Santander - Breach of GDPR - Data Subject Access Request (DSAR)

[BankFodder]

Okay, I sort of remember. Thanks. I'm afraid that I get so much coming my way and I'm pretty disorganised anyway.

Let's hope the same tactic helps with Santander.

Please could you respond to the other questions I have put – about the £100 and also about your £200 reward.

[Redmountie]

12 hours ago, BankFodder said:

I've made a few edits in red.

Also, did you eventually get your £200 reward – and was it straightforward?

Santander have confirmed that I have met their criteria for the £200 reward incentive.  However, they have yet to make the payment into my account and have advised it can take up to 30 days from when I met the criteria.  That end date being 30/04/23.  I guess that element is just a waiting game, but rest assured as soon as it's deposited into my account, I will be moving my business to another bank/building society.  

Can you just go over again the basis on which they have already offered you £100?

I've posted a screenshot of the final response letter Santander sent me with the £100 "Goodwill Gesture" which they made entirely without any admission of liability.  

You said that previously we have claimed £200 and settled for 800. Can you refresh my memory about this please.  

I can see you have managed to find my original post to my previous Breach of SAR which I won against Lloyds back in 2018.  They paid out and I issued a Notice of Discontinuance.  

 

Santander Executive Office Complaint Response Final Letter - 28-03-23.pdf

[BankFodder]

So it seems as if the £100 was offered unconditionally. Has it been credited into your account ?

Secondly, as you say that the date for the reward payment is the 30th, I'm wondering whether it might be worth waiting until then to see if it actually does go in.

If it doesn't go in then that gives an additional string to your bow and we might think about adding allegation so the claim and increasing the amount claimed.

 

I noticed that the main arguement in their letter is that you failed to meet the security requirements in your original phone calls.

Do you have to say about that?

During those phone calls, did you answer security questions and were you then permitted to discuss your account?

Is that recorded in the disclosure which you have eventually received ?

 

If their position is that you didn't satisfy their security requirements then they will have to show that in court and you will have to disprove it in court.

 

What evidence do you have that you did satisfy the security requirements at the time.

 

 

 

 

 

 

[Redmountie]

Bristol Civic Justice Centre

 

Claimant name and address

xxxxxxxx xxxxxx

xx xxxxxx xxxx

xxxxxxxxxxx

xxxxxxxxxxxxxx

xxxx xxx

 

Defendants name and address

Santander UK Plc, Santander House, 201 Grafton Gate East, Milton Keynes, MK9 1AN

 

Brief details of claim
Damage for distress caused by the defendants data protection breaches of statutory duty 

 

Value

£235

 

Particulars of claim

1. The Defendant is a Data Controller within the meaning of the Data Protection Act 2018 and is responsible for the processing of data of which the Claimant is a data Subject.  

 

2. This claim is in relation to two breaches of the Data Protection Act (2018) by the Defendant.

(a) Failure to comply with the statutory time limit dated 12 March 2023

(b) Failure to comply with the statutory time limit dated 28 March 2023

 

3. The Defendant has failed to comply with the statutory time limit on two occasions and has therefore committed two breaches of the Data Protection Act (2018).  

(a) On 10 February 2023, the Claimant made a request to the Defendant for a statutory data disclosure.  The statutory timeframe for compliance was 12 March 2023.  Despite being fully aware of the Subject Access Request, the Defendant has never made any disclosure as a result of this request.  

(b) On 26 February 2023, the Claimant made a request to the Defendant for a statutory data disclosure.  The statutory timeframe for compliance was 28 March 2023.  Despite being fully aware of the Subject Access Request, the Defendant has never made any disclosure as a result of this request.  

(c) On 11 March 2023, the Claimant made a request to the Defendant for a statutory data disclosure.  The statutory timeframe for compliance was 08 April 2023.  The Claimant received data disclosure on 29 March 2023, but only in relation to this third data disclosure request.  

  

4. The Claimant seeks £200 damages for distress caused by virtue of the Defendant's breaches of their statutory duty to disclose personal data, within 30 days, in response to two Subject Access Requests.

(a) Purpose of the Subject Access Requests

 

The Claimant made the Subject Access Requests in order to start the process of understanding and resolving problems with his new bank account, which had been caused by the negligence and contractual breaches of the Defendant.

The Defendant's negligence/breach of contract are not at the moment a subject of this court action. 

The failure by the Defendants to conduct the Claimant's account correctly and also to communicate with the Claimant's fairly at all is a breach of the Banking (Conduct of Business) Regulations - BCOBS - which were made pursuant to the Financial Services and Markets Act 2000 - although those breaches are not currently the subject of this present legal action.  

The Claimant opened a new bank account with the Defendant on 02 February 2023. 

The account was important to the Claimant because this was his main bank account in which he conducted all of his financial business.    

It had been the intention of the Claimant to move his banking business to the Defendant’s bank because they offered a £200 reward incentive and cashback on bills.

An essential element of the opening of the new account was effectively the transfer of his financial life from his previous bank account to the Defendant’s bank. 

The Claimant relied on the Defendants use of the Current Account Switch Service (CASS) in order to achieve a seamless transfer and without any disruption to his own life, the life of his creditors or the organisations to whom he was scheduled to make regular payments. 

The Current Account Switch Service (CASS) is designed to let the customer switch their current account from one bank or building society to another in a simple, reliable and stress-free way.  It will only take seven working days.  

