Jump to content


  • Tweets

  • Posts

    • ROFL - says a minister of the government that lets its politicians promote their agendas unchallenged and well paid on the UK's version of Russia Today translated UK deputy PM launches global push to mask their election rigging "The UK is following Russia and China on a government minister and MP led process to get paid vast sums to put our message out to the plebs unchallenged, funded via right wing billionaires, AI from foreign states, and misuse of taxpayer money.   reuters.com WWW.REUTERS.COM  
    • Yes, but the process starts here... https://ico.org.uk/make-a-complaint/data-protection-complaints/what-to-expect/ This involves making a complaint to GS first before approaching ICO. However, at the time of the complaint, I beleive we'd advise the complainant to ask for some compensation and take it from there. @FTMDave?? No, I meant this forum, The Consumer Action Group, where you're posting right now.😄 (We're in the slow process of rebranding as The National Consumer Service.)
    • And yes, they state their client is EON and that they can return the debt to EON who can either register a default or take me to court. 
    • Thank you. The npower debt was from 2019/2020 until EON took over the account late 2021.   npower had set a DCA on me even though I owed them nothing. I spoke to a customer service agent, following up by email, who confirmed I was in credit . I made a complaint to head office who sent a barrage of emails, changing the amounts each time. According to them, I owed £279.   The debt grew to what it is now as first npower and then EON subsequently failed to put a payment arrangement and direct debit in place to pay off this supposed sum and my ongoing bills.   I was very ill with Covid, struggling in lockdown with a disabled child and informed them of all this.   EON stopped their legal action when I took them to the ombudsman as this was part of my complaint and requested remedy but I have not received a notice of discontinuance.    I would like to set up my own dd to pay them off but am concerned they could still take legal action. I am on a low income and can’t afford to pay them more than a token amount each month.   
    • Thank you guys! @lookinforinfo thank you for the case, it seem to similar with my case which is gold. @Nicky Boy shouldn't be ICO?   Personal data breaches: a guide ICO.ORG.UK   For CAG I found this  The Confidentiality Advisory Group (CAG) is an independent body which provides expert advice on the use of confidential patient information. This includes providing advice to us, the Health Research Authority (HRA) for research uses. It also provides advice to the Secretary of State for Health for non-research uses.
  • Recommended Topics

  • Our picks

    • If you are buying a used car – you need to read this survival guide.
      • 1 reply
    • Hello,

      On 15/1/24 booked appointment with Big Motoring World (BMW) to view a mini on 17/1/24 at 8pm at their Enfield dealership.  

      Car was dirty and test drive was two circuits of roundabout on entry to the showroom.  Was p/x my car and rushed by sales exec and a manager into buying the mini and a 3yr warranty that night, sale all wrapped up by 10pm.  They strongly advised me taking warranty out on car that age (2017) and confirmed it was honoured at over 500 UK registered garages.

      The next day, 18/1/24 noticed amber engine warning light on dashboard , immediately phoned BMW aftercare team to ask for it to be investigated asap at nearest garage to me. After 15 mins on hold was told only their 5 service centres across the UK can deal with car issues with earliest date for inspection in March ! Said I’m not happy with that given what sales team advised or driving car. Told an amber warning light only advisory so to drive with caution and call back when light goes red.

      I’m not happy to do this, drive the car or with the after care experience (a sign of further stresses to come) so want a refund and to return the car asap.

      Please can you advise what I need to do today to get this done. 
       

      Many thanks 
      • 81 replies
    • Housing Association property flooding. https://www.consumeractiongroup.co.uk/topic/438641-housing-association-property-flooding/&do=findComment&comment=5124299
      • 160 replies
    • We have finally managed to obtain the transcript of this case.

      The judge's reasoning is very useful and will certainly be helpful in any other cases relating to third-party rights where the customer has contracted with the courier company by using a broker.
      This is generally speaking the problem with using PackLink who are domiciled in Spain and very conveniently out of reach of the British justice system.

      Frankly I don't think that is any accident.

      One of the points that the judge made was that the customers contract with the broker specifically refers to the courier – and it is clear that the courier knows that they are acting for a third party. There is no need to name the third party. They just have to be recognisably part of a class of person – such as a sender or a recipient of the parcel.

