

DSAR Opos Ltd ***Settled in Full***



Well here's another company failing to adhere to the GDPR

 

I requested a DSAR from Opos on 23/06/18 and have just received the following email -

 

Dear XXXXX

 

I am in receipt of your below email and I have noted the contents accordingly.

 

In order for us to proceed with your request, please complete the attached form and return this, along with the requested documentation, to this email address.

 

Once the completed form and requested documentation is received, we will progress with your request.

 

Regards,

 

Rob Sands

Data Protection Officer

 

So they are failing by asking me to fill out their form and asking for ID even though they have previously contacted me by email and I have raised complaints with them by email. (It's an email address I only use for this sort of stuff so don't care if they have it.)

I've let them know that if they continue to ask me to fill out their form and request ID I shall be reporting them to the ICO, and if they fail to send me the required info within the 30 days then I reserve the right to issue proceedings against them.


Hi Jon8214

 

What does their form consist of?

They still need to verify your ID if they send you a DSAR under GDPR.

But there are limits to how restrictive they can be...

 

We could do with some help from you.

 

Have we helped you ...?         Please Donate button to the Consumer Action Group

 

**Fko-Filee**

Receptaculum Ignis

 


Hi fk, I'll attach the form below.

When I requested the SAR I used BankFodder's one,

plus they are stating that their 30 days doesn't start until they receive the info.

I sent the SAR to them on 26/6.

I know they can ask for ID if they aren't sure of who I am but as I said above I have communicated with them before from this email address about various issues including complaints, so as far as I'm concerned they know who I am.

OposCom0018_DataSubjectAccessRequestForm.pdf


Understandable... Much more can be derived from a DSAR than a simple email etc

Their form is overly restrictive. I recognise the Rob Sands name... Could he be Ex MMF?

Essentially their form isn't fit for purpose and is too many hoops to jump through. A simple letter saying what you require with Passport should suffice.

I did a DSAR with the DWP recently to test under GDPR and amazingly didn't need any ID but they spoke to me over the phone...

That's my take however BF is on the thread... Let him assist too :)

 


 

**Fko-Filee**

Receptaculum Ignis

 


Lanturn and OPOS have no link - However I do know Lanturn did purchase a Scottish based DCA

But Old Sandy stepped down from MMF sometime ago...

 

COI? No - But the industry does make me laugh... I had the pleasure of visiting Intrum's HQ the other day...

They have a big notice on the door - No Mobiles can be used beyond this point... But the offices they work in are all Glassed into the main atrium with other companies... You can see what everyone is doing along with their Screens :rofl:

 


 

**Fko-Filee**

Receptaculum Ignis

 


  • 2 weeks later...

Hi FK, Opos's 30 days is up on Monday and I don't think they are going to comply, do you think I should email Mr Sands my LBA on Tuesday morning?

I was thinking of giving them 48 hrs as they have already had 30 days to comply

What are your thoughts on this?


I will go to ICO as well, but I find them to be swamped and nothing is getting done by them at the minute

 

plus I also want this company to feel some pain after all the crap they put me through few years back


I think that as per the Direction on pre-action conduct, you need to give them 14 days to comply. https://www.justice.gov.uk/courts/procedure-rules/civil/rules/pd_pre-action_conduct

 

If you are seeking monetary compensation for their breach of the GDPR, it doesn't matter if they send you the requested information, they've already breached the GDPR by asking you to fill in a form and by failing to provide the information within the 30 day time limit. Your rights have already been breached and their belated compliance shouldn't extinguish your claim for compensation. At most it can only mitigate it.


  • 2 weeks later...

Well Opos did not act on my DPA but have replied with the following letter after being issued with the Court Claim.

 

Mr XXX

 

The court paperwork has been received and shall be vigorously defended.

 

You have refused to provide us with any identification to prove your identity and have further refused to clarify which information you require, whether you require any further information on the subject of collection and processing of data and whether it is likely to be covered by CCTV or not.

 

You may consider this request extraneous or superfluous, but we do not.

 

We take the protection of our client and customer data very seriously and are acting well within our remit to ensure the individual requesting the information is the data subject prior to disclosing that information.

 

If you refuse to provide that, that is your prerogative. It is my prerogative as Data Protection Officer of this organisation to reasonably request such information.

 

We could avoid this unnecessary court proceeding by you simply proving you are the data subject in question.

 

Should you wish to do so, please arrange for the return of the SAR form at your earliest convenience.

 

All email correspondence shall be retained, where necessary, to protect our legal interests.

 

Regards

 

Rob


Oh bless Sands got his knickers in a twist...

Right... What ID have they asked for and have you provided any to them? It's just they seem to suggest you haven't sent them anything. Mm

 


 

**Fko-Filee**

Receptaculum Ignis

 


I haven't sent them any ID, because my argument to that is they have been contacting me by email and have responded to complaints.

The request I initially sent was the BankFodder SAR request.


Here's my POC

1) On 23/06/18 the claimant sent Mr Rob Sands, the Data Protection Officer, of Opos Limited a Data Subject Access Request (DSAR) under Chapter 3 Article 15 of the General Data Protection Regulations 2018 (GDPR).

2) Under the GDPR Mr Sands had 30 days to supply the required information. To date Mr Sands is in default of this request.

