Organisations are regularly fined for using data sourced from brokers or other suppliers without ensuring consent has been captured correctly, or without establishing another lawful basis for processing.

With rare exceptions, the organisation is censured but not the supplier of the data. In fact, whilst the enforcement notice usually names the data supplier, they are typically redacted when published.

The ICO’s recently published guide to outbound telemarketing clarifies their position:

“It is the ‘caller’ or the ‘instigator’ of the call who has responsibility for complying with the rules.”

And later:

“If you get a telephone marketing list from a third party and they claim to have checked it against the TPS or CTPS, you should make sure that this happened recently.”


“if the third party says that the list is of ‘consented’ numbers, you must make sure that the consent is valid.”

Until now, it would seem that responsibility has sat emphatically with the marketer.

However, on Monday 3rd October 2022, four enforcement notices against separate organisations were posted by the ICO for conducting outbound telemarketing to telephone numbers listed on the TPS without specific consent. But there was a marked change. These notices heralded a shift in emphasis from the ICO by naming the data suppliers who had supplied the data which later led to enforcement. This published transparency may suggest that the ICO are now holding both the data supplier and the marketer responsible.

We haven’t had any published censure for these data suppliers yet, but the notifications appear to be a clear “buyer beware” from the ICO. It is a public statement issued without details around what rules have been broken specifically by whom. It is unclear what briefing was given to the data supplier by the marketing organisation, or what due diligence the data supplier conducted on the marketing organisation to ensure appropriate use of the data.

At the same time, it is hard for a data supplier to argue a case for supplying telephone numbers on the TPS without claiming specific consent has been captured. The consent may never have existed or may have simply fallen short of the standard required by the GDPR.

Who’s in the wrong? Well, it’s clear the marketer is because they have been fined, but I wouldn’t bet against more fines being issued. Maybe naming the suppliers is less “Buyer Beware” and more “Seller Beware.”

Ultimately, it is a useful reminder that the buyer and the seller must always engage in clear and open communication to ensure data processing is in accordance with the regulation.