June 2018 - start of the new PPC and DVLA fightback (GDPR related)

abedegno

So ParkingEye responded to by Subject Access Request - I may one of the first to get a response from them.

Dear Abedegno,

We write further to your recent correspondence and your Subject Access Request received at our offices on 27 May 2018. We note that the additional ID confirmation requested was received on 18 June 2018 and that this response has subsequently been issued in line with the timeframe specified within the General Data Protection Regulation (GDPR).

The data enclosed concerns the VRM for which you have provided documentation to show that you are the registered keeper and have been for the period of time you have queried. Please note that we have been unable to locate any email correspondence pertaining to your email address. We can confirm that the personal data enclosed is stored within the UK and has not been shared with any third parties. Further information about the third parties with whom data may be shared in certain circumstances can be found within the privacy policy on our website. We can also confirm, in line with s.(1)(h) of Article 15, that no automated decision-making or profiling, referred to in Article 22(1) and (4), has been undertaken in relation to the enclosed data.

When you use ParkingEye car parks, data is collected and processed for the purposes of ensuring compliance with the parking terms and conditions, issuing Parking Charges when required and progressing the same to closure or payment, and providing car park management services. Our policy in respect of vehicle data collected and processed as it relates to our car park management services is that the same may be retained for up to 12 months prior to anonymisation. As outlined within our privacy policy, such data may be provided to the police to assist with the prevention and detection of crime. You will also note from the documentation enclosed that the ANPR images captured by our cameras are already removed from our system within a shorter period of time.

Please note that the General Data Protection Regulation provides the following further rights:

The right to request from ParkingEye rectification or erasure of your personal data;
The right to request from ParkingEye restriction of processing of your personal data;
The right to object to the processing of your personal data.

Please note that some of these rights are not absolute and will only apply in certain circumstances. We will review each request we receive in respect of these rights. We do not have to agree with a request but if we refuse, we will still contact the data subject within one month to explain why. You also have the right to lodge a complaint with the Information Commissioner!!!8217;s Office (ICO). For further information, please refer to the ICO website, https://www.ico.org.uk. For further information, please visit: https://www.parkingeye.co.uk/privacy-policy/

We trust that the data enclosed is satisfactory, however, please get in touch if you have any queries or require further clarification in relation to any of the documentation contained within this response.

Yours sincerely,

ParkingEye Privacy Team

They also attached a PDF of a Word document that some poor soul has had to put together manually. It details the entry and exit logs from their cameras going back 12 months to 27/5/2017 and camera photos going back to 4/4/2017 (53 days) - most of these were visits to Aldis. It was also interesting to see there were two entrances without a corresponding exit match - so much for their reliable ANPR system. One of the photos has another car in shot, so that same poor soul had to manually cover up their license plate (my heart bleeds).

I am not convinced by their assertion that my personal data resides only within the UK - inspecting the email headers they seem to use Microsoft Azure with servers in Ireland and Austria - so my personal data (the email correspondence) is within those countries.

Feels like they strung this out as long as they could, waiting 3 weeks to request additional ID and then waiting until the end of the allowed one month to response - i have still raised a complaint with the ICO about the unreasonable time they took to ask for additional ID and the request for insurance documents which I deemed excessive.

Castle

a) I would also dispute their claims that no automated decision-making or profiling, referred to in Article 22(1) and (4), has been undertaken in relation to the enclosed data."; because, (according to PE), the enter/exit times recorded by the cameras creates a contract.

b) With regards to the missing two exit times I hope you will chase them up.

abedegno

Castle wrote: »

a) I would also dispute their claims that no automated decision-making or profiling, referred to in Article 22(1) and (4), has been undertaken in relation to the enclosed data."; because, (according to PE), the enter/exit times recorded by the cameras creates a contract.

b) With regards to the missing two exit times I hope you will chase them up.

I have gone back to them questioning a number of points on their response:
- Whether data really only resides in the UK (I traced their mailserver to Ireland)
- Whether no automated decision making did happen.
- The missing CCTV footage and ANPR data

I also asked for right of erasure, I believe retaining the data for 12 months is far longer than is necessary for the original purpose it was collected.

Pando

Napier Parking also replied to my SAR request with a request of their own for more information. They do say however that this is not mandatory but to speed up the process.
I will send them 3 forms of identification as they ask for, as I cannot find my VC5 and have had to order a new one. I guess this one is going to the ICO too

"I have enclosed a copy of our Subject Access Request form which details the information we require from you before we can process your request. You do not have to complete this form if you do not wish to do so, however, it may speed up your request.

