Jump to content

 

BankFodder BankFodder


Redmountie

GDPR - Nissan head office data disclosure Issues

Recommended Posts

I submitted a SAR to Nissan Customer Services (Head Office) on 09-01-2020. I had an email from them on 10-01-2020 to acknowledge receipt of my SAR request. 
 
I calculated that 1 calendar month would mean the SAR was due on Thursday 9 February 2020. 
 
I haven’t heard anything back from them until yesterday, when i received an email to say they were still processing my request and that they were hoping to have it done by 20 February
 
I am annoyed that
(a) they didn’t communicate there was going to be a delay in their compliance until a week after the statutory deadline has expired and
(b) they have failed to comply with their statutory obligations. 
 
What’s my next steps? 
 
I am happy to submit an N1 but do i need to give them an LBA before i submit an MCOL and what do i need to put in the claim? 
 
Any help would be really appreciated. 

Share this post


Link to post
Share on other sites

pers I wouldn't start waving court papers around just yet.

yes ok they've not met the deadline

and yes you could push for compo etc etc.

but I've a feeling that will be the least of your issues.

 

 


please don't hit Quote...just type we know what we said earlier..

 

if everyone stopped blindly paying DCA's tomorrow

the biggest financial industry in the UK, the whole DCA industry would collapse overnight.

 

 

Share this post


Link to post
Share on other sites

Well today is the 20th so let us know if you have had a disclosure by the end of the day.
 

Of course you can bring a claim for breach of statutory duty – but in order for it to be a small claim you would have to claim an amount in financial compensation. Luckily under the data protection laws you can claim for distress without having to prove any physical damage or economic loss.
I happen to know that you have some experience of bringing a successful data protection claim in the past - which was settled quite advantageously out-of-court.

If you want to bring a small claim then I would suggest that you would have to alleged the distress and claim for, say, £50 – but it is a bit early to do this.

You certainly would have to send them a letter of claim and give them 14 days.


Share this post


Link to post
Share on other sites

Has there been any disclosure?


Share this post


Link to post
Share on other sites

**Please note this thread relates to my DSAR with NISSAN (Head Office) UK and not an independent dealer (seperate thread)**

 

09-01-2020 - SAR submitted to Nissan Customer Services (Head Office) on 09-01-2020 (compliance date 10-01-2020). 

10-01-2020 - Acknowledgement receipt of SAR request. 

10-02-2020 - Niassan fails to provide SAR within prescribed timeframe (no communication to advise of delay). 

17-02-2020 - Email from Nissan Customer Services (Head Office) apologising for delay in SAR request. Still working on it.  

19-02-2020 - Emailed Nissan Customer Services (Head Office) advising they had failed to comply and advising I was going to be submitting an N1 POC and asking the ICO for a statutory assessment in relation to there non-compliance.  Received an email receipt notification from them. 

19-02-2020 - Completed ICO Complaint Form and submitted to Casework email address.

22-02-2020 - Email response from ICO Case Officer advising that they believe Nissan has infrigned the DPA by failing to respond to my SAR within the prescribed timeframe.  They state they are writing to them to explain there view. 

25-02-2020 - Data stick containing SAR arrives but at wrong address (told them in my email on 19-02-2020 they had been sending me previous communication to an old address - yet they still sent my SAR (data stick) to that old address).  Luckily i still have a 12 month Royal Mail Re-Direction in place, otherwise i would never have received the SAR. 

 
So now they have made full disclosure, via the USB stick. 
 
However, I still haven't had any acknowledgement to my email dated 19-02-2020. 
 
What do you think my next steps are? 
 

Share this post


Link to post
Share on other sites

So we have two data breaches. Firstly they failed to comply with the statutory deadline – relatively minor – but distressing all the same if you don't know where you stand.
Secondly they have committed a far more serious data breach by sending your data to 1/3 party address. It's only by chance that your personal data didn't fall into the hands of a stranger. This itself could be distressing

When did you first tell them about your address change? Do you have evidence?


Share this post


Link to post
Share on other sites

Hi BF,

 

So I have now reviewed the SAR data on the USB data stick Nissan provided. 

 

They have encrypted several phone calls on the USB and given me the password seperately.  Having successfully used the password to gain entry to the folder containing the calls, when i click on the links (via a webiste called hightail) it takes me to a landing page, which then says the page you are viewing does not exist.  So in my opinion, I still haven't got full disclosure. 

