Euro Car Parks Ltd reported to ICO over DSAR breach.

LoneStarState

kryten3000 said:

I don't consider a request for the V5C as excessive and would always suggest sending a copy of page 1 with the SAR.

The problem is requiring this will prejudice certain groups of people, who would hypothetically never be able to receive their personal data due to the wheeze of requiring a V5C identifying them as the data subject. 

Those who have since sold/scrapped the vehicle and no longer hold outdated paperwork
Those with leased/financed/hired vehicles who were never the RK including a large group of disabled individuals under the Motability scheme.

It's particularly relevant in light of the POFA definition of keeper which is distinct from the more specific Registered Keeper listed on a V5C, if indeed the data subject was ever an RK.

Jambo27

kryten3000 said:

I don't consider a request for the V5C as excessive and would always suggest sending a copy of page 1 with the SAR.

It is excessive.

As per DPA2018, Section52 & UK GDPR Article 12(6), which allows them to request more information to esablish the identity of the requester if they have "reasonable doubts".

A driving license establishes that identity in most cases and if they still doubt your idenrity then they will need to explain their doubts.

A V5 is irrelivent to the situation and would not fit with UK GDPR Article 5, Data minimisation – Only the necessary amount of data should be collected and processed.

Jambo27

Blindside6 said:

Jambo27 said:

I am currently also dealing with ECP for a DSAR where they are asking for proof of ownsership. Well firstly the V5 does not show proof of ownership, only registered keeper.

I haven't been the registered keeper for about 2 years so don't have any paperwork anymore anyway.

The link to the vehicle is that they wrote to me because I was registered as the keeper at the time, so it's self evident.

Yes I sent them a copy of driving license, maybe not the best idea considering the data it contains, but it's done now.  This was my reply last night to them, but this morning received a reply with their same default response asking for V5:

-----------------------------------------------------------------------------------------------------------

A SAR (DSAR) is dependent on identifying the Data Subject.

As per DPA2018, Section52 & UK GDPR Article 12, Paragraph 6, please state what your "reasonable doubts" are in relation to my identity. You have received a copy of my driving license which shows my name and address that you will hold in relation to Parking Charge Number: xxxxxxxxx

If you still claim that I need to show you information relating to the vehicle to comply with my SAR request, please explain your justification, in law.

1. Data Protection Act 2018, Section 52:
“Where the controller has reasonable doubts about the identity of an individual making a request under section 45, 46 or 47, the controller may—
(a)request the provision of additional information to enable the controller to confirm the identity, and
(b)delay dealing with the request until the identity is confirmed.”

2. UK GDPR, Article 12, Paragraph 6:
“where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.”

3. The ICO’s "Right of Access":
“You can ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about. The key point is that you must be reasonable and proportionate about what you ask for."

I issued them with a Pre-Action Protocol Letter before Claim on 17th April 2025. They have not responded, of course:


"To: DPO;

17/04/2025 10:50

"Dear ECP DPO

"It is apparent that you have not read the pdf attached to my email of 15th April.

"The text of that pdf is reproduced below for emphasis.

"Please clearly understand that if the terms of the Pre-Action Protocol Letter before Claim are not complied with fully by 30th April, 2025 then County Court proceedings will be issued against Euro Car Parks Ltd. As such you are strongly urged to seek appropriate legal advice. 

"Yours sincerely

 

"[redacted]

 

 

"To: The Data Protection Officer Euro Car Parks Ltd
Date: 15 April 2025
Subject: Pre-Action Protocol Letter Before Claim under the UK General Data Protection
Regulation

"Dear Sir/Madam,

Background I write regarding the failure of Euro Car Parks Ltd ("ECPL") to comply with
its legal obligations under the UK General Data Protection Regulation (UK GDPR) in
response to a Data Subject Access Request (DSAR) I submitted on 31 March 2025.
Despite providing adequate identification and a clear request under Article 15 UK
GDPR, ECPL has refused to comply, instead imposing disproportionate and
unnecessary barriers that obstruct the lawful exercise of my data subject rights.
This non-compliance arises in the context of active civil litigation (Claim No. L0KF9T5H)
brought by ECPL against me, where access to personal data is crucial to preparing my
defence and evaluating the lawfulness of ECPL's data handling.

