Telephone marketing rules post-Brexit

Many UK businesses are planning to shift to telephone marketing. In this blog we go through the requirements that should be met in order to do it in compliance with the ePrivacy rules.

UK businesses are no longer clearly protected by ePrivacy country of origin rule when marketing directly in EU countries, so many of them are now looking for alternatives. Are the rules on telephone marketing less strict than the ones on electronic mail marketing?

What does the ePrivacy Directive say about unsolicited communications?

Pursuant to the ePrivacy Directive “Member States shall take appropriate measures to ensure that, free of charge, unsolicited communications for purposes of direct marketing […] are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by national legislation”.

Accordingly, national implementation of the ePrivacy Directive in each Member State regulates the rules that apply in each country.

ePrivacy country of origin rule principle allows the sender to rely on the benefit of the own country less strict rules as long as there is single market. However, this does not apply to UK businesses anymore after Brexit, therefore the rules of the destination country should be considered before marketing directly in EU countries.

Automated calls

Automated calls are subject to stricter requirements. Pursuant to the ePrivacy Directive, the use of automated calling systems without human intervention (automatic calling machines) and facsimile machines (fax) for the purposes of direct marketing is only allowed in respect of subscribers who have given their prior consent.

General consent for marketing, or even consent for live calls, is not enough and it needs to cover automated calls specifically.

Telephone marketing from the UK through live calls

In EU countries

UK businesses that wish to market other businesses or individuals in EU countries should check national laws in order to confirm the following elements: 

  1. Whether consent is required;
  2. Where consent is not required, whether the number is listed in the national opt-out register or whether the data subject has explicitly objected to receiving calls from that particular business.

Most EU countries have implemented opt-out registers rather than the consent requirement, but this must be assessed on a case by case basis in order to ensure full compliance.

In the UK

UK businesses that wish to market other businesses or individuals in the UK should take the following steps:

  1. Check whether the number is registered with the TPS or CTPS.
  2. Check whether the data subject has objected to receiving calls from them.

In a nutshell, marketing calls can be freely made unless the person has opted-out from them or is registered with the TPS or CTPS. No marketing calls should be made to any number listed on TPS or CTPS unless that person has specifically consented to calls from the particular business. Telephone marketing is also prohibited when it is for the purpose of claims management services, unless the person has specifically consented to them.

Calls in relation to pension schemes are subject to special rules.

Additional requirements

Once determined that the call can be made in compliance with the relevant rules, a set of additional requirements should be applied, namely: 

  • Say who is calling;
  • Allow the number (or an alternative contact number) to be displayed to the person receiving the call;
  • Explain where the controller’s privacy policy can be found and 
  • Provide a contact address or freephone number if asked.

EU ePrivacy rules update

As reported in one of our latest blogs, earlier this month EU Member States agreed upon a negotiating mandate for revised ePrivacy rules, which would repeal the current ePrivacy Directive, starting to apply two years after its publication in the EU Official Journal. The ePrivacy Regulation may introduce new rules on telephone marketing, such as the obligation to present the calling line identification assigned to them or use a specific code or prefix identifying the fact that the call is a direct marketing call. 


Do you make telephone marketing? Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy rules, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Memorandum of Understanding

Memorandum of Understanding signed between the ICO and the National Privacy Commission of the Philippines

A Memorandum of Understanding has been signed between the UK’s ICO and the Philippines’ NPC, effective January 12th 2021.

The UK’s ICO and the Philippines’ NPC have recently signed a Memorandum of Understanding in a move to strengthen their current relations. Recognizing the nature of this globalized economy, and the fact that they perform similar roles in their respective countries, the ICO and NPC decided on this memorandum, which is not legally binding, and is not applicable in circumstances which would breach either party’s legal responsibilities. Each organisation is expected to continue enforcing their respective legislations, but may collaborate on any joint enforcements, and aid in the enforcement of their respective laws, as long as it is not in contravention of national security or other relevant laws. 


The Memorandum of Understanding provides several opportunities for collaboration and cooperation. 

This Memorandum of Understanding signed by the ICO and NPC sets forth the intention to implement joint research projects and exchange information on best practices for data protection policies and training programmes. They will be coming together for bilateral meetings annually, or as decided. There will be no sharing of personal data, however, the ICO and NPC do intend to exchange information concerning potential or ongoing investigations, within their respective jurisdictions. The memorandum also encourages jointly investigating any cross border personal data breaches or other security incidents which involve organisations in both jurisdictions, as well as any other areas of cooperation decided on by both parties. 


This Memorandum does not create an obligation to share information and does not allow for the sharing of personal information. 

This agreement is not legally binding, and neither of the parties are under an obligation to cooperate or to share information, particularly information which is outside the scope of this memorandum, or which may compromise their legal responsibilities. While these parties agree to share certain information, this does not imply the transfer of ownership of, or rights to the shared information. There is no intention for the parties to share personal information, however this term is defined in each party’s domestic law. However, if the ICO or NPC wishes to share personal information and deem it necessary, as may be the case in sharing any information regarding a cross border personal data breach, this should not in any way compromise compliance with the respective parties’ own data protection laws.


The Memorandum of Understanding will be continuously monitored and reviewed, settling any disputes amicably through negotiations. 

