The ICO has fined three companies for nuisance marketing

The ICO has fined three companies for a total of £415,000 due to nuisance marketing practices after receiving several complaints.

 

The ICO has fined three companies a total of £415,000 for nuisance marketing. Colour Car Sales Limited, Solarwave Limited and LTH Holdings were penalised for unsolicited marketing calls and spam text messages. Many of the individuals who received calls complained that they were registered with the Telephone Preference Service (TPS) and should not have been contacted at all. In all three cases the companies lacked the valid consent required to send direct marketing to the recipients, in breach of the Privacy and Electronic Communications Regulations (PECR). Under the PECR, the ICO can impose a monetary penalty of up to £500,000 on an organisation for breaches of the rules on electronic marketing.

 

Colour Car Sales Ltd was found to have been sending spam text messages directing people to various car finance websites.

 

A credit intermediary for used car finance, Colour Car Sales Limited of Stoke-on-Trent, was found to have sent spam text messages between October 2018 and January 2020, directing recipients to various car finance websites. Several recipients of those messages complained to the ICO. This was a breach of regulation 22 of the PECR, which applies to the transmission of unsolicited communications by electronic mail (which includes SMS) to individual subscribers. Regulation 22 prohibits sending or instigating unsolicited direct marketing by electronic mail unless the recipient has previously notified the sender that they consent to receive it. The only exception is the "soft opt-in": the sender obtained the contact details in the course of a sale, or negotiations for a sale, of a product or service to that person; the marketing concerns the sender's own similar products and services; and the recipient was given a simple means of refusing such marketing both when the details were collected and in every subsequent message.

 

Solarwave Ltd was fined for making unsolicited marketing calls about solar panel maintenance to people registered with the TPS.

 

Solarwave Limited, a solar energy company in Grays, Essex, was found to have made over 73,000 unsolicited marketing calls between January and October 2020. All of the numbers called were registered with the Telephone Preference Service (TPS), so none of them should have been called at all. The TPS register lists individuals who have opted out of receiving unsolicited marketing calls, and any organisation making such calls must screen its call lists against it to avoid violating that right. Various complaints were made against the company, alleging that it called people repeatedly and ignored requests to stop. The company was found to have breached regulation 21 of the PECR. Regulation 21 prohibits unsolicited live marketing calls to a number registered with the TPS, or to anyone who has previously told the caller not to call, unless the subscriber has notified the caller that they consent to receive such calls.

 

Over the course of a year, LTH Holdings was found to have been making unsolicited calls selling funeral plans to people who are registered with the TPS.

 

LTH Holdings, a telephone marketing company from Cardiff, made 1.4 million calls between May 2019 and May 2020. The ICO received 41 complaints against the company and found that its marketing techniques had become persuasive, aggressive and coercive. Of particular concern was that the target market for funeral plans was likely to include vulnerable people. LTH Holdings was also found to be in breach of regulation 21 of the PECR. Under regulation 26 of the PECR, the Information Commissioner must maintain a register of the numbers of subscribers who have notified that they do not wish, for the time being, to receive unsolicited marketing calls. The TPS is a limited company that maintains this register on the Commissioner's behalf. Businesses that wish to make direct marketing calls can subscribe to the TPS for a fee and screen their call lists against the up-to-date register to ensure they stay within the regulations.

 

The companies were fined a total of £415,000 for the various offenses.

 

After receiving complaints of misconduct against the three companies, the ICO issued enforcement notices ordering them to stop marketing until valid consent has been obtained. Colour Car Sales Limited was fined £170,000 for the spam text messages, while Solarwave and LTH Holdings were fined £100,000 and £145,000 respectively for the unsolicited calls. The ICO will now work to recover the total of £415,000 from the three companies. Under the PECR, the ICO can impose a monetary penalty of up to £500,000 on each offending organisation.

 

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Amazon faces possible fines

Amazon faces possible fines for alleged GDPR violations

Amazon faces possible fines totaling €350 million for alleged GDPR violations.

 

Luxembourg’s privacy regulator, the CNPD, is proposing a fine of at least €350 million on Amazon.com Inc. for alleged violations of the GDPR. Before this draft decision can become final it must be approved by the other EU privacy regulators. A final decision could take months and may result in a fine higher or lower than the proposed amount. The fine has the potential to be the bloc’s biggest GDPR penalty yet. Although the amount is roughly 2% of the company’s reported net income for 2020 and would be the largest GDPR sanction proposed so far, some other EU regulators argue that it may not be enough.

 

The alleged violations by Amazon are related to the company’s collection and use of personal data. 

 

The draft decision has been circulated among the bloc’s 26 other data protection authorities. Because Amazon’s EU headquarters is in the Grand Duchy, the CNPD, Luxembourg’s data protection commission, is the lead authority for this case. The proposed fine relates to alleged violations of the GDPR in Amazon’s collection and use of personal data; it is not linked to the company’s cloud computing business, Amazon Web Services. Months earlier, former information security employees had blown the whistle on the tech giant over privacy and compliance issues. According to Politico, three individuals, interviewed anonymously and identified as former senior employees of the company, raised concerns that the security of customers’ information was not being prioritised as it should have been. Because of the status of the legal proceedings, the regulator was unable to provide many details of the specific violations alleged against the company.

 

According to the whistle-blowing former information security employees, data held by Amazon is at risk because there is a lack of clarity about what data is stored, where it is stored and who can access it. As a result it would be extremely difficult for Amazon to fulfil a request from a customer exercising their right to erasure, since the company could not identify every place where each piece of information is stored. Article 17 of the GDPR gives data subjects the right to obtain from a controller the erasure of their personal data without undue delay, where one of the grounds set out in that Article applies. Representatives of Amazon maintain that the privacy of its customers is a priority and that it complies with the laws of the countries in which it operates.

