The UK Information Commissioner’s Office (ICO) has issued an enforcement notice and imposed a monetary penalty of £160,000 on Zuwyco Limited for contravening regulations 21 and 24 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), which respectively prohibits the use of public electronic communications services for the purpose of making unsolicited direct marketing calls to Telephone Preference Service Ltd (“TPS”) registrees or individuals who have otherwise given notice that they do not consent to such calls; and requires that direct marketing callers provide their names and an address or telephone number where the caller can be reached free of charge.
The enforcement action arises out of three complaints received by the ICO in 2020 regarding unsolicited direct marketing calls which, upon investigation, were confirmed to have originated with Zuwyco or a Zuwyco affiliate. The ICO investigation initially was not able to determine which calls had actually violated the PECR because Zuwyco call handlers had used scripts interchangeably for solicited and unsolicited calls, without differentiating which telephone number was used to dial the calls. In May 2021, the ICO concluded its investigation by issuing guidance to comply with PECR, without taking enforcement action. However, the investigation recommenced in October 2021, following receipt by the ICO of additional complaints.
Ultimately, the ICO found Zuwyco responsible for the activities of Oceana Marketing, that the Zuwyco directors had taken steps to ensure that such activities were not traceable to them or to Zuwyco, and that between January and July 2021, Oceana had made 93,558 calls to numbers registered with the TPS for at least 28 days. The callers provided generic company names (e.g., “Pensions Claims Team”) rather than identifying Zuwyco as the entity directing the calls. Some call recipients received as many as 50 calls from Zuwyco. The ICO determined, further, that the calls, which offered pension transfer services, were made for purposes of direct marketing within the meaning of section 122(5) of the Data Protection Act 2018 (“DPA18”).
The ICO found that Zuwyco’s violations were deliberate, that the company was aware of its responsibilities and failed to take reasonable steps to prevent them – specifically, by failing to undertake rigorous checks to ensure that the personal data furnished by a third party was obtained fairly and lawfully, and by failing to screen the data against the TPS register. In determining whether to issue a monetary penalty, the ICO viewed as aggravating features the possible use of false trade names by Zuwyco; the company’s persistent denial of involvement in, and attempt to conceal, these activities; Zuwyco’s collusion with its communications service provider in an attempt to evade detection, and; the potentially high volume of calls – higher than the number identified by the ICO.
Parallel to the Monetary Penalty Notice, the ICO issued an Enforcement Notice prohibiting Ziwyco from using or instigating the use of a public electronic communications service for the purpose of making unsolicited direct marketing calls to TPS subscribers or individuals who have notified the company not to direct such calls to them. The Enforcement Notice also requires Zuwyco, when making direct marketing calls, to identify itself in accordance with the law.