Children’s Code - transitionary period

Children’s Code transitionary period ends in less than 6 months

The children’s code transitionary period, which saw its inception on 2nd September 2020, ends in less than 6 months. All online services are expected to be in compliance with this code by September 2021. 

Last year, we reported that the Children’s Code, then known as the Age Appropriate Design Code, was about to come into effect on September 2, 2020. Since then, we have been in a transitionary period during which all online services are expected to come into compliance with this code. The ICO has just released a statement urging businesses to ensure that they are in full compliance by the end of this transitionary period, in less than 6 months.

This code is a statutory code of practice laying out 15 standards which are aimed at ensuring children’s best interest online.

The Children’s Code lays out 15 standards to ensure that children’s best interest is at the forefront. These standards include principles governing the best interest of the child, data protection impact assessments, age appropriate application, transparency, detrimental use of data, policies and community standards, default settings, data minimization, data sharing, geolocation, parental controls, profiling, knowledge techniques, connected toys and devices, and online tools. During this transitionary period, online services are expected to take steps to bring their services into full compliance with this code, ensuring that all principles are considered and that their services support the rights of the child.

This code applies to any online product or service likely to be accessed by children and is not limited to only those aimed at children.

This code will apply to every online service that is likely to be accessed by children. This means that not only are services made for children expected to come into compliance, but every service that may be accessed by children will need to as well. Online services may take a risk-based approach to recognizing the age of their individual users to ensure that the standards in this code will be applied to child users. Unless the age of the individual users can be established with a level of certainty, this code should be applied to all users on the platform.

The ICO has launched initiatives to gauge businesses’ readiness for compliance with this code, as well as to educate and raise awareness about the Children’s Code.

The ICO recently conducted a survey to gauge general understanding of the age-appropriate design code. Some 500 services were part of this survey, from which findings show, so far, that about 75% of businesses are aware of this code. The ICO has set up what is called the Children’s Code hub with a range of resources for organizations to understand the code and to know whether they are in the scope of it. The regulator has also been holding webinars and will also be hosting a workshop at the Festival of UX and Design 2021 to help raise awareness within the design community and explain how this code can be applied to innovative projects. The ICO has also launched a call for transparency champions, which will consist of organizations designing projects that use privacy information in a way that is tailored to children’s understanding.

Does your company offer online services likely to be accessed by minors? If so, it will be imperative that you adhere to the UK Data Protection Code once it is effected. Aphaia’s data protection impact assessments and Data Protection Officer outsourcing will assist you with ensuring compliance. Aphaia provides GDPR adaptation consultancy services and CCPA compliance, including EU AI Ethics assessments. Contact us today.

Two companies fined

Two companies fined by the ICO, for sending millions of nuisance text messages during the COVID-19 pandemic.

The ICO has issued fines to two companies for over 2.7 million spam messages sent out during the pandemic. 


Between May and July 2020, two companies sent out a total of 2.7 million spam text messages in the midst of the global COVID-19 pandemic. This resulted in several thousand complaints, including a record 10,000 complaints about one of the two companies. A total of £330,000 in fines has been issued to the two companies by the ICO.


The first of the two companies fined by the ICO is a West Sussex-based company whose messages resulted in a record number of complaints.


A West Sussex-based company, Lead Works, has incurred a fine of £250,000 and an enforcement notice from the ICO. The company sent more than 2.6 million nuisance text messages to customers between 16 May and 26 June 2020, without their valid consent. These messages resulted in over 10,000 complaints, a record high.


A lead company for financial and debt management products was also fined for sending messages attempting to profiteer from the pandemic. 


Valca Vehicle Ltd, a company in Manchester, has been fined £80,000. The company, currently operating as ‘Debtquity’ and generating leads for debt management products, sent more than 95,000 text messages from June to July 2020 without the consent of the recipients. These messages were designed to appeal to individuals whose finances were adversely affected by the health crisis, and resulted in several complaints to the ICO.

The companies fined by the ICO violated the PECR, and in the Commissioner’s opinion, attempted to profit from the health crisis. 


Regulation 22 of the Privacy and Electronic Communications Regulations (PECR) prohibits the sending of unsolicited communications by means of electronic mail, as well as text messages to individual subscribers, with very few exceptions. Under the PECR, the ICO has the power to impose penalties of up to £500,000. The messages sent by these companies referenced the pandemic and lockdown, and in the Commissioner’s view, were a clear attempt to profit from and capitalize on the current health crisis. Some of these messages resulted in a record number of complaints.


Both companies were fined and issued enforcement notices ordering them to stop sending those messages.


Andy Curry, ICO Head of Investigations, said, “We have issued a number of fines recently to companies that have used the pandemic as a way of making money. Businesses that think they can exploit the pandemic in this way should think again. We can fine you and take action to recover that fine where necessary.” In addition to the fines, both of the companies involved have been issued enforcement notices and ordered to stop sending those messages.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, PECR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Marketing executive banned by the Insolvency Service

Marketing Executive banned by the Insolvency Service for thousands of unsolicited marketing calls.

