Penalties
Data Protection Commission Case Studies
Marketing offences by MTS Property Management Limited – prosecution
We received a complaint in February 2013 from an individual who received marketing SMS messages from MTS Property Management Limited advertising the company’s property-management services. The complainant informed us that she had dealt with the company on one occasion over five years previously but she did not consent to her mobile phone number being used for marketing purposes. She also pointed out that the SMS messages that she received did not provide her with a means of opting out.
Our investigation of this complaint became protracted as the company denied knowledge of the mobile number to which the SMS messages were sent and it denied knowledge of the account holder of the sending phone number. However, our investigation established sufficient evidence to satisfy itself that MTS Property Management Limited was responsible for the sending of the marketing SMS messages to the complainant. We decided to prosecute the offences.
MTS Property Management Limited had come to our attention previously in the summer of 2010 when two individuals complained about unsolicited marketing SMS messages sent to them without consent and without the inclusion of an opt-out mechanism. Following the investigation of those complaints, we warned the company that it would likely face prosecution if it committed further offences under Regulation 13 of SI 336 of 2011 at any future time.
At Dublin Metropolitan District Court on 23 February 2015, MTS Property Management Limited pleaded guilty to one charge of sending an unsolicited marketing SMS without consent and it pleaded guilty to one charge of failing to include an opt-out mechanism in the marketing SMS. The Court convicted the company on both charges and it imposed two fines of €1,000 each. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner.
Marketing offences by Greyhound Household – prosecution
In May 2014, we received a complaint against Greyhound Household from an individual who received an unsolicited marketing phone call on his mobile telephone from the company’s sales department. The same individual had previously complained to us in December 2013 as he was receiving marketing SMS messages from Greyhound Household that he had not consented to receiving. He informed us that he had ceased being a customer of the company in May 2013. Arising from the investigation of the previous complaint, Greyhound Household had undertaken to delete the former customer’s details and it apologised in writing to him. On that basis, we concluded the matter with a formal warning to the effect that any future offences would likely be prosecuted.
On receipt of the latest complaint, we commenced a further investigation. Greyhound Household admitted that a telephone call was made to the complainant’s mobile phone number without consent but it was unable to explain why his details had not been deleted in line with the company’s previous undertaking. We decided to prosecute the offence.
At Dublin Metropolitan District Court on 23 February 2015, Greyhound Household pleaded guilty to one charge of making an unsolicited marketing phone call to a mobile phone number without consent. The Court applied Section 1(1) of the Probation of Offenders Act subject to the defendant making a charitable donation of €1,000 to Pieta House. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner.
Marketing offences by Imagine Telecommunications Business Limited – prosecution
In March 2015, we received a complaint against Imagine Telecommunications Business Limited from a company that had received unsolicited marketing telephone calls. The same company had previously complained to us in 2014 about repeated cold calling to its offices. Despite having submitted an opt-out request to Imagine Telecommunications Business Limited, it continued to receive marketing phone calls. Following our investigation of the first complaint, and having been assured that the phone number of the complainant company had been removed from the marketing database, we issued a formal warning to Imagine Telecommunications Business Limited that any future offences would likely be prosecuted.
On investigating the current complaint, we were informed by Imagine Telecommunications Business Limited that it had failed to mark the telephone number concerned as ‘do not contact’ on the second of two lists on which it had appeared. This led to the number being called again in March and June 2015. It stated that the only reason the number was called after the previous warning was due to this error and it said that it took full responsibility for it.
We prosecuted the offences at Dublin Metropolitan District Court on 2 November 2015. Imagine Telecommunications Business Limited pleaded guilty to one charge of making an unsolicited marketing telephone call without consent. The Court applied Section 1(1) of the Probation of Offenders Act conditional upon a charitable donation of €2,500 being made to the Merchant’s Quay Project. Prosecution costs were recovered from the defendant.
Marketing offences by Eircom Limited – prosecution
We received complaints from two individuals in February and April 2015 concerning marketing telephone calls that they had received on their landline telephones from Eircom Limited. In both cases, and prior to lodging their complaints, the individuals had submitted emails to Eircom Limited requesting that they not be called again. Eircom’s Customer Care Administration Team replied to each request and informed the individuals that their telephone numbers had been removed from Eircom’s marketing database. Despite this, each individual subsequently received a further marketing telephone call in the following months, thus prompting their complaints to this Office.
Eircom informed our investigations that the agents in its Customer Care Administration Team who handled the opt-out requests had not updated the system to record the new marketing preference after sending out the replying email to the individuals concerned. It undertook to provide the necessary refresher training to the agents concerned.
Separately, a former customer of Eircom complained in May 2013 that he continued to regularly receive unsolicited marketing phone calls from Eircom on his landline telephone despite clearly stating to each caller that he did not wish to receive further calls. He stated that the calls were numerous and that they represented an unwarranted intrusion into his privacy. Eircom continued to make a further ten marketing telephone calls to the individual after the commencement of our investigation of this complaint. Our investigation subsequently established that this former customer had received over 50 marketing contacts from Eircom since 2009 when he ceased to be an Eircom customer. Eircom explained that the continued calls arose from a misunderstanding of what systems the former customer’s telephone number was to be opted out from.
In October 2014, an Eircom customer complained that he had received a marketing SMS from Eircom that did not provide him with a means to opt out of receiving further marketing SMS messages. Eircom informed our investigation of this complaint that the inclusion of an opt-out is the norm in all of its electronic-marketing campaigns but, in this instance, and due to human error, the link to the necessary opt-out had not been set properly. Our investigation established that this error affected over 11,600 marketing messages that were sent in the campaign concerned.
We proceeded to prosecute the offences identified on foot of the complaints received in the aforementioned cases. At Dublin Metropolitan District Court on 2 November 2015, Eircom Limited pleaded guilty to six charges of making unsolicited marketing calls without consent and it pleaded guilty to one charge of sending a marketing SMS without a valid address to which the recipient may send an opt-out request. The Court applied Section 1(1) of the Probation of Offenders Act conditional on the defendant making donations amounting to €35,000 as follows: €15,000 to Pieta House, €10,000 to LauraLynn (Children’s Hospice) and €10,000 to Our Lady’s Children’s Hospital, Crumlin. The company agreed to pay the prosecution costs incurred by this Office.
