The Company recognises the importance of PECR and developed this policy to ensure that employees understand their obligations and that users and subscribers know their rights. We have developed policies, procedures, controls and measures to ensure compliance with the Regulation, including staff training, procedure documents, audit measures and assessments.
Ensuring and maintaining the security and confidentiality of personal information and electronic communication and marketing is one of our top priorities and we are proud to operate a 'Privacy by Design' approach.
The purpose of this policy is to ensure that the Company meets its legal, statutory and regulatory obligations under the PECR and, where applicable, the UK GDPR. As the Company provides a service or uses technology that comes under the remit of the PECR, we have a duty to implement and maintain specific policies, controls and measures to ensure the security and compliance of all activities.
This policy applies to all staff within the company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas). Adherence to this policy is mandatory.
What is the PECR?
The Privacy and Electronic Communications Regulations 2003 (PECR) implemented European Directive 2002/58/EC into UK law and provide rules and specific privacy rights in relation to electronic communications. The Regulations sit alongside the UK's data protection framework and relate specifically to: -
The Regulations have been designed to complement the data protection framework and apply to the specific privacy rights of individuals regarding electronic communications. They also set out the measures and safeguards organisations must take in relation to the security of such services and technologies.
With the vast increase in the provision and use of digital and electronic media, there is a direct requirement to provide rules for security and protection. The PECR ensures that organisations are compliant and considerate when carrying out any of the activities covered by the Regulations.
The PECR and Data Protection
The PECR works in conjunction with the UK GDPR and has been amended to sit alongside the Regulation, including utilising the UK GDPR’s definition of consent. Depending on the services provided or technology used, an organisation may need to comply with both the UK GDPR and PECR or just the PECR.
Providers of services or technologies that rely on consent or legitimate interest and process personal data must comply with both the PECR and the UK GDPR. Where marketing or cookies do not involve the processing of personal information, an organisation must still comply with the PECR.
The Information Commissioner's Office (ICO)
The Information Commissioner's Office (ICO) (hereinafter referred to as the Commissioner) is an independent regulatory office which reports directly to Parliament and whose role is to uphold information rights in the public interest. The legislation it has oversight of includes: -
The Commissioner's mission statement is "to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals", and the Commissioner can issue enforcement notices and fines for breaches of any of the Regulations, Acts and/or Laws it regulates.
Under the PECR, the Commissioner is responsible for the oversight and enforcement of the Privacy and Electronic Communications Regulations 2003 and for responding to complaints with regard to the UK GDPR and those firms located solely in the UK.
We are committed to ensuring that all electronic communications activities and personal data processing carried out by the Company are done in accordance with the PECR and, where relevant, the UK GDPR. We also adhere to any associated guidelines or codes of conduct set out by the Commissioner and local law.
The Company has developed the below objectives to meet its public electronic communications obligations and to ensure continued compliance with the legal and regulatory requirements.
The Company will ensure that: -
The Company has a dedicated Direct Marketing Policy that details our obligations and procedures in relation to marketing as defined in the PECR. We recognise the requirement to obtain consent and provide specific information when sending unsolicited marketing, either by phone, email, fax, text or any other form of electronic communication.
We have consent controls in place that aim to comply with the UK GDPR requirements and ensure that all forms of marketing communication adhere to the PECR rules. As the area of direct marketing has numerous rules and regulations, we utilise a standalone policy for this purpose, to ensure that employees have a clear understanding of the rules and their responsibilities.
Please refer to the Company’s Direct Marketing Policy for full details of our marketing procedures and controls.
Cookies and Similar Technologies
The PECR requires that detailed, clear, and relevant information is provided to the user regarding the existence of any cookies, including what each cookie does and why it is used. Consent must then be obtained from the user to allow cookie(s) to be stored on their device.
The Regulations provide an exception to cookie consent where the cookie is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or where the cookie is strictly necessary to provide a service requested by the user (e.g., cookies used to remember a user's goods in an online basket or that are essential for regulatory or legal compliance).
Where the Company would like to request access to any data or personal information stored within the individual's terminal equipment, we utilise a pop-up screen notice upon initial visit to the website to ensure that the subscriber or user: -
Where the above information has already been provided to the subscriber or user, the Company may also rely on consent signified by the subscriber or user amending or setting controls on the internet browser they are using, or by their using another application or programme to signify consent. All forms of consent are collected and maintained in accordance with the consent rules set out in the UK GDPR.
