Jump to content


SAR - proof of ID & ICO


vortexvelocity
style="text-align: center;">  

Thread Locked

because no one has posted on it for the last 2072 days.

If you need to add something to this thread then

 

Please click the "Report " link

 

at the bottom of one of the posts.

 

If you want to post a new story then

Please

Start your own new thread

That way you will attract more attention to your story and get more visitors and more help 

 

Thanks

Recommended Posts

Hello Caggers just after a bit of guidance,

 

I have sent a SAR to HSBC and pretty much been ignored

ended up lodging complaints to FOS and ICO, the end game is all about PPI.

 

I am corresponding with ICO and they will only get involved if HSBC have refused or ignored my request.

 

I told the ICO my request has been ignored and sent them a signed receipt for the SAR delivered into a HSBC branch for delivery through internal mail system to HSBC data controller.

 

The ICO have now come back and said this is not proof the bank have received the SAR and not proof the bank have been given proof of ID.

Is this similar to other folks experience with ICO.

 

How can I prove when the SAR was delivered to HSBC with my proof of ID that's exactly what it was and nothing else.

 

Happy to provide more info from the ICO email TIA.

Edited by dx100uk
Spacing
Link to post
Share on other sites

I thought you were abroad?

please don't hit Quote...just type we know what we said earlier..

DCA's view debtors as suckers, marks and mugs

NO DCA has ANY legal powers whatsoever on ANY debt no matter what it's Type

and they

are NOT and can NEVER  be BAILIFFS. even if a debt has been to court..

If everyone stopped blindly paying DCA's Tomorrow, their industry would collapse overnight... 

Link to post
Share on other sites

I thought you were abroad?

 

Certainly am, so my options are slightly limited, i really thought a signed stamped receipt from HSBC addressed to their data controller was proof enough I have sent them a SAR and being ignored but ICO ar not accepting this just makes it harder than it needs to be.

Link to post
Share on other sites

why did you send your sar into a branch

why not head office UK

please don't hit Quote...just type we know what we said earlier..

DCA's view debtors as suckers, marks and mugs

NO DCA has ANY legal powers whatsoever on ANY debt no matter what it's Type

and they

are NOT and can NEVER  be BAILIFFS. even if a debt has been to court..

If everyone stopped blindly paying DCA's Tomorrow, their industry would collapse overnight... 

Link to post
Share on other sites

It doesn’t matter. It was delivered to HSBC as required by the GDPR, the GDPR does not state that the SAR has to be delivered to the actual DPO in order to be taken as delivered. I would go back to the ICO and tell them that the SAR was delivered to the bank in line with the GDPR and as per the receipt you have and that the ICO is obligated under their statutory duty to investigate this lack of compliance. Inform them if they do not then you will be escalating to the information tribunal. Get ICO to reply in writing that they will not investigate the matter any further and then you have 28 days to refer to the tribunal. I have done this with the ICO previously and it got the matter sorted more quickly.

Link to post
Share on other sites

why did you send your sar into a branch

why not head office UK

I sent a SAR recorded delivery and Royal Mail lost it so I thought it was a guaranteed way of making sure it got there but as far as the case worker at ICO is concerned it only prooves the branch had a letter and not its content and proof of ID.

Link to post
Share on other sites

The ICO caseworker is wrong. There is no obligation for ID. It only required at the discretion of the controller where they are unsure of the data subject requesting the info. And the fact that you sent a letter and state it was a SAR is sufficient to meet the GDPR. Otherwise no company or controller would ever have to reply to a SAR thus totally defeating the objective

Link to post
Share on other sites

to ascertain that the request is from the said person then controller has need to make sure the person requesting is the named person concerned = there for copy of evidence is required, be it council tax copy/passport etc etc always send 2 items, and handing it into a bank counter the person receiving needs to certify the legitimacy of the customer handing request in:

 

HSBC use to be hot on that and probably still are

:mad2::-x:jaw::sad:
Link to post
Share on other sites

to ascertain that the request is from the said person then controller has need to make sure the person requesting is the named person concerned = there for copy of evidence is required, be it council tax copy/passport etc etc always send 2 items, and handing it into a bank counter the person receiving needs to certify the legitimacy of the customer handing request in:

 

HSBC use to be hot on that and probably still are[/quote

It all depends on the relationship between the data subject and the controller. The request for I’d must meet the objective of reasonableness and proportionality. The art 29 working party states

“Thus you should ask for enough information to judge whether the person making the request is the individual to whom the personal data relates whilst at the same time being reasonable and not simply requesting large amounts of information just “because that’s what your system requires”.

 

Thus, if the identity of the person making the request is obvious or you have an ongoing relationship with them (for example as an existing client, employee or currently used contractor) then simpler checks would be more appropriate than if the person had not been in contact with your firm for some time. On the other hand not asking for verification when there is scope for fraud or misuse would be unwise.“

Link to post
Share on other sites

Does the bank's receipt say what it is a receipt for? ie does it specifically state it is a receipt for an SAR + proof id? If, for example, it just said it was a receipt for an envelope addressed to xyz bank plc could ICO be arguing that it could have been anything in the envelope?

 

 

What's the exact wording of the receipt (personal details removed)?

Link to post
Share on other sites

  • Recently Browsing   0 Caggers

    • No registered users viewing this page.

  • Have we helped you ...?


×
×
  • Create New...