Halifax-based company fined by the ICO

A Halifax-based company fined by the ICO was found to have been making unlawful pension calls.

A Halifax-based company, Parker Beach LTD (PBL), has been fined a total of £50,000 by the ICO for unlawful cold calls regarding pensions, according to this report from the ICO. The ICO’s investigation revealed that the company, which operates under the trading name “Your Pension Options”, made calls to people regarding their pensions, looking to arrange an introduction to an advisor. These calls were unauthorized and resulted in 16 complaints to the ICO. The company has admitted to making over 96 thousand calls. Pension cold calling was banned in 2019, specifically to protect vulnerable pensioners and their retirement funds, as cold calls are one of the more common ways of defrauding people out of pension and retirement funds.

Pension calls have been outlawed since 2019 and are only allowed under a few specific conditions.

Pension calls are outlawed unless certain conditions apply. If the caller is authorized by the Financial Conduct Authority (FCA), or is the trustee or manager of an occupational or personal pension scheme, or if the recipient has an existing relationship with the caller and has consented to calls, these calls are considered lawful. This stance was taken in 2019, making it illegal for companies to make nuisance cold calls to people regarding pension schemes. The ICO’s Head of Investigations, Andy Curry, has stated that cold calls have been a common tool in fraud, and for that reason tough action will be taken on companies who utilize this kind of marketing. He said in a statement, “Companies are responsible for knowing the law and following it. We have a range of powers and enforcement action which we can and will take on behalf of the public to put a stop to the activities of unscrupulous companies.”

The ICO fined the company and issued an enforcement notice ordering them to make no further calls. 

In their investigation, the ICO uncovered that PBL sourced the data for its calls from a third-party supplier, which had itself obtained the data from various websites. Signing up on these sites required users to agree to possible marketing from an extensive list of organizations from various sectors. It did not appear possible for users to select which, if any, of these organizations could receive their details or send them marketing material. This means that PBL did not obtain clear, informed consent. As a result, the company was hit with a fine of £50,000 and an enforcement notice ordering it to stop making further calls. Under the Privacy and Electronic Communications Regulations (PECR), the ICO can issue fines of up to £500,000.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

TikTok fined by Dutch DPA

TikTok fined by Dutch DPA for failure to provide translated information to users

The video sharing social networking app TikTok was recently fined by the Dutch DPA, according to this report from the EDPB. Upon investigation into apps typically used by minors, it was discovered that the information provided when installing the app (including the privacy policy) was only available in English. By failing to provide this information in Dutch, TikTok violated the rights of Dutch-speaking users, as it failed to give them clear, comprehensible information on what happens with their personal data. This in and of itself is a violation of their privacy rights. TikTok has been hit with a fine of €750,000, to which the company has objected.

TikTok, fined by the Dutch DPA, is now being investigated by the Irish DPA after establishing headquarters in Ireland.

While this initial fine was imposed by the Dutch DPA, and rightfully so, because at the time TikTok had no headquarters in the EU, the company has since established headquarters in Ireland. The initial fine could have been imposed by any EU member state; however, any subsequent investigations must be handled by the Irish Data Protection Commission. The Dutch Data Protection Authority can only be expected to assess the privacy statement related violation, which had ended by the time headquarters had been established in Ireland. When a company has no European headquarters, any EU member state can oversee its activities; however, if there are European headquarters, this responsibility falls on the country which houses the company’s headquarters.

TikTok has made changes to its app to make it safer for child users.

Since last October, when the Dutch DPA submitted the results of its investigations to TikTok, certain key changes have been made to protect users under 16 while they use this app. While these changes are not entirely foolproof, because children can still pretend to be older by creating their account with false information, the DPA welcomes the adjustments made by TikTok to reduce the risk for child users. Parents are now able to manage their children’s accounts through their own accounts, or through the ‘Family Pairing’ feature. This will not prevent children from putting themselves at risk by lying about their age; however, it will give parents the power to monitor their children’s accounts and provide greater security to them.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Children’s Code - transitionary period

Children’s Code transitionary period ends in less than 6 months

The children’s code transitionary period, which saw its inception on 2nd September 2020, ends in less than 6 months. All online services are expected to be in compliance with this code by September 2021. 

Last year, we reported that the Children’s Code, then known as the Age Appropriate Design Code, was about to come into effect on September 2, 2020. Since then, we have been in a transitionary period during which all online services are expected to come into compliance with this code. The ICO has just released a statement urging businesses to ensure that they are in full compliance by the end of this transitionary period, in less than 6 months.

This code is a statutory code of practice laying out 15 standards which are aimed at ensuring children’s best interest online.

