

Santander - Breach of GDPR - Data Subject Access Request (DSAR)


Redmountie

You don't need to follow any particular format to make a subject access request. A verbal request is perfectly adequate and they are only entitled to satisfy themselves as to your identity.

If you satisfy the security questions sufficient to access your account then this should be good enough for them. If they try to impose any other formalities then they are in breach of the subject access request rules.

Verbal requests for data disclosures are perfectly valid and binding from the date they are made.

They shouldn't be requiring you to make further formal applications or to fill in forms. The date of the verbal application is perfectly adequate. Unfortunately most companies don't seem to know this but that is just too bad for them.


Although you have said that you learned your lesson, quite frankly it's sloppy, as you play into their hands.

Phone them up and ask them the date of the second SAR and go from that date.

 

Link to post

In view of the difficulties finding the date of your original SAR, maybe the best thing to do is to make another request and that should elicit the details of your previous SARs and then you can sue on those.

Are you recording your calls? I hope you have, as you have been here since 2006. I think we should make a verbal request for an SAR. Tell them that you are recording the call and that as you have satisfied all their security requirements to access your account there should be no further question about your identity.
Then start the clock ticking. Once again I'm going to say that this shouldn't have been necessary if you had been careful about noting the dates.

Link to post

read our customer services guide

Link to post

LBA

 

Post a draft here 

 

 

 

 

Link to post

But there is no template. You should devise your own letter of claim and then post it here and we can modify it.

All you've got to do is state the various facts and then go on to make your threat of legal action.

 

Link to post

In order to claim for breach of the data protection rules, you have to show that you have either suffered financial loss or you have suffered distress to you and your family.

 

Then you need to come up with a figure.

Have you suffered any financial loss?

Has this caused you any distress or your family?

 

 

Link to post

Check edits in bold 

Link to post

  • 2 weeks later...

I agree but on the basis of what you have told us your case is watertight and they would not win in court.

I also agree with my site team colleague that a court might not award the £200.

 

The question is whether you simply want to get the money or you want to get a judgement against them.

 

Have they now provided you with the data that you are looking for?

 

 

 

Link to post

Well I think that £100 is far too low. Does the disclosure that they have made to you refer to the previous SAR requests?

Link to post

  • dx100uk changed the title to Santander - Breach of GDPR - Data Subject Access Request (DSAR)

Please check back for a reply tomorrow

Link to post

When you made the previous two SAR applications, did they inform you at the time or did they contact you later to say that they required further evidence of your identity?

I would say that if they didn't that they had a duty to do so.

But in any event, as you have pointed out they gave you all the security clearance you needed to access and to discuss your account. Clearly the fact that they are referring to the identity requirement now is simply an attempt to defend themselves.

Although my site team colleague has suggested that you should accept the money on the table, I certainly think that it is not enough and now you tell us that this £100 was already on offer anyway.

If you wanted you could write to them and tell them that you will accept the £100 – but merely as a gesture of goodwill but that they will be paying it to you on the understanding that the issue is still at large and you will still be proceeding to court in respect of their two breaches of your data protection rights.

When does the deadline for your letter of claim expire?

Link to post

I think that we should respond in writing to the gesture of goodwill offer, and this will mean extending the letter of claim deadline by a week or so, but I think it will be worth doing.

 

Please stand by for a further response tomorrow

 

 

Link to post

Have a look at this proposed letter.

My view of your position is:
your chances of success if it goes to trial – better than 95%
your chances of getting the £200 that you are asking for – 80%
the chances of the bank folding and giving you the money you are asking for before you issue the claim – 70%
the chances of the bank folding and satisfying your claim plus your costs before the matter goes to trial – 85%

the chances of a judge awarding you only £100 and then penalising you your claim fee and hearing fee on the basis that you should have accepted the initial gesture of goodwill – 30% (I consider it is low because there is clearly a breach of statutory duty which is a serious matter)

 

Quote

Dear XXX

 


Your Statutory Breach of Data Protection Regulations – Reference Number XXX

 

Thank you for your letter of XXX and your offer of £100 which you state is a gesture of goodwill but at the same time you say is intended to settle the matter of your statutory breach of duty.

I am rejecting your offer.