 

In relation to having proof I told them i have changed address, yes i have this.  The SAR notes they have provided, clearly shows that i told them of the change of address, via a telephone call I made to them on 10-01-2020.  I again advised them of the change of address, in my DSAR non-compliance complaint email, which i sent to them on 19-02-2020. 

Edited by Redmountie

Share this post


Link to post
Share on other sites

So a third  data breach. Even more distressing.

Of course if it were a bank they will be extremely keen not to have this kind of judgement recorded against them and so they might well offer you a settlement far greater than your initial claim. Because this is a car dealer, it won't seem as important to them. However, you don't seem to have suffered any economic loss, luckily under the data protection legislation you can sue for distress caused to you and your family by any breaches of the data protection rules.

So it's up to you. I would have thought that you could try suing them for a couple of hundred quid – in the expectation that they realise that they have screwed it up and they won't defend. If they did defend innuendo hearing then of course you would risk your claim fee and your hearing fee and you would have to explain to a judge the extent of your distress and why you considered that that it was worth £200.

I think the chances are that Nissan would put their hands up. Especially in view of the fact that you have got this very helpful letter from the ICO.

I would start off immediately by making further complaints to the ICO – using the same reference number because that will probably speed things up. I'm extremely impressed that you've managed to get a response back from the ICO so quickly. Maybe they have got new resources.

After that, the next move is down to you. Do you want to sue them for a couple of hundred quid on the Small Claims Court for these breaches of the data protection act?


Share this post


Link to post
Share on other sites

BF,

 

As always sound advice - thank you. 
 

I am really disappointed with the continued level of poor service From Nissan UK, not to mention there fragrant disregard of there statutory obligations. 
 

Are you able to help me draft a POC please? As you know I have done one previously but this was under DPA 1998 and your feedback was the wording could have been better. Happy to do an MCOL and get cracking. 
 

Do I need to go back to Nissan and tell them that there files are corrupted and that i can’t gain access - therefore the SAR is not fully complete? 

 

i will redact and post up the ICO response as soon as i can access my laptop. 

Share this post


Link to post
Share on other sites
Quote

This claim is in respect of the defendants breaches of the Data Protection Act 2018. On XXX date the claimant made a request to the defendant for a statutory data disclosure. The defendant breached their statutory duties in that: they failed to provide the disclosure within the statutory period of 30 days. The disclosure was incomplete. They sent the disclosure to a an address which was not the claimant's. The information Commissioner has offered a preliminary view that the defendant has breached their statutory duty in failing to comply with the statutory time limit.This has caused distress to the claimant. The ICO is considering the other breaches. The claimant seeks £250 in compensation.

 

I suggest that you click the tick box to say that you are going to send further particulars of claim. You should draft the particulars claim numbered by paragraph – chronologically – explaining the breach is a little more clearly but without too much narrative. Explain the distress in numbered paragraphs.

If you like to draft and post it here then we can have a look.

 

As I have said, make the other complaints to the ICO immediately. Even if you don't hear back – get underway so that you can refer to it in your claim.


Share this post


Link to post
Share on other sites

In the

xx xx Civic Justice Centre

 

Claimant name and address

xxxxxxxx xxxxxx

xx xxxxxx xxxx

xxxxxxxxxxx

xxxxxxxxxxxxxx

xxxx xxx

 

Defendants name and address

Nissan Motor (GB) Limited, The Rivers Office Park, Denham Way, Maple Cross, Rickmansworth, Hertfordshire, WD3 9YS.

 

Brief details of claim
Damages???? (Just this)
 

Value

£225

 

Particulars of claim

1. This claim is in relation to the Respondents breaches of the Data Protection Act 2018. 

 

2. The Respondent is a Data Controller within the meaning of the Data Protection Act 2018 and is responsible for the processing of data of which the Applicant is a Subject.  

 

3. On 09 January 2020, the Applicant made a request for to the Respondent for a statutory data disclosure.  The statutory timeframe for compliance was 10 February 2020. 

 

4. The Respondent breached their statutory duties in that:  they failed to provide the data disclosure within the statutory timeframe of thirty days.  The data disclosure was eventually provided on 25 February 2020. 

 

5. The data disclosure that has been provided by the Respondent is incomplete. 

 

6. The Respondent sent the disclosure to an address that was not the Applicant’s.  The Applicant provided the Respondent with the correct address on 10 January 2020 and again on 19 February 2020.   

