Who: Information Commissioner’s Office, Telephone Preference Service and Smart Home Protection Ltd
Where: United Kingdom
When: 13 June 2019
Law stated as at: 21 June 2019
What happened:
A small home security company has received a fine from the Information Commissioner’s Office (ICO) for contraventions of the Privacy and Electronic Communications Regulations 2003 (PECR) relating to a number of unsolicited calls to individuals who had previously registered with the Telephone Preference Service (TPS).
The ICO found that, over a 21-month period from January 2017 to September 2018, Smart Home Protection made “118,006 calls to [TPS] subscribers without conducting any due diligence on the data provided to them”, resulting in 125 complaints to either the TPS or ICO. A number of the complainants also asserted that the content of the calls had been misleading – it had been implied that the call followed up on a previous call made and that the complainant had agreed to receive further calls in the future.
Regulation 21 of PECR prohibits unsolicited calls for direct marketing purposes to numbers listed on the TPS ‘do-not-call’ list, other than where the called line has been registered with the TPS for less than 28 days.
The ICO found that Smart Home had committed a serious and negligent contravention of Regulation 21 for a number of reasons, including that:
- the company should have been aware that its conduct constituted a potential contravention due to its heavy reliance on direct marketing, as well as the media scrutiny on this form of marketing practice; and
- the company had been informed by the TPS each time a complaint was made and so should have been aware of potential database credibility issues.
Smart Home argued that it had purchased the data from a third party and had been assured that the data was “covered for GDPR so it all good” [sic]. However, no due diligence had been conducted on the third party before the data was used, and the data had not been checked against the TPS ‘do-not-call’ list.
Organisations using lists purchased from third parties have a duty under the GDPR to ensure that the personal data has been obtained fairly and lawfully and, where necessary, that the necessary consents can be evidenced. Also, consent must be validly obtained and be clearly intended to extend to the purchaser specifically or to organisations fitting their description. Smart Home was unable to evidence that any due diligence had been undertaken in this respect.
The ICO issued a monetary penalty to Smart Home Protection of £90,000.
Why this matters:
This ruling provides an important reminder to businesses of their obligations when making direct marketing calls, particularly when using third party data lists.
Firstly, businesses are reminded that they should conduct thorough checks and reviews to satisfy themselves that the personal data has been obtained fairly and lawfully. It is not acceptable to rely on assurances of indirect consent given by data sellers.
Secondly, businesses are reminded that there is no contravention of PECR where individuals have been on the TPS register for less than 28 days. It is therefore important that procedures are in place to ensure that any data source is compared against the register at least every 28 days, and that any listed numbers are removed where consent has not been obtained.