      Please note that a recent case against UPS failed on exactly the same issue with the judge held that the Contracts (Rights of Third Parties) Act 1999 did not apply.

      We will be getting that transcript very soon. We will look at it and we will understand how the judge made such catastrophic mistakes. It was a very poor judgement.
      We will be recommending that people do include this adverse judgement in their bundle so that when they go to county court the judge will see both sides and see the arguments against this adverse judgement.
      Also, we will be to demonstrate to the judge that we are fair-minded and that we don't mind bringing everything to the attention of the judge even if it is against our own interests.
      This is good ethical practice.

      It would be very nice if the parcel delivery companies – including EVRi – practised this kind of thing as well.

       

      OT APPROVED, 365MC637, FAROOQ, EVRi, 12.07.23 (BRENT) - J v4.pdf
        • Like
  • Recommended Topics

Breach of GDPR - County Court Claim ***WON***


style="text-align: center;">  

Thread Locked

because no one has posted on it for the last 1755 days.

If you need to add something to this thread then

 

Please click the "Report " link

 

at the bottom of one of the posts.

 

If you want to post a new story then

Please

Start your own new thread

That way you will attract more attention to your story and get more visitors and more help 

 

Thanks

Recommended Posts

You're quite right that an injunction would normally be an order to prevent somebody from doing something. However, I seem to recall that there are positive injunctions where an order can compel somebody to do something. Specific performance, I believe, is a positive injunction which order somebody to carry out the terms of the contract. A duty under the DPA/GDPR would not be a contractual duty.

 

At the end of the day, once you manage to get in front of the judge then whether it is part seven part eight, the judge has a huge amount of discretion and is bound by the prime objective which is to do justice. However, I can certainly imagine that maybe some judges are a bit up themselves and start to become a bit fussy about using the right form form and paying the correct fee.

 

In principle, those judges would be wrong because they are not following the prime objective. However, it's difficult to start arguing with the judge

Link to post
Share on other sites

  • Replies 75
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

This is what the ICO's old document said in their Data Protection Act - Taking Someone to Court document:

 

If you apply for action to be taken to comply with a specific right, this is known as a claim for specific performance. If you are not asking for damages as well, there are two possible procedures the court could adopt to deal with your claim:

 

It listed Part 7 and Part 8 claims, the essential difference between the two being whether there is a dispute of facts or not.

 

You would think that as it's a legal advice document, it would have been drafted by solicitors and barristers who know the court rules.

 

Once you go down the Part 8 claim route, it's really expensive and risky for someone to bring a claim. I believe it's £308 to initiate the claim, then a further £1,090 for the hearing. In my opinion, it's a route someone should only take with legal advice.

 

A Part 7 claim heard in the Small Claims Court, would be £35 for the claim (less than £300 in damages) and £25 for the hearing.

Edited by AnotherLegend
Link to post
Share on other sites

Well we have several potential claims going and so far I've been advising people to sue for a very small amount of money – but not ask for any order. In other words the claim is simply a claim for distress and any other losses that I'm suggesting to people that they ignore any attempt to settle and that they insist on going for judgement. You are entitled to do this without fear of suffering costs if you refuse the offer of your claim, if it is reasonable to continue. My view is that where you have a breach of statutory duty then it is reasonable to continue even in the face of a full offer. I think there is a public interest.

 

I also figure that once there is a judgement against his people for breach of GDPR rules and they are obliged to pay some small amount, that they will quickly comply with whatever requests have been made. If they failed to do that then you simply send another letter before claim and through them again – and again. Once you get a judgement you send a copy to the ICO and if they are regulated firm then you send a copy to the FCA as well.

 

That's the plan. We'll see what happens

Link to post
Share on other sites

… and by the way, I think the ICO definition of specific performance is wrong. I'm sure that is the enforcement of a contractual duty by means of an equitable order. I fail to see how equity can have anything to do with statutory duties. – Although technically an injunction can be an equitable order as well.

 

Despite my own confusion, I'm sure that the ICO is wrong.

Link to post
Share on other sites

Despite my own confusion, I'm sure that the ICO is wrong.

