Gdpr breach: Ppc sar error

beamerguy

Polygone wrote: »

Cheers for the help, guys. Can't believe their incompotence. BW Legal have been threatening for the official Court Claim deadline in a few days and now their client has done this. I've been in contact by phone to the Department Store Manager of the retail store that the contraventions happened on and he agreed this is a serious GDPR issue. Got a meeting scheduled on Monday to discuss this.

So its likely my PCNs will get waived and I may seek out compensation for the serious mishandling of data here. Nicely done, Britannia Parking.

It's not Easter yet but Britannia need to be crucified for this.

The question you must have ..... how many people has Britannia sent your private data too ?????

Umkomaas

I may seek out compensation for the serious mishandling of data here.

I don't think there should be any 'may' about it!

The details in the following aren't overly important, but the quantum is.

http://parking-prankster.blogspot.com/2017/05/motorist-awarded-900-for-data.html

Redx

slow or not, its irrelevant, you get your complaint in regardless and let them deal with it in the fullness of time, because time isnt the issue here, its a GDPR breach and needs reporting, otherwise it will continue

pay peanuts and you get monkeys, their DPO are making mistakes and so need retraining, so a kick up the backside is required and be made an example of to other firms and DPO,s

LoneStarState

Polygone

Might I also recommend in your complaint you bring to the ICO's attention that their privacy policy (located here: https://www.britannia-parking.co.uk/Content/Policy) states that they will retain personal data for 7 years after their "contractual relationship with you" has ended. Coupled with the breach you mentioned and that wholly unfair and definitely unlawful retention period, the ICO may actually take this one slightly seriously (for once). I'm currently waiting for a response to an erasure request and will then complain to the ICO myself when their response will almost definitely be unsatisfactory.

Castle

LoneStarState wrote: »

Polygone

Might I also recommend in your complaint you bring to the ICO's attention that their privacy policy (located here: https://www.britannia-parking.co.uk/Content/Policy) states that they will retain personal data for 7 years after their "contractual relationship with you" has ended. Coupled with the breach you mentioned and that wholly unfair and definitely unlawful retention period, the ICO may actually take this one slightly seriously (for once). I'm currently waiting for a response to an erasure request and will then complain to the ICO myself when their response will almost definitely be unsatisfactory.

The only contractual relationship is with the driver, who may not be the data subject. So Britannia will have provide proof that the data subject is also the driver.

Polygone

Update (for anyone interested):

I firstly informed the other SAR individual (who's data I received had received) by email about Britannia Parking's GDPR breach. I then sent a lengthy complaint to Britannia about it. Then finally, I complained to the BPA about the matter. I was in the process of trying to complain to the ICO but the complaint form stated I had to inform the company of my complaint first and await their response (which they have one month to do). So I waited.

Britannia Parking replied apologising for the matter, clarifying that it was only me who was the recipient of the email (my data hasn't been shared with anyone else) and stating that the reason for the fault (which I requested to know) was due to me inadvertently providing them with an incorrect PCN number and their employee did not check thoroughly enough to see if the PCN details matched up to my details. I checked this myself and they were correct as there was a typo in the PCN and this matched the other user's PCN number. Whilst I acknowledge that fault, nonetheless, it was still a serious breach/mistake and they cannot afford to be clumsy when handling sensitive data. To correct their mistake, Britannia emailed the recipient of the date (me) and requested I delete the email - which I did (minus the screenshots which censor out any sensitive information, which I said I'd keep as evidence). They have also redacted all personal data relating to the vehicle (BPA's investigation confirms this). A letter of apology 'has been sent out' and the other individual emailed me and confirmed this - whilst thanking me for bringing the case to their attention. Although, I have yet to receive any letter myself. BPA state that Britannia Parking has self-reported the case to the ICO. A review of their processes will be taking place to ensure the chances of this happening again are reduced. The investigation was then closed.

So that's the end of that. They have redacted my personal data from the PCN's (which got waived last week anyway). Nothing really more I intend to do.

Jetslick/Polygone

waamo

Good result. It may cause them a short term headache.

Jetslick

Yeah, I'd feel a little guilty to press matters further (i.e. complain to the ICO myself) if it was simply a human-error based on my own human error of a typo in the PCN.

But again, cheers everyone for the help.

beamerguy

Good result, Britannia having their knuckles wrapped

Even scammers/cowboys must obey the law

beamerguy

Jetslick wrote: »

Yeah, I'd feel a little guilty to press matters further (i.e. complain to the ICO myself) if it was simply a human-error based on my own human error of a typo in the PCN.

But again, cheers everyone for the help.

Don't feel guilty, they were scamming you in the first place

I would complain to the ICO because you cannot have their employee not checking thoroughly enough to see if the PCN details matched up to your details.

If this is not happening, doubt you will be alone in the data breach