"Cause of Action This claim arises from ECPL's breaches of Articles 12 and 15 of the UK
GDPR. Specifically:
• Failure to respond to a valid DSAR within the statutory time limit, in breach of
Article 12(3);
• Imposition of unreasonable and excessive identity verification requirements
(e.g., insisting on sight of a V5C document despite already holding sufficient
data to verify my identity), in breach of Article 12(2);
• Refusal to process my DSAR without justification under Article 15(4) or Schedule
2 of the Data Protection Act 2018;
• Application of inflexible internal policies not tailored to the facts of the case,
contrary to ICO guidance and the principle of fairness under Article 5(1)(a).
These actions amount to a serious and deliberate obstruction of my statutory rights and
give rise to a claim for declaratory relief, compliance, and compensation under Article
82 UK GDPR.

"Factual Matrix
• On 31 March 2025, I submitted a DSAR to ECPL, including a copy of my driving
licence as identity verification;
• ECPL responded by demanding a copy of my V5C logbook, despite already
holding relevant data (via DVLA and civil claim L0KF9T5H) linking me to the
vehicle in question;
• I sent follow-up correspondence outlining the legal basis for my DSAR and the
ICO’s guidance on reasonable verification;
• Notably, other entities in the same data processing chain—Direct Collection
Bailiffs Ltd (DCBL), ZZPS Ltd, and QDR Solicitors—have all acknowledged and
responded to similar DSARs without requesting a copy of the V5C. DCBL and
ZZPS concluded their internal reviews without querying vehicle ownership, and
QDR Solicitors accepted a driving licence alone as adequate identification;
• This inconsistency in verification standards between ECPL and its
agents/affiliates highlights the arbitrary and obstructive nature of ECPL’s refusal.
It also reinforces the fact that ECPL already holds sufficient information
(including via DVLA and litigation records) to link me to the subject vehicle;
• ECPL refused to engage further or comply with the DSAR, with no lawful basis
cited for its refusal.

"Applicable Law
• Article 12(2) UK GDPR – Obligation to facilitate the exercise of data subject
rights;
• Article 12(3) UK GDPR – DSARs must be responded to without undue delay and
within one calendar month;
• Article 15 UK GDPR – Right of access to personal data;
• Article 82 UK GDPR – Right to compensation for material and non-material
damages arising from breaches;
• Section 167 Data Protection Act 2018 – Right to seek compliance via the courts.

"Case Authorities
• Driver v Crown Prosecution Service [2022] EWHC 2500 (KB): DSAR failures found
to give rise to compensable distress;
• Österreichische Post AG (C-300/21): Confirmed the right to non-material
damages for fear of data misuse;
• Rudd v Bridle & JTRIG [2019] EWHC 366 (QB): Confirmed controller obligations
and appropriate responses to DSARs;
• ICO Guidance: Clear warnings against excessive identity demands and blanket
DSAR refusal policies.

"Harm and Distress ECPL’s unlawful refusal to comply with my DSAR has caused the
following harms:
• Procedural prejudice in Claim [redacted], where withheld data may reveal
material handling flaws, processing defects, or unlawful escalation practices;
• Emotional distress caused by the refusal to engage meaningfully with a data
rights request in the context of an ongoing legal dispute;
• Frustration, anger, anxiety and cost in seeking recourse via the ICO and legal system, including
delays in resolving the underlying claim;
• The contrast between ECPL’s obstructive conduct and the responses of its
processing partners has exacerbated the sense of procedural unfairness. It has
caused unnecessary delay, additional correspondence, and forced the
escalation of a matter that could—and should—have been resolved informally in
line with established data protection norms.

"These harms clearly exceed the de minimis threshold and are actionable under Article
82 UK GDPR.

"Next Steps In accordance with the Practice Direction – Pre-Action Conduct and
Protocols, I request that ECPL:
1. Fully comply with my DSAR, without unreasonable verification demands;
2. 3. Provide all personal data held in relation to me, including correspondence,
tracing activity, DVLA records, and any data shared with third parties such as
ZZPS, DCBL, or DCB Legal;
Provide a clear explanation of the processing purposes, source and recipients of
the data, retention policies, and my data subject rights.