 

I certainly seem to remember that specific performance related to contract law.

 

I am surprised though if the ICO has got it wrong, especially as the Ministry of Justice was actively referring to their document about taking court action under the DPA.

 

In terms of the new DPA and compliance orders, this is what the law says:

 

167 Compliance orders

 

(1) This section applies if, on an application by a data subject, a court is satisfied that there has been an infringement of the data subject’s rights under the data protection legislation in contravention of that legislation.

 

(2) A court may make an order for the purposes of securing compliance with the data protection legislation which requires the controller in respect of the processing, or a processor acting on behalf of that controller—

 

(a) to take steps specified in the order, or

 

(b) to refrain from taking steps specified in the order.

 

(3) The order may, in relation to each step, specify the time at which, or the period within which, it must be taken.

 

(4) In subsection (1)—

 

(a) the reference to an application by a data subject includes an application made in exercise of the right under Article 79(1) of the GDPR (right to an effective remedy against a controller or processor);

 

(b) the reference to the data protection legislation does not include Part 4 of this Act or regulations made under that Part.

 

(5) In relation to a joint controller in respect of the processing of personal data to which Part 3 applies whose responsibilities are determined in an arrangement under section 58, a court may only make an order under this section if the controller is responsible for compliance with the provision of the data protection legislation that is contravened.

 

I will be talking to someone next week who should know the court procedure for bringing an action to force compliance.

Link to post
Share on other sites

Here is an update on my claim.

 

The compnay failed to comply so I sent an LBA by recoded delivery.

Up until them receiving the LBA they had failed to respond to me in at all.

 

They responed immediately to the LBA by sending me a form to complete for the SAR and also a request for certified ID.

They say once they have the completed forms and ID they will respond under GDPR rules.

 

They are already in breach anyway because my request to them was made 5 weeks ago.

In my opinion they do not need my ID, they have corresonded with me at my address for many years even to the point of posting out to me a user name and password to enable me to log into my online account.

Link to post
Share on other sites

Yes, they have already breached the DPA 2018/GDPR by failing to provide your personal data within 1 month of your request.

 

On the issue about identity, the ICO says on their website, "You need to let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their request."

 

Are they registered as a data controller on the ICO website?

I would send them an email, giving them 5 working days to respond to your SAR.

 

You could attach a copy of your driving licence if you want, but in your case it seems like the existing communication is sufficient for them to identify who you are.

Link to post
Share on other sites

They cannot require you to fill in a form.

 

If your request was very vague then I suppose they could ask you for clarification as to what data you wanted.

 

I don't think they can require that you send them certified copies of your ID either although I don't think it's unreasonable for them to want some proof of identity.

 

I make a point of sending photocopies of my passport and a recent bank statement with my SAR letter.

 

Assuming you have already provided proof of identity and your communications were sufficiently detailed then they are compounding their initial breach by these throwing up these delaying tactics

Link to post
Share on other sites

The ICO also gives further guidance surrounding the requirement for ID, which says...

 

If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.

 

The important point of that sentence would appear to be "If you have doubts", I'd be asking why they have any doubt as to your identity :wink:

 

As for their form, well, whilst I'll admit that I am particularly bloody minded when it comes to things like this, they've got absolutely no right to insist that you use anything that they provide you with. Which is an argument that I've just had (and won) with my local authority. The people on the 'public facing' counter said (more or less) that I had to use their form when I made an SAR verbally. So I emailed the Data Protection Officer directly.

 

Incidentally, they would not give me that email address, so I rang up the local authority while sitting in front of them and got the email address. They were not happy!

 

The upshot of that is... They are now processing my SAR :lol:

Please note that my posts are my opinion only and should not be taken as any kind of legal advice.
In fact, they're probably just waffling and can be quite safely and completely ignored as you wish.

Link to post
Share on other sites

  • 3 weeks later...

Update on my claim:

I sent a complaint to the ICO on the 6 July but apart from an acknowledgement have heard nothing from them, though the acknowledgement did say that it could be up to 3 weeks before I get a response. Phoning the ICO is a waste of time, I gave up after being on hold for 40 minutes.

 

Today I have submitted my County Court Claim, the defendant has until 13 August to respond.