Prosecutions: Private Investigators
This Office initiated prosecutions in the private investigator/tracing-agent sector for the first time in 2014. These prosecutions arose from a detailed investigation that commenced in the summer of 2013. Arising from audits carried out in a number of credit unions at that time, the Office became concerned about the methods employed by some private investigators hired by credit unions to trace the current addresses of members who had defaulted on their loans. The Office launched a major investigation to identify the sources from which the private investigators had obtained the current address data. This investigation involved a wide range of public bodies and private companies. As a result of our findings, the Office established that personal data on databases kept by the Department of Social Protection, the Primary Care Reimbursement Service of the Health Service Executive, An Garda Síochána and the Electricity Supply Board had been accessed unlawfully and the information was disclosed thereafter to credit unions. Details of the prosecutions that ensued are as follows:
M.C.K. Rentals Limited and its Directors
M.C.K. Rentals Limited (trading as M.C.K. Investigations) was charged with 23 counts of breaches of Section 22 of the Data Protection Acts 1988 and 2003 for obtaining access to personal data without the prior authority of the data controller by whom the data is kept, and disclosing the data to another person. The personal data was kept by the Department of Social Protection (7 cases) and by the Primary Care Reimbursement Service of the Health Service Executive (16 cases). In all cases, the personal data was disclosed to various credit unions in the state.
The two directors of M.C.K. Rentals Limited, Ms Margaret Stuart and Ms Wendy Martin, were separately charged with 23 counts of breaches of Section 29 of the Data Protection Acts 1988 and 2003 for their part in the offences committed by the company. This Section provides for the prosecution of company directors where an offence by a company is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, the company directors or other officers.
At Bray District Court on 6 October 2014, M.C.K. Rentals Limited pleaded guilty to five sample charges for offences under Section 22 of the Data Protection Acts 1988 and 2003. The Court convicted the company in respect of each of the five charges and it imposed a fine of €1,500 per offence. Company Secretary and Director Ms Margaret Stuart pleaded guilty to one sample charge for an offence under Section 29 of the Data Protection Acts 1988 and 2003. The Court convicted Ms Stewart in respect of that offence and imposed a fine of €1,500. Company Director Ms Wendy Martin pleaded guilty to one sample charge for an offence under Section 29 of the Data Protection Acts 1988 and 2003. The Court convicted Ms Martin in respect of that offence and it imposed a fine of €1,500.
This was the first occasion on which company directors were prosecuted by the Data Protection Commissioner for their part in the commission of data-protection offences by their company, and the proceedings in this case send out a strong warning to directors and other officers of bodies corporate that they may be proceeded against and punished in a court of law for criminal offences committed by the body corporate.
The investigation of this company uncovered wholesale and widespread “blagging” techniques used by the offenders, and this was the first prosecution by the Data Protection Commissioner of offenders engaged in such practices. The findings of the investigation carried out in this case expose the constant threat to the security of personal data that is in the hands of large data controllers and the vigilance that is required by front-line staff at all times to prevent unlawful soliciting of personal data, in particular by means of telephone contact, by unscrupulous agents. Data controllers across the state should regularly review their data-protection procedures to maximise the effectiveness of their security protocols in order to counter such criminal activity. They must ensure that all staff, and particularly those at the front line who handle telephone calls, are fully trained in the security protocols in order to be able to recognise and deal with the threat of information blagging or pretext calling if it arises.
Michael J. Gaynor
Michael J. Gaynor (trading as MJG Investigations) was charged with 72 counts of breaches of the Data Protection Acts 1988 and 2003. Twelve charges related to breaches of Section 22 of the Data Protection Acts for obtaining access to personal data without the prior authority of the data controller by whom the data is kept, and disclosing the data to another person. The personal data was kept by the Electricity Supply Board (9 cases) and by An Garda Síochána (3 cases). In all cases, the personal data was disclosed to various credit unions in the state. A further 60 charges related to breaches of Section 16(2) of the Data Protection Acts in respect of the processing of personal data of a number of individuals in circumstances where no record was recorded in respect of the accused in the public register maintained by the Data Protection Commissioner. Mr Gaynor is a former member of An Garda Síochána.
On 25 November 2014, at Dublin Metropolitan District Court, Michael J. Gaynor was convicted on two charges for offences under Section 22 of the Data Protection Acts 1988 and 2003. The Court imposed a fine of €2,500 in each of these two charges. Separately the defendant pleaded guilty to 69 charges (60 of which related to breaches of Section 16(2)) and these were taken into consideration in the sentence imposed.
This was the first prosecution to be completed by the Data Protection Commissioner of a data processor for processing personal data without having registered as a data processor on the public register of the Office of the Data Protection Commissioner. The investigation in this case uncovered access by the defendant to customer data held on databases held by the Electricity Supply Board. To access the personal data, the defendant used a staff contact in the Electricity Supply Board, which he had established during his previous Garda career.
These prosecutions send a strong message to private investigators and tracing agents to comply fully with data-protection legislation in the conduct of their business, and that if they fail to do so they will be pursued and prosecuted for offending behaviour. They also serve to remind all companies and businesses who hire private investigators or tracing agents that they have onerous responsibilities under the Data Protection Acts to ensure that all tracing or other work carried out on their behalf by private investigators or tracing agents is done lawfully. Specifically, in this regard, those operating in the credit union, banking, financial services, legal and insurance sectors should review their engagement of private investigators and tracing agents to ensure they have fully safeguarded all personal data against unlawful forms of data processing.
These investigations uncovered serious issues in relation to the hiring of private investigators or tracing agents by credit unions, particularly in respect of a lack of awareness on their part of how the private investigators were tracing members and, in some cases, in relation to the disclosure of PPS numbers by credit unions to private investigators. This Office has pursued all of these issues with the credit unions concerned and with their representative bodies in recent months. In addition, we have undertaken a range of follow-up work with the Department of Social Protection, the Health Service Executive, An Garda Síochána and the Electricity Supply Board on the implications of the data-security breaches that occurred in their organisations and on the measures required to deal with those breaches and to prevent a recurrence. This Office welcomes the fact that the Private Security Authority has proposed the introduction of regulation of private investigators.
Prosecutions: Marketing Offences
Pure Telecom Limited
We received a complaint in March 2013 from an individual who received two marketing phone calls from Pure Telecom Limited on his landline telephone. The individual’s telephone number was listed on the National Directory Database opt-out register. It is an offence to make a marketing call to a telephone number listed on that register.
Pure Telecom Limited informed our investigators that it used the services of a third-party representative to make the marketing calls and it explained that the agent sourced the individual’s number themselves rather than using marketing data provided by Pure Telecom Limited. The company admitted that the third-party agent did not have consent to contact the complainant for marketing purposes.
At Dublin District Court on 3 February 2014, Pure Telecom Limited pleaded guilty to two charges concerning breaches of Regulation 13 (5)(b) of S.I. 336 of 2011 relating to two marketing phone calls to a phone number listed on the opt-out register. The Court imposed a conviction in respect of both charges and a fine of €500. It further ordered payment of the prosecution costs of the Data Protection Commissioner. The hearing was informed that the defendant had a previous conviction from 2010 for a similar offence.
