CEL Whacked for £900 in DPA Breach Counterclaim

beamerguy

The_Deep wrote: »

Someone should bring this to the attention of the SRA. not me as all I get from them is whitewash.

Morning Mr Deep, the SRA are a useless bunch as you and everyone can see.

Should be CEL who complain to the SRA about Wright Hassall

bargepole

Lamilad wrote: »

Will we be getting a transcript from this case? ...

A transcript of the Approved Judgment is being ordered, and will be hosted on the Prankster site.

Timothea

It should be easy to prove distress in such cases because communications from PPCs and their agents are designed to cause distress and scare people into paying. However, the distress caused should always be described in a witness statement, supported by the scary correspondence as evidence, highlighting the lies.

In Halliday -v- Creation Consumer Finance Limited, the Court of Appeal awarded the claimant £750 for distress when a single data protection breach caused unquantified distress to the data subject. This suggests that compensation for distress in some private parking cases should be significantly higher.

If it ever happened to me, I would claim between £1,500 and £3,000, depending on the circumstances.

FlyingDonkeys wrote: »

What was the DPA breach?

Please read post #1 of this thread:

https://forums.moneysavingexpert.com/discussion/5585388

Ruurb

Hello, I was directed here following Parking Prankster's blog and thought I would reply to some of the above comments.

Not wanting to put a dampener on things here but if CEL had any common sense, they would slap in an immediate appeal to get it overturned and I think the chances of being successful is pretty high.

Under the Data Protection Act, an individual's recourse is against the data controller, not the processor - see s.13 below.

An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

CEL in this case would be the data processor whereas the DVLA is the data controller, and so any claim for breach of the DPA ought to be against the DVLA rather than CEL. Data processors have never had any liability under the DPA which is usually why data controllers seek a contractual indemnity from the processor in the event of a breach that was caused by the processor.

Another line of argument could be that CEL (as the processor and third party) had a legitimate interest in obtaining the keeper information (Schedule 2, para. 6). Perhaps another argument, although maybe more wishy washy, is that it is exempt under s.35 as it is used in connection with legal proceedings.

Umkomaas

if CEL had any common sense, they would slap in an immediate appeal to get it overturned

And if they lost at an appeal hearing with a higher Judge, wouldn't that make them popular in PPC land. Wouldn't that provide the first glimmering green light for a barrage of claims/counterclaims from wronged motorists?

I think the chances of being successful is pretty high.

Based on what evidence/experience/precedents?

Ruurb

Based on what evidence/experience/precedents?

Based on the law? S.13 says a breach by the data controller, there is no mention of data processor at all in s.13 it all relates to the controller - Processors have never been liable under the DPA. The GDPR when it comes into force next year changes that and does entitle the individual to bring a claim against the controller or the processor.

Also based on the experience that I deal with the DPA on an everyday basis.

And to add to the point about appealing, the case was heard by a DJ so any appeal would be heard before CJ before an appeal to the High Court.

Timothea

Ruurb wrote: »

CEL in this case would be the data processor whereas the DVLA is the data controller, and so any claim for breach of the DPA ought to be against the DVLA rather than CEL. Data processors have never had any liability under the DPA which is usually why data controllers seek a contractual indemnity from the processor in the event of a breach that was caused by the processor.

Another line of argument could be that CEL (as the processor and third party) had a legitimate interest in obtaining the keeper information (Schedule 2, para. 6). Perhaps another argument, although maybe more wishy washy, is that it is exempt under s.35 as it is used in connection with legal proceedings.

I'm afraid that I must disagree. First, the data controller was CEL because CEL processed the data for its own purposes and not as a subcontractor to DVLA. Second, CEL did have a legitimate interest in obtaining the keeper's personal information, but only for the purpose of requesting the driver's details. CEL had no legitimate interest in pursuing the keeper because CEL does not comply with POFA.

Several people on here would quite like the idea of suing DVLA for DPA breaches, but you can be sure that DVLA has protected itself and all the liability is with the private parking companies! If you don't believe me, google 'DVLA KADOE contract' to see the conditions under which DVLA releases keeper data to PPCs.

Ruurb wrote: »

Also based on the experience that I deal with the DPA on an everyday basis.

That's a bit worrying. What type of dealings do you have with the DPA every day?

Umkomaas

Even their own Trade Body believes they are 'Data Controllers' and requires them to register with the ICO as such as a criterion of their AOS membership, giving them the license to receive and process personal data from the DVLA.

12.2 When you apply to the DVLA you must confirm you are a member of the BPA and the AOS (quoting your BPA membership number).You also have to confirm that you will keep to the Code, the Data Protection Act and any other legislation that applies. Under the Data Protection Act you will have to register as a data controller with the Information Commissioner.

Ruurb

Second, CEL did have a legitimate interest in obtaining the keeper's personal information, but only for the purpose of requesting the driver's details. CEL had no legitimate interest in pursuing the keeper because CEL does not comply with POFA.