 

7. The Applicant has made a complaint to the Information Commissioner’s Office (ICO) asking for a statutory assessment to be carried out.  The ICO has offered a preliminary view that the Respondent has breached their statutory duty in failing to comply with the statutory time limit. 

 

8. By virtue of the Respondent’s failure to comply with the Subject Access Request the Applicant has suffered distress.

 

9. The distress caused is:

 

Extra costs incurred in addition to Court costs, due to the Respondent’s failure to comply.  This includes the cost of additional correspondence and time spent preparing documents and seeking legal advice.  I estimate this cost to be £200.  (do I need to elaborate on this more)???

 

10. Damages and costs within the discretion of the Court. (does this need to be included)???

Share this post


Link to post
Share on other sites
1 hour ago, Redmountie said:

In the

xx xx Civic Justice Centre

 

Claimant name and address

xxxxxxxx xxxxxx

xx xxxxxx xxxx

xxxxxxxxxxx

xxxxxxxxxxxxxx

xxxx xxx

 

Defendants name and address

Nissan Motor (GB) Limited, The Rivers Office Park, Denham Way, Maple Cross, Rickmansworth, Hertfordshire, WD3 9YS.

 

Brief details of claim
Damage for distress caused by the defendants data protection breaches of statutory duty
 

Value

£225

 

Particulars of claim

1. This claim is in relation to the defendants breaches of the Data Protection Act 2018. 

 

2. The Respondent is a Data Controller within the meaning of the Data Protection Act 2018 and is responsible for the processing of data of which the Applicant is a Subject.  

 

3. On 09 January 2020, the Applicant made a request for to the Respondent for a statutory data disclosure.  The statutory timeframe for compliance was 10 February 2020. 

 

4. The Respondent breached their statutory duties in that:  they failed to provide the data disclosure within the statutory timeframe of thirty days.  The data disclosure was eventually provided on 25 February 2020. 

 

5. The data disclosure that has been provided by the Respondent is incomplete. 

 

6. The Respondent sent the disclosure to an address that was not the Applicant’s.  The Applicant provided the Respondent with the correct address on 10 January 2020 and again on 19 February 2020.   

 

7. The Applicant has made a complaint to the Information Commissioner’s Office (ICO) asking for a statutory assessment to be carried out.  The ICO has offered a preliminary view that the Respondent has breached their statutory duty in failing to comply with the statutory time limit. 

 

8. By virtue of the Respondent’s failure to comply with the Subject Access Request the Applicant has suffered distress.

 

9. The distress caused is:

 

Extra costs incurred in addition to Court costs, due to the Respondent’s failure to comply.  This includes the cost of additional correspondence and time spent preparing documents and seeking legal advice.  I estimate this cost to be £200.  (do I need to elaborate on this more)???

 

10. Damages and costs within the discretion of the Court. (does this need to be included)???

 

Distress is not predicated on costs which have been incurred. Distress is simply the anxiety and difficulty which you or your family have experienced as a result of the breaches. I don't think you'll be able to claim for time spent dealing with it – you would have to explain exactly how that time had cost you pecuniary loss.

If you claim damages within the discretion of the court then you open it up to maximum of £10,000 which means the claim could cost you huge amount of money. You need to have a finite sum and at the top you have said £225. Maybe £175 would be more palatable. It's up to you.

I think you need to itemise the breaches –
1
2
3

so that is clear that you are dealing with three breaches and you need to give a paragraph and then subparagraphs to each one so that it would be

1 - fail to comply with statutory time limit
a- the claimant submitted a statutory status" request on X X X date blah blah blah blah

b - the defendant blah blah

 

2 - the defendants data disclosure was incomplete
a
b

 

3 - the defendant sent the data to an address which was not the address of the claimant data subject

 

 

 

Use the word defendants – not respondent

 

At some point early on say that the claimant is a data subject within the meaning of the data protection act 2018

Use the word claimant – not applicant

Let's have a look when you've edited it


Share this post


Link to post
Share on other sites

In the

Bristol Civic Justice Centre

 

Claimant name and address

xxxxxxxx xxxxxx

xx xxxxxx xxxx

xxxxxxxxxxx

xxxxxxxxxxxxxx

xxxx xxx

 

Defendants name and address

Nissan Motor (GB) Limited, The Rivers Office Park, Denham Way, Maple Cross, Rickmansworth, Hertfordshire, WD3 9YS.

