We'd like to remind Forumites to please avoid political debate on the Forum... Read More »
IMPORTANT: Please make sure your posts do not contain any personally identifiable information (both your own and that of others). When uploading images, please take care that you have redacted all personal information including number plates, reference numbers and QR codes (which may reveal vehicle information when scanned).
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
CEL Whacked for £900 in DPA Breach Counterclaim
Options
Comments
-
Is the PPC data processor in these instances, or now data controller? And if they are now data controller, why are they not data controller if the path of data is from the DVLA?
FWIW, I think there is enough evidence to argue persuasively in a DPA claim that the PPC is always a data controller; their own ATA holds them out in that capacity and the case law (reminded by Lynnzer on pepipoo and I think dug up by Chitlord?) says they are, because they are never 'acting as agent' on behalf of the DVLA.
All very interesting, makes me glad I am not a lawyer because I can offer a lay opinion then walk away from it. Law is interesting and so is this discussion but I'd hate to be so pedantic for a living...it's bad enough being pedantic about details at work, and on here for fun!
Did the Duff case shed light on the role of a PPC as a data controller? Anyone know?PRIVATE 'PCN'? DON'T PAY BUT DON'T IGNORE IT (except N.Ireland).
CLICK at the top or bottom of any page where it says:
Home»Motoring»Parking Tickets Fines & Parking - read the NEWBIES THREAD0 -
Well, it's taken me a bit of digging and searching but for my part about whether the PPC is a data controller can be found by reading the following two links (in addition to the case mentioned previous)
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdf
Taken from the Working Party Opinion 2010The most important element is the prescription that the processor act “…on behalf of the controller…”. Acting on behalf means serving someone else's interest and recalls the legal concept of “delegation”. In the case of data protection law, a processor is called to implement the instructions given by the controller at least with regard to the purpose of the processing and the essential elements of the means. In this perspective, the lawfulness of the processor's data processing activity is determined by the mandate given by the controller. A processor that goes beyond its mandate and acquires a relevant role in determining the purposes or the essential means of processing is a (joint) controller rather than a processor.
https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf
Taken from the ICO Guidance in 2014 (and presumably on the back of the WP Opinion above):If a data processor breaks the agreement with its data controller, for example by using the data for its own Data controllers and data processors unauthorised purposes, then it will also take on its own data controller responsibilities. This includes the duty under the first data protection principle to process, including to obtain, personal data fairly and lawfully. Where a data processor takes the personal data the controller has entrusted it with but breaks the terms of its contract by using the data for its own purposes, it is likely to be in breach of the first principle and the ICO could take enforcement action against it.0 -
That's really useful, new for us and suggests even more that the PPCs are data controllers.
Thankyou Ruurb!PRIVATE 'PCN'? DON'T PAY BUT DON'T IGNORE IT (except N.Ireland).
CLICK at the top or bottom of any page where it says:
Home»Motoring»Parking Tickets Fines & Parking - read the NEWBIES THREAD0 -
So I stand corrected, and even I learnt something new!
Assuming now, the PPC is the processor until it acts outside of its authorised purpose under the KADOE contract and at which point, it then becomes a controller according to the above.
That's the best partAll very interesting, makes me glad I am not a lawyer because I can offer a lay opinion then walk away from it. Law is interesting and so is this discussion but I'd hate to be so pedantic for a living
0 -
I can imagine! In another life I might have done...PRIVATE 'PCN'? DON'T PAY BUT DON'T IGNORE IT (except N.Ireland).
CLICK at the top or bottom of any page where it says:
Home»Motoring»Parking Tickets Fines & Parking - read the NEWBIES THREAD0 -
Coupon-mad wrote: »That's really useful, new for us and suggests even more that the PPCs are data controllers.
There is no doubt that PPCs are almost always data controllers. However, I think the more interesting question is whether DVLA also has data controller responsibilities for the data it provides to PPCs. The Working Party Opinion 2010 seems to suggest it does when it talks about joint controllers.0 -
You may have to read the whole document but as far as I understand it, a joint controller is where both controllers make joint decisions about the purpose and manner of the data being used, though I can see what you mean.
Ordinarily, data controllers would not be jointly liable for each others actions unless they fall within the definition of 'joint' controller - I think the ICO makes reference to join controller so perhaps that could provide some clarity. Normally I've seen a data sharing agreement would set out and specify that both parties are data controllers and are both determining the purpose and manner of the data and that they are therefore 'joint' controllers.
As for any DVLA liability, I don't think they could be exposed due to the PPC's unauthorised use. However, perhaps an argument (if not already explored) of negligence on part of the DVLA e.g. failing to institute or maintain any adequate systems/procedures/measures to ensure that the PPC obtaining and using the personal data does in fact have a right to pursue the registered keeper, which could be strengthened if there is evidence the DVLA has received complaints about PPC's from registered keepers about the use of their data. That sort of argument though is a moot point and might not stick or be worth pursuing0 -
I would like to add once more scenario in the mix. What happens when the PPC sells the debt on to (eg) MIL Collections.
Is MIL the controller?
The PPC is expressly forbidden from doing this in the KADOE contract, so who has committed breaches here? The PPC? DVLA? MIL? All 3?Dedicated to driving up standards in parking0 -
For those cases which could involve a data breach, I see no reason
why a well worded paragraph added to the first appeal to the PPC, giving notice of intentions to claim under the DPA0 -
I would like to add once more scenario in the mix. What happens when the PPC sells the debt on to (eg) MIL Collections.
Is MIL the controller?
The PPC is expressly forbidden from doing this in the KADOE contract, so who has committed breaches here? The PPC? DVLA? MIL? All 3?
the KODOE contract does not over ride UK law , it works along side it , if MIL are exempt by virtue of not using KODOE , they are still liable under UK law for breach of data protection
this also applies to any parking Co , that flood tears to the DVLA and promise to be good in the futureSave a Rachael
buy a share in crapita0
This discussion has been closed.
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 351.1K Banking & Borrowing
- 253.2K Reduce Debt & Boost Income
- 453.6K Spending & Discounts
- 244.1K Work, Benefits & Business
- 599.1K Mortgages, Homes & Bills
- 177K Life & Family
- 257.5K Travel & Transport
- 1.5M Hobbies & Leisure
- 16.1K Discuss & Feedback
- 37.6K Read-Only Boards