The Company recognises the importance of PECR and developed this policy to ensure that employees understand their obligations and that users and subscribers know their rights. We have developed policies, procedures, controls and measures to ensure compliance with the Regulation, including staff training, procedure documents, audit measures and assessments.
Ensuring and maintaining the security and confidentiality of personal information and electronic communication and marketing is one of our top priorities and we are proud to operate a 'Privacy by Design' approach..
The purpose of this policy is to ensure that the company meets its legal, statutory and regulatory obligations under the PECR and where applicable, the UK GDPR. As the company provides a service or uses technology that comes under the remit of the PECR, we have a duty to implement and maintain specific policies, controls and measures to ensure the security and compliance of all activities.
This policy applies to all staff within the company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas). Adherence to this policy is mandatory.
- “Bill” includes an invoice, account, statement or other document of similar character
- “Call” means a connection established by a telephone service allowing two-way communication in real time
- “Communication” means any information exchanged or conveyed between parties by means of a public electronic communications service (excluding where part of a programme service, except where the information relates to the identifiable subscriber or user receiving the information
- “Communications Provider” means a person who provides an electronic communications network or an electronic communications service as per the meaning given by section 405 of the Communications Act 2003
- “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- “Corporate Subscriber” means a subscriber who is: -a company formed and registered under the Companies Act 1985 (or any former Companies Acts, excluding a company registered under the Joint Stock Companies Acts
- a company incorporated in pursuance of a royal charter or letters patent
- a partnership in Scotland
- a corporation sole
- any other body corporate or entity which is a legal person distinct from its members.
- “Electronic Communications Network” means (as per the meaning given by section 32 of the Communications Act 2003):
- -a transmission system for the conveyance, by the use of electrical, magnetic or electro-magnetic energy, of signals of any description; and
- such of the following as are used, by the person providing the system and in association with it, for the conveyance of the signals:
- -apparatus comprised in the system
- apparatus used for the switching or routing of the signals
- software and stored data
- other resources, including network elements which are not active.
- “Electronic Communications Service” means (as per the meaning given by section 32 of the Communications Act 2003) a service of any of the types specified in below provided by means of an electronic communications network, except so far as it is a content service:
- -an internet access service
- a number-based interpersonal communications service
- any other service consisting of, or having as its principal feature, the conveyance of signals, such as a transmission service used for machine-to-machine services or for broadcasting.
- “Electronic Mail or Email” means any text, voice, sound or image message sent over a public electronic communications network which can be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient and includes messages sent using a short message service (SMS).
- “Individual” means a living individual and includes an unincorporated body of such individuals.
- “Information Society Service” means any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing and storage of data, and at the individual request of a recipient of a service:
- ‘at a distance’ means that the service is provided without the parties being simultaneously present
- ‘by electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means
- ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.
- “The Commissioner” means the Information Commissioners Office (ICO) who are responsible for oversight and enforcing the PECR.
- “Traffic Data” means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration or time of a communication.
- “UK GDPR” means the United Kingdom General Data Protection Regulation, tailored by the Data Protection Act 2018 and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019/2020
- “User” means any individual using a public electronic communications service.
What is the PECR?
The Privacy and Electronic Communications Regulations 2003 (PECR) implemented European Directive 2002/58/EC into UK law and provides rules and specific privacy rights in relation to electronic communications. The Regulations sit alongside the UK's data protection framework and relate specifically to: -
- Marketing by electronic means:
- The privacy of customers using communications networks or services as regards traffic and location data, itemised billing, line identification services and directory listings.
The Regulations have been designed to complement the data protection framework and apply to the specific privacy rights of individuals regarding electronic communications. They also set out the measures and safeguards organisations must take in relation to the security of such services and technologies.
With the vast increase in the provision and use of digital and electronic mediums, there is a direct requirement to provide rules for security and protection. The PECR ensures that organisations are compliant and considerate when carrying out any of the activities covered by the Regulations.