Next Retail Limited
In February 2013, this Office received a complaint from an individual who received a number of unsolicited marketing emails from Next Retail Limited after she requested the company not to send her any more such emails. The complainant claimed to have unsubscribed firstly by using the unsubscribe link that was provided in a marketing email sent by the company and, following this, in four separate emails to the company requesting not to be contacted with marketing emails again.
Next Retail Limited informed our investigators that as it no longer used the services of the company that it had engaged to process unsubscriptions it was unable to explain what happened to the first unsubscribe request. With regard to the emails containing unsubscribe requests, the company confirmed that they did reach its complaints inbox but it was unable to trace where the emails went afterwards.
At Dublin District Court on 3 February 2014, Next Retail Limited pleaded guilty to two charges concerning breaches of Regulation 13(1) of S.I. 336 of 2011 relating to the sending of two unsolicited marketing emails without consent. The Court imposed a conviction in respect of one charge, with the second charge taken into consideration. A fine of €100 was imposed. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner.
Next Retail Limited subsequently appealed the severity of the sentence. On 19 March 2014, the Circuit Court affirmed the conviction and penalty previously imposed by the District Court and it noted the appellant’s intention to discharge the Data Protection Commissioner’s reasonable costs for the appeal.
Airtricity Limited
In May 2013, this Office received a complaint against Airtricity Limited from a person who received an unsolicited marketing phone call on his landline telephone, which was listed on the National Directory Database opt-out register. The complainant informed us that the purpose of the marketing call was to encourage him to switch energy supplier to Airtricity.
In response to our investigation, Airtricity admitted that the phone call had been made by a third-party contractor acting on its behalf. It explained that the error occurred when an old PC, on which the 2009 phone book was installed, was re-commissioned by the contractor. A spreadsheet containing the complainant’s phone number was still on the old PC and this led to the number being dialled in error.
At Dublin District Court on 3 February 2014, Airtricity Limited pleaded guilty to one charge concerning a breach of Regulation 13(5)(b) of S.I. 336 of 2011 relating to one marketing phone call to a phone number listed on the opt-out register. The Court imposed a conviction in respect of the charge and a fine of €75. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner.
The Carphone Warehouse Limited
In March 2013, we received a complaint from a customer of The Carphone Warehouse Limited after he received marketing text messages from the company despite having ticked the marketing opt-out box when he had previously made a purchase in one of its stores. The company informed our investigators that a systems error resulted in the customer being incorrectly included in its marketing list.
In April 2013, we received a complaint from another customer of The Carphone Warehouse Limited who received regular offers by text message from the company even though he had called the company on at least three occasions, asking that it stop. The company told our investigators that its system temporarily did not recognise the customer’s preference not to receive marketing due to an internal issue within the electronic filter process and this resulted in the customer’s phone number being accidentally selected for marketing campaigns.
At Dublin District Court on 3 March 2014, The Carphone Warehouse Limited entered a guilty plea in respect of five charges concerning breaches of Regulations 13(1) and 13(4) of S.I. 336 of 2011. The court imposed convictions in respect of four charges, with the fifth charge taken into consideration. It imposed fines of €1,500 in respect of each conviction. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner. The hearing was informed that the defendant had two previous convictions from 2012 in relation to the sending of unsolicited marketing emails.
Valterous Limited (trading as Therapie Clinic and/or Therapie)
A former customer of Valterous Limited (trading as Therapie Clinic and/or Therapie) complained to this Office in June 2013 after receiving an unsolicited marketing text message despite having opted out of receiving such communications over three months earlier. Therapie explained to our investigators that the complainant’s contact details were on systems in two branches and that when the opt-out request was made the company removed their details from one database and did not realise they were also on another one, thus leading to a further unsolicited text message being sent to the same contact number.
In July 2013, we received a complaint from another former customer of Therapie who had received marketing text messages on several occasions. The complainant informed us that she sent a text message to opt out but the company continued to send her further marketing text messages. Our investigation found no evidence that Therapie had obtained consent at any time for the sending of marketing text messages to this individual. In relation to the sending of text messages after the former customer had opted out, Therapie explained that the individual should have texted the word “STOP” rather than the word “OPTOUT” at the time of attempting to opt out of the marketing database. We did not accept this as a valid excuse as the opt-out instruction on the marketing text message sent to the individual read “OptOut:086…….”.
At Dublin District Court on 3 March 2014, Valterous Limited (trading as Therapie Clinic and/or Therapie) pleaded guilty in relation to three charges concerning breaches of Regulation 13(1) of S.I. 336 of 2011 concerning the sending of unsolicited marketing text messages without consent. The Court imposed convictions in respect of two charges, with the third charge taken into consideration. It imposed fines of €1,500 in respect of each conviction. The defendant agreed to pay the prosecution costs of the Data Protection Commissioner. The Court was told that in 2012 Therapie Laser Clinics Limited (trading as Therapie Clinic and/or Therapie) was convicted for two offences in relation to the sending of unsolicited marketing text messages.
Prosecutions – Marketing Offences
GENERAL
Four Star Pizza (Ireland) Limited
This Office received a number of complaints from individuals regarding unsolicited text messages sent by Four Star Pizza (Ireland) Limited without the consent of the recipients and in some cases without the inclusion of an opt-out facility. The majority of the complainants informed us that they began to receive the unsolicited marketing text messages after placing orders in different Four Star Pizza stores. We had previously formally warned Four Star Pizza (Ireland) Limited that, if further offences were committed, the Commissioner would take prosecution action.
In response to our investigations of the complaints, Four Star Pizza (Ireland) Limited admitted that it had not obtained valid consent to send marketing text messages to the complainants. It was clear that, despite the warning issued to Four Star Pizza (Ireland) Limited, it had not put adequate procedures in place to ensure compliance with the marketing regulations. The Commissioner decided to proceed to prosecution.
At Dublin District Court on 10 June 2013, Four Star Pizza (Ireland) Limited pleaded guilty to six charges under Regulation 13(1) of SI 336 of 2011 for the sending of unsolicited marketing text messages without consent. The Court applied the Probation of Offenders Act and ordered that Four Star Pizza (Ireland) Limited pay €4,000 to Temple Street Children’s Hospital in lieu of a conviction. The Office’s prosecution costs were also recouped from the defendant.
Levet Limited T/A Fast Fit
This Office received a complaint in relation to the sending of unsolicited text messages by Levet Limited T/A Fast Fit. The Office had previously sent a formal warning to Levet Limited T/A Fast Fit in relation to its marketing operations.
In response to our investigations, Fast Fit admitted it did not have any evidence that it had obtained valid consent to send marketing text messages to the individual concerned. The Commissioner decided to prosecute Levet Limited T/A Fast Fit.