 

I'll keep you informed of progress

Link to post
Share on other sites

Update on my claim:

I sent a complaint to the ICO on the 6 July but apart from an acknowledgement have heard nothing from them, though the acknowledgement did say that it could be up to 3 weeks before I get a response. Phoning the ICO is a waste of time, I gave up after being on hold for 40 minutes.

 

The ICO is heavily backlogged. They are currently dealing with cases through the end of May 2018, so it will be at least another 6 weeks or so before you complaint even gets assigned to a caseworker.

 

Today I have submitted my County Court Claim, the defendant has until 13 August to respond.

 

You submitted an N1 or N208 claim form? Did you have to pay the £308 non-monetary fee? You realise that a hearing will cost £1,090 (multi-track)?

Link to post
Share on other sites

You submitted an N1 or N208 claim form? Did you have to pay the £308 non-monetary fee? You realise that a hearing will cost £1,090 (multi-track)?

 

No, there is a new type of claim process, you simply fill in the details step by step and the claim is issued. It cost me £25, I have only claimed for expenses and distress in pursuing this following Bankfodders advice.

Link to post
Share on other sites

So you didn't ask for an order for compliance with your SAR?

 

No, at the end of the day they will have to comply, the ICO should make sure they do. If I win the claim then they will have to pay me, then if they fail to comply with their statutory duty to send me my SAR then I will just submit another Court claim for my expenses and distress.

Link to post
Share on other sites

I think in cases where a data controller fails to respond to a SAR, then I probably would file a Part 8 claim. As long as you have evidence the SAR was received, they haven't complied and they are a data controller, then I cannot see what possible argument they could use to defend a claim.

 

The ICO *should* issue an enforcement order if they still don't respond to your SAR, the downside is you could be looking at 6 months+ to get to this stage.

Link to post
Share on other sites

  • 2 weeks later...

Here is an update on my claim,

just to re-iterate

I put in a SAR on the 30 May 2018,

it was received by the company on 31 May 2018 and signed for.

They did not respond whatsoever and never sent me my SAR.

 

As well as reporing them to the ICO for breach of the GDPR

I sent an LBA to the company on the 2 July 2018 received by them and signed for on the 3 July 2018.

 

They responed immediately to the LBA by sending me a form to complete for the SAR and also a request for certified ID saying once the forms are completed and ID provided then they will process my application in 30 days.

At this point they were already in breach as they had not provided my SAR within the 30 day period.

 

In my opinion they do not need my ID,

they have corresponded with me at my address for many years even to the point of posting out to me a user name and password to enable me to log into my online account and also send me monthly statements by post.

 

In any case the request for ID came after the 30 day deadline.

 

I submitted a money claim on the 25 July 2018 for expenses and distress (as per advice from Bankfodder).

 

I have now received a letter from the company stating they will defend any claim for these reasons.

 

1. I sent the SAR request to the wrong person and not the data controller.

 

2. I have not sent in my certified ID.

 

3. The 30 day period for an SAR does not start until I have provided ID regardless of when the request was made

they are inferring that regardless of the fact that it took them well over 30 days to acknowledge my SAR and then request ID they are not in breach because they have requested I provide ID.

 

Comments are welcome,

I am wondering if I should respond to them or just allow them to submit their defence to the Court?

My thoughts are that the Court might take a dim view if I do not try to settle with them prior to a hearing.

 

Incidentally I have still to hear from the ICO, apparently they have a massive backlog.

Edited by dx100uk
spacing
Link to post
Share on other sites

1. I sent the SAR request to the wrong person and not the data controller.

 

Who did you sent the SAR to? Was it a named individual?

 

2. I have not sent in my certified ID.

 

I believe they would need to demonstrate they have had doubts about your identity.

 

Where a controller—

 

(a)reasonably requires further information—

 

(i)in order that the controller be satisfied as to the identity of the individual making a request under subsection (1), or

(ii)to locate the information which that individual seeks, and

 

(b)has informed that individual of that requirement, the controller is not obliged to comply with the request unless the controller is supplied with that further information.

 

The law isn't quite as stringent as the ICO's guidelines.