The PECR and Data Protection
The PECR works in conjunction with the UK GDPR and has been amended to sit alongside the Regulation, including utilising the UK GDPR’s definition of consent. Depending on the services provided or technology used, an organisation may need to comply with both the UK GDPR and PECR or just the PECR.
Providers of services or technologies that rely on consent or legitimate interest and process personal data must comply with both the PECR and the UK GDPR. Where marketing or cookies do not involve the processing of personal information, an organisation must still comply with the PECR.
The Information Commissioners' Office (ICO)
The Information Commissioners Office (ICO) (hereinafter referred to as the Commissioner), is an independent regulatory office who report directly to Parliament and whose role it is to uphold information rights in the public interest. The legislation they have oversight for includes: -
- The UK GDPR (tailored by the Data Protection Act 2018)
- The Privacy and Electronic Communications Regulations (PECR)
- Freedom of Information Act 2000
- The Environmental Information Regulations 2004
The Commissioners’ mission statement is “to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals” and they can issue enforcement notices and fines for breaches in any of the Regulations, Acts and/or Laws regulated by them.
Under the PECR, the Commissioner is responsible for the oversight and enforcement of the Privacy and Electronic Communications Regulations 2003 and for responding to complaints with regards to UK GDPR and those firms located solely in the UK.
We are committed to ensuring that all electronic communications activities and personal data processed by the Company is done so in accordance with the PECR and where relevant, the UK GDPR. We also adhere to any associated guidelines or codes of conduct set out by the Commissioner and local law.
The Company has developed the below objectives to meet its public electronic communications obligations and to ensure continued compliance with the legal and regulatory requirements.
The Company will ensure that: -
- We have dedicated PECR related policies and procedures in place to ensure ongoing awareness and compliance with the rules.
- We have up to date Data Breach Procedures and a Data Breach reporting system in place to comply with the PECR.
- Users and subscribers are provided with specific information about our use of traffic data and/or location data and, where applicable, consent is obtained to process such data.
Staff are provided with training on the PECR requirements and the Company’s obligations.
- Direct marketing mediums contain the relevant information required by the PECR and where such marketing is unsolicited, we always obtain consent from the user or subscriber.
Any cookies used on our website are clearly marked and information about the cookies and the users’ rights are provided to every visitor as per the PECR requirements. Options to accept or reject non-essential cookies are always provided.
- Procedures and controls to comply with the PECR are reviewed on a regular basis to ensure ongoing compliance with the Regulation.
- All forms of electronic marketing are reviewed by the Head of Marketing prior to being implemented.
The Company has a dedicated Direct Marketing Policy that details our obligations and procedures in relation to marketing as defined in the PECR. We recognise the requirement to obtain consent and provide specific information when sending unsolicited marketing, either by phone, email, fax, text or any other form of electronic communication.
We have consent controls in place that aim to comply with the UK GDPR requirements and ensure that all forms of marketing communication adhere to the PECR rules. As the areas of direct marketing has numerous rules and regulations, we utilise a standalone policy for this purpose, to ensure that employees have a clear understanding of the rules and their responsibilities.
Please refer to the Company’s Direct Marketing Policy for full details of our marketing procedures and controls.
Cookies and Similar Technologies
The PECR requires that detailed, clear, and relevant information is provided to the user regarding the existence of any cookies, including what each cookie does and why it is used. Consent must then be obtained from the user to allow cookie(s) to be stored on their device.
The Regulation provides an exception to cookie consent where the cookie is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network or where the cookie is strictly necessary to provide a service requested by the user (i.e., cookies used to remember a user’s goods in an online basket or that are essential for regulatory or legal compliance).
Where the company would like to request access to any data or personal information stored within the individual’s terminal equipment, we utilise a pop-up screen notice upon initial visit to the website to ensure that the subscriber or user: -
- is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
- has given his or her consent.