I would point out to you that on XXX date you have already offered me £100 and this is before I fully understood that you were in fact in breach of two subject access requests. This means that you have been in breach of your statutory duty on two occasions.

I have eventually received a statutory disclosure in response to my third subject access request. This disclosure reveals that you were fully aware of my two previous subject access requests.
The disclosure makes it clear that you made no attempt to action them and that if you had any doubts about my identity, you made no attempt to ascertain my identity.
Your disclosure makes it clear that you were in breach of your data protection obligations on two occasions.

In terms of your stated position that you needed further evidence of my identity in order to process my subject access requests, it is clear that this is nonsense.

I have already pointed out that there was no attempt to bring your concerns about my identity to my attention.

I had already satisfied your identity checks sufficiently to gain access to my account over the telephone and to discuss all of the details of my financial business with your call handler.
There is absolutely no basis for saying that I had not satisfied sufficient identity checks to make a valid subject access request.

It is clear that your stated position is just an excuse in order to escape liability and to try and deflect me from bringing the court action which I have proposed in my letter of claim dated XXX.

I'm giving you a seven-day extension to my letter of claim and a final opportunity to make the payment of £200 which I requested in that letter.
If I do not receive this payment which is made in respect of the stress and difficulty you have caused me by being in breach of your stated obligation then I will begin a court action against you on XXX date and there will be no further discussion.

Also, I should put you on notice that in view of the seriousness of this statutory breach, the fact that it has happened on two occasions, your prevarication, and your attempt to buy me off with a so-called "gesture of goodwill", I shall decline mediation and insist on going directly to trial.

You had better understand that even if a judge eventually considers that the amount of money that I'm claiming from you is too much, the court will still find that you have been in breach of your statutory obligations on two occasions and this will be noted in the judgement which I will then proceed to pass on to the Information Commissioner and also to make available on the Internet.

There is no doubt that when it comes to data protection matters you act unlawfully and I intend to make sure this issue is addressed.

Yours faithfully

Let us know if you think you are prepared to send this letter. Any corrections, any additions.

As usual, I dictate by post so check it carefully for typos.

Link to post

It is most unlikely that they will offer you the money that you are claiming unless you force them by means of a court action.

You made the threat and now it is up to you whether you carry it out.

 

There is no template. Sort out your own wording and post it here and we will have a look

 

 

 

 

Link to post

Sorry, I don't remember. Can you just outline what happened in case it can affect what we do now?

Link to post

Obviously proving distress is difficult without doctors reports – but on the other hand if you can itemise the difficulties it has caused you over a period of time and maybe also your family, then you may well get a judge to accept the £200 is not an unreasonable figure – in particular because of the double breach.

When you start telling us something about the distress that you have suffered

Link to post

You now have to include a little section headed – Particulars of Distress.

Then go on to particularise your distress which you have suffered

Link to post

I don't think I have made myself sufficiently clear.

You need to particularise the distress and that means that you have to explain how the distress has manifested itself.

Has their failure to provide an SAR meant that you are unable to conduct business or that you are unable to resolve some problem and that has been distressing to you?
Start off by telling us now why you made your original subject access request.

Link to post

Thank you. What is a CASS switch?

Link to post

This is the kind of thing that you should be doing.

Have a look below, put in corrections, fill in the blanks, make any additional comments and we will develop it.

 

Quote

The Claimant's Distress

 

Purpose of the subject access requests

The Claimant made the subject access request in order to start the process of understanding and resolving problems with his new bank account and which had been caused by the negligence of the defendant bank.
The defendant's negligence/breach of contract are not at the moment a subject of this court action.

The claimant opened a new bank account with the defendant on XXX date.
The account was important to the claimant because blah blah blah.
It had been the intention of the claimant to move his banking business to the defendant bank because blah blah blah.
An essential element of the opening of the new account was effectively the transfer of his financial life from his previous bank account to the defendant bank.
The claimant relied on the defendant's Current Account Switch Service (CASS) in order to achieve a seamless transfer and without any disruption to his own life, the life of his creditors or the people and organisations to whom he was scheduled to make regular payments.
These included: –

  1. utilities,
  2. mobile phones,
  3. water,
  4. insurance,
  5. mortgage,
  6. blah blah blah

The Defendant failed in their duty to the claimant in that they failed blah blah blah blah and failed blah blah blah blah and omitted to blah blah blah blah.
Although the claimant had several phone calls with the defendant and received undertakings, the defendant still did not remedy their breaches and continued with their negligent behaviour.

