![[2024] UKUT 105 (AAC)](https://backend.juristeca.com/files/emisores/logo_3a2BKne.png){kind=logo}
The Substituted Enforcement Notice
The Substituted Enforcement Notice
The FTT’s SEN was accordingly in the following terms:
“SUBSTITUTE DECISION NOTICE
1. By the date that is three months after the date of this decision (the “Relevant Date”), Experian must set up a system that enables it to provide all data subjects whose personal data is obtained by Experian from one or more of the Open Electoral Register, the Registry Trust Limited or Companies House (those data subjects being the “Relevant Data Subjects, and those sources together being the "Open Sources”) with a privacy notice (a “Relevant Notice”).
2. The Relevant Notice must: (i) inform the Relevant Data Subject that their personal data has been obtained by Experian and is being processed by it for direct marketing purposes, and (ii) otherwise comply with Article 14 of the UK GDPR. For the avoidance of doubt:
(a) A Relevant Notice may be provided to the Relevant Data Subject by Experian either (i) through any form of direct communication by Experian with the Relevant Data Subject (e.g. through the post or, if Experian has the relevant contact details for the Relevant Data Subject, via email or text message) or (ii) through the medium of the notifications given to Relevant Data Subjects by the Open Sources.
(b) No Relevant Notice is required to be sent where: (i) Experian has obtained personal data about the Relevant Data Subject from its CRA business, its consumer services business or from third party commercial suppliers, or (ii) Experian’s processing of the personal data of the data subject is confined to the retention or sale of the Open Electoral Register, or (iii) Experian’s processing of the personal data of the data subject relates solely to the obtaining and use of directory enquiry databases such as BT OSIS or suppression databases like the TPS, or (iv) Experian ceases to process personal data about the data subject for direct marketing purposes at any time prior to the point at which, pursuant to this Substitute Enforcement Notice, a Relevant Notice would otherwise be required to be sent to the data subject.
3. Subject to paragraph 2 above, the Relevant Notices must be sent to the Relevant Data Subjects as follows:
(a) Within twelve months of the Relevant Date, Experian must provide a Relevant Notice to all data subjects whom it identified as being Relevant Data Subjects as at the Relevant Date.
(b) In circumstances where Experian obtains personal data from the Open Sources in respect of data subjects who: (i) were not identified by Experian as having been Relevant Data Subjects as at the Relevant Date, but (ii) are identified by Experian as being new Relevant Data Subjects, Experian must provide those individuals with a Relevant Notice.
4. Nothing in this Enforcement Notice requires Experian to provide more than one Relevant Notice to a Relevant Data Subject.
5. No financial penalty is imposed.” (Emphasis in the original text.)
In his order granting the Information Commissioner permission to appeal, Upper Tribunal Judge Wikeley suspended the effect of the SEN pending the determination of this appeal.
- Heading
- THE HON. MRS JUSTICE HEATHER WILLIAMS DBE
- Hearing dates: 6-8 February 2024
- The structure of the Upper Tribunal’s decision
- Abbreviations
- Glossary
- The nature of Experian’s data processing
- The Information Commissioner’s Enforcement Notice
- Experian’s appeal to the First-tier Tribunal
- The Information Commissioner’s case before the First-tier Tribunal
- The hearing before the First-tier Tribunal
- The First-tier Tribunal’s decision
- The First-tier Tribunal’s findings
- The First-tier Tribunal’s conclusions
- The Substituted Enforcement Notice
- The Information Commissioner’s grounds of appeal to the Upper Tribunal
- The legal framework
- The Upper Tribunal’s “error of law” jurisdiction
- Adequacy of reasons
- Enforcement notices and appeals against them
- Recitals to the GDPR
- Proportionality
- The European Data Protection Board: decisions and guidelines
- Summary of relevant aspects of the transparency principle in the GDPR
- The parties’ overarching submissions
- Ground 1
- Experian’s submissions
- Alleged overarching errors: discussion and conclusions
- Alleged failure to address Article 5(1)(a) GDPR
- Alleged failure to identify the applicable standard of transparency
- The nature of the processing
- Relevance of the reasonable expectations of data subjects
- Alleged specific errors: discussion and conclusions
- Use of hyperlinks to the CIP
- Suggestion that people do not care about what happens to their data
- How the FTT addressed the reasonable expectations of data subjects
- Concluding observations on Ground 1
- Ground 2
- Experian’s submissions
- Alleged overarching error: discussion and conclusion
- Alleged specific errors: discussion and conclusions
- Article 14(5)(a) and whether the data subject already “has” the information
- The route from the third party suppliers to the CIP
- Article 14(5)(b)
- Concluding observations on Ground 2
- Ground 3
- Experian’s submissions
- Discussion and conclusions
- Ground 5
- Experian’s submissions
- Discussion and conclusions
- Conclusions