Santander - Breach of GDPR - Data Subject Access Request (DSAR)

[Redmountie]

Hi Caggers, 

 

I've used this site several times over the years and this community have been very knowledgeable and supportive around a previous SAR breach.  However, that was some 4-5 years ago, and under the old DPA 1998.  I'm acutely aware we now how DPA 2018 and GDPR.  

 

I am seeking some advice from fellow Caggers and will bullet point to keep it simple. 

 

• Moved my Current Account across to Santander.  This was done via the Current Account Switching Service (CASS). 
•  
• The account is opened but my Debit Card doesn't arrive prior to the account opening, meaning for several days I had no access to my account or money (complaint raised and final letter saying not the bank's fault). 
•  
• Santander forget to request for internet banking details to be sent out to me in the post.  Meaning I had to wait over a week to be able to access my account.  
•  
• Due to the above I escalated a complaint with their Customer Services Team.  As part of my complaint I completed an online DSAR (Request 1).  It later transpires that this was never actioned as they had tried to get hold of me to clear enhanced security, but couldn't reach me.  I've never had any phone calls from anyone at Santander relating to this and nothing in writing, via text message or email.  
•  
• I recontacted Santander and verbally requested a DSAR.  The advisor stated they had completed a form and processed my DSAR (Request 2).  Unfortunately, I didn't write the date of this verbal DSAR request down.  I have made a follow up complaint since - asking for it, but they have come back with a generic response and are not providing it.  Lesson learned - write everything down. 
•  
• On 26/02/23 I received a final complaint response letter from Santander.  The letter stated that during their review of my complaint they could see i had made a DSAR, but that If i still wanted it, I would have to follow the correct process, and go through to Customer Services to request it.  Obviously that threw me as I had previously been speaking with the Customer Services Team when i had made my second request.  I then made another DSAR (Request 3) and they even gave me a reference number for this one.  
•  
• Today (11/03/23) I called Santander to enquire about my DSAR.  Particularly as I haven't received a response acknowledgement from them.  I would usually have a letter from them confirming the DSAR and the 28 days in which they have to comply.  After being placed on a lenghty hold, the advisor came back on the phone and apologised, stating that there had been another banking error and that my DSAR from the 26/02/23 had not been processed, and that I would need to submit yet another one. 
•  
• I then went through to their "enhanced" retail line and verbally completed another (Request 4) DSAR.  Of course they have advised the 28 day clock starts from now (or the next working day so 13/03/23).  
•  
• As i don't know the date of the second DSAR should I go off of the date for the third DSAR (i.e. 26/02/23) and issue a 14 day Letter Before Claim?   If so, I will use that date to also inform the ICO of a statutory breach.  

[BankFodder]

You don't need to follow any particular format to make a subject access request. A verbal request is perfectly adequate and they only are entitled to satisfy themselves as to your identity.

If you satisfy the security questions sufficient to access your account then this should be good enough for them. If they try to impose any other formalities then they are in breach of the subject access request rules.

Verbal requests for data disclosures are perfectly valid and binding from the date they are made.

They shouldn't be requiring you to make further formal applications or to fill in forms. The date of the verbal application is perfectly adequate. Unfortunately most companies don't seem to know this but that is just too bad for them.


Although you have said that you learned your lesson quite frankly it's sloppy as you play into their hands.

Phone them up and ask them the date of the second SAR and go from that date.

 

[Redmountie]

Hi BF, very good to see you are still here giving advice to the masses. 

 

I'm sure you recall you successfully helped me in taking Lloyds Bank to Court for breach of the then DPA 1998.  I find myself here again, in similar circumstances. 

 

I have asked Santander to come back to me with the date that I initially submitted the DSAR.  They are playing games as they referred to knowing that I had submitted a DSAR in their final complaint response letter, but having called them for that date yesterday, they can't find where that information has come from. 

 

I've asked them to re-open my original complaint and come back to me with the date.  They have told me they will recall me on Tuesday once they investigate further into it.  They will have it as a call recording, which no doubt, is where their complaint handler, got this information from.  I suspect that date will be early to mid February 2023, so do you advise giving them a LBA/LBC and a week to comply (even though the date will have passed), or go straight to the POC?    

[BankFodder]

In view of the difficulties finding the date of your original SAR, maybe the best thing to do is to make another request and that should elicit the details of your previous SARs and then you can sue on those.

Are you recording your calls? I hope you have as you been here since 2006. I think we should make a verbal request for an SAR. Tell them that you are recording the call and that as you have satisfied all their security requirements to access your account there should be no further question about your identity.
Then start the clock ticking. Once again I'm going to say that this shouldn't have been necessary if you had been careful about noting the dates.

