General conclusions
Paragraphs 81 to 87 of the Tribunal’s reasons set out a number of “general conclusions” which included findings of fact. Unless corroborated, the Tribunal treated Mr Budhdeo’s evidence with scepticism because “his credibility as a witness has been diminished by his misleading answers concerning his directorship of Equitable Sustainable Housing Limited…[his] explanation, when presented with contradictory evidence, also lacks credibility” (paragraph 82(vii)). Mr Budhdeo initially denied being a director of that company and said that the ‘S Budhdeo’ recorded as a director by Companies House was his brother. When subsequently presented with evidence which showed this to be incorrect, Mr Budhdeo said that he had originally forgotten that he was a director of this company.
In relation to the documentation seized from the Premises, the Tribunal found that the Commissioner’s evidence lacked “important details about the nature of the personal data concerned, not least an accurate calculation of the number of documents recovered”. The Appellant’s solicitor’s audit was a “more reliable source of information”. The Tribunal accepted the audit’s finding that 73,710 documents were seized by the MHRA, of which 12,491 contained personal data and 53,871 special category personal data (paragraph 81 of the Tribunal’s reasons). Unsurprisingly, the Tribunal left out of account the documents that contained no personal data.
The Tribunal rejected the Appellant’s argument that most of the documents seized originated from care homes, rather than the Appellant. Mr Budhdeo’s evidence was that, since Joogee Pharma became responsible for collecting and destroying waste medicines, it had used the Premises for that purpose (paragraph 82(i) of the Tribunal’s reasons). The Appellant did not dispute that much of the data recovered related to care home residents nor that the documents themselves were generated by the Appellant’s pharmacies (paragraph 82(ii)). Since some data dated back to 2016, and Mr Budhdeo said Joogee Pharma securely destroyed data within 28 days of receipt, his case was that several care homes, acting independently, recently supplied Joogee with many documents dating back to 2016. This was inherently unlikely, and a “more likely explanation” was “that this is the result of data protection failures by [the Appellant] and/or [Joogee Pharma]” (paragraph 82(iii), (iv)).
The Tribunal found that, for the purposes of the GDPR, the Appellant was the controller of data processed by Joogee Pharma, for the following reasons:
Joogee Pharma’s only stated purpose was to collect medicinal waste on behalf of the Appellant who admitted that these “activities on its behalf constitutes data processing in relation to which [the Appellant] is the controller and [Joogee Pharma] the processor” (paragraph 82(viii) of the Tribunal’s reasons);
Mr Budhdeo gave evidence that the Appellant “stipulates the processes [Joogee Pharma] must follow, describing [its] collection activities as robotic…[and]…confirms that [its] waste disposal agreement with [the Appellant] did not distinguish between personal data and non-data”. The Tribunal found that “[the Appellant] was determining the purposes and means by which any personal data collected by [Joogee Pharma] would be processed” (paragraph 82(viii));
the argument that Joogee Pharma departed from the Appellant’s stipulated processes and thereby assumed the role of controller was rejected. Joogee Pharma “remained the processor rather than the controller of the data it processed”. Article 5(2) of the GDPR provides for the controller to retain responsibility for ensuring compliance with the Article 5(1) principles. While a “tipping point” may be reached, when the processor’s departure from agreed policies “becomes an arrogation of the controller’s role”, this did not happen. Mr Budhdeo was the sole director and shareholder of both companies and “appears to have been responsible for deciding which waste disposal processes [Joogee Pharma] would adopt as [the Appellant’s] agent”. Since the arrangement between the companies was not, before the MHRA’s search, committed to writing and the Appellant’s data processing policies remained incomplete, even after the MHRA’s search, there was “no basis upon which to conclude that [Joogee Pharma] departed to a material extent from any tangible data processing instructions it had received from [the Appellant]” (paragraph 82(ix)).
In relation to GDPR breaches, the Tribunal found as follows:
Joogee Pharma allowed some documents containing data processed on behalf of the Appellant to be stored in unlocked crates in an outside yard. Some documents became wet, and the yard was not an appropriately secure area. Joogee Pharma’s methods of data storage “did not afford sufficient protection against accidental loss or destruction”, and “this was a breach of the integrity and confidentiality requirements of Article 5(1)(f) [of the GDPR] for which [the Appellant] retained responsibility by virtue of Article 5(2)” (paragraph 83 of the Tribunal’s reasons);
at the date of the MHRA’s search, Joogee Pharma “was storing personal data in a form that permitted identification of data subjects for longer than necessary”, shown by the presence of data that was more than two years old. The Tribunal was “satisfied that the retention of this data by [Joogee Pharma] was a breach of the storage limitation requirements of Article 5(1)(e), for which [the Appellant] also retained responsibility by virtue of Article 5(2)”. The Tribunal also found that, apart from Mr Budhdeo’s testimony, there “was no contemporaneous evidence adduced to show when and how [Joogee Pharma] securely destroyed personal data on [the Appellant’s] behalf” (paragraph 84);
the Appellant’s “failure to devise adequate data processing policies contributed to [Joogee Pharma’s] breaches”. In particular, the absence of a retention policy and the lack of a clear explanation of the data destruction processes that Joogee Pharma was required to follow “must have contributed to [Joogee Pharma’s] breaches as it was provided with no appropriate procedures to follow” (paragraph 85);
contrary to Article 24(1) “[the Appellant] failed to implement appropriate and organisational measures to ensure that [Joogee Pharma’s] processing was performed in accordance with the GDPR” (paragraph 86);
the failure to implement such measures was also a breach of Article 32 of the GDPR “in that [the Appellant] failed to implement appropriate measures to ensure a level of security appropriate to the risks” (paragraph 86);
the Appellant accepted that “it breached the requirements of Articles 13 and/or 14 in relation to the provision of information in its Privacy Notice” (paragraph 87).
- The decision of the Upper Tribunal is to refuse this appeal. The decision of the First-tier Tribunal, taken on 9 August 2021, under file reference EA/2020/0065/V, did not involve an error on a point o
[2023] UKUT 132 (AAC)