 

Brief details of claim
Damages

 

Value

£225

 

Particulars of claim

1. This claim is in relation to the Defendants breaches of the Data Protection Act 2018.

(a) Failure to comply with the statutory time limit.

(b) The Defendants data disclosure was incomplete.

(c) The Defendant sent the data to an address which was not the address of the

     Claimant data Subject. 

 

2. The Defendant is a Data Controller within the meaning of the Data Protection Act 2018 and is responsible for the processing of data of which the Claimant is a Subject.  

 

3. On 09 January 2020, the Claimant made a request for to the Defendant for a statutory data disclosure.  The statutory timeframe for compliance was 10 February 2020. 

 

4. The Defendant breached their statutory duties in that:  they failed to provide the data disclosure within the statutory time limit of thirty days.  The data disclosure was eventually provided on 25 February 2020. 

 

5. The data disclosure that has been provided by the Defendant is incomplete. 

 

6. The Defendant sent the disclosure to an address that was not the Claimant’s.  The Claimant provided the Defendant with the correct address on 10 January 2020 and again on 19 February 2020.   

 

7. The Defendant has made a complaint to the Information Commissioner’s Office (ICO) asking for a statutory assessment to be carried out.  The ICO has offered a preliminary view that the Defendant has breached their statutory duty in failing to comply with the statutory time limit. 

 

8. By virtue of the Defendant’s failure to comply with the Subject Access Request the Claimant has suffered distress.

Share this post


Link to post
Share on other sites

You haven't taken up all the points I made my previous post


Share this post


Link to post
Share on other sites

Is this better?

 

 

Quote

 

In the

Bristol Civic Justice Centre

 

Claimant name and address

xxxxxxxx xxxxxx

xx xxxxxx xxxx

xxxxxxxxxxx

xxxxxxxxxxxxxx

xxxx xxx

 

Defendants name and address

Nissan Motor (GB) Limited, The Rivers Office Park, Denham Way, Maple Cross, Rickmansworth, Hertfordshire, WD3 9YS.

 

Brief details of claim
Damages

 

Value

£225

 

Particulars of claim

1. The Defendant is a Data Controller within the meaning of the Data Protection Act 2018 and is responsible for the processing of data of which the Claimant is a Subject.  

 

2. This claim is in relation to three breaches of the Data Protection Act (2018) by the Defendant.

(a) Failure to comply with the statutory time limit.

(b) The Defendants data disclosure was incomplete.

(c) The Defendant sent the data to an address which was not the address of the

     Claimant data Subject. 

 

3. The Defendant has failed to comply with the statutory time limit and is therefore in breach of the Data Protection Act (2018).

(a) On 09 January 2020, the Claimant made a request for to the Defendant for a statutory data disclosure.  The statutory timeframe for compliance was 10 February 2020. 

 

4. The Defendants data disclosure is incomplete. 

(a) The Defendant has provided data disclosure on 25 February 2020.  However, the data disclosure that has been provided by the Defendant is incomplete. 

 

5. The Defendant sent the disclosure to an address that was not the Claimant’s.

(a) The Claimant provided the Defendant with the correct address to send the Subject Access Request to on 10 January 2020 and again on 19 February 2020.   

 

6. The Claimant has made a complaint to the Information Commissioner’s Office (ICO) asking for a statutory assessment to be carried out.  The ICO has offered a preliminary view that the Defendant has breached their statutory duty in failing to comply with the statutory time limit. 

 

7. By virtue of the Defendant’s failure to comply with the Subject Access Request the Claimant has suffered distress.

 

 

Share this post


Link to post
Share on other sites

Well you still haven't taken in all the points which I have suggested.

On 26/02/2020 at 20:32, Redmountie said:

In the

Bristol Civic Justice Centre

 

Claimant name and address

xxxxxxxx xxxxxx

xx xxxxxx xxxx

xxxxxxxxxxx

xxxxxxxxxxxxxx

xxxx xxx

 

Defendants name and address

Nissan Motor (GB) Limited, The Rivers Office Park, Denham Way, Maple Cross, Rickmansworth, Hertfordshire, WD3 9YS.

 

Brief details of claim
Damage for distress caused by the defendants data protection breaches of statutory duty

Value

£225

 

Particulars of claim

1. The Defendant is a Data Controller within the meaning of the Data Protection Act 2018 and is responsible for the processing of data of which the Claimant is a Subject.  

 The claimant is a data subject

 

2. This claim is in relation to three breaches of the Data Protection Act (2018) by the Defendant.

(a) Failure to comply with the statutory time limit.