The Memorandum of Understanding is regarded as a statement of intent, and it is anticipated that it will be continuously monitored, and reviewed biennially, seeking to resolve any disputes amicably, through the use of consultations and negotiations and without any legislative forum. The agreement does not imply any legally binding commitments. Therefore any issues which arise are to be handled by first notifying the point of contact for each party, and after the negotiating process, the agreement can be amended with changes agreed upon by both parties, and signed into the memorandum. The respective points of contact are expected to maintain open communication to ensure that the agreement remains effective and serves its purpose. 


Do you have questions about how this new agreement may affect your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

UK treaty with EU

UK treaty with EU: This agreement will allow an extended period for personal data flows.

The UK government has recently announced a treaty with the EU, which essentially allows for an extension in the transitionary period, allowing free personal data flows. 


Last month, we reported on the impending termination of the transitionary period and the need for UK businesses to ensure compliance to data protection law by December 31st 2020. Since then, the UK government has announced a treaty with the EU allowing for personal data to flow freely from the EU (and EEA) to the UK, including law enforcement agencies. This arrangement will stand until adequacy decisions take effect, for a period no longer than six months.


The UK government announces the new treaty, which allows free cross-border flow of information between the UK, and the EU and EEA. 


The announcement made by the UK government, provides in depth details on what this would mean for digital trade. The agreement is meant to ensure that the UK and the EU will collaborate on digital trade issues in future, including emerging technologies. The agreement will prohibit requirements to store or process data in a specific location, allowing for free cross-border flow of information. This is the first time that the EU has made provisions for data in a free trade agreement. This agreement is expected to promote trust in the digital economy, and prevent the imposition of costly requirements for UK businesses.


This UK treaty with the EU also features a totally new provision, inspired by recent WTO discussions, allowing open government data. This encourages governments to make available non personal and anonymised data, in easily accessible and machine readable formats. It also guarantees that neither the UK nor the EU will discriminate against electronic signatures or electronic documents, solely on the basis that they are in digital form, ensuring that contracts

can be completed digitally, with very few exceptions.


The agreement is expected to provide greater consumer protection, as it contains special exceptions to preserve policy space for the UK or the EU to protect online users. It includes online consumer protection and anti-spam provisions. This agreement also goes on to guarantee against the forced transfer of source code, ensuring companies, and valuable intellectual property are protected. 


The ICO has released a statement advising UK businesses  and organisations to arrange alternative transfer mechanisms.


The ICO has released an updated statement, urging businesses and organisations who transfer data to EU and EEA organisations to put alternative transfer mechanisms in place, during this period, to safeguard against an interruption in their data flow. Information Commissioner, Elizabeth Denham said in this recent statement “This means that organisations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices.” The ICO is expected to release an additional statement updating the ICO guidance on their website to reflect the extended provisions and ensure businesses know what happens next.


Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcingContact us today.

ICO urges UK businesses

ICO urges UK businesses: ensure compliance to data protection law before the end of the UK’s transition.

ICO urges UK businesses to ensure compliance to data protection law before the end of the UK’s transition on December 31st 2020. 


December 31st 2020 will officially end the transitionary period for the UK, out of the EU, and the ICO is calling on UK businesses to ensure that if they are impacted by data protection law, that they should take the necessary steps to ensure continued lawful data flow from the EU. The ICO advises that any businesses receiving data from organisations in the EU or European Economic Area (EEA, which includes the EU, Iceland, Norway and Liechtenstein) will need to take action to ensure the flow of data doesn’t stop. 


Many SMEs depend on the flow of personal data to operate, and the ICO seeks to aid these businesses during the transition. 

Personal data applies to anything that relates to an identifiable individual whether it be information on customers or staff. HR records, customer details, payroll information and information collected through cloud services are all classified as personal data and will possibly be affected. The ICO recognises that sharing personal data is essential to running the majority of SMEs and that smaller organisations may not have dedicated data protection officers or specialists to help with the preparations. They have, as a result, published a statement advising businesses on steps they can take before January 1st to ensure continued compliance. 

The ICO urges UK businesses to maintain compliance with the DPA 2018 and the GDPR, and to double check their privacy information.


Businesses in the UK will need to continue to ensure compliance with the GDPR and DPA 2018. However, as it relates to the exchange of data between entities in the UK and the EU, as of January 1st 2021, businesses will need to ensure that they have safeguards in place to ensure that the continued flow of data is lawful. The ICO has gathered some guidance and resources on its website and urges businesses to make use of this to determine the actions they may need to take if they use personal data. In addition, businesses should review their privacy information and other documentation for possible changes that need to be made at the end of the transition period.


For most businesses and organisations, the ICO suggests Standard Contractual Clauses (SCCs) to keep data flowing on EU-approved terms. 

The ICO statement suggests that standard contractual clauses or SCCs may be the best option for businesses that use personal data and want to ensure their data transfers are EU-approved. As businesses in the UK will officially be treated as non EU processors or controllers, come January first, SCCs which have proven to be a sufficient safeguard for the transfers for data between controllers and processors within the EU and internationally, have been recommended as the best option for UK businesses to adopt post-transition. 


Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcingContact us today.