Cancelled Parkmaven PCN - Data Protection Issues

saginata

I recently got a Parkmaven PCN from the Holiday Inn carpark at Luton Airport. Went to POPLA, wrote a wall of text with all the usual stuff about signage, bad fonts, double dipping, no POFA at airports (a bit tenuous in this case). Parkmaven withdrew the appeal (I hate how POPLA choose to word this)

The same day I contacted parkmaven asking them to delete all my data. They responded saying they did, but I was still able to log into their system with my registration and PCN reference number. The photographs are still in there and the PCN is showing as active (Charge Status: Current Amount: £100.00). I asked them again to delete all my data, this time copying in their directors. Received no response. It's been about 2 months since I requested the data to be deleted and it's still there. I have a complaint going with the ICO. I complained to BPA but they're saying they don't care about the Code of Practice sections that refer to data protection stuff. 

This is causing me some distress. They're clearly not very organized or careful with how they handle data. I'm worried at some point they might for example decide to start pursuing this again, mess up an address and I might end up with credit score issues. I also don't feel ok with a company like this holding my data for no good reason. I don't need stuff like this hanging over me when I might be looking for a mortgage. 

Would it make sense to send them a LBC (and then a claim) for a modest amount to compensate for this distress and to get them to finally clean up the data?

Le_Kirk

The ICO is the place to pursue this.  What would your claim be? How would the fact that a company has your name, address and car VRM cause you issues with mortgage? Claims need to be properly pleaded in order to succeed but a LBC might (although I doubt it) stir them into action.  Have you thoroughly read the DPA and the GDPR to see what right the company has to retain your data, in what circumstances, for how long  and what rights you have to "be forgotten"?

GrannyKate

This is Parkmaven's current privacy policy. https://parkmaven.freshdesk.com/support/solutions/articles/103000172988-privacy-policy

In section 1 it says it will explain amongst other things;

• How long we will keep personal data for.

I cannot see that it does that anywhere.  Whilst there may be circumstances when they can legitimately delay 'the right to be forgotten' this is not indefinite and their actual retention and destruction policy should be described somewhere and available to the public

pinkelephant12

According to the BPA Code of Practice at paragraph 23.13, appeal documentation has to be kept for at least 2 years.  This will require the parking company to keep the images of the parking tickets but remove your name and address from them.

Have you made a data subject access request to the parking company under Article 15 UK GDPR yet?  If not, do this  asking for all data they hold about you and see what data they have retained.  If they fail to respond to that, you can apply to the County Court for a compliance order under s.167 Data Protection Act 2018 and/or sue for compensation for distress.

Personally, I think complaining to the ICO is a waste of time.  The ICO is, after all, an organisation that believes parking charges imposed by unregulated private parking companies are 'fines' as shown in their published Opinion about DVLA of June 2022.  

GrannyKate

I guess BPA has this specific guidance at 23.13 for 'appeals' paperwork - I am not sure it would be fit for purpose with names and addresses removed as it needs to be available for any complaints which BPA might receive about the appeal process.  How long other paperwork needs to be kept where there is no appeal or people just pay is another thing.  

The problem with Article 17 GDPR and the 'Right to Erasure' is this is a qualified right and the data controller may be able to make a case for retaining the data for a period of time - one exemption that can apply is 'for the establishment, exercise or defence of legal claims.'

The data controller is required under GDPR to have a retention and destruction policy in place covering what they keep, how long they keep it, legal or business reasons for doing so, destruction processes etc.

 Under GDPR, data cannot be kept indefinitely. Recital 39 of the GDPR requires data controllers to establish time limits for data retention and to ensure the erasure of records when they are no longer required.

I suspect that the only circumstances in which the ICO would uphold immediate destruction would be where there was a complete error in the first place and correspondence was sent to someone who had nothing to do with the case.