DPA 1998 Section 10 notice, next steps after company ignores notice

[pussycat10]

After some advice and any feedback from anybody who has needed to seek a court order to have their data ceased being processed.

 

 

I have issued a S. 10 notice that was delivered by hand to the director of a small company,

they have so far attempted to involve a third party to put pressure on me to back off but have failed to abide by the notice.

 

 

I have also sent a Subject access request which I am expecting them to ignore as well.

 

 

Being a small company this could just be down to not knowing what to do etc

 

 

however I am now in the position of having to decide my next steps.

 

 

Has anyone pursued a S.10 notice as far as the courts ?

[renegadeimp]

Can you give more info. Why do you want them to stop processing it? who is the company? In some issues, the company may be required by law to hold data for 6 years, and if subject to CCA, record it on credit files.

 

As for the SAR, if they ignore it, you can take them to court and claim costs involved, and force them to comply. If they still refuse, the courts will come down hard as they would have ignored a court order.

[pussycat10]

Its a small local business,

they have collated my personal data on a list that has subsequently been passed to several of their customers.

 

 

I have no dealings with the said business in a commercial way other than one of the directors seems to have some vendetta against me.

 

 

The personal data on the list is quite damaging to my local reputation hence my wanting them to cease processing my data.

[renegadeimp]

You send a cease and desist letter. Then if they do not comply you get your solicitor on their backs

[martin2006]

OP has sent a s10 cease processing impy.

 

Have a look here,

 

https://ico.org.uk/media/about-the-ico/policies-and-procedures/1873/section_10_guidance_for_staff.pdf

[renegadeimp]

Yep. But he may need to get solicitor involved to show how serious it is. It would stop the director in his tracks

[martin2006]

I very much doubt there would be a solicitor who deals with this particular area impy, if the OP wishes he could either issue a claim via the courts himself or involve the ICO, that said if the OP needs a speedy resolve then maybe court action is the best way

[silverfox1961]

Hi, this is my take on it.

 

You have no financial association with this small company so the only way they could have legally passed on your details is via two means.

 

1. With your express permission

2 For the detection or prevention of a crime

 

If you have used a different company and agreed to some form of data processing then that company may have had the right to use your data and pass it on to 'selected third parties' including the one you mention however so long as there is no valid reason to be processing your data a s10 notice must be adhered to.

 

If this is some form of blacklist, the ICO must be informed as a separate complaint as these lists are unlawful. There was a case a few years back where building companies held a shared blacklist of troublesome subcontractors who were checked against th list and if on there, they didn't get the job. The subcontractors got a sizeable sum in compensation.

 

While I appreciate that you don't want to put too much on the net, it is difficult to give precise advice. Processing someone's data without their permission is in direct breach of the DPA 1998 and you could sue them but please follow pre action conduct before you get that far.

[pussycat10]

a quick update.

 

The company responded on the 21st day and the letter arrived several days outside the 21 day deadline.

 

 

They have essentially now asked me to prove they are processing my data and are stating the matter does not fall within DPA 1998 and have ejected the s.10 notice.

 

 

In addition I made a schoolboy error with the date on the letter and put 2015 not 2016 which again they are stating the notice is a year out of date.

 

 

The letter was delivered by hand, personally to the director, on the correct date on the letter but the wrong year.

 

 

Any advice on the legality of this would be appreciated as I had intended to do the 14 day pre litigation letter then take legal action.

 

 

They have also rejected the Subject Access Request citing the matter is not relevant to DPA 1998.

 

 

At the very least I know I am named in several emails sent from the director to third parties.

[renegadeimp]

If they hold info on you then they have to provide all info pertaining to you.

[GrumpyToSayTheLeast]

How do you know THEY supplied the data to third parties?

What sort of data do you believe was sent?

About you personally or your business? If business, sole trader or ltd?

Does the company actually hold any DATA, or does the director just know things about you personally?

When you say its affecting your reputation, how is it affecting it?