I, (NAME REMOVED), (JOB TITLE REMOVED) of Virgin Media Limited (“Virgin
Media”), 160 Great Portland Street, London W1W 5QA for and on behalf of Virgin
Media hereby acknowledge the details set out below and undertake to comply with the
terms of the following undertaking:
1. Virgin Media (“Virgin Media”), is the data controller as defined in section 1(1) of
the Data Protection Act 1998 (the “Act”), in respect of the processing of
personal data carried out by Virgin Media and is referred to in this Undertaking
as the “data controller”. Section 4(4) of the Act provides that, subject to section
27(1) of the Act, it is the duty of a data controller to comply with the data
protection principles in relation to all personal data in respect of which it is a
data controller.
2. The Information Commissioner (the “Commissioner”) was provided with a
report from (NAME REMOVED), (JOB TITLE REMOVED) acting on behalf of
the data controller, regarding the loss of a compact disc that was passed to
them by Carphone Warehouse (the "data processor"). The data processor had
been engaged to collect the personal data of individuals interested in opening a
Virgin Media account within its Carphone Warehouse stores. The compact disc
contained the personal data of 3,383 customers and was not encrypted.
3. The Commissioner has considered the data controller’s compliance with the
provisions of the Act in the light of this matter. The relevant provision of the Act
is the Seventh Data Protection Principle. This Principle is set out in Schedule 1
Part 1 of the Act.
4. Following consideration of the remedial action that has been taken by the data
controller and the fact that the data controller recognises the seriousness of the
matter, it is agreed that in consideration of the Commissioner not exercising his
powers to serve an Enforcement Notice under section 40 of the Act, the data
controller undertakes as follows:-