I agree with you on this point and the legitimate interest argument.

I'm afraid that I must disagree. First, the data controller was CEL because CEL processed the data for its own purposes and not as a subcontractor to DVLA.

Just because you are not a sub-contractor of the DVLA does not mean you are not the processor. Part of the criteria for identifying whether or not one is a data controller is who determines the purposes and means of processing the data.

What I can see so far is that the DVLA: collects the personal data and determines the content of it, stores it, controls who has access to the data and whether the data needs amending e.g. change of address.

I've skimmed through the KADOE contract and I saw what I think is the crux of the argument. at B2.1 it says:

B2.1. The DVLA shall provide each requested item of Data to the Customer
via the KADOE Service for the Reasonable Cause of enabling the
Customer to:

a) seek recovery of unpaid Parking Charges in accordance with the
Accredited Trade Association Code of Practice, and using the
procedure in Schedule 4 to the Protection of Freedoms Act 2012
(where the vehicle was parked on private land in England or Wales on
a particular date); and

b) otherwise seek recovery from a driver of unpaid Parking Charges in
accordance with the Accredited Trade Association Code of Practice
(where the vehicle was parked on private land in Scotland or Northern
Ireland by that driver on a particular date, or where the Customer has
chosen not to pursue, or is not in a position to pursue the vehicle
keeper by utilising conditions in Schedule 4 of the Protection of
Freedoms Act 2012).

So I think it is clear here that the DVLA is a data controller, since it determines how, what and when a third party can use the information. It is pretty much a restrictive determination that a third party needs to follow but gives no scope for them to determine the use of the data for any other purpose. The DVLA effectively has sole exclusive control over that data.

Now if the third party (CEL in this case) decides to go above and beyond what they agreed to use the personal data, I do not think this then makes them a joint data controller with the DVLA. I think the key question in whether you are seen as a data controller or a data processor is which party exercises control over the personal data. CEL

In a nutshell and without going into extensive detail, it is the DVLA who exercises the control and determines the use and purpose. Whereas CEL are simply following the instructions laid out by the DVLA and would not make them a data controller. I also note that the DVLA has plenty of indemnity provisions in its contract for a breach/default of the obligations which no doubt covers misuse of data.

I think from your point of view you are sitting on the other side of the fence in that because they have gone outside of the scope of their agreement which then would make them a data controller. The issue I find with that is they were never given any scope to determine the purpose of the processing, rather that they may only use for a sole purpose determined by the DVLA.

Timothea

Ruurb wrote: »

Just because you are not a sub-contractor of the DVLA does not mean you are not the processor. Part of the criteria for identifying whether or not one is a data controller is who determines the purposes and means of processing the data.

What I can see so far is that the DVLA: collects the personal data and determines the content of it, stores it, controls who has access to the data and whether the data needs amending e.g. change of address.

I've skimmed through the KADOE contract and I saw what I think is the crux of the argument. at B2.1 it says:

B2.1. The DVLA shall provide each requested item of Data to the Customer
via the KADOE Service for the Reasonable Cause of enabling the
Customer to:

a) seek recovery of unpaid Parking Charges in accordance with the
Accredited Trade Association Code of Practice, and using the
procedure in Schedule 4 to the Protection of Freedoms Act 2012
(where the vehicle was parked on private land in England or Wales on
a particular date); and

b) otherwise seek recovery from a driver of unpaid Parking Charges in
accordance with the Accredited Trade Association Code of Practice
(where the vehicle was parked on private land in Scotland or Northern
Ireland by that driver on a particular date, or where the Customer has
chosen not to pursue, or is not in a position to pursue the vehicle
keeper by utilising conditions in Schedule 4 of the Protection of
Freedoms Act 2012).

So I think it is clear here that the DVLA is a data controller, since it determines how, what and when a third party can use the information. It is pretty much a restrictive determination that a third party needs to follow but gives no scope for them to determine the use of the data for any other purpose. The DVLA effectively has sole exclusive control over that data.

Now if the third party (CEL in this case) decides to go above and beyond what they agreed to use the personal data, I do not think this then makes them a joint data controller with the DVLA. I think the key question in whether you are seen as a data controller or a data processor is which party exercises control over the personal data. CEL

In a nutshell and without going into extensive detail, it is the DVLA who exercises the control and determines the use and purpose. Whereas CEL are simply following the instructions laid out by the DVLA and would not make them a data controller. I also note that the DVLA has plenty of indemnity provisions in its contract for a breach/default of the obligations which no doubt covers misuse of data.

I think from your point of view you are sitting on the other side of the fence in that because they have gone outside of the scope of their agreement which then would make them a data controller. The issue I find with that is they were never given any scope to determine the purpose of the processing, rather that they may only use for a sole purpose determined by the DVLA.

Well, I take it all back. You are indeed a DPA expert. Your argument is very convincing.

This could be a bombshell for DVLA: it is liable for DPA breaches by private parking companies! This could force DVLA to regulate the industry properly!!

WOW!!!