3) Under Chapter 8 Article 82 of the GDPR the claimant claims £250 for damages and distress due to Mr Sands' failure to provide the required information.

I am going to be relying on case law which I don't want to put public for the justification of the amount. I will PM you it.

 

He is also saying they are not the data controller but they are the Data Processor, I know Opos are owned by Kapama and Mr Sands is the registered DPO for Kapama also


Here's his other email -

 

It is correct to say we have sent you information by email but not all information we hold, and your request is specifically for all information is it not?

 

Furthermore, I think you are mistaking Opos Limited as the Data Controller when it is in fact the Data Processor.

 

To confirm:

 

If you only require information that has already been sent to you by email please confirm and we will reissue this information - although if you already have it I would question why it is needed again.

 

If you require information that has not already been disclosed by email, then please complete the form and provide the relevant ID.

 

Your original email specifically states “If there is specific information which you require in order to satisfy yourself as to my identity, please let me know by return..” and yet you now refuse to provide this information and have found it necessary to instigate civil proceedings against the Data Protection Officer of a Data Processor and not a Data Controller.

 

Should you wish to retract your claim immediately, and avoid my counterclaim please contact me to discuss this.


Kapama and OPOS are one and the same company. Yes different entities but collectively under the OPOS Group... Doesn't fly Mr Sands. Collectively as a group they are a Data Processor and Data Holder so under your DSAR to OPOS you can request info held with sister companies too - So that part also doesn't fly Mr Sands... And this ladies and gents is the DPO for a stupid DCA...

It's not required to fill out the form as that is very restrictive.

They are making you fill out that form to get your info... What you can do is send a letter / email explaining what info you require... And you don't have to fill out any compulsory form... ID may be required and I see why this may be an issue to comply with from their side... However you are quite right, if they have already sent you information pertaining to you as a Data Subject then they shouldn't have any issue providing this information to you...

 

Should we provide a specially designed form for individuals to make a subject access request?

Standard forms can make it easier both for you to recognise a subject access request and for the individual to include all the details you might need to locate the information they want.

 

Recital 59 of the GDPR recommends that organisations ‘provide means for requests to be made electronically, especially where personal data are processed by electronic means’. You should therefore consider designing a subject access form that individuals can complete and submit to you electronically.

 

However, even if you have a form, you should note that a subject access request is valid if it is submitted by any means, so you will still need to comply with any requests you receive in a letter, a standard email or verbally.

 

Therefore, although you may invite individuals to use a form, you must make it clear that it is not compulsory and do not try to use this as a way of extending the one month time limit for responding.

 

 


 

**Fko-Filee**

Receptaculum Ignis

 


Thanks Fk, that was my understanding of the GDPR

 

You don't have to send individual DSARs to all companies in the same group, you can send one and they have to disclose all info for all the groups, especially when there is one DPO for them. The only thing is I've seen this somewhere in the legislation but I can't remember for the life of me where I saw it, have you any idea?

I just needed some reassurance on the ID bit but I was sure I was covered by them having emailed me previously and me raising complaints through the same email address and them replying to the complaint

Going to let this run and start pulling together my WS - it's going to contain the relevant bit of legislation, emails to/from Opos, ICO guidelines and the case law I'm relying on for the compensation

I will post it up here for checking when I have compiled it and would appreciate anyone's input to it

 

I think Mr Sands is trying to bully me by saying counterclaim but in my eyes my case is open and shut according to the relevant legislation


https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf

 

This may be helpful... Have a look at data processor and data controllers...

Technically if they have already identified you then yes this is valid IMHO - If you ask for the information electronically which you can do - Then what's the difference between sending out a CCA / Statement if they already have etc against sending them all out as part of a DSAR Bundle. Common Sense Application Even Though DCAs Are Nonsensical.

And that's fine... I don't normally get involved with Court Cases and WS etc. because it's not my strong point - But... I'm happy to learn and help with it...

TBH with you GDPR has made Data Protection worse as it's so hard for companies to be fully compliant. But let's see how this goes... I would love to knock Mr Sands off his perch :)

 


 

**Fko-Filee**

Receptaculum Ignis

 


Here's an excerpt from Opos's Privacy policy -

 

Accessing Your Data

You have the right to see the personal data relating to you that we hold. As a data processor we will forward your request to the relevant data controller for completion.

 

So they have failed under their own policy and how can they pass it to a controller whenever the controller and processor DPO is the same person?

 

They also have previously sent me statements and the CCA by email to the same address


Lol - I think this random picture ... Erm is most applicable in this case...

Simply they can't use this veil... Make sure you get the titles of Mr Sands under both firms... Just for clarity and for other readers, this isn't a witch hunt... This is more a firm trying to avoid its responsibilities under GDPR

 

As for other stuff...

 

How should we provide the data to individuals?

 

If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise.

The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information (Recital 63). This will not be appropriate for all organisations, but there are some sectors where this may work well.


 

**Fko-Filee**

Receptaculum Ignis

 


I've downloaded copies of both Kapama and Opos privacy policy and in Kapama the email address of their DPO is - dataprotection@oposlimited.com lol

 

they have tied themselves in knots my only problem is trying to get this all across to the judge in my witness statement.

 

I've grown a healthy dislike to Sands as he seems to be full of himself and a bit of a bully, but I can take it and believe me by the end of it he'll wish he never crossed me lol