Where the above information has already been provided to the subscriber or user, the Company can also utilise the consent of a subscriber or user who amends or sets controls on the internet browser that they are using or by using another application or programme to signify consent. All forms of consent are collected and maintained in accordance with the consent rules set out in the UK GDPR.
The Company reserve the right not to obtain consent for access to subscriber or user data or personal information where it relates to the technical storage of, or access to, information: -
- for the sole purpose of carrying out the transmission of a communication over an electronic communications network
- where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
Public Electronic Communications Service and Network
Electronic communications service as defined in the PECR has the same meaning as that of section 32 of the Communications Act 2003 "a service consisting of, or having as its principal feature, the conveyance by means of an electronic communications network of signals, except insofar as it is a content service."
The same Act provides a definition of an electronic communications network as "a transmission system for the conveyance, by the use of electrical, magnetic or electro-magnetic energy, of signals of any description [where the] following as are used, by the person providing the system and in association with it, for the conveyance of the signals: -
- apparatus comprised in the system
- apparatus used for the switching or routing of the signals
- software and stored data
- other resources, including network elements which are not active."
An electronic communications service allows individuals to sign up to a service with a view to sending or receiving electronic signals (i.e. sounds, images, data etc). An electronic communications network is the transmission system that makes the electronic communications services available to the users or subscribers.
The PECR describes the individuals to whom the rules apply as subscribers or users. The term user describes any individual who makes use of a public electronic communications service.
However, a subscriber is party to a contract with a provider for the provision of the electronic communications services.
There is also a difference between a corporate subscriber and individual subscribers. The former covers subscribers that are a corporate body with separate legal status (i.e. Ltd, LLP etc). The latter is any individual customer and also overs sole traders and partnerships.
Where the company provides a public electronic communications service, we ensure that we have adequate and appropriate technical and organisational measures in place to safeguard the security of that service. Details of the measures and controls in place are set out in our Information Security & Usage Policy. In conjunction with this policy, please refer to the information security & usage policy.
The Company aims to comply with the PECR which states the minimum mandatory security requirements for electronic communications services. Our security policies set out the measures and controls used to ensure privacy and security. The procedures include (but are not limited to): -
- Ensuring that personal data can only be accessed by authorised personnel for legally authorised purposes.
- Protecting personal data stored or transmitted against accidental or unlawful destruction, accidental loss, or alteration, and unauthorised or unlawful storage, processing, access, or disclosure.
- Ensuring that the security policies are compliant and maintained in accordance with the relevant rules and regulations with respect to the processing of personal data.
Provision of Information
The Company provides information about the processing of traffic data to users and subscribers, prior to obtaining consent to process such data. The information and opt-in, granular consent mechanism is provided on the company’s websites.
Processing location data, certain types of traffic data and data used for the purposes of direct marketing or providing value-added services requires the consent of the user or subscriber. The Company adheres to the UK GDPR definition of consent and has set out specific information or controls for consent in the below documents: -
- PECR Policy
- Information Security & Usage Policy
- Direct Marketing Policy
Data processed for any purpose requiring consent is only retained for as long as it is necessary and is subject to the retention and erasure rules set out in the UK GDPR. The user or subscriber is always informed of their right to withdraw consent at any time.
Where processing is based on consent, the Company have reviewed and revised all consent mechanisms to ensure that: -
- Consent requests are transparent, using plain language and is void of any illegible terms, jargon or extensive legal terms.
- It is freely given, specific and informed, as well as being an unambiguous indication of the individual’s wishes.
- Consent is always given by a statement or a clear affirmative action (positive opt-in) which signifies agreement to the processing of personal data.
- Consent mechanisms are upfront, clear, granular (in fine detail) and easy to use and understand.
- Pre-ticked, opt-in boxes are never used.
- Where consent is given as part of other matters (i.e., terms & conditions, agreements, contracts), we ensure that the consent is separate from the other matters and is not a precondition of any service (unless necessary for that service).
