Jump to content


Registered Users

Change your profile picture
  • Content Count

  • Joined

  • Last visited

Community Reputation

1 Neutral

About AnotherLegend

  • Rank
    Basic Account Holder
  1. Did Glide state in their SAR response the basis upon which they are processing your daughter's personal data? If not, you can go back to them and push them on this. They will need to be very careful with their response because they do not have her consent. I would also raise a complaint to Glide about the fact that your daughter told them she was not going to use their services and yet they still continued to try and provide a service. You should also speak to the Energy Ombudsman (https://www.ombudsman-services.org/sectors/energy) and see what they advise to do. When the LA responds
  2. These issues, in my opinion, aren't anything to do with data protection. You should look at OFGEM's rules and possibly OFCOM (if telecom is involved as well) as I would imagine there are some rule breaches that have occurred regarding the transfer of service. I don't believe this is a data breach or misuse of personal data. However, you need to look at the LA's relationship with Glide. There is an incentive for the LA (commission) to sign up tenants with Glide, so did the LA deliberately try to keep your daughter with Glide, despite being told she was using Akasa? T
  3. Because as a utility supplier, they will continue providing a service until they are told otherwise. In order for them to know who to charge, they will need to process personal data and they have a legitimate reason to do this (someone cannot live there and not pay the utility bills). I'll give you a very simple example - you buy a property and move in. The existing gas supplier will continue to provide gas, even if you haven't agreed to them setting up an account or providing you with a service. This is known as deemed consent. Your issue here is going to be with the LA. If you can
  4. Which personal data are you referring to? If you're looking for the email between the LA and Glide containing the spreadsheet, then you will not get this because: 1) Your daughter is not the data subject of the email 2) Your daughter's personal data is not in the actual wording of the email 3) The email contains the personal data of other people and providing it to you would infringe their rights
  5. Report them for what though? Their response looks well constructed and completely compliant with the new DPA. It's a common misconception that companies need your explicit consent to process your personal data. Your issue is that the LA passed your daughter's personal data over to Glide, a third party data controller. So if you raise a complaint, you will need to be able to show that: 1) The LA did not have explicit permission to transfer your daughter's personal data to Glide 2) The LA cannot rely on the 'legitimate interests' basis for processing your daughter's personal
  6. Just to make you aware, a data controller does not need explicit permission to provide personal data to a third party (if that third party is a data processor). However, it should be listed in the LA's privacy policy who they share personal data with and some basis for this.
  7. It's reasonable to ask for this information to verify the person making the right of request is actually that person. Every letting agent agreement I've ever seen has given permission for data to be shared with third parties. Are you 100% sure that the agreement did not allow this?
  8. As I stated above, your claim has two elements: 1) Has the data controller complied with the law? It appears by their own admission that they responded 1 day beyond the one month deadline. 2) If they did not comply with the law, have you suffered distress as a result? You need to be able to demonstrate and prove this for your case to be successful.
  9. This is not good advice at all because there are no grounds to strike out their defence. It's a valid defence in terms of it containing facts and being provided within the deadline. You might disagree with what they've said, but that's ultimately up to the judge to decide. The other thing to remember is that this is a claim for distress. In order for that to succeed you have to demonstrate both that the defendant has not complied with the law (this looks straightforward in terms of the response times) and as a result, you have suffered distress that can be quantified. It's really im
  10. You can always send a SAR to the person who dealt with the tenancy and ask for it to be passed to their data protection officer or the person who deals with data protection matters.
  11. This is not correct. If a data controller provides your personal data to a third party, in most cases they will be a data processor rather than a data controller. There are some scenarios when a third party will be a data controller and this will be determined by the relationship with the original data controller (the ICO may well ask to see the contract between the parties to establish the nature of the relationship). If a third party is a data processor, they do not have to provide you with your personal data and they should just forward any SAR back to the original data controller
  12. If you were to actually bring proceedings for this, then a judge would likely see your actions as nothing more than vexatious. Cabot have, rightfully, asked for further information to confirm your identity. This essentially puts your right of access request on hold until you respond. It appears that you haven't responded to their request for further information.
  13. But the controller is the company, not an individual. There is a big difference between a data controller and a data protection officer. I think you've made a big mistake here. The problem you will have is the judge will ask the question - why did you refuse to provide your identity to the data controller? If I was defending a claim like this, I would put emphasis on the fact that we tried to verify your identity, but you refused to comply. I certainly don't think it's open and shut.
  14. But the ICO's guidance recommends data controllers use a form... I don't think it's unreasonable for them to ask for your ID, or at least further information to verify that it was you making the SAR. They need to know it is you sending the SAR and there is no way of them knowing that the person behind the email account is actually you. You issued the claim against the individual rather than the company? Why did you do this?
  15. Who did you sent the SAR to? Was it a named individual? I believe they would need to demonstrate they have had doubts about your identity. Where a controller— (a)reasonably requires further information— (i)in order that the controller be satisfied as to the identity of the individual making a request under subsection (1), or (ii)to locate the information which that individual seeks, and (b)has informed that individual of that requirement, the controller is not obliged to comply with the request unless the controller is supplied with that further information.
  • Create New...