Breach of GDPR - County Court Claim ***WON***

[AnotherLegend]

in regards to issuing against the individual it state in GDPR article 82 that the controller is liable for the damage caused

 

But the controller is the company, not an individual. There is a big difference between a data controller and a data protection officer.

 

I think you've made a big mistake here.

 

Also in regards to the ID, as the OP the company has had no problems with emailing me about the alleged account or responding to complaints to the same email address.

 

The problem you will have is the judge will ask the question - why did you refuse to provide your identity to the data controller?

 

If I was defending a claim like this, I would put emphasis on the fact that we tried to verify your identity, but you refused to comply.

 

I certainly don't think it's open and shut.

[steveod]

There is no reason,

and it not specified in the GDPR that it needs to be CERTIFIED identity documents.

 

in fact the ICO and the Article 29 working party state that the requesting of identity documents, such as passports, should only be required where there is no relationship between the parties as the obtaining of that ID involves further processing of the data subjects personal data. It should not be used

as a delaying tactic.

 

There is NO OBLIGATION to provide identity UNLESS the data controller has a REASONABLE cause to require confirmation of identity such as in the case where no contractual or other relationship exist.

 

It would be for the controller to prove such a reasonable doubt as to the identity of the data subject making the request. they cannot just ask for ID as a default position. article 29 working party guidance

[andy023]

i agree i have sent out utility bills to identify myself

[nucky]

There is NO OBLIGATION to provide identity UNLESS the data controller has a REASONABLE cause to require confirmation of identity such as in the case where no contractual or other relationship exist. It would be for the controller to prove such a reasonable doubt as to the identity of the data subject making the request. they cannot just ask for ID as a default position. article 29 working party guidance

 

Thank you for this information, hoever I have gone through article 29 working party guidance documents (many PDF downloads) and cannot find this. Could you tell me where I can find it please?

 

There is no reason, and it not specified in the GDPR that it needs to be CERTIFIED identity documents. in fact the ICO and the Article 29 working party state that the requesting of identity documents, such as

passports, should only be required where there is no relationship between the parties as the obtaining of that ID involves further processing of the data subjects personal data. It should not be used

as a delaying tactic.

 

Thank you, however after going through a plethora of PDF files relating to the Working Party Article 29 I cannot find where this is referred to, do you have a reference?

[dx100uk]

always best to sent CTAX bill IMHO

[nucky]

I certainly agree that you should report them to the ICO immediately. However, even if the ICO sort it out I think you should sue them anyway for a very modest amount – say £50.

 

Of course they will try to settle and if I were you I would refuse any settlement and proceed to judgement. Then send a copy of the judgement to the ICO and also to the FCA.

 

This is the only way to deal with these people and to deliver a lesson.

 

Your claim form would broadly be

 

The defendants have now filed a full defence on the basis that I have not supplied the certified ID they requested. This is in spite of the fact that they ignored my SAR for more than 1 month after receiving it and then sent the request for certified ID after receiving my LBA. In my opinion the defence is invalid, even if they require ID which I can argue they do not require it then they should have requested that within the 30 day period. I now have to complete a directions questionnaire and send a copy to the Court and one to the defendant. Advice would be greatly appreciated.

[jon8214]

could you upload a redacted copy of their defence?

[jon8214]

A1 - yes to mediation

C1 - yes to small claims

D1 - your local court

D2 - no

D3 - 1 (yourself)

D4 - fill out as required

[nucky]

could you upload a redacted copy of their defence?

 

Hello

Sorry for the long delay. I can't upload the claim but here is what its says:

[Defendant] wrote to [Claimant] on 3 July asking for valid proof of ID. [Claimant] believes the right to require proof of ID is legitimate as set out in GDPR recital 64. We believe asking for certified ID and a recent utility bill is necessary as information we provide under the SAR includes bank details, NI number and DOB.

 

I would point out that I think this defence is futile, the company sent this over a month after I submitted my SAR, in other words they had already breached the rules on 1 month to respond before sending this out. I would also point out that their request for certified ID was a response to my LBA. MY SAR request, a gentle reminder 14 days after the original SAR and my LBA were all delivered and signed for by recorded delivery so they cannot deny receiving them. In this respect could I ask that the court do not accept the defence that they have submitted?

[Old Cogger]

companies are oblidged to ensure request are from the stated individual and a utility bill even copy passport , council tax is all they need, they can go beyond 30 days but have a good reason to, there is no good not giving identity check as that is required under regulation already set before, try going to court and see the possible consequences, you want a SAR then follow deligatmite request!

[jon8214]

companies are oblidged to ensure request are from the stated individual and a utility bill even copy passport , council tax is all they need, they can go beyond 30 days but have a good reason to, there is no good not giving identity check as that is required under regulation already set before, try going to court and see the possible consequences, you want a SAR then follow deligatmite request!