"If ECPL fails to respond substantively within 14 days of receipt of this letter, I intend to
commence legal proceedings without further notice, seeking a compliance order and
compensation for non-material damage under Article 82 UK GDPR and section 167 DPA
2018.

"Yours faithfully,

[redacted]"

Did you wait for 1 month for them to potentially comlete the SAR anyway, or did you send it when you could get no further with them?

Are you not asking for financial damages as well? Might have been worth it you'd probably get it on default judgement.

Would you be using an N244 form to apply for request?

kryten3000

I didn't make myself clear earlier - I would send V5C instead of a driving licence if possible, but I do not think a REQUEST for the V5 is unreasonable. 

I do agree that refusal to provide information without a V5 when other suitable documentation is provided is unreasonable and needs to stop. 

Jambo27

kryten3000 said:

I didn't make myself clear earlier - I would send V5C instead of a driving licence if possible, but I do not think a REQUEST for the V5 is unreasonable. 

I do agree that refusal to provide information without a V5 when other suitable documentation is provided is unreasonable and needs to stop. 

Yeah the V5 is a good idea to send as ID, if you have it. In my cas I do not have the car anymore.

Also yeah a request for it is ot a problem, but they are demanding, which is a problem.

I actually mis-read their request for asking for personal ID, what it actually says is: "reasonable evidence of your identity (the ICO recommend Photo ID)". I could have sent a Gas bill or somethiing, so will be more careful in the future.

Coupon-mad

"reasonable evidence of your identity (the ICO recommend Photo ID)"

Surely the ICO actually said the opposite?

I'm sure they've previously said that insisting on photo ID is excessive an unjustified in a case where the trader has nothing to compare the photo to and therefore no reason to ask for photo ID...

Blindside6

Coupon-mad said:

"reasonable evidence of your identity (the ICO recommend Photo ID)"

Surely the ICO actually said the opposite?

I'm sure they've previously said that insisting on photo ID is excessive an unjustified in a case where the trader has nothing to compare the photo to and therefore no reason to ask for photo ID...

Whilst not always mandatory, a public authority can request photo ID when making a Data Subject Access Request (DSAR) to verify the requester's identity. They are required to be confident about the requester's identity, especially when dealing with sensitive information like health or financial details. The decision to request ID is at the data controller's discretion, and they should also consider other reasonable methods of verification. 

The proposition that Euro Car Parks Ltd needs a V5C to disclose non-sensitive data, in addition to a driving licence, whilst engaged in hotly contested litigation against the DSAR applicant, dating back to 2023 and over PCNs that were issued in 2020, doesn't even bear the lightest scrutiny.

Here's a more detailed explanation of the general principles:

• Verification of Identity:

  Public authorities need to be sure they are providing information to the correct individual. This is especially important when handling sensitive personal data. 

Discretionary Request for ID:

While not always required, the authority can request photo ID (like a passport or driving license) to confirm the requester's identity. 

Alternative Verification Methods:

If not confident about the identity, they can consider other reasonable measures, such as a utility bill, a face-to-face meeting, or verifying information already held. 

Proportionality:

The request for ID should be reasonable and proportionate to the circumstances. For example, they might not need ID for an ongoing relationship where identity is already established, says the ICO. 

Timeframe:

If ID is requested, the timeframe for responding to the DSAR starts when the necessary information is received, according to the ICO. 

Jambo27

Coupon-mad said:

"reasonable evidence of your identity (the ICO recommend Photo ID)"

Surely the ICO actually said the opposite?

I'm sure they've previously said that insisting on photo ID is excessive an unjustified in a case where the trader has nothing to compare the photo to and therefore no reason to ask for photo ID...

Yes I'm sure it would be excessive. I did actually send them a final reply asking which guidence they are referring to in relation to evidence of link to the vehicle, but got the same BS reply as before with no references to what I asked.

There is no way I should have send my license, I just shot off the email to get it done without considering.

