Raising a claim for incomplete SAR disclosure. How to punish them?

[king12345]

Hi, i submitted a sar to the naughty boys & girls at my management company and of course they didn't comply fully.

So I gave them some more time and pointed out what was missing.

For the past 4 weeks every Thursday I get the same email saying that they're still locating what i asked for and they'll come back to me end of following week.

So far it's been 2 months since my sar and of course at day 32 i reported them to the ico but nothing happened apart from obtaining a confirmation email that the complaint had been submitted.

Just for info, i knew they had dirty emails about me and other leaseholders and a couple of them were erroneously disclosed, so i asked for the replies and they're now panicking. 

Other email which I obtained by their mistake talks about covering up wrongdoings and surely there are replies to it which have not been disclosed.

They initially claimed that all replies were "off-record" (LOL), then that it was "financially sensitive material" (i.e. don't put that in the accounts, otherwise he'll find out we're milking it).+++

How do i take them to court for a nominal £1?

Would this be kicked out of court by upset judge?

Or the fact they breached the legislation forces the judge to find against them?

That considering that I would not accept any negotiations and go for judgement.

Also, should i wait for the ico?

Thanks for any input.

[BankFodder]

You could certainly bring a claim against them in the County Court.

If you want to do it the proper way – although rather more long-winded – you would bring a part 8 claim which is not a money claim and would probably have to be issued over-the-counter at the court.  The claim goes on to the multitrack which means that if you lose then you could be liable for the other side's costs. This would be the way to get a proper finding that they are in breach of their statutory duty. 

The easier way is simply to bring a small claim for a nominal sum – maybe £25 – justified by the distress that you have suffered (presumably you haven't suffered any pecuniary loss). On the basis of what you say this would bring a judgement in your favour and there will be an implication that they were in breach of statutory duty and I would certainly send a copy of the judgement to the ICO. Because it will be subject to the small claims rules then even if you lost you would not have to pay the other side's costs.

[king12345]

Ok, thanks.

I just thought, if i wait for them to disclose more stuff, wouldn't that be hard evidence of their breach?

Would this make the section 8 much less risky?

 

If instead i went for the easy option of small claim £25, isn't there a risk that the judge would get mad, throw the case out and punish me with costs?

Or is a judge strictly bound to punish the party that did not respect the law?

Thanks

[BankFodder]

You seem to be using the word "punish" a lot in this thread.

It's got nothing to do with punishment. It's simply about compensating you for your loss. Unusually, with data protection breaches you are entitled to put in a claim simply for distress that you might have suffered as a result of the breach. Furthermore, in small claims, costs are not order against the loser unless they litigate extremely unreasonably.

 

[king12345]

That's what i mean.

Wouldn't the judge find it unreasonable to take a company to court for £25 without giving them a chance to settle out of court?

 

I use the word "punish" because this is what I want, a punishment for a long standing mick taking from their side.

They've given me most of the last 5 years charges back because their accounts are "incorrect" (so they call them).

Despite this they're always trying new ways to upset leaseholders,  me in particular.

Latest one was an attempted charge of over £500 sent to my wife instead of me, thinking "maybe she'll just pay it".

When challenged they sent a spreadsheet to justify this request,  but unfortunately it had been tampered with by some illiterate monkey and they made the balance £0.

They failed to explain these 2 points.

So, yes, I want to punish them badly, bruise them and if I could shut them down.

Edited June 7, 2019 by king12345

[craigten]

Hi King 12345,

 

I'm running a similar thread (but haven't used the word punish...but I guess I should have, Lol)

 

I've been doing a lot of research on this and I will post two items that you may find of help. I believe they have 'infringed', rather than 'breached':

 

Link here, text below:

https://gdpr.algolia.com/gdpr-article-82

Art. 82 GDPR

Right to compensation and liability

1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. 1Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. 2A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).

 

Also, I use 'Live chat' with the ICO and it's really helpful. They advise that it can take up to three months for them to investigate...but it is hugely beneficial to go to court with that judgement behind you! Best to be safe than sorry!

 

I had this helpful post from mrabody on my other thread regarding quantifying compensation:

Take a look at Halliday v Creation Consumer Finance Limited. The claimant was awarded £750 for distress for what the court held to be a minor breach. 

 

https://www.hempsons.co.uk/news-articles/damages-distress-awarded-breach-data-protection-act/

 

In your case I would suggest the breach is considerably more serious as HSBC has lost your data.   They think it may have been destroyed but they have no proof. The fact is they have no clue as to where it is or who has it.   So in addition to the potential loss of your PPI refund I think the distress component is considerably higher than in Halliday. How much higher I cannot say - but you need to start canvassing the case law on damages for distress.   

 

What I would love to know is whether anyone has gone the small claims route for infringement (failing to supply all the data)...I'm going to start a fresh thread asking this now....

By the way, my former employer asked for a £900 fee to find all emails with my name included in them. I have had a rather tumultuous 11 months since then but am now back on this so will report them to the ICO tomorrow. 

[king12345]

Interesting,  thanks.

I had read the £750 sentence and it's just right that large organisations pay this kind of money for minor distress, this would in time set a very high compensation rate for serious breaches/infringements.

So banks need to be aware.

I am playing a waiting game.

After the first 30 days, they kept on sending me an email every thursday saying that they will make the rest of the disclosure next week.

This has happened for 4 weeks already.