At the Dublin District Court on 22 April 2013, Levet Limited T/A Fast Fit pleaded guilty to one charge of sending an unsolicited marketing text message. The Court ordered the defendant to contribute €2,000 to the Jack and Jill Foundation and it applied the Probation of Offenders Act. The defendant agreed to pay the Office’s prosecution costs.
Wexford Arts Centre
We received a complaint from an individual regarding an unsolicited marketing text message he received from Wexford Arts Centre. This message did not contain an opt-out mechanism for the recipient to opt out of the marketing database. In response to our investigation, Wexford Arts Centre informed us that, due to a combination of human error and technical difficulties, the marketing text message did not contain an opt-out. It told us that it had now removed the phone number from its database. On this basis, Wexford Arts Centre was issued with a formal warning with regard to its future marketing activities.
The same individual subsequently made a new complaint to this Office as he received yet another unsolicited marketing text message from Wexford Arts Centre despite being informed his number had been removed three months earlier. On this occasion, Wexford Arts Centre informed us that it had removed this individual’s phone number but, due to human error, those changes had not saved correctly. The Commissioner decided to prosecute Wexford Arts Centre in relation to two offences:- failure to include an opt-out facility in a marketing text message (in respect of the first complaint) and sending an unsolicited marketing text message without consent (in respect of the second complaint).
At Wexford District Court on 22 July 2013, Wexford Arts Centre Limited entered a guilty plea in relation to both charges. The Court convicted Wexford Arts Centre Limited on one charge, it took the second charge into consideration and it imposed a fine of €500. The Court also ordered the defendant to pay €1,000 to this Office in respect of its prosecution costs.
Patrick Fox Hypnotherapy Limited
This Office received a complaint from an individual regarding an unsolicited marketing text message received from Patrick Fox Hypnotherapy Limited, a hypnotherapy clinic in Co. Meath. The marketing text message did not include an opt-out facility for the recipient to remove their number from the marketing database. The complainant informed us that she attended the clinic over three years previously and that she subsequently requested that her mobile number be deleted from its marketing contact list. We had previously sent a warning to Patrick Fox Hypnotherapy Ltd following a complaint from another individual. In that previous case, the complainant informed us that she received a marketing text message after placing an advertisement (unrelated to hypnotherapy services) containing her phone number in a local newspaper in the West of Ireland. That individual had no previous dealings with Patrick Fox Hypnotherapy Clinic.
In response to our investigation of the current complaint, Patrick Fox Hypnotherapy Clinic informed us that the text message in question was not intended as a marketing text message. However, it was clear to this Office that the message was marketing in nature as it offered discounts and promoted its range of treatments. The Commissioner decided to prosecute the case in light of the company’s failure to heed the formal warning.
At Trim District Court on 26 September 2013, Patrick Fox Hypnotherapy Limited pleaded guilty in relation to the sending of an unsolicited marketing text message. The Court imposed a conviction and a fine of €1,000 on Patrick Fox Hypnotherapy Limited in relation to the sending of an unsolicited marketing text message without consent and it ordered the defendant to pay prosecution costs of €2,009.
Lex Software Limited T/A Legal and General Software
This Office received two complaints with regard to unsolicited marketing emails received from Lex Software Limited T/A Legal and General Software. One of the complainants had made a complaint to this Office about the same entity previously, having received unsolicited marketing emails from it in 2011. On that occasion Lex Software Limited T/A Legal and General Software was issued with a formal warning from us with regard to compliance in its future marketing activities.
In relation to the two current complaints, Lex Software Limited T/A Legal and General Software informed us that the complainants received unsolicited marketing emails due to human error. The Commissioner decided to prosecute the offences.
At Dublin District Court on 14 October 2013, a guilty plea was entered by the company on two charges – one for sending an unsolicited marketing email without consent and the second for failing to include in a marketing email a mechanism for opting out. The Court imposed a conviction in relation to both offences and it imposed fines of €200 on each offence. The defendant also covered this Office’s prosecution costs.
Hanford Commercial Limited T/A The Maldron Hotel, Wexford
A complaint was received in this Office from an individual who informed us that he received an unsolicited marketing text message on his company mobile phone from Hanford Commercial Limited T/A The Maldron Hotel, Wexford. This occurred despite this Office being assured, on foot of a previous complaint from the same person three years previously, that the mobile phone number was removed from the company’s database.
In response to our investigation, Hanford Commercial Limited T/A The Maldron Hotel, Wexford informed us that this error occurred due to a technical error whereby a manual block put on the complainant’s number in 2010 did not carry through to a new account it had set up with its text service provider, Zamano. The Commissioner decided to prosecute Hanford Commercial Limited T/A The Maldron Hotel, Wexford for an offence under Regulation 13(4) of SI 336 of 2011.
On 14 October, 2013 at Dublin District Court, Hanford Commercial Limited T/A The Maldron Hotel, Wexford pleaded guilty to the sending of an unsolicited marketing text message to the complainant’s company mobile phone. The Court convicted Hanford Commercial Limited T/A The Maldron Hotel, Wexford and it imposed a fine of €200. The prosecution costs were recovered by this Office from the defendant company.
Cherryhill Inns Limited T/A The Oliver Plunkett Bar, Cork
A complaint was received from an individual who received an unsolicited marketing email from Cherryhill Inns Limited T/A The Oliver Plunkett. The same individual had cause to complain to this Office regarding unsolicited marketing text messages she received from the same company over a year previously which she could not opt out of. In that previous instance, the company informed us that the complainant had signed up to receiving marketing messages and it produced a ‘sign up’ sheet which had her details entered on it. Having examined the sheet, the complainant informed us that she did not enter her details on it and that the handwriting on it was not hers. During that investigation the company agreed to remove the individual’s contact details and it was issued with a formal warning by this Office with regard to compliance in its future marketing operations.
It was clear from the investigation of the current complaint from the same person that the company did not properly remove her contact details from its database. The Commissioner decided to prosecute the company. At Cork District Court on 22 October, 2013 Cherryhill Inns Limited T/A The Oliver Plunkett pleaded guilty to three charges relating to the sending of an unsolicited marketing text message without consent, the sending of an unsolicited marketing email without consent and the sending of an unsolicited marketing text message without an opt out mechanism. The Court applied the Probation of Offenders Act conditional upon a charitable donation of €750 being made to the Cork Simon Community in respect of each of the three charges. Prosecution costs were recovered from the defendant.
Bord Gáis Éireann
We received a complaint from an individual regarding an unsolicited marketing email he received from Bord Gáis Éireann. This Office had previously issued Bord Gáis Éireann with a warning following the investigation of a complaint concerning unsolicited marketing phone calls made to an individual without his consent.