- Along with our company name, we also provide details of any other third party who will use or rely on the consent.
- Consent is always verifiable, and we have controls in place to ensure that we can demonstrate consent in every case.
- We keep detailed records of consent and can evidence at a minimum: –
- that the individual has consented to the use and processing of their personal data
- that the individual has been advised of our company name and any third party using the data
- what the individual was told at the time of consent
- how and when consent was obtained
- We have ensured that withdrawing consent is as easy, clear, and straightforward as giving it and is available through multiple options, including: -
- Opt-out links in mailings or electronic communications.
- Opt-out process explanation and steps on website and in all written communications.
- Ability to opt-out verbally, in writing or by email.
- Consent withdrawal requests are processed immediately and without detriment.
- Where age restricted services are offered, age-verification measures have been developed and are in place to obtain consent
Please refer to the Company’s Direct Marketing Policy which contains details of our obligations, procedures and controls.
The PECR requires firms to have measures and controls in place to monitor and report personal data breaches. The Company has robust objectives and controls in place for preventing data breaches and for managing them in the rare event that they do occur. Our procedures and guidelines for identifying, investigating and notification of breaches are detailed in our Data Breach Policy which forms part of our data protection compliance program.
The Company ensures the maximum security of data that is processed, including as a priority, when it is shared, disclosed and transferred. Our Information Security & Usage Policy provides the detailed measures and controls that we take to protect personal information and to ensure its security from start to finish.
Whilst every effort is taken to prevent and reduce the risk of data breaches, the company has dedicated controls and procedures in place for any rare occurrences. The policy includes any notifications to be made to the Commissioner and subscriber(s) (where applicable). The Company use a dedicated PECR Data Breach Incident system and bespoke form to ensure that all of the required details are recorded and maintained. The relevant information is also added to the Data Breach Incident System which enables us the retain an inventory of personal data breaches and to provide this information to the Commissioner.
Audits and Monitoring
This policy and procedure document details the extensive controls, measures and methods used by the Company to comply with the PECR and any associated data protection rules. It is to be read in conjunction with our other UK GDPR and PECR policies.
To ensure continued compliance with the Regulations and to review internal policies and processes, the Company uses a dedicated Compliance Monitoring & Audit Policy & Procedure, with a view to ensuring that the measures and controls in place to protect subscribers and users, along with their information at all times.
The Data Protection Officer has overall responsibility for assessing, testing, reviewing and improving the processes, measures and controls in place and reporting improvement action plans to the Board/Directors/Owner/Senior Management Team where applicable.
The aim of internal PECR audits is to: -
- Ensure that the appropriate policies and procedures are in place.
- To verify that those policies and procedures are being followed.
- To test the adequacy and effectiveness of the measures and controls in place.
- To detect breaches or potential breaches of compliance.
- To identify risks and assess the mitigating actions in place to minimise such risks.
- To recommend solutions and mitigating actions for improvements where applicable.
- To monitor compliance with the PECR and UK GDPR and demonstrate best practices
Through our strong commitment and robust controls, we ensure that all staff understand, have access to and can easily interpret the PECR and that they have ongoing training, support and assessments to ensure and demonstrate their knowledge, competence and adequacy for the role.
Our Training & Development Policy & Procedures and Induction Policy detail how new and existing employees are trained, assessed and supported and include: -
- PECR and UK GDPR Workshops & Training Sessions
- Assessment Tests
- Coaching & Mentoring
- 1:1 Support Sessions
- Scripts and Reminder Aids
- Access to the PECR and UK GDPR policies, procedures, checklists and supporting documents
The Company ensures that compliance with the PECR is the responsibility of all employees and provides ongoing support and training to this end. Overall responsibility of PECR compliance has been assigned to the Data Protection Officer, whose role it is to identify and mitigate any risks to the protection of personal data or the privacy rights of users and subscribers.