Of course i submitted a complaint to ICO on day 32 but heard nothing yet.

I sent the company a response to their delaying email saying that all disclosure must be complete without any form of tampering. 

Just to remind, they sent me (by mistake) a few internal emails in which a manager asked to manage me carefully because i could revealed things to other leaseholders and this would be a problem.  He then asks specific questions on how to shut my campaign down, but apparently nobody ever responded.

I asked for these responses and i think now they are modifying them so to cover their wrongdoings. 

But i am confident that they are of such incompetence that they will screw things up for themselves and produce something damning.

In any case as soon as they send anything i will take them to court as they're now out the month statutory timeframe by 4 weeks.

[craigten]

I had read the £750 sentence and it's just right that large organisations pay this kind of money for minor distress, this would in time set a very high compensation rate for serious breaches/infringements.

So banks need to be aware.

I agree and would never do this to a small organisation that was struggling with the data, but banks, in my opinion, delay deliberately.

 

 

But i am confident that they are of such incompetence that they will screw things up for themselves and produce something damning.

This made me giggle!!

[king12345]

You think i'm joking?

I'm not.

These fools sent me a doctored document to prove i was in arrears and using a calculator the balance was nil.

They are a proper bunch of halfwit pompous monkeys.

No surprise they are neighbours to many politicians in an affluent borough (richmond)

[craigten]

Oh I don’t doubt you, I just find it brilliant and amusing.

 

All I’ll add is don’t be too confident they’ll be foolish forever, be prepared for them getting their act together. No harm in being prepared!!!

[king12345]

It will probably take them a decade.

[jotty]

Done a couple of these recently where companies have failed to send the DSAR info, the first paid me the £75 and sent the info within days and the second one have paid the £100 i claimed but haven’t yet supplied the info so I haven’t cashed the cheque yet and requested judgement based on them not settling fully. They will rogue that the fee charged has been paid by sending me they cheque but i am happy to go to court and make them explain to a judge why i am claiming damages.

[craigten]

Excellent. Good for you!

Interesting to read that the apparent minimum for a breach is £750.....

This from one of my other threads;

 

Take a look at Halliday v Creation Consumer Finance Limited. The claimant was awarded £750 for distress for what the court held to be a minor breach. 

 

https://www.hempsons.co.uk/news-articles/damages-distress-awarded-breach-data-protection-act/

[king12345]

I wouldn't call that a minimum really.

In that case they messed up quite badly by saying that they didn't know if the data was destroyed or lost.

A minimum standard would be set for a couple of documents disclosed late and i don't think it would be any near the £750.

[craigten]

The court held it to be a minor breach.

[craigten]

17 hours ago, jotty said:

Done a couple of these recently where companies have failed to send the DSAR info, the first paid me the £75 and sent the info within days and the second one have paid the £100 i claimed but haven’t yet supplied the info so I haven’t cashed the cheque yet and requested judgement based on them not settling fully. They will rogue that the fee charged has been paid by sending me they cheque but i am happy to go to court and make them explain to a judge why i am claiming damages.

 

I’m intrigued - how did you come to the amounts of £75 and £100, if you don’t mind me asking? 

Cheers.

Edited June 17, 2019 by craigten

[jotty]

They where estimates of the time taken to prepare the requests and then prepare the court papers, much like when they charge me £50 a month in additional admin fees just for pressing send on a keyboard.

 

I could have asked for more but as each company has a cost threshold before they decide to contest I didn't want to incur any further charges by being greedy unlike the companies we have to deal with.

[craigten]

Oh I didn’t know that. Any idea what those thresholds are?

Also, what could they contest - the amount you’re claiming for?(as they couldn’t contest that they have infringed GDPR)

Edited June 17, 2019 by craigten

[jotty]

30 minutes ago, craigten said:

Oh I didn’t know that. Any idea what those thresholds are?

Also, what could they contest - the amount you’re claiming for?(as they couldn’t contest that they have infringed GDPR)

The threshold will vary from company to company but I have worked on the estimate of £1000 and less as to instruct a solicitor to defend would cost more than this, but it depends how serious they are and how sure they feel about not giving out info.

 

Its all about putting them on the spot legally to show that their procedures are flawed and how can we be satisfied they are going to adhere to GDPR rules if they cant even supply the info. Not sure how seriously the ICO would take the fact that any company had a ccj based on their non compliance but am certain it would't do any harm to their investigation.

[craigten]

Well I have to say that I feel that without people like you (and hopefully me) to actually make them pay for not adhering, then they will just carry on not respecting either GDPR or the people making the DSARs. 

[craigten]

It’s strange - this forum have been great but I did post on another forum about the mere possibility of making a claim against organisations that don’t adhere to the timelines of GDPR or who don’t provide all the data and the heat I got from it was incredible. It’s as if doing what we are doing is frowned upon in some way?

[jotty]

We haven't won anything yet, and sadly a lot of people don't know what to look for when they get the documents from the SAR. That's why we all need people like Bankfodder and dx on here.

 

Very important is not to give up and keep asking rather than letting things go as that's what all these companies want.

[king12345]

My earlier question went unanswered,  so here it is again:

 

Wouldn't the judge find it unreasonable to take a company to court for £25 without giving them a chance to settle out of court?

[craigten]

I might be wrong here but the lead up to a small claims court decision IS the chance to settle out of court?

[king12345]

Hence my question. 

But it's been suggested not to give them a chance to settle out of court