Breach of GDPR - County Court Claim ***WON***

[BankFodder]

You're quite right that an injunction would normally be an order to prevent somebody from doing something. However, I seem to recall that there are positive injunctions where an order can compel somebody to do something. Specific performance, I believe, is a positive injunction which order somebody to carry out the terms of the contract. A duty under the DPA/GDPR would not be a contractual duty.

 

At the end of the day, once you manage to get in front of the judge then whether it is part seven part eight, the judge has a huge amount of discretion and is bound by the prime objective which is to do justice. However, I can certainly imagine that maybe some judges are a bit up themselves and start to become a bit fussy about using the right form form and paying the correct fee.

 

In principle, those judges would be wrong because they are not following the prime objective. However, it's difficult to start arguing with the judge

[andy023]

We need some clarity on this point, i am going down the route of the ICO taking the company to court. once successful i will then proceed.

[AnotherLegend]

This is what the ICO's old document said in their Data Protection Act - Taking Someone to Court document:

 

If you apply for action to be taken to comply with a specific right, this is known as a claim for specific performance. If you are not asking for damages as well, there are two possible procedures the court could adopt to deal with your claim:

 

It listed Part 7 and Part 8 claims, the essential difference between the two being whether there is a dispute of facts or not.

 

You would think that as it's a legal advice document, it would have been drafted by solicitors and barristers who know the court rules.

 

Once you go down the Part 8 claim route, it's really expensive and risky for someone to bring a claim. I believe it's £308 to initiate the claim, then a further £1,090 for the hearing. In my opinion, it's a route someone should only take with legal advice.

 

A Part 7 claim heard in the Small Claims Court, would be £35 for the claim (less than £300 in damages) and £25 for the hearing.

Edited July 5, 2018 by AnotherLegend

[BankFodder]

Well we have several potential claims going and so far I've been advising people to sue for a very small amount of money – but not ask for any order. In other words the claim is simply a claim for distress and any other losses that I'm suggesting to people that they ignore any attempt to settle and that they insist on going for judgement. You are entitled to do this without fear of suffering costs if you refuse the offer of your claim, if it is reasonable to continue. My view is that where you have a breach of statutory duty then it is reasonable to continue even in the face of a full offer. I think there is a public interest.

 

I also figure that once there is a judgement against his people for breach of GDPR rules and they are obliged to pay some small amount, that they will quickly comply with whatever requests have been made. If they failed to do that then you simply send another letter before claim and through them again – and again. Once you get a judgement you send a copy to the ICO and if they are regulated firm then you send a copy to the FCA as well.

 

That's the plan. We'll see what happens

[BankFodder]

… and by the way, I think the ICO definition of specific performance is wrong. I'm sure that is the enforcement of a contractual duty by means of an equitable order. I fail to see how equity can have anything to do with statutory duties. – Although technically an injunction can be an equitable order as well.

 

Despite my own confusion, I'm sure that the ICO is wrong.

[AnotherLegend]

Despite my own confusion, I'm sure that the ICO is wrong.

 

I certainly seem to remember that specific performance related to contract law.

 

I am surprised though if the ICO has got it wrong, especially as the Ministry of Justice was actively referring to their document about taking court action under the DPA.

 

In terms of the new DPA and compliance orders, this is what the law says:

 

167 Compliance orders

 

(1) This section applies if, on an application by a data subject, a court is satisfied that there has been an infringement of the data subject’s rights under the data protection legislation in contravention of that legislation.

 

(2) A court may make an order for the purposes of securing compliance with the data protection legislation which requires the controller in respect of the processing, or a processor acting on behalf of that controller—

 

(a) to take steps specified in the order, or

 

(b) to refrain from taking steps specified in the order.

 

(3) The order may, in relation to each step, specify the time at which, or the period within which, it must be taken.

 

(4) In subsection (1)—

 

(a) the reference to an application by a data subject includes an application made in exercise of the right under Article 79(1) of the GDPR (right to an effective remedy against a controller or processor);

 

(b) the reference to the data protection legislation does not include Part 4 of this Act or regulations made under that Part.

 

(5) In relation to a joint controller in respect of the processing of personal data to which Part 3 applies whose responsibilities are determined in an arrangement under section 58, a court may only make an order under this section if the controller is responsible for compliance with the provision of the data protection legislation that is contravened.

 

I will be talking to someone next week who should know the court procedure for bringing an action to force compliance.

[nucky]

Here is an update on my claim.

 

The compnay failed to comply so I sent an LBA by recoded delivery.

Up until them receiving the LBA they had failed to respond to me in at all.

 

They responed immediately to the LBA by sending me a form to complete for the SAR and also a request for certified ID.

They say once they have the completed forms and ID they will respond under GDPR rules.

 

They are already in breach anyway because my request to them was made 5 weeks ago.

In my opinion they do not need my ID, they have corresonded with me at my address for many years even to the point of posting out to me a user name and password to enable me to log into my online account.

[AnotherLegend]

Yes, they have already breached the DPA 2018/GDPR by failing to provide your personal data within 1 month of your request.