If you do not wish to complete the form, we still require two forms of ID from you as detailed in Section 3 of the form. Once we have received these we can return the information you have requested.

napierparking.co.uk/Napier%20Parking%20Privacy%20Policy%20.pdf""

BiliousGreen

I think that the email address as validation of identity is a really good point to test. I have just been through a legal brief on GDPR and been told that if I sent personal data to the wrong email address it is likely that a breach notification would have to be raised to the ICO. Therefore if one of the parking companies has sent you any peronal data to an email address they are effectively accepting that the recipient is indeed the intended person! If not they are effectively admitting to their own data breach. I cannot se how they could have this both ways. Anyone who has had any personal data sent to them since may via email should be able to argue that the address is id enough or else report a breach!

markrg1965

Just bumping this back up onto first page. Is anybody getting anywhere here? I have done 4 SAR's with only Indigo doing what is actually required. I have been stonewalled by three PPCs and made three complaints to the ICO, none of which seem to be going anywhere!!! Also made a SAR to the DVLA, they never even replied!!!

abedegno

I got a response from ParkingEye - I've followed up with them as there was missing data and also made a right to erasure request - will keep people posted on this.

I've made many complaints to the ICO - they do take a very long time to process cases (months) so hang in there.

markrg1965 wrote: »

Just bumping this back up onto first page. Is anybody getting anywhere here? I have done 4 SAR's with only Indigo doing what is actually required. I have been stonewalled by three PPCs and made three complaints to the ICO, none of which seem to be going anywhere!!! Also made a SAR to the DVLA, they never even replied!!!

Computersaysno

One of the most common complaints to the ICO is organisations not responding within the set time-scales.....


The irony is that there is no set response time standard set for the ICO!!!


SO by the time the ICO starts to 'investigates' [6-9 months delay before they even start]... many organisations have replied, or they reply within a few days of the ICO asking them 'What's happening?'. The ICO then closes the complaint with no admonishment for the organisation concerned.


Organisations know this...and so simply ignore FOI, SARs etc....so they can delay release of stuff for six months with no consequences....


Of course the clever ones wait for the ICO to push [nine months], then issue a REFUSAL to the enquirer, and they then get another nine months to a year whilst the enquirer awaits an IR [Internal Review] and REFUSE AGAIN and then they get another twelve months while you try appeal to the ICO.


So all in they can delay release by 2-3 YEARS.......total and utter farce!!!

markrg1965

Thanks Computersaysno, I figured as much

abedegno

So an update from Parking Eye on my clarifications:

Regarding whether my personal data was only located within the UK:

We wish to reiterate that the data provided with our response is stored within our systems and held within the UK. This includes the ANPR, whitelist, and image data. Email correspondence sent and received by ParkingEye is processed using Office 365 and is hosted in Microsoft data centres within the EU. As we outlined within our response, we have been unable to locate any earlier email correspondence pertaining to your email address and as such, we note that the only emails that have passed between us concern this Subject Access Request. This data did not form part of the data enclosed with our response. Notwithstanding the above, we wish to confirm that we have taken steps to delete the incoming and outgoing emails referred to from the Microsoft email application. Please note that a copy of the documents supplied with our initial response, along with this email correspondence, will be retained for a period of time within our internal system to allow for any further response from you in respect of this request. This copy documentation will then be deleted entirely. The length of time this data is retained for will depend upon any subsequent response received from you.

So they seem to admit a mistake here, their justification being the data only left the EU after my data access request. I do not entirely believe them and would suspect my personal data resides outside of the UK in other places (For example backups).

Regarding my question on automated decision making:

With regard to your query regarding automated decision making, we note that Article 22 states as follows, “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”. In relation to the data enclosed, we can confirm that you have not been subject to such a decision. Any automated checks undertaken in relation to the ANPR data held only resulted in a decision not to issue a Parking Charge. Should the ANPR data have indicated that a breach of the parking terms and conditions had taken place, any subsequent decision to issue a Parking Charge would have passed through a substantial checking process that includes human intervention. On this basis, the processing undertaken falls outside the scope of Article 22.

Do we know how many tickets ParkingEye are producing a day, it seems they are really putting each NTK through a substantial checking process with human intervention, especially given the number of errors? I think I should get copies of my license plate printed and fix them to a trolly at the nearest Aldi to check...

For the missing data:

We wish to confirm that the data you refer to as “missing” has not been excluded from our response. During the time period for which data was provided, there were two instances where your vehicle was captured entering our car park but the ANPR cameras did not capture your exit. It is therefore not possible to provide ANPR images or data for those occasions.

So much for the accuracy of their system...

On the data erasure request, they are still considering this and wil get back to me.