(b) The Defendants data disclosure was incomplete.

(c) The defendant's disclosure of claimant's data to unauthorised third party

 

 

3. The Defendant has failed to comply with the statutory time limit and is therefore in breach of the Data Protection Act (2018).

(a) On 09 January 2020, the Claimant made a request for to the Defendant for a statutory data disclosure.  The statutory timeframe for compliance was 10 February 2020. You need to explain when the disclosure eventually arrived

 

4. The Defendants data disclosure is incomplete. 

(a) The Defendant has provided data disclosure on 25 February 2020.  However, the data disclosure that has been provided by the Defendant is incomplete in that amongst other missing data it does not include blah blah  

 

5. The Defendant sent the disclosure to an address that was not the Claimant’s.

(a) The Claimant provided the Defendant with the correct address to send the Subject Access Request to on 10 January 2020 and again on 19 February 2020 but instead the defendant sent the claimant's personal data to the address of an unknown third party.   

 

6. The Claimant has made a complaint to the Information Commissioner’s Office (ICO) asking for a statutory assessment to be carried out.  The ICO has offered a preliminary view that the Defendant has breached their statutory duty in failing to comply with the statutory time limit. 

The information Commissioner is considering the other complaints 

 

7. By virtue of the Defendant’s failure to comply with the Subject Access Request the Claimant has suffered distress.

 

 

Please look carefully at these. At least one of them was suggested in an earlier post and highlighted in red but you seem to have missed it. Also I made other comments which you didn't incorporate.

You will have to alter the paragraph numbers, of course.


Share this post


Link to post
Share on other sites

BF, thanks for clarifying the above and providing guidance on what to put in the PoC. I was looking to submit this today or tomorrow, however as i am in the process of doing so, i have received an email from Nissan Customer Servicves saying the below: 

 

Quote

 

Dear Redmountie,  

We are in direct contact with the ICO following your complaint, however, we are in a position where we still need to clarify information from yourself in order to help and support with ours and the ICO investigation. 

You have advised that the address we have sent information to is incorrect. I can confirm that during the telephone call with our front office team on the 20/12/2019 you provided the address that we have on file for you. If you can confirm the correct address and advise of which point you provided us with this change of address I would be happy to investigate this further for you and make the appropriate corrections on our system. 

I would also like to clarify what information you feel is missing, this will allow us to check our records and if required update the information we have sent you. 

Kind regards 

Nissan Customer Services Manager

 

 

To clairfy, I have already told them on two seperate occasions about my new address, but they still sent it to the wrong address.

 

I have two points: (1) shall i still proceed with my PoC as nothing has changed as per the above PoC, and (2) is the ICO allowed to collude with Nissan like this? 

Share this post


Link to post
Share on other sites

I suggest that you send them a further SAR telling them that you want details of all their exchanges between themselves and the ICO relating to you.

Of course they aren't allowed to collude with the ICO – but you will find that they have special access and the ICO is far more relaxed about dealing directly with businesses than they are with dealing with data subjects. It shouldn't be that way – but it is. Both the ICO and the FOS tend to have lost sight of the fact that they are meant to be looking after the interests of customers or data subjects.

I suggest that you write to Nissan, enclose evidence of the fact that you have already given them your new address on two separate occasions.

 

Quote

Dear Sir/Mdm
thank you for your email dated X X X.
I have provided your organisation with details of my new address on two separate occasions – on X X X date and again on X X X date and I have attached copies of those notifications to this message.

The fact that you are not aware of this once again points to your flawed data management system and also a further breach of one of the data protection principles in that you are required to process data accurately.

In terms of the data that I consider is missing – my subject access request requires you to provide me with "all data" – and so it's not for me to drop you hints as to what is missing so that you can selectively access data which you think will put an end to my complaint whilst continuing to fail in your statutory duty to provide me with all data.

If your systems are not able to find all the data that you hold on me then it is even more evidence of your breach of the data protection regulations.

 

Please note that I have served you with a further subject access request under separate cover requiring that you disclose to me details of all the exchanges you have had with the ICO about me. Let's hope you haven't lost that yet.

I have served your letter of claim – and the clock is running.

You had better hurry up

Yours faithfully

 

I'm assuming that you have some tangible evidence that you did supply them with your new address


Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 Caggers

    No registered users viewing this page.


  • Have we helped you ...?


×
×
  • Create New...