ICO - CPS Advisory Limited

From GDPRhub
ICO - Monetary Penalty CPS Advisory Ltd
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law:
Directive 2002/58/EC
Directive 2009/136/EC
Regulation 21B PECR
Schedule 20 Part 9 §58 (1) DPA 2018
Section 55A DPA (1998)
Section 31 FSMA
Type: Other
Outcome: n/a
Decided: 04.09.2020
Published: 10.09.2020
Fine: 130000 GBP
Parties: CPS Advisory Limited
National Case Number/Name: Monetary Penalty CPS Advisory Ltd
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: n/a

UK DPA (Information Commissioner’s Office - ICO) issues £130.000 fine for serious contravention to Privacy and E-Communications Regulations (EC Directive) 2003 (PECR) by making unsolicited calls for the purposes of direct marketing in relation to occupational or personal pension schemes.

English Summary[edit | edit source]

Facts[edit | edit source]

CPS Advisory Limited (CPSAL) conducted direct marketing calls in relation to personal pensions. The data CPSAL used to conduct the calls had been purchased from third party data providers, for which it was unable to provide evidence of specific consent, claiming though that consent be “highly likely”.

Dispute[edit | edit source]

Did CPSAL act in contravention of Regulation 21B PECR and, if so, were the conditions of Section 55A of the Data Protection Act 1998 (DPA98) satisfied?

Holding[edit | edit source]

The Information Commissioner (Commissioner) finds that CPSAL made unsolicited calls for the purposes of direct marketing in relation to occupational or personal pensions and thereby violated Regulation 21B PECR. On the basis of Article 55A the Commissioner issues a monetary penalty notice (£ 130.000).

Upon establishing the applicability of Regulation 21B PECR, the Commissioner examines the relevant exemptions as laid out therein. She confirms that none of these apply as CPSAL was neither an “authorised person” nor a trustee or manager of a relevant pension scheme. In particular could it neither be established that CPSAL acted as an ‘Appointed Representative - Introducer’ (IAR) as it had claimed, nor were IARs even included in the relevant list as defined by Section 31 (1) of the Financial Services and Markets Act 2000 (FSMA).

Even if this had been the case, was it evident from a look on the third party data provider websites that “the means by which consent was obtained did not allow for it to be freely given, specific, or informed.”

The Commissioner continues by examining the conditions laid out by Article 55A DPA98.

She confirms the seriousness of the above confirmed contravention of Regulation 21B PECR. The at least 106 987 confirmed conducted calls represent “significant intrusion into the privacy of the recipients”.

Although the contravention was not deliberate, did it have to be seen as negligent, since it was a reasonable expectation for CPSAL to be aware of the prohibition. This be in general, with reference to the specific guidance issued by the ICO, and in particular considering that one of the company’s directors had been subject to regulatory action by the Commissioner for unsolicited direct marketing activities in the past.

Comment[edit | edit source]

Despite having been superseded and repealed by the Data Protection Act 2018 (DPA 2018) and in principle no longer being in effect, the DPA98 applies in this case via specific provisions in the schedule of DPA 2018 and of PECR.

In her decision, the Commissioner confirms that she is applying PECR in a way “so as to give effect to the Directives” it aims to implement (Directive 2002/58/EC; Directive 2009/136/EC).

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the English original. Please refer to the English original for more details.