 

On the issue about identity, the ICO says on their website, "You need to let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their request."

 

Are they registered as a data controller on the ICO website?

I would send them an email, giving them 5 working days to respond to your SAR.

 

You could attach a copy of your driving licence if you want, but in your case it seems like the existing communication is sufficient for them to identify who you are.

[mrabody]

They cannot require you to fill in a form.

 

If your request was very vague then I suppose they could ask you for clarification as to what data you wanted.

 

I don't think they can require that you send them certified copies of your ID either although I don't think it's unreasonable for them to want some proof of identity.

 

I make a point of sending photocopies of my passport and a recent bank statement with my SAR letter.

 

Assuming you have already provided proof of identity and your communications were sufficiently detailed then they are compounding their initial breach by these throwing up these delaying tactics

[DragonFly1967]

The ICO also gives further guidance surrounding the requirement for ID, which says...

 

If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.

 

The important point of that sentence would appear to be "If you have doubts", I'd be asking why they have any doubt as to your identity

 

As for their form, well, whilst I'll admit that I am particularly bloody minded when it comes to things like this, they've got absolutely no right to insist that you use anything that they provide you with. Which is an argument that I've just had (and won) with my local authority. The people on the 'public facing' counter said (more or less) that I had to use their form when I made an SAR verbally. So I emailed the Data Protection Officer directly.

 

Incidentally, they would not give me that email address, so I rang up the local authority while sitting in front of them and got the email address. They were not happy!

 

The upshot of that is... They are now processing my SAR

[nucky]

Update on my claim:

I sent a complaint to the ICO on the 6 July but apart from an acknowledgement have heard nothing from them, though the acknowledgement did say that it could be up to 3 weeks before I get a response. Phoning the ICO is a waste of time, I gave up after being on hold for 40 minutes.

 

Today I have submitted my County Court Claim, the defendant has until 13 August to respond.

 

I'll keep you informed of progress

[AnotherLegend]

Update on my claim:

I sent a complaint to the ICO on the 6 July but apart from an acknowledgement have heard nothing from them, though the acknowledgement did say that it could be up to 3 weeks before I get a response. Phoning the ICO is a waste of time, I gave up after being on hold for 40 minutes.

 

The ICO is heavily backlogged. They are currently dealing with cases through the end of May 2018, so it will be at least another 6 weeks or so before you complaint even gets assigned to a caseworker.

 

Today I have submitted my County Court Claim, the defendant has until 13 August to respond.

 

You submitted an N1 or N208 claim form? Did you have to pay the £308 non-monetary fee? You realise that a hearing will cost £1,090 (multi-track)?

[nucky]

You submitted an N1 or N208 claim form? Did you have to pay the £308 non-monetary fee? You realise that a hearing will cost £1,090 (multi-track)?

 

No, there is a new type of claim process, you simply fill in the details step by step and the claim is issued. It cost me £25, I have only claimed for expenses and distress in pursuing this following Bankfodders advice.

[AnotherLegend]

So you didn't ask for an order for compliance with your SAR?

[nucky]

So you didn't ask for an order for compliance with your SAR?

 

No, at the end of the day they will have to comply, the ICO should make sure they do. If I win the claim then they will have to pay me, then if they fail to comply with their statutory duty to send me my SAR then I will just submit another Court claim for my expenses and distress.

[AnotherLegend]

I think in cases where a data controller fails to respond to a SAR, then I probably would file a Part 8 claim. As long as you have evidence the SAR was received, they haven't complied and they are a data controller, then I cannot see what possible argument they could use to defend a claim.

 

The ICO *should* issue an enforcement order if they still don't respond to your SAR, the downside is you could be looking at 6 months+ to get to this stage.

[Old Cogger]

no do not get carried away = many of us has outstanding complaints from that time -- so wait.

[andy023]

Nucky will follow hope all goes well, please keep posting good luck

 

excellent please update , step by step this is so interesting.

[nucky]

Here is an update on my claim,

just to re-iterate

I put in a SAR on the 30 May 2018,

it was received by the company on 31 May 2018 and signed for.

They did not respond whatsoever and never sent me my SAR.

 

As well as reporing them to the ICO for breach of the GDPR

I sent an LBA to the company on the 2 July 2018 received by them and signed for on the 3 July 2018.

 

They responed immediately to the LBA by sending me a form to complete for the SAR and also a request for certified ID saying once the forms are completed and ID provided then they will process my application in 30 days.

At this point they were already in breach as they had not provided my SAR within the 30 day period.

 

In my opinion they do not need my ID,

they have corresponded with me at my address for many years even to the point of posting out to me a user name and password to enable me to log into my online account and also send me monthly statements by post.

 

In any case the request for ID came after the 30 day deadline.

 

I submitted a money claim on the 25 July 2018 for expenses and distress (as per advice from Bankfodder).

 

I have now received a letter from the company stating they will defend any claim for these reasons.

