

vortexvelocity

SAR - proof of ID & ICO


Hello Caggers just after a bit of guidance,

 

I have sent a SAR to HSBC and pretty much been ignored

ended up lodging complaints to FOS and ICO, the end game is all about PPI.

 

I am corresponding with ICO and they will only get involved if HSBC have refused or ignored my request.

 

I told the ICO my request has been ignored and sent them a signed receipt for the SAR delivered into a HSBC branch for delivery through internal mail system to HSBC data controller.

 

The ICO have now come back and said this is not proof the bank have received the SAR and not proof the bank have been given proof of ID.

Is this similar to other folks' experience with ICO?

 

How can I prove when the SAR was delivered to HSBC with my proof of ID that's exactly what it was and nothing else?

 

Happy to provide more info from the ICO email TIA.


I thought you were abroad?


I thought you were abroad?

 

Certainly am, so my options are slightly limited, I really thought a signed stamped receipt from HSBC addressed to their data controller was proof enough I have sent them a SAR and being ignored but ICO are not accepting this just makes it harder than it needs to be.


Why did you send your SAR into a branch?

Why not head office UK?



It doesn't matter. It was delivered to HSBC as required by the GDPR, the GDPR does not state that the SAR has to be delivered to the actual DPO in order to be taken as delivered. I would go back to the ICO and tell them that the SAR was delivered to the bank in line with the GDPR and as per the receipt you have and that the ICO is obligated under their statutory duty to investigate this lack of compliance. Inform them if they do not then you will be escalating to the information tribunal. Get ICO to reply in writing that they will not investigate the matter any further and then you have 28 days to refer to the tribunal. I have done this with the ICO previously and it got the matter sorted more quickly.

Why did you send your SAR into a branch?

Why not head office UK?

I sent a SAR recorded delivery and Royal Mail lost it so I thought it was a guaranteed way of making sure it got there but as far as the case worker at ICO is concerned it only proves the branch had a letter and not its content and proof of ID.


The ICO caseworker is wrong. There is no obligation for ID. It is only required at the discretion of the controller where they are unsure of the data subject requesting the info. And the fact that you sent a letter and state it was a SAR is sufficient to meet the GDPR. Otherwise no company or controller would ever have to reply to a SAR thus totally defeating the objective.


To ascertain that the request is from the said person then controller has need to make sure the person requesting is the named person concerned = therefore copy of evidence is required, be it council tax copy/passport etc etc always send 2 items, and handing it into a bank counter the person receiving needs to certify the legitimacy of the customer handing request in:

 

HSBC used to be hot on that and probably still are


To ascertain that the request is from the said person then controller has need to make sure the person requesting is the named person concerned = therefore copy of evidence is required, be it council tax copy/passport etc etc always send 2 items, and handing it into a bank counter the person receiving needs to certify the legitimacy of the customer handing request in:

 

HSBC used to be hot on that and probably still are

It all depends on the relationship between the data subject and the controller. The request for ID must meet the objective of reasonableness and proportionality. The Art 29 Working Party states:

"Thus you should ask for enough information to judge whether the person making the request is the individual to whom the personal data relates whilst at the same time being reasonable and not simply requesting large amounts of information just 'because that's what your system requires'.

Thus, if the identity of the person making the request is obvious or you have an ongoing relationship with them (for example as an existing client, employee or currently used contractor) then simpler checks would be more appropriate than if the person had not been in contact with your firm for some time. On the other hand not asking for verification when there is scope for fraud or misuse would be unwise."


Does the bank's receipt say what it is a receipt for? ie does it specifically state it is a receipt for an SAR + proof id? If, for example, it just said it was a receipt for an envelope addressed to xyz bank plc could ICO be arguing that it could have been anything in the envelope?

 

 

What's the exact wording of the receipt (personal details removed)?


HSBC - a few years back made a statement to ICO = "That all SAR Requests will be timed" after a complaint by me to ICO, = a commitment by HSBC to ICO:- knew it was lies as usual from that inept Bank

