact of a monetary

      penalty on Virgin Media. He has decided on the information that is

      available to him, that Virgin Media has access to sufficient financial

                                       16      resources to pay the proposed monetary penalty without causing
      undue financial hardship and that a penalty remains the appropriate

      course of action in the circumstances of this case.



58.   The Commissioner did not consider that any of the above factors

      warranted an increase or decrease in the starting point for the penalty.


59.   Taking into account all of the above, the Commissioner has decided

      that a penalty in the sum of £50,000 (fifty thousand pounds) is

      reasonable and proportionate given the particular facts of the case and

      the underlying objective in imposing the penalty.


      Conclusion



60.   The monetary penalty must be paid to the Commissioner’s office by

      BACS transfer or cheque by 10 January 2022 at the latest. The

      monetary penalty is not kept by the Commissioner but will be paid into

      the Consolidated Fund which is the Government’s general bank account
      at the Bank of England.



61.   If the Commissioner receives full payment of the monetary penalty by

      9 January 2022 the Commissioner will reduce the monetary penalty by

      20% to £40,000 (forty thousand pounds). However, you should be
      aware that the early payment discount is not available if you decide to

      exercise your right of appeal.



62.   There is a right of appeal to the First-tier Tribunal (Information Rights)

      against:


      (a) the imposition of the monetary penalty

          and/or;


                                      17      (b) the amount of the penalty specified in the monetary penalty

          notice.


63.   Any notice of appeal should be received by the Tribunal within 28 days

      of the date of this monetary penalty notice.



64.   Information about appeals is set out in Annex 1.


65.   The Commissioner will not take action to enforce a monetary penalty

      unless:



          • the period specified within the notice within which a monetary

            penalty must be paid has expired and all or any of the monetary

            penalty has not been paid;

          • all relevant appeals against the monetary penalty notice and any

            variation of it have either been decided or with drawn; and


          • the period for appealing against the monetary penalty and any

            variation of it has expired.

66.   In England, Wales and Northern Ireland, the monetary penalty is

      recoverable by Order of the County Court or the High Court. In

      Scotland, the monetary penalty can be enforced in the same manner as

      an extract registered decree arbitral bearing a warrant for execution

      issued by the sheriff court of any sheriffdom in Scotland.




Dated the 6 thDecember 2021


Andy Curry
Head of Investigations

Information Commissioner’s Office
Wycliffe House


                                       18Water Lane
Wilmslow
Cheshire
SK9 5AF





















































                                   19ANNEX 1


         SECTION 55 A-E OF THE DATA PROTECTION ACT 1998



  RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER



      1.    Section 55B(5) of the Data Protection Act 1998 gives any person
      upon whom a monetary penalty notice has been served a right of

      appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)

      against the notice.



      2.    If you decide to appeal and if the Tribunal considers:-


            a)    that the notice against which the appeal is brought is not in

            accordance with the law; or



            b)    to the extent that the notice involved an exercise of

            discretion by the Commissioner, that he ought to have exercised
            her discretion differently,



      the Tribunal will allow the appeal or substitute such other decision as

      could have been made by the Commissioner. In any other case the

      Tribunal will dismiss the appeal.


      3.    You may bring an appeal by serving a notice of appeal on the

      Tribunal at the following address:



                 General Regulatory Chamber
                  HM Courts & Tribunals Service
                 PO Box 9300
                 Leicester

                 LE1 8DJ


                                     20      Telephone: 0203 936 8963
      Email:      grc@justice.gov.uk


      a)    The notice of appeal should be sent so it is received by the

      Tribunal within 28 days of the date of the notice.


      b)    If your notice of appeal is late the Tribunal will not admit it

      unless the Tribunal has extended the time for complying with this

      rule.



4.    The notice of appeal should state:-


      a)    your name and address/name and address of your

      representative (if any);



      b)     an address where documents may be sent or delivered to

      you;


      c)    the name and address of the Information Commissioner;



      d)    details of the decision to which the proceedings relate;


      e)    the result that you are seeking;



      f)    the grounds on which you rely;



      g)    you must provide with the notice of appeal a copy of the

      monetary penalty notice or variation notice;


      h)    if you have exceeded the time limit mentioned above the

      notice of appeal must include a request for an extension of time



                                 21      and the reason why the notice of appeal was not provided in
      time.



5.    Before deciding whether or not to appeal you may wish to consult

your solicitor or another adviser. At the hearing of an appeal a party

may conduct his case himself or may be represented by any person

whom he may appoint for that purpose.


6.    The statutory provisions concerning appeals to the First- tier

Tribunal (Information Rights) are contained in section 55B(5) of, and

Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure

(First-tier Tribunal) (General Regulatory Chamber) Rules 2009
(Statutory Instrument 2009 No. 1976 (L.20)).



































                                 22