 

The OP did send a valid DSAR

 

The company failed to comply within the 30 days and only asked for the ID after they received the LBA

 

Yes they can go over the 30 Days but they must inform you within the 30 Day limit that they are going to take longer

 

 

Hello

Sorry for the long delay. I can't upload the claim but here is what its says:

[Defendant] wrote to [Claimant] on 3 July asking for valid proof of ID. [Claimant] believes the right to require proof of ID is legitimate as set out in GDPR recital 64. We believe asking for certified ID and a recent utility bill is necessary as information we provide under the SAR includes bank details, NI number and DOB.

 

I would point out that I think this defence is futile, the company sent this over a month after I submitted my SAR, in other words they had already breached the rules on 1 month to respond before sending this out. I would also point out that their request for certified ID was a response to my LBA. MY SAR request, a gentle reminder 14 days after the original SAR and my LBA were all delivered and signed for by recorded delivery so they cannot deny receiving them. In this respect could I ask that the court do not accept the defence that they have submitted?

 

you can ask for it to be struck out when you do your witness statement

 

the next stage will directions from the court on when the hearing is and it will state when your witness statement is to be sent in

[nucky]

companies are oblidged to ensure request are from the stated individual and a utility bill even copy passport , council tax is all they need, they can go beyond 30 days but have a good reason to, there is no good not giving identity check as that is required under regulation already set before, try going to court and see the possible consequences, you want a SAR then follow deligatmite request!

 

Not helpful and I suggest if you read through the thread from the beginning and see what's gone before then you will understand what the issue is.

[Old Cogger]

pardon = no company will divulge personal info unless they can be sure the individual is the respondent and producing everyday evidence (bills etc) covers them, regarding lateness and or failure does not eliminate the need to produce evidence of proof of genuine ownership any other compalint is another matter, but SAR request failure to check legitamacy of the requester is fatal if document got into the wrong hands , so response is/eas to DSAR request and need for identity proof, any other subject not referred to>

[AnotherLegend]

you can ask for it to be struck out when you do your witness statement

 

This is not good advice at all because there are no grounds to strike out their defence.

 

It's a valid defence in terms of it containing facts and being provided within the deadline. You might disagree with what they've said, but that's ultimately up to the judge to decide.

 

The other thing to remember is that this is a claim for distress. In order for that to succeed you have to demonstrate both that the defendant has not complied with the law (this looks straightforward in terms of the response times) and as a result, you have suffered distress that can be quantified. It's really important to show the distress that has been suffered and have evidence of this.

[nucky]

This is not good advice at all because there are no grounds to strike out their defence.

 

It's a valid defence in terms of it containing facts and being provided within the deadline. You might disagree with what they've said, but that's ultimately up to the judge to decide.

 

The other thing to remember is that this is a claim for distress. In order for that to succeed you have to demonstrate both that the defendant has not complied with the law (this looks straightforward in terms of the response times) and as a result, you have suffered distress that can be quantified. It's really important to show the distress that has been suffered and have evidence of this.

Except in my case nothing was provided in the deadline. That is the basis of the argument. No acknowledgement, no SAR and NO request for ID

[AnotherLegend]

Except in my case nothing was provided in the deadline. That is the basis of the argument. No acknowledgement, no SAR and NO request for ID

 

As I stated above, your claim has two elements:

 

1) Has the data controller complied with the law? It appears by their own admission that they responded 1 day beyond the one month deadline.

 

2) If they did not comply with the law, have you suffered distress as a result? You need to be able to demonstrate and prove this for your case to be successful.

[andy023]

I agree with the statement above they can ask for id i normally send a utility bill, not worth going in court giving them a get out card.

[andy023]

hi Nucky what has happened with this claim did you do money on line claim ?

[nucky]

hi Nucky what has happened with this claim did you do money on line claim ?

 

Hello

I am waiting for the Court to respond to the directions questionnaire that they sent me. The company has put in a defence that they require ID and can't process my SAR request. However they were over the one month limit before they even asked for any ID so as far as I am concerned their defence is not valid. Looks like going to Court so I will let you know how things progress

[andy023]

Nucky did you do claim on line please , i want to help other people with the minimum of cost ,we need to nail these people

[nucky]

***WON***

The Court struck out the defence of made by the company that they required certified ID as this was made after the one month deadline for providing the SAR and awarded judgement in my favour.

[mrabody]

Did the matter actually go to a hearing? Did you need to make an application to have the defence struck out?

[BankFodder]

Well done. This is excellent.

 

When you receive a copy of the judgement it would be very helpful if you would put it up here in PDF format. Please could you tell us who the defendants are.

 

How much money where you awarded?

[andy023]

well done

[craigten]

On 09/01/2019 at 13:19, BankFodder said:

Well done. This is excellent.

 

When you receive a copy of the judgement it would be very helpful if you would put it up here in PDF format. Please could you tell us who the defendants are.

 

How much money where you awarded?

Oh I wish he would post this info.....