The full text is:

"Thank you for your correspondence. In order for us to process your request, and to ensure our own  compliance with GDPR we require that you provide reasonable evidence of your identity (the ICO recommend Photo ID) and proof of ownership of any vehicle you wish to be included in the search (for example a copy or image of a V5C document). These (copy) document(s) can either be posted to our registered offices or emailed to us using the DPO@eurocarparks.com address. Please DO NOT send any original documents (passport, V5C, etc).

The (identification) data will not be kept further than to establish your identity and that any information released correctly adheres to the requirements of the GDPR – if using the postal service hard copies will be sent back by return post if required and this must be stipulated on your correspondence if not these will be shredded, data copies will be destroyed and not retained further than to place a tag against the audit trail that identification has been verified.

Please also consider the information you require as part of your GDPR request including as much detail as
possible as this helps us address your request as effectively as possible and provide you with the details
within the GDPR guidelines."

Blindside6

Jambo27 said:

Coupon-mad said:

"reasonable evidence of your identity (the ICO recommend Photo ID)"

Surely the ICO actually said the opposite?

I'm sure they've previously said that insisting on photo ID is excessive an unjustified in a case where the trader has nothing to compare the photo to and therefore no reason to ask for photo ID...

Yes I'm sure it would be excessive. I did actually send them a final reply asking which guidence they are referring to in relation to evidence of link to the vehicle, but got the same BS reply as before with no references to what I asked.

There is no way I should have send my license, I just shot off the email to get it done without considering.

The full text is:

"Thank you for your correspondence. In order for us to process your request, and to ensure our own  compliance with GDPR we require that you provide reasonable evidence of your identity (the ICO recommend Photo ID) and proof of ownership of any vehicle you wish to be included in the search (for example a copy or image of a V5C document). These (copy) document(s) can either be posted to our registered offices or emailed to us using the DPO@eurocarparks.com address. Please DO NOT send any original documents (passport, V5C, etc).

The (identification) data will not be kept further than to establish your identity and that any information released correctly adheres to the requirements of the GDPR – if using the postal service hard copies will be sent back by return post if required and this must be stipulated on your correspondence if not these will be shredded, data copies will be destroyed and not retained further than to place a tag against the audit trail that identification has been verified.

Please also consider the information you require as part of your GDPR request including as much detail as
possible as this helps us address your request as effectively as possible and provide you with the details
within the GDPR guidelines."

Think I may have mentioned this before - apologies if I'm repeating myself - but I'm convinced that ECPL's replies are AI or template generated. They do not address specific points raised in correspondence, however meaningful or critical they may be. I will post my draft Particulars of Claim here, once finalised.

Blindside6

PARTICULARS OF CLAIM

Data Breach Claim: [redacted] v [Private Parking Company]

1. Parties

 1.1. Claimant: [redacted], [redacted].

 1.2. Defendant: [redacted], a data controller processing vehicle-related personal data, with a registered office at [redacted].

 2. Background Facts

 2.1. On 31 March 2025, the Claimant submitted a Data Subject Access Request (“DSAR”) to the Defendant under Article 15 UK GDPR, providing a driving licence to verify his identity, seeking data critical to defending a civil claim (Claim No. [redacted]) brought by the Defendant against the Claimant (as to how they are referred in the instant proceedings).

 2.2. In [redacted], issued 29th October 2024, the Defendant pursues the Claimant for [redacted] as the keeper or driver of vehicle [redacted] for Parking Charge Notices (PCNs) dated 22/07/2020 and 23/08/2020.

 2.3 The Claimant admits to being the vehicle keeper but disputes being the driver. The Defendant has not served Particulars of Claim, relying only on standardised claim form particulars. A N244 strike-out Application is pending in [redacted] (filed 21st April 2025), wherein the Defendant’s failure to engage with Directions and disclosure obligations—particularly concerning signage, landowner evidence and breakdown of sum claimed—has been formally challenged.

2.4 The Defendant’s legal representative’s misleading witness statement (claiming no pre-issue dispute despite extensive 2023 correspondence) may amount to a breach of CPR 32.14, severely prejudicing the Claimant’s defence, is also under scrutiny.

