banned by the Insolvency Service

Marketing Executive banned by the Insolvency Service for thousands of unsolicited marketing calls.

Marketing executive banned by the Insolvency Service for six years after making 75,500 unsolicited marketing calls.

A former director of a marketing company has been banned from acting as a director, or directly or indirectly becoming involved in the promotion, formation or management of a company, without the permission of the court. For the next 6 years, Elia Bols, who now lives in Australia, is not to be involved in any such activity after AMS Marketing, of which he was a director, was found to be in violation of Regulation 21 of the Privacy and Electronic Communications Regulations. The ICO reported that the 32-year-old Australian native was banned by the Insolvency Service as of November 2020.

After several complaints to the Telephone Preference Service (TPS) and the ICO, Bols was informed that AMS Marketing would be hit with a fine.

Between October 2016 and October 2017, TPS received 71 complaints of unsolicited marketing by AMS, while the ICO received an additional 32 complaints. The company was subsequently issued a fine of over 100,000 Euros. AMS Marketing Limited allegedly did not use the TPS list to remove the numbers of individuals who had elected not to receive unsolicited contact before making those calls. The company ended up in court in April of 2019, while the fine remained unpaid.

The disqualification undertaking came after Bols did not dispute causing his company to breach Regulation 21 of the Privacy and Electronic Communications Regulations. 

Elia Bols was made to face a disqualification undertaking on October 28th, 2020, when he did not dispute causing his company to breach Regulation 21 of the Privacy and Electronic Communications Regulations.

The regulation states: “A person shall neither use, nor instigate the use of, a public electronic communications service for the purposes of making unsolicited calls for direct marketing purposes where— (a) the called line is that of a subscriber who has previously notified the caller that such calls should not for the time being be made on that line; or (b) the number allocated to a subscriber in respect of the called line is one listed in the register kept under regulation 26.”

By failing to verify that the numbers being called were not included on the TPS list of individuals who had elected not to receive unsolicited contact, Bols and AMS Marketing breached this regulation. As a result, from 18 November 2020, Elia Bols is disqualified for 6 years from acting in business.

The ICO and Insolvency Service worked together to address this issue when the company failed to pay the initial fine issued by the ICO.

The Insolvency Service, a Government agency addressing financial wrongdoing and maximising returns to creditors, worked with the ICO in dealing with this situation after AMS Marketing failed to pay the fine for their actions. Robert Clarke, Chief Investigator at the Insolvency Service, said: “Elia Bols had a complete disregard of protective regulations and thanks to the joint work with the ICO, we have secured a ban which reflects the seriousness of this offence. When directors of a company do not comply with regulations that are designed to protect the public, we will fully investigate the circumstances and take action where appropriate.” The disqualification order issued to Elia Bols subjects him to a range of restrictions detailed here.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

ICO provides SAR guidance

ICO provides SAR guidance for organizations receiving requests.

ICO provides SAR guidance to simplify the process for, and give better understanding to, organizations receiving subject access requests.

The ICO published information last month aimed at giving guidance to organizations that may receive subject access requests (SARs). As the weight of personal data becomes more apparent to individuals, more people are exercising their right to information on what exactly is happening to their personal data. The right of access, also referred to as subject access, gives individuals the right to obtain a copy of their personal data from you, as well as other additional information. The ICO, having realized how important it is that an organization should be able to deal with subject access requests efficiently and effectively, has launched this guide, which was published in the form of a list of frequently asked questions and can be found here.

The initial consultation for this guidance published by the ICO generated lots of engagement and received an overwhelmingly positive response.

The process of creating this detailed right of access guidance started back in December 2019, with a consultation which received an overwhelming reaction, comprising over 350 responses from various organisations. While those responses consisted of mainly positive feedback, there were also requests for examples, explanations and additional content. Based on the feedback, some key changes were made, and content was added to the original version published.

The ICO provides SAR guidance, complete with situational examples for reference.

 

This guidance published by the ICO last month includes details on what the right of access is, why it is important, and what specific information an individual is entitled to. The guidance also includes direction on who should be handling requests and in what manner requests should be handled, complete with relatable examples which the individuals in an organisation can follow and apply to their circumstances to gain a better understanding of how things should proceed.

The ICO was able to clarify a few key points raised by organisations during the guidance consultation phase. 

 

There were a few key points raised for clarification by the organisations regarding their obligations, which the ICO cleared up. For one, stopping the timer on response time when clarification is needed to provide a response is definitely now allowed. The ICO also clarified what a manifestly excessive request is, and offered guidance on how to navigate dealing with those, including when and how an admin fee may be applied to some requests.

The ICO has further plans to create several resources for businesses on the topic of SARs.

The ICO plans to create a suite of resources. This will include an even more simplified guide for small businesses regarding subject access requests, with key information from the general guide which would specifically benefit them. This information is viewed as essential to organisations to ensure trust from individuals in the way an organisation handles their personal data and, by extension, in the organisation itself.

Do you know how to handle DSARs and the other data subject rights granted by the GDPR? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

A data broking investigation

A data broking investigation by ICO results in enforcement action against Experian.

