Jump to content

AnotherLegend

Registered Users

Change your profile picture
  • Posts

    25
  • Joined

  • Last visited

Reputation

1 Neutral
  1. Did Glide state in their SAR response the basis upon which they are processing your daughter's personal data? If not, you can go back to them and push them on this. They will need to be very careful with their response because they do not have her consent. I would also raise a complaint to Glide about the fact that your daughter told them she was not going to use their services and yet they still continued to try and provide a service. You should also speak to the Energy Ombudsman (https://www.ombudsman-services.org/sectors/energy) and see what they advise to do. When the LA responds, you will need to carefully review their response. They will need to show that they had your daughter's permission to transfer her personal data to Glide. If they are unable to show this, then your daughter should be able to seek compensation for distress under the new DPA. There is a good blog about this here - https://www.mindmydata.co.uk There is also one final question - if the LA unlawfully provided your daughter's personal data to Glide, does that mean that Glide are equally responsible as the LA? Glide do have a legitimate interest to process personal data, but the question is more about how they acquire that data in the first place (even if they believed it was done with your daughter's consent).
  2. These issues, in my opinion, aren't anything to do with data protection. You should look at OFGEM's rules and possibly OFCOM (if telecom is involved as well) as I would imagine there are some rule breaches that have occurred regarding the transfer of service. I don't believe this is a data breach or misuse of personal data. However, you need to look at the LA's relationship with Glide. There is an incentive for the LA (commission) to sign up tenants with Glide, so did the LA deliberately try to keep your daughter with Glide, despite being told she was using Akasa? There are 3 things you need to look at: 1) Why did the LA provide your daughter's info to Glide without her permission? 2) Why did Glide still try to provide a service or bill your daughter after being told that she was not using their services (I believe this is an OFGEM complaint)? 3) Did the LA fail to ensure that Glide were made aware that your daughter was not going to use their services?
  3. Because as a utility supplier, they will continue providing a service until they are told otherwise. In order for them to know who to charge, they will need to process personal data and they have a legitimate reason to do this (someone cannot live there and not pay the utility bills). I'll give you a very simple example - you buy a property and move in. The existing gas supplier will continue to provide gas, even if you haven't agreed to them setting up an account or providing you with a service. This is known as deemed consent. Your issue here is going to be with the LA. If you can show your daughter did not give explicit consent for the LA to pass her personal data to Glide, her rights will have been infringed. The ICO is not an investigative body - they will not demand to see every email. They will contact Glide and might ask why they have not provided this email, and the answer will be the same as has been provided to you. The ICO will accept this explanation, unless you can produce evidence otherwise. To put it simply, if your daughter cannot be identified from the wording of that email, there is no legal reason for Glide to provide it (redacted or not). Because there is no legal basis for providing that email unless your daughter can be identified from it. Glide have stated this and the ICO will accept this as an explanation, unless you can prove otherwise. The DPO appeared to be responding to you, so I don't see how it's out of the blue? Glide have admitted making a mistake, they corrected it, explained why it happened and what steps they will take to ensure it won't happen again. The ICO will see this as a satisfactory answer and will probably provide further guidance about dealing with personal data which is mixed in with the personal data of other individuals. GDPR is not simple and companies are being extremely cautious because of the potential fines that can be imposed. You can make a FOI request to the ICO and ask this question.
  4. Which personal data are you referring to? If you're looking for the email between the LA and Glide containing the spreadsheet, then you will not get this because: 1) Your daughter is not the data subject of the email 2) Your daughter's personal data is not in the actual wording of the email 3) The email contains the personal data of other people and providing it to you would infringe their rights
  5. Report them for what though? Their response looks well constructed and completely compliant with the new DPA. It's a common misconception that companies need your explicit consent to process your personal data. Your issue is that the LA passed your daughter's personal data over to Glide, a third party data controller. So if you raise a complaint, you will need to be able to show that: 1) The LA did not have explicit permission to transfer your daughter's personal data to Glide 2) The LA cannot rely on the 'legitimate interests' basis for processing your daughter's personal data (this will be difficult to do in my opinion)
  6. Just to make you aware, a data controller does not need explicit permission to provide personal data to a third party (if that third party is a data processor). However, it should be listed in the LA's privacy policy who they share personal data with and some basis for this.
  7. It's reasonable to ask for this information to verify the person making the right of request is actually that person. Every letting agent agreement I've ever seen has given permission for data to be shared with third parties. Are you 100% sure that the agreement did not allow this?
  8. As I stated above, your claim has two elements: 1) Has the data controller complied with the law? It appears by their own admission that they responded 1 day beyond the one month deadline. 2) If they did not comply with the law, have you suffered distress as a result? You need to be able to demonstrate and prove this for your case to be successful.
  9. This is not good advice at all because there are no grounds to strike out their defence. It's a valid defence in terms of it containing facts and being provided within the deadline. You might disagree with what they've said, but that's ultimately up to the judge to decide. The other thing to remember is that this is a claim for distress. In order for that to succeed you have to demonstrate both that the defendant has not complied with the law (this looks straightforward in terms of the response times) and as a result, you have suffered distress that can be quantified. It's really important to show the distress that has been suffered and have evidence of this.
  10. You can always send a SAR to the person who dealt with the tenancy and ask for it to be passed to their data protection officer or the person who deals with data protection matters.
  11. This is not correct. If a data controller provides your personal data to a third party, in most cases they will be a data processor rather than a data controller. There are some scenarios when a third party will be a data controller and this will be determined by the relationship with the original data controller (the ICO may well ask to see the contract between the parties to establish the nature of the relationship). If a third party is a data processor, they do not have to provide you with your personal data and they should just forward any SAR back to the original data controller. However, if a third party is a data controller, then you would need to submit a new SAR to that third party.
  12. If you were to actually bring proceedings for this, then a judge would likely see your actions as nothing more than vexatious. Cabot have, rightfully, asked for further information to confirm your identity. This essentially puts your right of access request on hold until you respond. It appears that you haven't responded to their request for further information.
  13. But the controller is the company, not an individual. There is a big difference between a data controller and a data protection officer. I think you've made a big mistake here. The problem you will have is the judge will ask the question - why did you refuse to provide your identity to the data controller? If I was defending a claim like this, I would put emphasis on the fact that we tried to verify your identity, but you refused to comply. I certainly don't think it's open and shut.
  14. But the ICO's guidance recommends data controllers use a form... I don't think it's unreasonable for them to ask for your ID, or at least further information to verify that it was you making the SAR. They need to know it is you sending the SAR and there is no way of them knowing that the person behind the email account is actually you. You issued the claim against the individual rather than the company? Why did you do this?
  15. Who did you sent the SAR to? Was it a named individual? I believe they would need to demonstrate they have had doubts about your identity. Where a controller— (a)reasonably requires further information— (i)in order that the controller be satisfied as to the identity of the individual making a request under subsection (1), or (ii)to locate the information which that individual seeks, and (b)has informed that individual of that requirement, the controller is not obliged to comply with the request unless the controller is supplied with that further information. The law isn't quite as stringent as the ICO's guidelines. The first part is wrong. I guess the second part could be argued and the judge would want to know why you did not provide your ID, when requested.
×
×
  • Create New...