The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission


Use of telemarketing company in the management of customer accounts - transfer of data to agent not disclosure - obligation of data processors to register

The complainant received an unsolicited telephone call from a telemarketing service company. The call was in connection with the complainant's account with another company (the 'supplier company'), not the telemarketing company. The complainant raised the matter with my Office, expressing concern that details of his name, address, telephone number and certain details of his account (which was in arrears) had been transferred from the supplier company to the telemarketing company, without the complainant's knowledge or consent. He also said that the telemarketing company was not registered with my Office as required under the Data Protection Act, 1988.

In the course of my investigation, the supplier company indicated that it had engaged the telemarketing company under contract to provide a 'courtesy call' service on the supplier company's behalf. To enable the telemarketing company to carry out this service, the supplier company provided it with customers' personal data on a weekly basis. In the case of new customers, the 'courtesy call' service involved telephoning the customers to welcome them and to verify names, addresses and billing details. In the case of customers whose accounts were in arrears, the telemarketing company would operate a 'customer reminder' service, contacting the customers to alert them to the position before the issue of a final demand for payment. All customer responses would be logged by the telemarketing company onto the customer's computer file. The telemarketing company would also offer to take credit card payments over the phone. The supplier company had concluded a confidentiality agreement with the telemarketing company and required all staff involved with the customer courtesy service to sign a non-disclosure agreement.

It was clear from the terms of the contract between the companies that the telemarketing company was providing its services on an agency basis. Section 1(1) of the Act defines "disclosure" as follows -

"disclosure", in relation to personal data, includes the disclosure of information extracted from such data and the transfer of such data but does not include a disclosure made directly or indirectly by a data controller or a data processor to an employee or agent of his for the purpose of enabling the employee or agent to carry out his duties ... .

Consequently, the transfer of data to the telemarketing company for the purpose set out in the contract did not constitute disclosure of data within the meaning of the Data Protection Act, and so this aspect of the complaint was not upheld.

The second issue raised by the complainant related to the alleged failure of the telemarketing company to register as required under the Data Protection Act. The telemarketing company was of the view that, as it was acting as an agent for the supplier company, which was registered as a data controller with the Data Protection Commissioner, the telemarketing company was not itself required to register.

Section 16(2) of the Act provides as follows -

The Commissioner shall establish and maintain a register (referred to in this Act as the register) of persons to whom this section applies and shall make, as appropriate, an entry or entries in the register in respect of each person whose application for registration therein is accepted by the Commissioner.

Persons to whom section 16 applies include at subsection (1)(d) -

data processors whose business consists wholly or partly in processing personal data on behalf of data controllers.

Section 1 of the Act defines "data processor" as -

a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment.

It was accepted by all parties that the service provided by the telemarketing company amounted to the processing of personal data on behalf of the supplier company. As the provision of such services was a business activity of the telemarketing company, I decided that the company was clearly a data processor which was required to register with my Office. Accordingly, this aspect of the complainant's case was upheld. The telemarketing company subsequently registered as a data processor.