Cordery

Legal.Compliance.

Client Alert: Tribunal upholds fixed penalty for non-payment of data protection fee after “innocent mistake” (First Tier Tribunal) (Information Rights)

Introduction

It’s a point often missed that whilst GDPR abolished data protection registrations the UK maintained the requirement to register in UK law. The registration must be made with the Information Commissioner’s Office (ICO) and a recent case shows that forgetting to do this won’t stop an organisation being fined.

What was the case about?

The First Tier Tribunal (Information Rights) has dismissed an appeal by an organisation against a penalty notice from the ICO for non-payment of the data protection fee. Many organisations are required to pay an annual fee under the Data Protection (Charges and Information) Regulations 2018.

The parties did not dispute the facts; the appellant implicitly accepted that it had not paid the required fee of £40 and that it had received a reminder and Notice of Intent to issue the penalty notice. The appellant said that the direct debit set up to pay the fee was cancelled by mistake. It did not provide any evidence as to how the mistake had happened or why it did not realise that the fee had not been paid.

What is the law?

A breach of the Regulations falls under s.149(5) Data Protection Act 2018 (DPA 2018) and the ICO can serve a penalty notice under section 155(1) of the DPA 2018.

What are the lessons learned?

The tribunal concluded that the appellant had not offered a reasonable excuse for its failure to comply.

Organisations should have systems in place to comply with their obligations under the law. Here the consequences can sometimes be greater than the fine itself – registrations often feature as a key element of due diligence and collecting data without a registration in place could be a breach of Principle (a) of GDPR since data may not have been obtained lawfully and transparently.

This was a point made by the Tribunal Judge Moira Macmillan saying:

We conclude that a reasonable data controller would have systems in place to comply with the Regulations and that the Appellant has pointed to no particular difficulty or misfortune which explains its departure from the expected standards of a reasonable data controller.”

Organisations should make sure they have processes in place to maintain their registrations. Cordery provides a registration renewal service for a fixed fee here http://www.corderycompliance.com/solutions/privacy-registration-and-renewal/.

For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.

Image courtesy of gov.uk website

Jonathan Armstrong
Cordery
Lexis House
30 Farringdon Street
London EC4A 4HHOffice: +44 (0)20 7075 1784
jonathan.armstrong@corderycompliance.com		 Andre Bywater
Cordery
Lexis House
30 Farringdon Street
London EC4A 4HHOffice: +44 (0)20 7075 1785
andre.bywater@corderycompliance.com

 

 

Contact a Cordery Specialist +44(0)207 118 2700 | Contact Us

Cordery is a trading name of Cordery Compliance Limited. Authorised and regulated by the Solicitors Regulation Authority.
SRA number 608187. Company number 07931532 registered in England and Wales. VAT number: 730859520
Registered office: Lexis House, 30 Farringdon Street, London, EC4A 4HH, United Kingdom

Cordery Compliance Limited trading as Cordery provides some products and services which are not regulated by the Solicitors Regulation Authority; we will clearly state this to you if this is the case.

We use the word “partner” to refer to a shareowner or director of the company, or an employee or consultant who is a lawyer with equivalent standing and qualifications.

Cordery is a registered trademark of RELX (UK) Limited, used under license. The Knowledge Burst logo is a registered trademark of Reed Elsevier Properties Inc., used under license.

Copyright © 2021 Cordery. All rights reserved.