In response to our investigation, Bord Gáis Éireann informed us that, due to a manual error, an incorrect data file was used to send out the marketing email and, as a result, over nine hundred customers who had previously opted out of marketing communications were affected.
On 22 October 2013 at Cork District Court, Bord Gáis Éireann pleaded guilty to sending an unsolicited marketing email. The Court applied the Probation of Offenders Act conditional upon a charitable donation of €750 being made by the company to The Society of St. Vincent de Paul. Prosecution costs were recovered from the defendant.
Kearys of Cork
A complaint was received in the Office from an individual who received an unsolicited marketing text message from Kearys of Cork which did not include an opt-out option. The complainant said that he attended Kearys of Cork to have a car door fixed but he had not signed up to receive any promotional messages. This Office had previously warned Kearys of Cork with regard to its marketing operations following the investigation of two complaints. In that warning we made it clear that we considered that the company had not obtained valid consent to send marketing communications to these individuals and we instructed it to perform a cleansing exercise on its marketing database to ensure that it was fully compliant with the marketing regulations.
In response to our current investigation, Kearys of Cork informed us that it was under the assumption that, since the complainant was an existing customer, that there was no issue in contacting him. It was apparent that the company had not taken appropriate remedial action following our previous warning with regard to obtaining valid marketing consents from customers and, accordingly, the Commissioner decided to prosecute the latest case.
On 22 October at Cork District Court, Kearys of Cork pleaded guilty to the sending of an unsolicited marketing text message. The Court applied the Probation of Offenders Act upon condition that the company make a charitable donation of €750 to the Cork Simon Community. Prosecution costs were recovered from the defendant.
TELECOMMUNICATIONS SECTOR
Eircom Ltd
We received complaints from two individuals who received unsolicited marketing phone calls from Eircom. The first complainant informed us that he had not been a customer of Eircom for many years and that he had opted out of marketing communications from the company. He made a complaint to Eircom directly and was informed that his details were removed from the telesales area and that it would not be contacting him again. Despite this assurance, Eircom phoned him for marketing purposes again, prompting him to complain to this Office. Of particular concern to us was the fact that the complainant received a further marketing phone call from Eircom several weeks after the commencement of our investigation. In fact, during the course of our investigation, we had asked Eircom on three separate occasions prior to the making of the latest call to confirm that the complainant’s number was removed from the marketing database.
Separately, a complaint was received from an individual who received a marketing phone call from an agent of Eircom on her landline number which was opted out of marketing on the NDD Opt-Out Register. On the same day, the agent called in person to her home as he was working as part of a “Feet on the Street” team. Eircom initially informed our investigation that it had no record of the call taking place. We subsequently traced the calling mobile phone number and we found that it was registered to the sales agent concerned.
In both cases, we were satisfied that Eircom did not have consent to make marketing phone calls to the individuals concerned and the Commissioner decided to prosecute Eircom for offences under Regulations 13(5)(a) and 13(5)(b) of SI 336 of 2011. Eircom pleaded guilty to two charges at Dublin District Court on 2 December, 2013. The Court imposed two convictions and it fined the company €1,500 on both charges. The company agreed to pay the prosecution costs incurred by this Office.
Meteor Mobile Communications Ltd (T/A Meteor)
This was the second successive year that Meteor was prosecuted by the Data Protection Commissioner for marketing offences. Having successfully prosecuted Meteor on 3 December, 2012 (see Case Study 12 in Annual Report 2012) a further offence was committed by Meteor on the following day by the sending of an unsolicited marketing text message to a customer whose mobile phone had been confirmed as having been opted out in November 2012. The individual also produced a copy of his original contract showing that he had opted out of receiving SMS marketing communications from Meteor.
The second case also involved a customer being sent unsolicited marketing text messages. In this case, the customer opted out of marketing in October 2012 and he received confirmation of his opt out from Meteor in November 2012. Despite that, he subsequently received three marketing text messages from Meteor. At the Dublin District Court on 2 December 2013, Meteor pleaded guilty to three charges of breaching Regulation 13(1) of SI 336 of 2011. The Court imposed three convictions and it fined the company €3,000 in respect of each of three charges. The company agreed to pay the prosecution costs incurred by this Office.
Telefónica Ireland Limited T/A O2
Two complaints were made to this Office in January 2013 from customers of O2 who received marketing text messages from O2 despite being opted out of marketing communications. During the course of our investigation of these complaints, O2 admitted that, due to an incorrect application of its consent for marketing rules, over 78,000 customers were sent marketing text messages in contravention of their marketing preferences.
In a separate complaint, an individual reported that he had received a marketing email in December 2012 from O2 to his email address which had been opted out of marketing communications from the company in April 2011. O2 informed our investigation that the agent who dealt with the opt-out request had processed the request on only one of two accounts held by the customer and that this led to him receiving a subsequent marketing email. At the Dublin District Court on 2 December, 2013 the company entered a guilty plea in respect of three charges for offences under Regulation 13(1) of SI 336 of 2011. In lieu of convictions, the Court ordered the defendant to make charitable donations of €2,000 to the Irish Wheelchair Association, €2,000 to the Children’s Hospital, Crumlin and €2,000 to Pieta House. The company agreed to pay the prosecution costs incurred by this Office.
Vodafone
We received several complaints against Vodafone in 2012 and 2013. One customer reported to us in November 2012 that he had received a marketing phone call on his mobile phone despite it having been opted out of receiving marketing calls. The same customer had previously complained to us in February 2012 about receiving marketing calls from Vodafone and during the course of that investigation Vodafone confirmed to us in April 2012 that the customer’s mobile number was now opted out. During the course of our investigation of this customer’s current complaint, Vodafone admitted that its agent was negligent in applying the opt-out reference table when constructing a marketing campaign and this led to marketing calls being made to over 2,000 customers who had previously opted out of marketing.
A customer complained to us that he received marketing text messages even though his mobile phone was not opted-in to marketing. He explained that he was a Vodafone customer for landline and broadband services only and not for mobile phone services. He informed us that he had an issue with his landline on one occasion and he gave his mobile number to Vodafone in order to have an engineer contact him. Vodafone informed us that it had opted-in the mobile phone number to marketing. It confirmed that it opted the number out of marketing on 22 May, 2012. Despite this, the individual received a further marketing text message in June 2012. Vodafone explained that this occurred because the campaign team used an outdated table.
We received a complaint in October 2012 from a Vodafone customer who received marketing phone calls to his mobile phone during that month despite having received confirmation by email from Vodafone in September 2012 that his account had been unsubscribed from all marketing calls. During our investigation, Vodafone initially denied that the calls were made. We extended our investigation and we established from the service provider used by Vodafone that the calls were made as alleged by the complainant. Despite this, Vodafone continued to deny that any breach of the Regulations had occurred. Our investigation established that five offences had been committed in this case.