[Redmountie]

I requested another SAR yesterday. 

 

This time I have recorded time, date, the name of the customer service representative and what call centre they are based.

  I also made sure that I had a SAR reference number whilst still on the phone with the representative.

 

  I have this in front of me and it has been sent to me via email.  Going off of that date it will restart the clock for a further 28 days from tomorrow (being the next working date) right? 

 

What equipment can I buy to record calls?  This would have to be via my mobile (i.e. iPhone) as i don't have a landline telephone.    

[BankFodder]

read our customer services guide

[Redmountie]

Santander came back to me today and told me that my original verbal request for a DSAR was on 10/02/23. 

 

However, due to a banking error the customer services officer on the telephone didn't process the DSAR, so it hasn't been done.  There is obviously a training need at Santander as this is the second member of staff who has made a banking error and not processed a verbal DSAR.  The other being when i made my third DSAR request on 26/02/23. 

 

So 28 days from 10/02/23 is the 10/03/23.  Is my next step an LBA/LBC or straight to a POC? 

[BankFodder]

Lba

 

Post a draft here 

 

 

 

 

[Redmountie]

I’m struggling to find a Letter Before Action for a Breach of a DSAR. Does anyone have a thread they can post up or signpost me to please. 

[dx100uk]

See the infamous virgin media thread posted today by @FTMDave

 

dx

[BankFodder]

But there is no template. You should devise your own letter of claim and then post it here and we can modify it.

All you've got to do is state the various facts and then go on to make your threat of legal action.

 

[Redmountie]

How is this? 

 

Letter Before Claim

To whom it may concern,

On Friday 10th February 2023, I sent you a Data Subject Access Request for a statutory disclosure of my personal data under the Data Protection Act 2018.

You have failed to comply and are therefore in breach of your statutory duty and obligation under the UK General Data Protection Regulation (GDPR).  

You have 14 days to respond, after which I shall begin a County Court claim against you.
 

Yours faithfully

 

[BankFodder]

In order to claim for breach of the data protection rules, you have to show that you have either suffered financial loss or you have suffered distress to you and your family.

 

Then you need to come up with a figure .

 

Have you suffered any financial loss ?

Has this caused you any distress or your family?

 

 

 

.

 

 

[Redmountie]

I have also completed a personal complaint form to the ICO and submitted this asking them to carry out a statutory assessment to determine if Santander has complied with it's statutory obligations. 

[Redmountie]

Letter Before Claim

 

To whom it may concern,

 

In early February 2023, I sent you a Data Subject Access Request (DSAR) for a statutory disclosure of my personal data under the Data Protection Act 2018.  On this occasion, despite confirming you had received it, you told me that you were unable to process it, as you were unable to verify who i was and take me through security.  This was despite already having cleared my account security process. 

 

On 10th February 2023, I sent you a second Data Subject Access Request (DSAR) for a statutory disclosure of my personal data under the Data Protection Act 2018. You have advised me that one of your Customer Services Advisors had made a banking error and not processed this Data Subject Access Request (DSAR). 

 

On 26th February 2023, I sent you a third Date Subject Access Request (DSAR) for a statutory disclosure of my personal data under the Data Protection Act 2018. You have advised me that for the second time one of your Customer Services Advisors had made a banking error and not processed this Data Subject Access Request (DSAR). 

You have failed to comply with three Data Subject Access Requests.  I have now written to the Information Commissioners Office (ICO) asking for them to carry out a statutory assessment to determine if you have complied with your statutory obligations. 

Your breach of your statutory duty is complete.  It has caused me a great deal of distress not having my data which, as you are aware, I need in relation to my ongoing complaint with you.  Also, the repeated necessity to chase after you to get this disclosure, and having to suffer your repeated broken promises, on at least three occasions, is contributing to cause further distress and anxiety. 

I shall be beginning a County Court claim against you in 14 days for £200 for distress.  I am giving you an opportunity to respond with a full disclosure plus £200 damages for the distress caused,  notwithstanding that I reserve my right to act upon your breach of data protection legislation which has already occurred.

 

Yours faithfully

[BankFodder]

Check edits in bold 

[Redmountie]

I will email this off to them now

[Redmountie]

Santander have today replied to my Letter Before Claim.  They state: 

 

Thank you for your Letter Before Claim dated 19th March 2023. 

 

I have been asked to respond to you on behalf of Santander.  Please treat this letter as both Santander's response under DISP, and it's reply to your Letter Before Claim under the Civil Procedures Rules. 

 

Having considered your allegations, Santander is unable to conclude any wrongdoing and we deny any liability alleged in your Letter Before Claim, or otherwise. 

