
In detail

What is the relationship between PECR and the data protection regime?

PECR sits alongside the data protection regime, which is the UK GDPR and Data Protection Act 2018 (DPA 2018). Data protection and PECR aim to protect people’s privacy. Data protection complements PECR. You may find that complying with PECR helps you comply with data protection requirements and vice versa.

PECR takes some of its definitions from data protection. For example, it takes the UK GDPR’s standard of consent and the DPA 2018 definition of direct marketing.

Data protection also applies if you are using personal data when making live marketing calls (eg you know the name of the person you’re calling). This means you must make sure you comply with the data protection rules as well as PECR.

Likewise, if during the call you collect personal data from the person you are speaking to, you must make sure that your collection and use complies with data protection.


What do the data protection rules mean for live marketing calls?

If you are using personal data when making live marketing calls, you must ensure that your direct marketing complies with data protection as well as PECR.

For example, this means ensuring that what you are doing is fair, lawful and transparent, as well as complying with people’s data protection rights (such as the right to object).

Fairness means not doing things with personal data that people would find unexpected, misleading or detrimental. For example, if you have bought in a list of people and their telephone numbers to use for live marketing calls, you should satisfy yourself that the list was created fairly. Likewise, you can’t make a live marketing call to a number that you originally collected for an entirely different purpose.

Example

A bank records information about people who are shareholders of its corporate account customers. The bank collects and holds this information to comply with its duties under anti-money laundering regulations. Unless the bank obtains their consent, it is unfair to use this information to make marketing calls inviting them to open personal accounts.

Transparency means being clear, open and honest about what you want to do with personal data. For example, you must make it clear to people when collecting their details that you want to make live marketing calls. People have the “right to be informed” about what you intend to use their personal data for.

Lawfulness includes having a valid data protection reason (known as a “lawful basis”) when you use personal data to make the live marketing calls. There are six of these to choose from in the UK GDPR. It’s likely that consent and legitimate interests are the most relevant ones in the context of live marketing calls. Your choice between these two depends on factors such as:

  • the type of live call you are making; and
  • whether the person gives you permission to call their TPS-registered number.

For example, because you must have consent under PECR to make a live marketing call about claims management services, it’s likely that you would use consent as your UK GDPR lawful basis. Likewise, if you ask for someone’s permission to override their TPS registration, it’s likely that your lawful basis for using their personal data is also consent.

However, you may be able to rely on legitimate interests as your lawful basis if you are using personal data when calling a number that is not on the TPS or CTPS and there is no previous objection to your calls. See our separate guidance on legitimate interests for help.

People also have the absolute data protection right to object to you using their personal data for direct marketing purposes (including using their personal data to make live marketing calls). If someone exercises this right, you must stop using their personal data for direct marketing purposes. There are no grounds for you to refuse.

You should add them to your suppression or ‘do not contact’ list to make sure that you don’t inadvertently call someone who has exercised this right. You can only make further live marketing calls to that person if they subsequently decide to consent to such marketing from you.

Further reading

  • The ICO has produced lots of guidance on how to comply with data protection law. You can find it in the Guide to the UK GDPR, which includes topics such as fairness, transparency, lawful bases and rights.
  • We also have separate guidance on business-to-business marketing.

What happens if we don’t comply with PECR when making live marketing calls?

The ICO’s aim is to help and empower you to comply with the law. In cases where you refuse or fail to comply voluntarily, we have a range of options available for taking formal action, where this is necessary.

We take a risk-based, effective and proportionate approach to enforcement. Our aim is to create an environment which protects people, while supporting organisations to ensure they can operate and innovate efficiently in the digital age. We will be as robust as necessary in upholding the law, while ensuring that enterprise is not constrained by red tape, or by concern that we would use sanctions disproportionately.

We have several ways of taking action to change the behaviour of anyone who breaches PECR. This includes serving an enforcement notice that requires an organisation to stop sending direct marketing that is in breach of PECR. We can also serve a monetary penalty notice, imposing a fine of up to £500,000, which we can issue against the organisation or its directors. These powers are not mutually exclusive. We can use them in combination, where justified by the circumstances.