 

Amazon faces a possible record-breaking fine, which could climb higher by the time a final decision is reached.

 

While the proposed amount would be a record for EU data protection regulators, some regulators feel that, given the size of the company among other factors, it may not be enough. Under the GDPR, a fine of up to €20 million or 4% of a company’s total worldwide annual turnover, whichever is higher, may be imposed for the most serious violations. The proposed fine is only about 2% of Amazon’s reported net income for 2020, which totalled approximately €17.5 billion, and a far smaller share of its turnover. The final decision may set a higher or lower fine, and the decision-making process, which could take several months, leaves room for the amount to rise substantially within the GDPR cap. This draft decision is one of many privacy enforcement actions being taken against tech giants like Amazon. Ireland’s privacy regulator has also signalled its intent to issue draft decisions against other tech giants, which may include Facebook, Google and Apple, all of which have their EU headquarters in Ireland.

 


EU Cloud Code of Conduct

EU Cloud Code of Conduct approved by the EDPB

EU Cloud Code of Conduct approved by the EDPB to ensure GDPR compliance for the cloud industry in Europe.

Two Codes of Conduct have recently been approved for the cloud industry to ensure GDPR compliance for cloud services in Europe. Euractiv reported that the EDPB approved Codes of Conduct on cloud service providers and on cloud infrastructure last month. EDPB Chair Andrea Jelinek said: “We welcome the efforts made by the code owners to elaborate codes of conduct, which are practical, transparent and potentially cost-effective tools to ensure greater consistency among a sector and foster data protection compliance.” The two Codes of Conduct are the first of their kind to be formally approved by data protection authorities and will provide a blueprint for compliance with data protection regulation in Europe.

All Cloud Service Providers are invited to join the EU Cloud Code of Conduct which covers the full spectrum of cloud services.

The new EU Cloud Code of Conduct covers the full array of cloud services: software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). The code was drafted together with European Union authorities and is intended to give cloud service providers guidance on data protection compliance while building customer trust in their services. There are various membership options depending on the interest of the cloud service provider, and providers will be able to declare their services adherent to the code. The codes are expected to increase transparency and trust in the European cloud computing market. Both Codes provide for independent monitoring bodies that will verify that adhering providers apply the Codes in a GDPR-compliant way. These monitoring bodies will carry out external audits and must be accredited by the relevant data protection authority.

These codes of conduct are expected to boost the cloud computing industry, bringing greater certainty to both EU companies and citizens.

Many EU companies still do not use cloud computing, with uncertainty around applicable law and data protection seen as the main barriers. This major step towards clear guidance for EU companies is expected to address those concerns as cloud computing becomes increasingly popular. Although the Codes cannot themselves be relied on as a mechanism for international data transfers, customers will be able to request that their data be stored within the EU, which allows businesses to avoid some of the uncertainty created by Schrems II. EU citizens will enjoy greater control over their personal data, transparency about where their data is stored, and greater certainty about how it is used.


New SCCs adopted

New SCCs adopted for international data transfers

New SCCs adopted by the European Commission last week introduce more legal and privacy safeguards for data transfers. 

 

Since the CJEU’s Schrems II decision last July, which affected transfers outside the EU made under Standard Contractual Clauses, SCCs have been the topic of much discussion regarding data transfers. SCCs are used by numerous companies to transfer data for many purposes, including but not limited to cloud storage, hosting, finance and marketing. The European Commission announced last Wednesday that it would adopt new Standard Contractual Clauses on Friday, 4 June. Justice Commissioner Didier Reynders said that the new SCCs “incorporated some elements of transparency, accountability in full compliance with the GDPR”, adding that the goal was to avoid a “Schrems III”.

 

The European Commission has adopted two sets of Standard Contractual Clauses reflecting the new requirements under the GDPR. 

 

The new SCCs adopted by the European Commission for the transfer of personal data to third countries take into account the details of the Schrems II judgment by the CJEU, and offer more legal predictability to European businesses. The new SCCs are expected to help small to medium enterprises in particular, to ensure compliance with safe data transfer requirements. They will provide companies with a template which is easy to implement, allowing data to move freely across borders, without legal barriers. 

 

The European Commission has also adopted another set of SCCs for use between controllers and processors within the EU.

 

The new SCCs are more practical and flexible and cover a broad range of transfer scenarios.

 

The new Standard Contractual Clauses include an overview of the steps companies will have to take to comply with the Schrems II judgment, together with examples of supplementary measures that may be necessary to ensure compliance. These supplementary measures are intended to strengthen the protection of data transferred to third countries that are not regarded as providing adequate protection. Examples include encryption and pseudonymisation, which prevents the personal data from being attributed to a specific individual without the use of additional information that is held separately. The new SCCs adopted by the European Commission cover a broad range of transfer scenarios in one practical toolbox.

 

A transition period of 18 months is provided for processors and controllers that are currently using old SCCs.

Since the CJEU’s judgment last summer, many companies have relied on Standard Contractual Clauses to transfer personal data to third countries. When the EU-US Privacy Shield was invalidated last July, the court confirmed that the EU Standard Contractual Clauses remain a valid basis for transferring personal data to processors outside the EU. This did not come without complications, however: the court also required exporters to assess, case by case, whether the law of the destination country allows the clauses to be honoured in practice, and in various cases it was found that for transfers to the US and other third countries the SCCs alone did not provide sufficient protection. These old SCCs are still in use by the majority of companies that transfer data to third countries. The European Commission has confirmed that contracts concluded under them can continue to be relied on for the next 18 months while companies transition to the new SCCs adopted last Friday.

 

Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing. Contact us today.