 

1. I sent the SAR request to the wrong person and not the data controller.

 

2. I have not sent in my certified ID.

 

3. The 30 day period for an SAR does not start until I have provided ID regardless of when the request was made

they are inferring that regardless of the fact that it took them well over 30 days to acknowledge my SAR and then request ID they are not in breach because they have requested I provide ID.

 

Comments are welcome,

I am wondering if I should respond to them or just allow them to submit their defence to the Court?

My thoughts are that the Court might take a dim view if I do not try to settle with them prior to a hearing.

 

Incidentally I have still to hear from the ICO, apparently they have a massive backlog.

Edited August 8, 2018 by dx100uk
spacing

[AnotherLegend]

1. I sent the SAR request to the wrong person and not the data controller.

 

Who did you sent the SAR to? Was it a named individual?

 

2. I have not sent in my certified ID.

 

I believe they would need to demonstrate they have had doubts about your identity.

 

Where a controller—

 

(a)reasonably requires further information—

 

(i)in order that the controller be satisfied as to the identity of the individual making a request under subsection (1), or

(ii)to locate the information which that individual seeks, and

 

(b)has informed that individual of that requirement, the controller is not obliged to comply with the request unless the controller is supplied with that further information.

 

The law isn't quite as stringent as the ICO's guidelines.

 

3. The 30 day period for an SAR does not start until I have provided ID regardless of when the request was made so they are inferring that regardless of the fact that it took them well over 30 days to acknowledge my SAR and then request ID they are not in breach because they have requested I provide ID.

 

The first part is wrong. I guess the second part could be argued and the judge would want to know why you did not provide your ID, when requested.

[jon8214]

I'm having the same issue with Opos

 

Sent in SAR to their DPO, they responded 2 weeks later asking for ID and me to fill in their form

 

I refused stating I didn't have to fill their form in as per the GDPR guidelines

 

Didn't sent any ID in either due to the fact that the company has been conversing with me by the same email address for a number of years and have also answered complaints to the same email address in the past 3 months

 

I have also issued a small claim against the DPO personally and have been told by email that he shall be defending the claim

 

Heres my thread so far - https://www.consumeractiongroup.co.uk/forum/showthread.php?488580-DSAR-Opos-Ltd&p=5138624#post5138624

 

you will see that Opos have tied themselves in Knots with the stuff they have been sending me and I shall not be withdrawing my claim

[AnotherLegend]

Sent in SAR to their DPO, they responded 2 weeks later asking for ID and me to fill in their form

 

I refused stating I didn't have to fill their form in as per the GDPR guidelines

 

But the ICO's guidance recommends data controllers use a form...

 

Didn't sent any ID in either due to the fact that the company has been conversing with me by the same email address for a number of years and have also answered complaints to the same email address in the past 3 months

 

I don't think it's unreasonable for them to ask for your ID, or at least further information to verify that it was you making the SAR.

 

They need to know it is you sending the SAR and there is no way of them knowing that the person behind the email account is actually you.

 

I have also issued a small claim against the DPO personally and have been told by email that he shall be defending the claim

 

You issued the claim against the individual rather than the company? Why did you do this?

[nucky]

Who did you sent the SAR to? Was it a named individual?

 

 

 

I believe they would need to demonstrate they have had doubts about your identity.

 

Where a controller—

 

(a)reasonably requires further information—

 

(i)in order that the controller be satisfied as to the identity of the individual making a request under subsection (1), or

(ii)to locate the information which that individual seeks, and

 

(b)has informed that individual of that requirement, the controller is not obliged to comply with the request unless the controller is supplied with that further information.

 

The law isn't quite as stringent as the ICO's guidelines.

 

The first part is wrong. I guess the second part could be argued and the judge would want to know why you did not provide your ID, when requested.

 

The Judge could argue that but that is irrelevant, the SAR was already over the 30 day period and at no time in that period did they ask for ID. They only asked for ID when I sent the LBA - which was AFTER the deadline had expired.

 

They have asked for ID, the only reason given is to protect the identity of individuals, as I have said they have no problem corresponding with me, they send me monthly statements and als sent me login and password details for my online account ALL BY POST to my home address which is the one I used to get an SAR. Also I have just realised that they had my ID sent to them 2 years ago on the matter of confirming if I was still alive for pension purposes.

[jon8214]

the ICO's guidance states -

 

Should we provide a specifically designed form for individuals to make a SAR

 

Standard forms can make it easier both for you to recognise a SAR and for the individual to include all the details you might need to locate the information they want.

 

Recital 59 of the GDPR recommends that organisations provide means for requests to be made electronically, especially where personal data are processed by electronic means,. You should therefore consider designing a subject access form that individuals can complete and submit electronically

 

However, even if you have a form, you should note that a SAR is valid if it is submitted by any means, so you will still need to comply with any requests you receive in a letter, standard email or verbally.

 

Therefore, although you may invite an individual to use a form, you must make clear that this is not compulsory and do not try to use this as a way of extending the one month time limit for responding.

[jon8214]

in regards to issuing against the individual it state in GDPR article 82 that the controller is liable for the damage caused

 

Also in regards to the ID, as the OP the company has had no problems with emailing me about the alleged account or responding to complaints to the same email address.