In May 2013, we received a complaint from an individual who continued to receive marketing phone calls to his mobile phone even though he had written confirmation issued to him by Vodafone in September 2012 that his details were removed from its marketing database. After a four months delay, Vodafone informed our investigation that the letter issued in September 2012 confirming the opt-out preference was noted on the system by the agent who did not follow up on the opt-out action.
At the Dublin District Court on 2 December, 2013 Vodafone pleaded guilty to eleven charges – nine concerned breaches of Regulation 13(6) of SI 336 of 2011 in respect of unsolicited marketing phone calls to mobile phone and two concerned breaches of Regulation 13(1) in relation to unsolicited marketing text messages. The Court convicted Vodafone on seven charges and imposed fines of €3,000 on each charge. The Court applied the Probation of Offenders Act on four charges conditional on the defendant making donations of €3,000 to each of the following charities:- Irish Wheelchair Association, Laura Lynn Foundation, Children’s Hospital Crumlin and Pieta House. The company agreed to pay the prosecution costs incurred by this Office.
Prosecutions – Unsolicited Marketing
Advance Tyre Company Limited (trading as Advance Pitstop)
In June 2011, we received a complaint from an individual who received an unsolicited text message from Advance Pitstop in Dundrum. He informed us that he had never given his consent to receive marketing text messages from Advance Pitstop. We had previously sent a formal warning to Advance Pitstop in April 2011 informing it that, if we received any further complaints where offences were committed, we would prosecute it for those offences.
In this case, Advance Pitstop stated to us that it collected customer data via a form which customers were asked to complete in the branch. This included a tick box option for customers’ marketing preferences. Advance Pitstop was unable to find in its records a form filled out by the complainant. The complainant also insisted that he did not fill out such a form. On this basis we decided to take prosecution proceedings against Advance Tyre Company t/a Advance Pitstop under Regulation 13 (1)(b) of SI 535 of 2003 (as amended) for the sending of an unsolicited marketing text message to an individual without consent.
On 11 June, 2012, at the Dublin District Court, Advance Tyre Company Limited pleaded guilty to the sending of an unsolicited text message to the complainant without consent. The Court accepted the guilty plea and it applied the Probation of Offenders Act on condition that Advance Tyre Company Limited pay €1,000 to a charity, the Laura Lynn Foundation. Advance Tyre Company also agreed to pay the prosecution costs incurred by the Office.
Ocsas Holdings Limited (T/A The Fitzgerald Group, etc)
At the same court sitting in the Dublin District Court, Ocsas Holdings Limited faced six charges arising from a complaint we received in July 2011 regarding unsolicited text messages and emails which the complainant received from the Fitzgerald Group. He informed us that he signed up to a loyalty card called “BeneFitz” in December 2010. At the time he said he ticked a box indicating that he did not wish to receive any marketing communications from the company. Shortly afterwards, he began to receive both unsolicited marketing emails and text messages from the group. We had investigated a previous complaint regarding the Fitzgerald Group which resulted in a formal warning to it in February 2011.
The complainant emailed the Fitzgerald Group on two occasions asking to be removed from both the email and text message database of the Fitzgerald Group. He was informed by the Fitzgerald Group on both occasions in January and February 2011 that his details had been removed. However, the complainant then received further unsolicited marketing text messages in June and July 2011, prompting his complaint. It was clear to us that the Fitzgerald Group had not put proper procedures in place to ensure compliance with its obligations with regard to its marketing operations despite the previous warning.
On this basis the Commissioner decided to prosecute the Fitzgerald Group under Regulation 13(1)(b) of SI 535 of 2003 (as amended) in relation to the sending of an unsolicited marketing text message to an individual without consent.
The Court accepted one guilty plea from Ocsas Holdings Limited T/A The Fitzgerald Group, etc. The Court ordered that it pay €1,000 to the Laura Lynn Foundation and it applied the Probation of Offenders Act. Our prosecutions costs were also recouped from the defendant.
Citywest Resort Limited
In early 2012, we received two complaints from individuals regarding unsolicited text messages sent by Citywest Resort Limited (trading as the Citywest Hotel, Conference, Leisure and Golf Resort) without consent and without the inclusion of an opt out option. All marketing emails promoted the Citywest Health and Leisure Club. Both complainants informed us that they had repeatedly contacted the Leisure Club requesting to be removed from the marketing database but they continued to receive further unsolicited marketing text messages. Previously, in August 2010, we had sent a formal warning to Citywest Health and Leisure Club with regard to its future marketing activities.
In response to our investigations, the Leisure Club admitted that it could not confirm that it had consent to send marketing text messages to either complainant. It stated that the numbers were obtained from its system of all active members but that they should not have been included in the marketing campaign. It also informed us that it was not aware that the opt-out option should have been included in the original text message as it always sent a follow up opt out text message.
Having probed this matter further with the service provider who sent the text messages on the Leisure Club’s behalf, there was no evidence to suggest that a follow up opt out message was sent to the complainants. The complainants also informed us that they did not receive such follow up opt out messages. It was clear to us that Citywest Health and Leisure Club had not heeded our previous warning letter of August 2010. The Commissioner decided, therefore, to take prosecutions against Citywest Resort Limited in relation to these offences.
On 19 November 2012, Citywest Resort Limited faced forty six charges at the Dublin District Court. It pleaded guilty to the sending of unsolicited marketing text messages to the two complainants without consent. Citywest Resort Limited was convicted on two counts and a fine of €1,000 was imposed. The prosecution costs were recovered from the defendant.
Therapie Laser Clinics Ltd
In 2010 we received a number of complaints about Therapie Laser Clinics Ltd in relation to the sending of unsolicited marketing text messages without consent and without an opt out facility. In some cases, the marketing messages promoted a sister company, Optilase. Following our investigation, Therapie assured us at the time that it would remove each complainant’s mobile phone number from its database. We issued a formal warning to Therapie in early 2011 to the effect that any further offences committed would be prosecuted.
In 2012 we received two further complaints regarding unsolicited marketing text messages sent by Therapie. One of the complainants was among those who complained in 2010 in relation to the issues described above. The second complainant stated that he had never given his mobile phone number to Therapie previously.
In response to our investigation, Therapie informed us in March 2012 that it was unable to confirm whether marketing text messages were sent to one complainant’s phone as it could not see the number on its system. We requested information from Therapie’s text service provider in relation to the text messages sent to the complainant. It informed us that Therapie had sent it an email requesting that the complainant’s number be removed form the database. This email was sent on the very same date on which Therapie informed us that it could find no record of the complainant’s number.
