Data controllers cannot subcontract their legal responsibility for the handling of personal data.
In July 2015, we posted this article: Charity cold calling Investigation: You can't subcontract liability. This week, an energy company promoting "Free" Solar panels has been fined for irresponsible use of personal data, via a data processor.
"Christopher Graham, the information commissioner,
dismissed the company lawyer’s attempts to blame a
third party company for the breach."
A green energy company which made six million nuisance calls has been handed a record £200,000 fine.
Glasgow-based Home Energy & Lifestyle Management Ltd (Helms) was investigated by the Information Commissioner after 242 consumers contacted the Information Commissioner's Office (ICO) in two months to complain about the calls.
The company blamed a third party firm it hired to make calls and said it was appealing against the ruling.
In this case, the firm "Helms" (data controller) is liable for their sub-contractor's (data processor) technology failures that resulted in the breach of rules, despite, as the firm claims that they had no control over the sub-contractors technology. As the firm is liable they will incur the £200,000 penalty.
Download centre: What is the Data Protection Act?