ICO (UK) - Yes Consumer Solutions Ltd

From GDPRhub
Revision as of 12:38, 16 August 2021 by RRA (talk | contribs) (→‎Facts)
ICO (UK) - Yes Consumer Solutions Ltd
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 4(11) GDPR
Regulation 21 PECR
Regulation 26 PECR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 02.08.2021
Fine: 170000 EUR
Parties: Yes Consumer Solutions Ltd
National Case Number/Name: Yes Consumer Solutions Ltd
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Information Commissioner's Office (in EN)
Initial Contributor: n/a

The UK DPA fined a controller €200,000 (£170,000) for contacting almost 200,000 individuals registered with the Telephone Preference Service who had not given prior consent to receive marketing calls. In particular, the controller failed to check datasets purchased from 11 third-party data providers against the TPS.

English Summary

Facts

The UK DPA ('Information Commissioner's Office', or 'ICO') began investigating Yes Consumer Solutions Limited ('YCSL') after receiving 13 complaints.

YCSL sell nuisance call blocking systems. It purchases individuals' data indirectly via third parties, which it uses to engage in direct marketing calls.

The ICO investigation revealed that between 29 October 2018 and 29 October 2019, YCSL made 188,493 unsolicited direct marketing calls to customers not registered with the Telephone Preference Service Ltd ("TPS"). Regulation 21 of PECR, which implements the e-Privacy Directive in the UK, establishes that companies cannot contact individuals for direct marketing purposes who have registered their intent not to receive such calls with the TPS, where users have been on the list for longer than 28 days.

YCSL admitted to not having screened a dataset which it purchased from Yes Media Solutions Limited against the TPS. It claimed that the 188,493 direct marketing calls were only made to individuals whose data was contained within this dataset.

YCSL also obtained the records of 210,472 individuals between 29 October 2018 and 29 October 2019 from ten third party data providers. After reviewing the privacy policies of these providers, the ICO's investigation concluded that it was not possible for an individual to give valid consent via these sites to be contacted by YCSL for direct marketing purposes.

Holding

The ICO found that LTH contravened Regulation 21 of PECR, and issued a £170,000 fine.

The ICO stated that the conditions for the imposition of a monetary penalty, under section 55A of the UK's Data Protection Act, were met.

Firstly, the contravention was 'sufficiently serious' since a substantial number of calls were made over a 12 month period. Moreover, although YCSL had claimed that the unsolicited marketing calls were only made to individuals in the dataset it obtained from Yes Media Solutions, it had not provided the ICO with any evidence that marketing calls were not also made to individuals whose data was provided by the ten other third party data providers.

The contravention was also deemed to be 'deliberate.' This is because YCSL's sole director is known to the ICO, with one of his previous companies having been subject to an investigation for suspected unlawful direct marketing. Despite these prior interactions, YCSL appears to have been content to be wholly reliant on indirect consent, and conducted minimal due diligence on the data that it purchased.

The ICO accounted for a number of aggravating features when assessing the fine amount, including the fact that YCSL's responses lacked sufficient content to assist the investigation, as it maintained incomplete records, poor audit trails, and was unable to provide satisfactory responses regarding data obtained from third-party data providers.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.