 

The Subject Access Requests

 

Subject access request number one
The claimant eventually decided to try and solve the problem himself and began by submitting a subject access request on the XXX date in order to discover what had happened and to begin the process of sorting out the mess created by the defendant.
The defendant breached their data protection obligations by failing to respond with a statutory disclosure within the statutory 30 days.

 

Subject access request number two
The claimant made a subsequent subject access request on XXX date.
The defendant breached their data protection obligations a second time by failing to respond with a statutory disclosure within the statutory 30 days.
In respect of both subject access requests, the claimant received no acknowledgement and no question or enquiry from the defendant.
At no point did the defendant indicate that they required more information in order to satisfy the requirements of the statutory disclosure request.
At the time that each subject access request was made, the claimant had satisfied all of the defendant's requirements as to the ascertainment of his identity in that the claimant responded to all of the defendant's security questions satisfactorily and was then allowed to discuss his account with them on the telephone.

 

Subject access request number three

The claimant made a third subject access request on XXX date.
The defendant did comply with this subject access request on XXX date. The data which was disclosed as a result of this third subject access request revealed that the defendant had received the first two subject access requests and had failed to do anything with them. Either the defendant felt that the claimant had not satisfied their identity security requirements – despite the fact that they had been happy to speak to him on the telephone about his banking account – or else the request had been incorrectly actioned.
In neither case did the defendant take any action to inform the claimant or to ask for additional verification as to identity – although it is submitted that this would have been unnecessary in the circumstances.

Effect of the defendant's data protection breaches
The failure by the defendant to provide the data disclosure meant that there was a prolonged delay in managing the transfer of his banking business to the defendant's bank and consequent difficulties for the claimant in organising payments which were due to various companies or services with which the claimant had been dealing.

 

Particulars of distress
This caused extreme anxiety and distress as well as being very time-consuming. The process of having to deal with this has interrupted the claimant's normal life and routines and has caused particular anxiety and worry about the possibility of falling into default with various companies and the risk of resulting negative entries on his credit file.
Blah blah blah. Let's have some more please
 

 

If I am getting the story correctly here then frankly I think that we are asking for too little money and I think it should be 500 or £600.

There is absolutely no doubt in my mind that they will receive a judgement against them for statutory breach which would be quite serious for them and something that they would absolutely want to avoid.

Also I consider they have breached the BCOBS rules and that they haven't treated you fairly and they haven't communicated with you fairly. Also, please clarify, but I think that the transfer rules that you are referring to are something which had been set out by the regulator. Is that correct?

Link to post

There is no obligation to issue a claim on precisely day 15.

 

Stand by for a further reply later on

Link to post

I've made a few edits in red.

Also, did you eventually get your £200 reward – and was it straightforward?

Can you just go over again the basis on which they have already offered you £100?

You said that previously we have claimed £200 and settled for 800. Can you refresh my memory about this please?

Link to post

I have just made a further edit in red – reference to the BCOBS rules

Link to post

Okay, I sort of remember. Thanks. I'm afraid that I get so much coming my way and I'm pretty disorganised anyway.

Let's hope the same tactic helps with Santander.

Please could you respond to the other questions I have put – about the £100 and also about your £200 reward.

Link to post

So it seems as if the £100 was offered unconditionally. Has it been credited into your account?

Secondly, as you say that the date for the reward payment is the 30th, I'm wondering whether it might be worth waiting until then to see if it actually does go in.

If it doesn't go in then that gives an additional string to your bow and we might think about adding allegations to the claim and increasing the amount claimed.

I noticed that the main argument in their letter is that you failed to meet the security requirements in your original phone calls.

What do you have to say about that?

During those phone calls, did you answer security questions and were you then permitted to discuss your account?

Is that recorded in the disclosure which you have eventually received?

If their position is that you didn't satisfy their security requirements then they will have to show that in court and you will have to disprove it in court.

What evidence do you have that you did satisfy the security requirements at the time?

 

 

 

 

 

 

Link to post