The Children’s Code lays out 15 standards to ensure that children’s best interest is at the forefront. These standards include principles governing the best interest of the child, data protection impact assessments, age appropriate application, transparency, detrimental use of data, policies and community standards, default settings, data minimization, data sharing, geolocation, parental controls, profiling, nudge techniques, connected toys and devices, and online tools. During this transitionary period, online services are expected to take steps to bring their services into full compliance with this code, ensuring that all principles are considered and that their services support the rights of the child.

This code applies to any online product or service likely to be accessed by children and is not limited to only those aimed at children.

This code will apply to every online service that is likely to be accessed by children. This means that not only are services made for children expected to come into compliance, but every service that may be accessed by children will need to as well. Online services may take a risk-based approach to recognizing the age of their individual users to ensure that the standards in this code are applied to child users. Unless the age of the individual users can be established with a level of certainty, this code should be applied to all users on the platform.

The ICO has launched initiatives to assess businesses’ readiness for compliance with this code, as well as to educate and raise awareness on the topic of the Children’s Code.

The ICO recently conducted a survey to gauge general understanding of the age-appropriate design code. Some 500 services took part in this survey, and the findings so far show that about 75% of businesses are aware of this code. The ICO has set up what is called the Children’s Code hub, with a range of resources for organizations to understand the code and to know whether they fall within its scope. The regulator has also been holding webinars and will be hosting a workshop at the Festival of UX and Design 2021 to help raise awareness within the design community and explain how this code can be applied to innovative projects. The ICO has also launched a call for transparency champions, which will consist of organizations designing projects that present privacy information in a way tailored to children’s understanding.

Does your company offer online services likely to be accessed by minors? If so, it will be imperative that you adhere to the UK Data Protection Code once it comes into effect. Aphaia’s data protection impact assessments and Data Protection Officer outsourcing will assist you with ensuring compliance. Aphaia provides GDPR adaptation consultancy services and CCPA compliance, including EU AI Ethics assessments. Contact us today.

A data broking investigation

A data broking investigation by ICO results in enforcement action against Experian.

A data broking investigation conducted over the past two years has resulted in an enforcement action against the company Experian.

A data broking investigation into Experian, as well as Equifax and TransUnion, and their use of personal data within their data broking businesses has resulted in enforcement action. The ICO published a report earlier this month on the findings of their extensive investigation into these data broking companies, their processes, and the legislative framework which led to this outcome.

The investigation found significant processing of personal data, unbeknownst to the data subjects, by the CRAs: Equifax, TransUnion and Experian.

The investigation by the ICO uncovered how these three CRAs (Credit Reference Agencies) were trading, enriching and enhancing people’s personal data without their knowledge. This personal data was then used by commercial organizations, political parties and charities to find new customers, build profiles about people, and also identify the people most likely to be able to afford their goods and services.

The ICO defines data broking as “the practice of obtaining information about individuals and trading, including by licensing, this information or information derived from it as products or services to other organisations or individuals. Information about individuals is often aggregated from multiple sources, or otherwise enhanced, to build individual profiles.” Collecting and using an individual’s personal data without their knowledge goes against data protection law.

Through the data broking investigation, the ICO uncovered several data protection failures at each company.

Through their investigation, the ICO found that the personal data provided to each of these CRAs for the statutory credit referencing function was also being used for marketing purposes in limited ways. Some of the CRAs also engaged in profiling to generate new or previously unknown information about the data subjects.

These companies also failed to be transparent. While they did provide some privacy information on their websites, it did not clearly explain what they were doing with people’s data. In addition to this, they were using some lawful bases incorrectly to process the data.

While all three companies were at fault, only Experian was subjected to enforcement action because it did not do enough to improve compliance.

All three CRAs made improvements to their Direct Marketing Services business as a result of the work done by the ICO. In addition to this, Equifax and TransUnion withdrew some of their products and services. For this reason the ICO has chosen not to take any further action against them.

While Experian has also made some progress, the ICO found that the company did not go far enough. This CRA does not accept accountability for making the changes set out by the ICO, and as a result was not prepared to issue privacy information directly to data subjects, nor was it prepared to stop using credit reference data for direct marketing purposes.

Experian is now expected to make the necessary changes to its framework within 9 months or risk further action, including being fined.

The ICO decided to issue an enforcement notice, as it is seen as the most effective way of achieving compliance in this situation. The notice orders Experian to make the necessary changes within 9 months or risk further action. The company now risks being hit with a fine of up to €20 million or 4% of its total annual worldwide turnover. This notice from the ICO also requires Experian to inform people that it holds their personal data. The company must also stop using the data derived from the credit referencing side of its business by January 2021.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.