The Commissioner decided to prosecute Therapie on eight charges. In the Dublin District Court, the defendant entered a guilty plea on four charges. The Court convicted the defendant on two charges and it took two charges into account. It imposed a total fine of €4,000. The prosecution costs were recovered from the defendant.
Mobile Phone Companies
On 3 December 2012, we prosecuted the following companies at the Dublin District Court.
Meteor Mobile Communications Limited (T/A Meteor)
On the basis of one complaint from a member of the public we summoned Meteor Mobile Communications Limited on seven charges. The company pleaded guilty to one charge of sending an unsolicited marketing text message without consent. Meteor stated that due to human error the normal protocols were lifted in relation to a particular marketing campaign. This resulted in the complainant receiving an unsolicited marketing text message despite being previously opted out.
Of significant concern was the fact that Meteor admitted that unsolicited marketing text messages were sent to between 11,000 and 18,500 individuals due to this human error.
The Court ordered Meteor to make a charitable donation of €5,000 to the Children’s Hospital in Temple Street and the Probation of Offenders Act was applied. The prosecution costs were recovered from Meteor.
Hutchison 3G Ireland Limited
Hutchison 3G Ireland Limited (Three) entered guilty pleas in respect of three out of seven charges for offences concerning an unsolicited marketing text message, an unsolicited marketing email and an unsolicited marketing phone call to different individuals.
In the first case, the complainant received an unsolicited text message to his mobile phone number. This person had previously opted out of receiving marketing communications from Three.
In the second case, the complainant was a former customer of Three who had requested that no direct marketing contact be made to her in any form. Due to what was described as a coding error an unsolicited marketing email was sent to the complainant without consent.
In the third case, the complainant had opted out of receiving marketing phone calls. He received a marketing phone call from a representative on behalf of Three.
The Court ordered Hutchison 3G Ireland Limited to donate €2,500 to the Children’s Hospital in Crumlin and the Probation of Offenders Act was applied. The Office’s prosecution costs were recovered from the defendant.
The Carphone Warehouse Limited
The Carphone Warehouse Limited entered guilty pleas in respect of two out of ten charges relating to the sending of unsolicited marketing emails to two individuals.
In both cases the complainants received unsolicited direct marketing emails without having been opted in to receive same.
The Court convicted The Carphone Warehouse Limited on both counts and it imposed a fine of €1,250 in each case. The prosecution costs were recovered from the defendant.
Stolen Laptops – Phone Companies Prosecuted For Loss of Personal Data
In the first prosecution case of its kind in Ireland, two telecommunications companies, Eircom and Meteor, appeared in the Dublin District Court in September 2012 to face charges relating to the loss of customer personal data which was stored on two unencrypted laptops, which had been stolen several months previously.
Background
A data breach report was received by this Office on 2 February 2012 from Eircom and Meteor. Regulation 4(6) of SI 336 of 2011 obliges telecommunications companies to notify the Data Protection Commissioner of personal data breaches without undue delay. This Regulation also obliges telecommunications companies to notify affected individuals of a data breach where the said breach is likely to adversely affect their personal data or privacy. The breach report informed us that two unencrypted laptops had been stolen from Eircom’s offices at Parkwest in Dublin between 28 December, 2011 and 2 January, 2012.
The report confirmed that the stolen laptops contained information relating to customers, including personal data. It indicated that the number of affected customers were 454 in the case of Meteor and 6,597 in the case of eMobile. The theft of the laptops was discovered on 3 January, 2012 and the matter was reported to the Gardai (national police force) on 4 January, 2012. The breach report was made thirty days after the laptops were reported as stolen. An updated breach report was submitted on 15 March, 2012. This followed intensive contact between ourselves and eircom/Meteor including two meetings on site. The report indicated that, following a second phase of internal investigation, it was found that the number of affected customers was greater than previously reported. The revised figures were 3,944 Meteor customers and 6,295 eMobile customers.
Eircom (trading as eMobile)
6,295 eMobile customers were affected by the data breach. In relation to 142 of these cases, the personal data in question was in the form of customer application forms including proof of identity (e.g. copy of passport, driving licence, national identification, bank account/credit card details, financial statements and utility bills).
The other 6,153 cases contained details such as name, address, telephone and account number. The process of Eircom notifying its affected customers by letter began on 10 February 2012 (38 days after the laptops were reported stolen). A large number of affected customers were notified for the first time on 20 March, 2012 (77 days after the laptops were reported stolen). Letters included an apology to customers for the loss of their personal data. At our request, Eircom notified the banks of the breach via the Irish Banking Federation on 9 February, 2012.
Meteor
3,944 Meteor customers were affected by the data breach. In relation to approx 1,244 of these cases the personal data in question was in the form of proof of identity documents (e.g. copy of passport, driving licence, national identification, Bank Account/Credit Card details, financial statements and utility bills). The other 2,700 cases approx contained details such as name, address and telephone and account number. The process of Meteor notifying its affected customers by letter began on 10 February 2012 (38 days after the laptops were reported stolen). An update of the 10 February, 2012 letter was issued on 20 March, 2012. A large number of affected customers were notified for the first time on 16 March, 2012 (73 days after the laptops were reported stolen). Letters included an apology to customers for the loss of their personal data. At our request, Meteor notified the banks of the breach via the Irish Banking Federation on 9 February, 2012.
Data Security
In relation to the electronic communications services sector, Regulation 4(1) of SI 336 of 2011 places an obligation on providers to take appropriate technical and organisational measures to safeguard the security of their services. Regulation 4(2) details some requirements specific to the electronic communications services sector. It provides that the measures to ensure the level of security shall at least ensure that personal data can be accessed only by authorised personnel for legally authorised purposes, protect personal data stored or transmitted from access or disclosure and ensure the implementation of a security policy with respect to the processing of personal data. We published a comprehensive guidance note on data security on our website in August, 2010.
This included guidance to the effect that encryption is considered an essential security measure where personal data is stored on a portable device or transmitted over a public network. Encryption is the method of converting data from a readable format to an unreadable or unintelligible format so that unauthorised persons are unable to access the data. On a portable device such as a laptop, encrypting data is a method of securing the data to protect it from access by unauthorised persons in the event that the device on which the data is stored comes into the possession of unauthorised persons.
Following this breach, the Eircom Group identified approximately 160 laptops which were not encrypted. All unencrypted laptops were encrypted by 24 February, 2012.
Breach Notification
This Office considers that data breaches of this nature should normally be reported to us within two working days of the data controller becoming aware of the incident. This has been our stated position since a data security breach Code of Practice was published in July 2010. Once we are notified of a breach we can quickly advise the data controller of what steps to take, what areas to focus on, how best to notify affected parties quickly, whether other bodies such as banks need to be informed of the breach, etc. Notification of a data breach to affected individuals quickly is also critical and essential as it allows them to take remedial action to protect themselves and their identities – particularly in cases where financial and identification documentation is stolen.