A data broking investigation conducted over the past two years has resulted in an enforcement action against the company Experian.

 

A data broking investigation into Experian, as well as Equifax and TransUnion, and their use of personal data within their data broking businesses has resulted in enforcement action. The ICO published a report earlier this month on the findings of their extensive investigation into these data broking companies, their processes, and the legislative framework which led to this outcome.

The investigation found significant processing of personal data unbeknownst to the data subjects by the CRAs: Equifax, TransUnion and Experian.

The investigation by the ICO uncovered how these three CRAs (Credit Reference Agencies) were trading, enriching and enhancing people’s personal data without their knowledge. This personal data was then used by commercial organizations, political parties and charities to find new customers, build profiles about people, and also identify the people most likely to be able to afford their goods and services.

 

The ICO defines data broking as “the practice of obtaining information about individuals and trading, including by licensing, this information or information derived from it as products or services to other organisations or individuals. Information about individuals is often aggregated from multiple sources, or otherwise enhanced, to build individual profiles.” Collecting and using an individual’s personal data without their knowledge goes against data protection law.

 

Through the data broking investigation, the ICO uncovered several data protection failures at each company. 

 

Through their investigation, the ICO found that the personal data provided to each of these CRAs, which would then be used to provide the statutory credit referencing function, was also being used for marketing purposes in limited ways. Some of the CRAs also engaged in profiling to generate new information or previously unknown information about the data subjects.

These companies also failed to be transparent. While they did provide some privacy information on their websites, it did not clearly explain what they were doing with people’s data. In addition to this, they were using some lawful bases incorrectly to process the data. 

 

While all three companies were at fault, only Experian was subjected to enforcement action because they did not do enough to improve compliance.

 

All three CRAs made improvements to their Direct Marketing Services business as a result of the work done by the ICO. In addition to this, Equifax and TransUnion withdrew some of their products and services. For this reason the ICO has chosen not to take any further action against them. 

 

While Experian has also made some progress, the ICO found that the company did not go far enough. This CRA does not accept accountability for making changes set out by the ICO and, as a result, was not prepared to issue privacy information directly to data subjects, nor was it prepared to stop using credit reference data for direct marketing purposes.

Experian is now expected to make necessary changes to their framework within 9 months or risk further action including being fined.

 

The ICO decided to issue an enforcement notice, as it is seen as the most effective way of achieving compliance in this situation. The notice orders Experian to make the necessary changes within 9 months or risk further action. The company now risks being hit with a fine of up to €20 million or 4% of its total annual worldwide turnover. This notice from the ICO also requires Experian to inform people that it holds their personal data. The company must also stop using the data derived from the credit referencing side of its business by January 2021.


CPS Advisory fined

CPS Advisory fined for unauthorized cold calls

CPS Advisory faces ICO fine for making more than 100,000 unauthorized pension-related direct marketing calls. 

 

As technological advances, globalization—and now worldwide health & safety threats (such as COVID-19)—continue to catapult our world further into the remote sphere, more and more businesses are turning to cold calling and other such distanced customer engagement methods to keep their businesses alive. Yet if companies are not diligent, what may seem a prudent, practical, inevitable business development solution—especially in these unprecedented 2020 times—could plunge them into some serious hot water. This is the case for Swansea, UK-based company CPS Advisory (CPSAL).

According to the ICO, an investigation into CPS Advisory’s operations revealed that during the period January 11 2019 to April 30 2019, the company made 106,987 unsolicited direct marketing calls related to occupational pension and/or personal pension schemes, contrary to regulation 21B of PECR.

The ICO article summarizes that “under the new law, companies can only make live calls to people about their occupational or personal pensions if:

  • the caller is authorised by the Financial Conduct Authority (FCA), or is the trustee or manager of an occupational or personal pension scheme;
  • the recipient of the call consents to calls, or has an existing relationship with the caller and the relationship is such that the recipient might reasonably envisage receiving unsolicited calls for the purpose of direct marketing in relation to occupational pension schemes or personal pension schemes; and
  • the recipient of the call has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of the recipient’s contact details for the purpose of such direct marketing, at the time that the details were initially collected and, where the recipient did not initially refuse the use of the details, at the time of each subsequent communication.”

 

As a result of this breach, the ICO Monetary Penalty Notice notes that the Information Commissioner decided to issue CPSAL with a monetary penalty under section 55A of the Data Protection Act 1998 (DPA).

 

PECR & GDPR – how do they fit

 

According to the ICO, “the GDPR does not replace PECR, although it changes the underlying definition of consent. Existing PECR rules continue to apply, but use the new GDPR Standard of consent. 

 

“This means that if you send electronic marketing or use cookies or similar technologies, from 25 May 2018 you must comply with both PECR and the GDPR.”

 

Does PECR apply to you & your company? 

 

The ICO offers that although some of the rules apply only to organisations that provide a public electronic communications network or service, PECR will apply to you if you:

  • market by phone, email, text or fax;
  • use cookies or a similar technology on your website; or
  • compile a telephone directory (or a similar public directory)