Marketing executive banned by the Insolvency Service for six years after making 75,500 unsolicited marketing calls.

A former director of a marketing company has been banned from acting as a director, or directly or indirectly becoming involved in the promotion, formation or management of a company, without the permission of the court. For the next 6 years, Elia Bols, who now lives in Australia, is not to be involved in any such activity after AMS Marketing, of which he was a director, was found to be in violation of Regulation 21 of the Privacy and Electronic Communications Regulations. The ICO reported that the 32-year-old Australian native was banned by the Insolvency Service, as of November 2020.

After several complaints to the Telephone Preference Service (TPS) and the ICO, Bols was informed that AMS Marketing would be hit with a fine.

Between October 2016 and October 2017, TPS received 71 complaints of unsolicited marketing by AMS, while the ICO received an additional 32 complaints. The company was subsequently issued a fine of over 100,000 Euros. AMS Marketing Limited allegedly did not screen its call list against the TPS list before making those calls to remove the numbers of individuals who had elected not to receive unsolicited contact. The company ended up in court in April of 2019, while the fine remained unpaid.

The disqualification undertaking came after Bols did not dispute causing his company to breach Regulation 21 of the Privacy and Electronic Communications Regulations. 

Elia Bols was made to face a disqualification undertaking on October 28th, 2020, when he did not dispute causing his company to breach Regulation 21 of the Privacy and Electronic Communications Regulations.

The regulation states: “A person shall neither use, nor instigate the use of, a public electronic communications service for the purposes of making unsolicited calls for direct marketing purposes where— (a) the called line is that of a subscriber who has previously notified the caller that such calls should not for the time being be made on that line; or (b) the number allocated to a subscriber in respect of the called line is one listed in the register kept under regulation 26.”

By failing to verify that the numbers being called were not included on the TPS list of individuals who had elected not to receive unsolicited contact, Bols and AMS Marketing breached this regulation. As a result, from 18 November 2020, Elia Bols is disqualified for 6 years from acting in business.

The ICO and Insolvency Service worked together to address this issue when the company failed to pay the initial fine issued by the ICO.

The Insolvency Service, a Government agency addressing financial wrongdoing and maximising returns to creditors, worked with the ICO in dealing with this situation after AMS Marketing failed to pay the fine for their actions. Robert Clarke, Chief Investigator at the Insolvency Service, said, “Elia Bols had a complete disregard of protective regulations and thanks to the joint work with the ICO, we have secured a ban which reflects the seriousness of this offence. When directors of a company do not comply with regulations that are designed to protect the public, we will fully investigate the circumstances and take action where appropriate.” The disqualification order issued to Elia Bols subjects him to a range of restrictions detailed here

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

ICO provides SAR guidance

ICO provides SAR guidance for organizations receiving requests.

ICO provides SAR guidance to simplify the process for, and give better understanding to, organizations receiving subject access requests.


The ICO published information last month geared at giving guidance to organizations who may receive subject access requests (SARs). As the weight of personal data becomes more apparent to individuals, more people are exercising their right to information on what exactly is happening to their personal data. The right of access, also referred to as subject access, gives individuals the right to obtain a copy of their personal data from you, as well as other additional information. The ICO, having realized how important it is that an organization should be able to deal with subject access requests efficiently and effectively, has launched this guide, which was published in the form of a list of frequently asked questions and can be found here


The initial consultation for this guidance published by the ICO generated lots of engagement and received an overwhelmingly positive response.


The process of creating this right of access detailed guidance started back in December 2019, with a consultation which received an overwhelming reaction, comprised of over 350 responses from various organisations. While those responses consisted of mainly positive feedback, there were also requests for examples, explanations and additional content. Based on the feedback, there were some key changes made, and content added to the original version published. 


The ICO provides SAR guidance, complete with situational examples for reference.


This guidance published by the ICO last month includes details on what right of access is, why it is important, and also what specific information an individual is entitled to. The information provided in this guidance also includes direction on who should be handling requests and in what manner requests should be handled, complete with relatable examples, which the individuals in an organisation can follow and apply to their circumstances to gain a better understanding of how things should proceed.


The ICO was able to clarify a few key points raised by organisations during the guidance consultation phase. 


There were a few key points raised for clarification by the organisations regarding their obligations, which the ICO cleared up. For one, stopping the timer on response time when clarification is needed to provide a response is definitely now allowed. The ICO also clarified what a manifestly excessive request is, and offered guidance on how to navigate dealing with those, including when and how an admin fee may be applied to some requests.

The ICO has further plans to create several resources for businesses on the topic of SARs.


The ICO has plans on creating a suite of resources. This will include an even more simplified guide for small businesses regarding subject access requests with key information from the general guide which would specifically benefit them. This information is viewed as essential to organisations, to ensure trust from individuals, in the way an organisation handles their personal data, and by extension in the organisation itself.


Do you know how to handle DSARs and the rest of the data subjects’ rights granted by the GDPR? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.