Court Hearing
At the Dublin District Court on 10 September, 2012 guilty pleas were entered on behalf of each defendant, Eircom and Meteor, in relation to three charges each in respect of offences under Regulation 4(1), Regulation 4(6)(a) and Regulation 4(6)(b) of SI 336 of 2011. These charges related to the failure to protect the personal data on the laptops by means of encryption, the failure to notify the Data Protection Commissioner of the data breach without undue delay and the failure to notify the affected customers of the data breach without undue delay.
After hearing the prosecution evidence, the Court was satisfied that the prosecution case was proven. The Court applied Section 1(1) of the Probation of Offenders Act, conditional upon a charitable donation of €15,000 being made by each Defendant to charities nominated by the Court – the Laura Lynn Foundation in the case of Eircom and Pieta House in the case of Meteor. This Office also recovered from the defendants the legal costs arising from the prosecution.
Prosecution of Jackie Skelly Fitness for unsolicited marketing text messages
My Office received complaints from two individuals regarding unsolicited marketing text messages which they received in the spring of 2008 from Map Dance Limited, trading as Jackie Skelly Fitness. One complainant was a former customer of Jackie Skelly Fitness and the other was an existing customer. Both complainants informed me that they had not consented to receiving marketing text messages from this company. Furthermore, the marketing text messages did not contain an opt-out facility as required.
As part of my Office’s investigation into the matter, we sought the traffic records from the third party company used to send the messages on behalf of Jackie Skelly Fitness to the complainants’ mobile phones. We did this to confirm that the messages were sent by Jackie Skelly Fitness and to establish the content of those messages.
The traffic records which we obtained showed that Jackie Skelly Fitness had sent the marketing text messages in question and that the messages did not contain an opt-out facility as required by the regulations in Statutory Instrument 535 of 2003. Following my Office’s investigation, I was satisfied that offences had been committed and I decided to exercise my powers to prosecute Jackie Skelly Fitness in respect of those offences.
In April 2009, at Dublin Metropolitan District Court, Jackie Skelly Fitness pleaded guilty in respect of one charge related to the sending of an unsolicited marketing text message to a customer without consent, in contravention of Regulation 13(1)(b) of S.I. 535 of 2003. The Court recorded a conviction and it imposed a fine of €1,750. Jackie Skelly Fitness also pleaded guilty in respect of one charge related to the sending of a marketing text message to a former customer which did not contain a valid address to which the recipient could send an opt-out request, in contravention of Regulation 13(8) of S.I. 535 of 2003. The Court recorded a conviction and imposed a fine of €1,500. This was the first occasion on which a conviction was recorded in respect of an offence under Regulation 13(8) for failure to include an opt-out facility in a marketing text message.
Prosecution for sending unsolicited marketing faxes
Early in 2009 I received a complaint from an individual concerning unsolicited direct marketing fax messages he had received in November 2008 and January 2009. The faxes were sent to his fax number by Prism Fax Services Ltd promoting various holiday offers, competitions, hotel offers, etc. on behalf of a number of advertisers. In support of his complaint, the complainant supplied copies of the faxes he had received.
Regulation 13(1)(a) of S.I. No. 535 of 2003 (as amended) provides that marketing faxes may not be sent to individuals without their consent.
My Office commenced an investigation by contacting Prism Fax Services Ltd. It informed us that the intended recipient of the fax messages in this case was a school. However, it said that it had entered the fax number of the school incorrectly on its database and, as a result, the faxes were sent to the wrong number. It confirmed to my Office that it had now removed the incorrect fax number from its database. I was satisfied that offences had been committed by Prism Fax Services Ltd and I decided to prosecute the company in respect of those offences arising from previous interactions with it on the sending of unsolicited faxes where the legal requirements in this area were made clear.
In December 2009, in the Dublin District Court, Prism Fax Services Ltd pleaded guilty in respect of one offence under Regulation 13(1)(a) of S.I. No. 535 of 2003 and two offences under Regulation 13(1)(a) of S.I. No. 535 of 2003 (as amended), in respect of the sending of direct marketing faxes to an individual without their consent on dates in November 2008 and January 2009. The Judge accepted the guilty pleas and Prism Fax Services Ltd was convicted and fined a total of €2,250.
This was the first occasion on which I brought prosecution proceedings for an offence in respect of the sending of unsolicited marketing fax messages. Prism co-operated fully with my Office’s investigation of this matter and indicated a willingness to plead guilty at the earliest opportunity, which further assisted matters.
Prosecution of Brasserie Sixty6 for the sending of unsolicited direct marketing text messages
In July 2008 I received complaints from members of the public regarding marketing text messages that were sent to them by a Dublin based restaurant, Brasserie Sixty6. The complainants alleged that they had not consented to the receipt of the text messages.
My Office investigated the matter as it is an offence for a marketer to send a marketing text message to an individual without prior consent. In the course of our investigation, my Office contacted Brasserie Sixty6 to ascertain what consent they had to send the messages to the individuals concerned. However, Brasserie Sixty6 was unable to provide evidence of such consent. It said that some of the telephone numbers used to make reservations had been added to the marketing text messaging field, instead of the reservation field, on its computer system due to human error. It did, however, advise that those numbers were now deleted from the marketing database.
Unfortunately, one of the individuals concerned continued to receive marketing text messages after this, as his number was not removed from the marketing database as a result of human error.
I was very surprised that Brasserie Sixty6 was the subject of complaints about marketing text messages, given that only one year earlier, in July 2007, my Office had investigated several complaints against Brasserie Sixty6 in relation to direct marketing text messages. Following an investigation of those complaints, my Office found that these complainants had provided their mobile numbers in the context of making a reservation and at no stage in the collection of the numbers was their consent sought to subsequently market them. Following the 2007 investigation, I decided, in line with my normal policy in such matters, to seek to amicably resolve those complaints and not take prosecutions, as these were first offences. By way of amicable resolution, Brasserie Sixty6 had agreed to delete the database and to review its procedures for the collection, storing and use of mobile numbers. It also made a goodwill gesture of a voucher to each of the complainants.
In light of the 2007 investigation in relation to a similar issue, I deemed the subject matter of the 2008 complaints to be repeat offences and I therefore decided to bring a prosecution against Brasserie Sixty6 in relation to four offences which came to my attention.
My Office issued four summonses in the Dublin District Court in relation to these offences. These came before the court in June 2009. Home RBVR Limited, trading as Brasserie Sixty6, pleaded guilty to the charges. Following evidence given by my staff, the Judge recorded four convictions against Home RBVR Limited and imposed a total fine of €3,250.