 

3. The 30 day period for an SAR does not start until I have provided ID regardless of when the request was made so they are inferring that regardless of the fact that it took them well over 30 days to acknowledge my SAR and then request ID they are not in breach because they have requested I provide ID.

 

The first part is wrong. I guess the second part could be argued and the judge would want to know why you did not provide your ID, when requested.

Link to post
Share on other sites

I'm having the same issue with Opos

 

Sent in SAR to their DPO, they responded 2 weeks later asking for ID and me to fill in their form

 

I refused stating I didn't have to fill their form in as per the GDPR guidelines

 

Didn't sent any ID in either due to the fact that the company has been conversing with me by the same email address for a number of years and have also answered complaints to the same email address in the past 3 months

 

I have also issued a small claim against the DPO personally and have been told by email that he shall be defending the claim

 

Heres my thread so far - https://www.consumeractiongroup.co.uk/forum/showthread.php?488580-DSAR-Opos-Ltd&p=5138624#post5138624

 

you will see that Opos have tied themselves in Knots with the stuff they have been sending me and I shall not be withdrawing my claim

Link to post
Share on other sites

Sent in SAR to their DPO, they responded 2 weeks later asking for ID and me to fill in their form

 

I refused stating I didn't have to fill their form in as per the GDPR guidelines

 

But the ICO's guidance recommends data controllers use a form...

 

Didn't sent any ID in either due to the fact that the company has been conversing with me by the same email address for a number of years and have also answered complaints to the same email address in the past 3 months

 

I don't think it's unreasonable for them to ask for your ID, or at least further information to verify that it was you making the SAR.

 

They need to know it is you sending the SAR and there is no way of them knowing that the person behind the email account is actually you.

 

I have also issued a small claim against the DPO personally and have been told by email that he shall be defending the claim

 

You issued the claim against the individual rather than the company? Why did you do this?

Link to post
Share on other sites

Who did you sent the SAR to? Was it a named individual?

 

 

 

I believe they would need to demonstrate they have had doubts about your identity.

 

Where a controller—

 

(a)reasonably requires further information—

 

(i)in order that the controller be satisfied as to the identity of the individual making a request under subsection (1), or

(ii)to locate the information which that individual seeks, and

 

(b)has informed that individual of that requirement, the controller is not obliged to comply with the request unless the controller is supplied with that further information.

 

The law isn't quite as stringent as the ICO's guidelines.

 

The first part is wrong. I guess the second part could be argued and the judge would want to know why you did not provide your ID, when requested.

 

The Judge could argue that but that is irrelevant, the SAR was already over the 30 day period and at no time in that period did they ask for ID. They only asked for ID when I sent the LBA - which was AFTER the deadline had expired.

 

They have asked for ID, the only reason given is to protect the identity of individuals, as I have said they have no problem corresponding with me, they send me monthly statements and als sent me login and password details for my online account ALL BY POST to my home address which is the one I used to get an SAR. Also I have just realised that they had my ID sent to them 2 years ago on the matter of confirming if I was still alive for pension purposes.

Link to post
Share on other sites

the ICO's guidance states -

 

Should we provide a specifically designed form for individuals to make a SAR

 

Standard forms can make it easier both for you to recognise a SAR and for the individual to include all the details you might need to locate the information they want.

 

Recital 59 of the GDPR recommends that organisations provide means for requests to be made electronically, especially where personal data are processed by electronic means,. You should therefore consider designing a subject access form that individuals can complete and submit electronically

 

However, even if you have a form, you should note that a SAR is valid if it is submitted by any means, so you will still need to comply with any requests you receive in a letter, standard email or verbally.

 

Therefore, although you may invite an individual to use a form, you must make clear that this is not compulsory and do not try to use this as a way of extending the one month time limit for responding.

Link to post
Share on other sites

in regards to issuing against the individual it state in GDPR article 82 that the controller is liable for the damage caused

 

Also in regards to the ID, as the OP the company has had no problems with emailing me about the alleged account or responding to complaints to the same email address.

Link to post
Share on other sites

  • Recently Browsing   0 Caggers

    • No registered users viewing this page.

  • Have we helped you ...?


×
×
  • Create New...