 

As you are a new customer to us, additional security checked needed to be carried out before a SAR could be processed.  Whilst we understand that you contact Santander twice by phone in February 2023 with the intention of raising a SAR, you failed to complete the security checks which were required to make a valid SAR. Accordingly, a SAR was not validly raised by you until 11th March 2023, when you successfully passed verbal security checks. 

 

The SAR has subsequently been completed and all legal deadlines have been complied with.  Our response has been sent to you under separate cover. 

 

In light of the above, Santander does not agree that it is in any way liable to you, as alleged in the Letter Before Claim, nor that you are entitled to the remedies which you seek therein.

 

However, as a goodwill gesture following your complaint, I am pleased to credit your account with £100, which I hope you will accept with my best wishes.  This payment is made entirely without any admission of liability.  We trust this concludes the matter.      

 

........

 

The Letter is unbelievable.  On both occasions that I called them in February, they took me through security to enable me to access my account.  I then gave them a verbal DSAR which they accepted on both occasions and told me that they would progress with it.  At no point in time did they tell me I had failed to complete security checks and at no point in time was asked to complete any additional security checks.  

 

I also don't understand why they have awarded a £100 gesture of goodwill if they deny any wrongdoing. 

 

My Letter Before Claim was sent on 19/03/23 and it gave them 14 days to provide me with the DSAR and award £200 damages for distress and inconvenience.  I'm thinking my next move is to wait until 19/02/23 and they issue a PoC?  

[dx100uk]

9 minutes ago, Redmountie said:

I'm thinking my next move is to wait until 19/02/23 and they issue a PoC?  

Eh?

 

pers i'd either write back and say £150 call it quits.

 

you'll have a hardtime in getting £200 through court when they've offer £100 already.

 

they admitted guilt even if its a GOGW. which is what all these banks do.

 

dx

 

[BankFodder]

I agree but on the basis of what you have told us your case is watertight and they would not win in court .

I also agree with my site team colleague that a court might not award the £200 .

 

The question is whether you simply want to get the money or you want to get a judgement against them.

 

Have they now provided you with the data that you are looking for?

 

 

 

[Redmountie]

They have supplied the DSAR today too.  

 

My aim is to get the money rather than judgement. 

[BankFodder]

Well I think that £100 is far too low. Does the disclosure that they have made you refer to the previous SAR requests?

[Redmountie]

6 hours ago, BankFodder said:

Well I think that £100 is far too low. Does the disclosure that they have made you refer to the previous SAR requests?

I agree.  The £100 is what they were going to offer me anyway in compensation for their second banking error.  I asked for £200 for D&I but they have given me £100 as a "gesture of goodwill".    

 

I've just checked the small bundle they have sent and they use a complaint handling system called 'SharePoint'.  They have disclosed the notes from all my complaints.  Two of the complaint notes state the following: 

 

Customer is unhappy in regard to a SAR not being completed.  I have raised one today 26/02/23 but customer wants to make it clear that this is his third request as he has already made two previously and expects us to comply with it within 28 days from when he first called to make the request.  [So here is the admission that they raised one on 26/02/23].  

 

Customer advised that feedback will be provided in relation to previous DSAR not being completed - compensation will be considered and customer transferred to enhanced line to get DSAR request completed. Customer has tried to raise a DSAR before but hasn't been raised correctly by previous colleagues [so this is their admission that they did receive my two previous DSAR's (1) 10/02/23 (2) 26/02/23 but their members of staff didn't process them correctly]. 

 

Feedback form SharePoint completed for advisor that incorrectly completed the DSAR request.     

 

I need to listen to the call recordings to see if the above SAR requests were captured on each of the occasions I made them.  I'm 100% confident they must have been as the complaint handlers have listened to the calls to reach their decision to uphold my complaint and award compensation on both occasions their members of staff have made banking errors by not completing my DSAR despite verbally doing it over the phone in the correct manner.   

[BankFodder]

Please check back for a reply tomorrow

[BankFodder]

When you made the previous two SAR applications, did they inform you at the time or did they contact you later to say that they required further evidence of your identity?

I would say that if they didn't that they had a duty to do so.

But in any event, as you have pointed out they gave you all the security clearance you needed to access and to discuss your account. Clearly the fact that they are referring to the identity requirement now is simply an attempt to defend themselves.

Although my site and colleague has suggested that you should accept the money on the table, I certainly think that it is not enough and now you tell us that this £100 was already on offer anyway.

If you wanted you could write to them and tell them that you will accept the £100 – but merely as a gesture of goodwill but that they will be paying it to you on the understanding that the issue is still at large and you will still be proceeding to court in respect of their two breaches of your data protection rights.

When does the deadline for your letter of claim expire?