 

The payments referred too include:-

1. utilities,
2. mobile phone,
3. water,
4. insurance,
5. rent,
6. council tax,
7. tv licence,
8. vehicle road tax.   

The Defendant failed in their duty to the Claimant in that they failed to issue online banking credentials when the account was opened.  The Defendant has admitted this in there complaint response letter dated 21 February 2023.  

Although the claimant made several phone calls to the Defendant and received undertakings, the Defendant did not remedy there negligent behaviour, and ultimately ended up having to issue online banking credentials on 09 February 2023 (Letter one of two) and 10 February 2021 (Letter two of two), some seven to eight days after the account was opened. 

(b) The Subject Access Requests

 

Subject Access Request Number One
The claimant eventually decided to try and solve the problem himself and began by submitting a Subject Access Request on the 10 February 2023 in order to discover what had happened and to begin the process of sorting out the mess created by the Defendant.
The defendant breached their data protection obligations by failing to respond with a statutory disclosure within the statutory time limit of 30 days.

 

Subject Access Request Number Two
The claimant made a subsequent Subject Access Request on 26 February 2023.
The Defendant breached their data protection obligations a second time by failing to respond with a statutory disclosure within the statutory 30 days.
In respect of both Subject Access Requests, the Claimant received no acknowledgement and no question or enquiry from the Defendant. 
At no point did the Defendant indicate that they required more information in order to satisfy the requirements of the Subject Access Request.
At the time that each Subject Access Request was made, the Claimant had satisfied all of the Defendants requirements as to the ascertainment of his identity in that the Claimant responded to all of the Defendants security questions satisfactorily and was then allowed to discuss his account with them on the telephone.

 

Subject Access Request Number Three

The Claimant made a third subject access request on 11 March 2023.
The Defendant did comply with this subject access request on 29 March 2023. The data which was disclosed as a result of this third Subject Access Request revealed that the Defendant had received the first two Subject Access Requests and had failed to do anything with them. Either the Defendant felt that the Claimant had not satisfied there identity security requirements – despite the fact that they had been happy to speak to him on the telephone about his banking account – or else the request had been incorrectly actioned by staff within the Defendant's business.
In neither case did the Defendant take any action to inform the Claimant that his requests had not been correctly actioned and at the point of making the requests he was not asked for additional verification as to identity – although it is submitted that this would have been unnecessary in the circumstances.

 

(c) Particulars of distress
 

This caused extreme anxiety and distress as well as being very time-consuming. The process of having to deal with this has interrupted the Claimant's normal life and routines and has caused particular anxiety and worry about the possibility of direct debits and standing orders not being correctly setup and therefore falling into default with various companies and the risk of resulting

negative entries on his credit file.  The Claimant’s distress has been exacerbated by the continuing lack of cooperation by the Defendant, the cost of additional correspondence and time spent preparing documents and seeking legal advice. 

[Redmountie]

18 minutes ago, BankFodder said:

So it seems as if the £100 was offered unconditionally. Has it been credited into your account ?

Yes the £100 has been credited into my account. 

 

Secondly, as you say that the date for the reward payment is the 30th, I'm wondering whether it might be worth waiting until then to see if it actually does go in.

If it doesn't go in then that gives an additional string to your bow and we might think about adding allegation so the claim and increasing the amount claimed.

I am happy to wait or continue on the basis of the two breaches of there statutory duty to disclose the data in the Subject Access Requests. 

 

I noticed that the main arguement in their letter is that you failed to meet the security requirements in your original phone calls.

Do you have to say about that?

When I made those respective phone calls, I had already passed security to the point where they were able to discuss my account and complaints.  At no time did either member of staff tell me that I had to go through "enhanced security" or had not cleared sufficient security in order to submit the Subject Access Requests.  They both verbally accepted my Subject Access Request's and told me that they would process them.  I only became aware that I had to be passed through to an additional "enhanced security" team after they had sent me there final response letter to my complaints. 

 

During those phone calls, did you answer security questions and were you then permitted to discuss your account? I believe so but cannot access the encrypted CD Rom which has the calls I made.  This is due to restrictions by my employer and i don't own my own laptop so not sure how I am going to be able to listen to the calls to verify security was or wasn't passed.   

Is that recorded in the disclosure which you have eventually received ?

 

If their position is that you didn't satisfy their security requirements then they will have to show that in court and you will have to disprove it in court.

 

What evidence do you have that you did satisfy the security requirements at the time.

 

 

 

 

 

 

 

[BankFodder]

You say that you can't access the recording of the conversation because of your employers security concerns. I gather from this that you are trying to use your employers equipment to listen to it.

I think that it is really quite essential to know what it says on the audio so you're going to have to sign some other way of dealing with it. We may as well wait until we see what happens on the 30th and that should give you time to take whatever steps are necessary to access the audio.

I think it is essential in bringing an action like this that you are completely on top of the evidence and that nothing is left to chance. I certainly think that if you have got all your ducks in a row that in order to extricate themselves from this, that they will end up offering quite a bit more than you claimed.

[Redmountie]

**update**

 

I have now received the (1) the £200 Reward Incentive for opening my account with Santander, and (2) the £200 I requested in my Letter Before Claim. 

 

I am happy with this outcome and now considered this case won and settled. 

 

Thank you to all the Cag Team and others who have helped me once again.  

[BankFodder]

Thanks for the update – well done.