The Company reserves the right not to obtain consent for access to subscriber or user data or personal information where it relates to the technical storage of, or access to, information: -
Public Electronic Communications Service and Network
An electronic communications service as defined in the PECR has the same meaning as in section 32 of the Communications Act 2003: "a service consisting of, or having as its principal feature, the conveyance by means of an electronic communications network of signals, except insofar as it is a content service."
The same Act provides a definition of an electronic communications network as "a transmission system for the conveyance, by the use of electrical, magnetic or electro-magnetic energy, of signals of any description [where the] following as are used, by the person providing the system and in association with it, for the conveyance of the signals: -
An electronic communications service allows individuals to sign up for a service with a view to sending or receiving electronic signals (i.e. sounds, images, data, etc). An electronic communications network is the transmission system that makes the electronic communications services available to users or subscribers.
The PECR describes the individuals to whom the rules apply as subscribers or users. The term user describes any individual who makes use of a public electronic communications service.
A subscriber, by contrast, is a party to a contract with a provider for the provision of electronic communications services.
There is also a difference between a corporate subscriber and an individual subscriber. The former covers subscribers that are a corporate body with separate legal status (i.e. Ltd, LLP, etc). The latter is an individual customer and also covers sole traders and partnerships.
Where the Company provides a public electronic communications service, we ensure that we have adequate and appropriate technical and organisational measures in place to safeguard the security of that service. Details of the measures and controls in place are set out in our Information Security & Usage Policy, which should be read in conjunction with this policy.
The Company aims to comply with the PECR which states the minimum mandatory security requirements for electronic communications services. Our security policies set out the measures and controls used to ensure privacy and security. The procedures include (but are not limited to): -
Provision of Information
The Company provides information about the processing of traffic data to users and subscribers, prior to obtaining consent to process such data. The information and opt-in, granular consent mechanism is provided on the company’s websites.
Processing location data, certain types of traffic data, and data used for the purposes of direct marketing or providing value-added services requires the consent of the user or subscriber. The Company adheres to the UK GDPR definition of consent and has set out specific information or controls for consent in the below documents: -
Data processed for any purpose requiring consent is only retained for as long as it is necessary and is subject to the retention and erasure rules set out in the UK GDPR. The user or subscriber is always informed of their right to withdraw consent at any time.
Where processing is based on consent, the Company has reviewed and revised all consent mechanisms to ensure that: -
Please refer to the Company’s Direct Marketing Policy which contains details of our obligations, procedures, and controls.
The PECR requires firms to have measures and controls in place to monitor and report personal data breaches. The Company has robust objectives and controls in place for preventing data breaches and for managing them in the rare event that they do occur. Our procedures and guidelines for identifying, investigating, and notifying breaches are detailed in our Data Breach Policy, which forms part of our data protection compliance programme.
The Company ensures the maximum security of data that is processed, including as a priority, when it is shared, disclosed, and transferred. Our Information Security & Usage Policy provides the detailed measures and controls that we take to protect personal information and to ensure its security from start to finish.
Whilst every effort is taken to prevent and reduce the risk of data breaches, the Company has dedicated controls and procedures in place for any rare occurrences. That policy includes any notifications to be made to the Commissioner and subscriber(s) (where applicable). The Company uses a dedicated PECR Data Breach Incident system and bespoke form to ensure that all of the required details are recorded and maintained. The relevant information is also added to the Data Breach Incident System, which enables us to retain an inventory of personal data breaches and to provide this information to the Commissioner.
Audits and Monitoring
This policy and procedure document details the extensive controls, measures, and methods used by the Company to comply with the PECR and any associated data protection rules. It is to be read in conjunction with our other UK GDPR and PECR policies.
To ensure continued compliance with the Regulations and to review internal policies and processes, the Company uses a dedicated Compliance Monitoring & Audit Policy & Procedure, with a view to ensuring that the measures and controls are in place to protect subscribers and users, along with their information at all times.
The Data Protection Officer has overall responsibility for assessing, testing, reviewing, and improving the processes, measures, and controls in place and reporting improvement action plans to the Board/Directors/Owner/Senior Management Team where applicable.
The aim of internal PECR audits is to: -
Through our strong commitment and robust controls, we ensure that all staff understand, have access to, and can easily interpret the PECR, and that they have ongoing training, support, and assessments to ensure and demonstrate their knowledge, competence, and adequacy for the role.
Our Training & Development Policy & Procedures and Induction Policy detail how new and existing employees are trained, assessed, and supported and include: -
The Company ensures that compliance with the PECR is the responsibility of all employees and provides ongoing support and training to this end. The overall responsibility of PECR compliance has been assigned to the Data Protection Officer, whose role is to identify and mitigate any risks to the protection of personal data or the privacy rights of users and subscribers.