 2.5 On 1st April 2025, the Defendant demanded a V5C logbook to “establish the Claimant’s connection to the vehicle”, despite holding sufficient identity data, including:

• The Claimant supplying a copy of his driving licence when making the DSAR.
• DVLA records linking the Claimant as keeper (accessed in 2020).
• Litigation records [redacted] naming the Claimant as keeper.
• Identity data (e.g., name, address) obtained via a tracing agent engaged by the Defendant or its agents, as confirmed by collateral DSARs to ZZPS Ltd and QDR Solicitors.

 2.6 The V5C demand is excessive and prejudicial, excluding data subjects such as:

  - DSAR applicants who may have sold the vehicle and no longer hold a V5C for the subject vehicle.

  - Non-registered keepers (e.g., Lessees, Motability Scheme users) never listed on a V5C.

 2.7 Under the Protection of Freedoms Act 2012 (POFA), Schedule 4, para. 2, a “keeper” includes drivers or users. As the admitted keeper in 2020, the Claimant is a data subject under Article 4(1) UK GDPR, entitled to access his personal data without a V5C.

 2.8 On 15th April 2025, the Claimant sent a Pre-Action Protocol Letter Before Claim, detailing the DSAR’s legal basis, the V5C’s disproportionality, and a 30th April 2025 deadline. A reminder followed on 17th April 2025. The Defendant failed to comply or respond substantively.

 2.9 Collateral DSARs to ZZPS Ltd, QDR Solicitors, DCB Legal Ltd and Direct Collection Bailiffs Ltd plus a further DSAR to another Private parking company (PPC), UK Parking Control Ltd., were processed without V5C demands, highlighting the Defendant’s arbitrary and obstructive policy.

 3. Cause of Action

 3.1. The Defendant’s actions breach the UK GDPR and DPA 2018:

• Article 12(2), 12(6) UK GDPR; DPA 2018 Section 52: Imposing an excessive V5C requirement without “reasonable doubts” about the Claimant’s identity, despite his driving licence, DVLA records, litigation [redacted], and tracing agent verification.
• Article 5(1)(c) UK GDPR: Requiring a V5C, containing unnecessary vehicle data, violates data minimisation.
• Article 15 UK GDPR: Refusing to process the DSAR without justification, denying access to data critical to defending L0KF9T5H. 3.2. These breaches caused non-material damage:
• Severe procedural prejudice in defending [redacted], as withheld data (e.g., DVLA records, tracing agent data, correspondence) could reveal flaws in POFA compliance, data processing, or claim conduct, exacerbated by the Defendant’s failure to serve Particulars of Claim, breached court order, and false witness statement.
• The Defendant’s non-compliance with the DSAR directly impacts my ability to evaluate the lawfulness of the ongoing claim, including whether it constitutes an abuse of process following prior discontinuance (QDR, 2023) and whether the 'damages' sought breach the principles in Excel v Wilkinson and ParkingEye v Beavis
• Emotional distress, anger, anxiety and frustration from the Defendant’s obstructive and oppressive V5C demand.

 4. Legal Authorities

 4.1. The Claimant relies on:

• Rudd v Bridle [2019] EWHC 366 (QB): Controllers must provide appropriate DSAR responses.
• Driver v CPS [2022] EWHC 2500 (KB): DSAR failures cause compensable distress, even at modest levels.
• Österreichische Post AG (C-300/21, CJEU): Non-material damages include distress from non-compliant processing.
• Excel Parking Services Ltd v Wilkinson [2016] and ParkingEye v Beavis [2015]: Principles governing lawful parking charge damages, relevant to L0KF9T5H’s lawfulness.
• Ashley v HMRC [2025] EWHC 134 (KB]: The High Court held that a data controller’s failure to use internal systems and existing data to respond fully to a DSAR—while demanding unnecessary verification or limiting the scope of search—breached Article 15(3) UK GDPR. This judgment confirms that personal data includes assessment material and requires proportionate, good faith searches by the controller.
• UK GDPR Articles 12(2), 12(6), 5(1)(c), 15; DPA 2018 Section 52: Verification must be proportionate, limited to necessary data, and justified by “reasonable doubts.”
• ICO Guidance (Right of Access, 2021): Verification must use existing data and not obstruct DSAR rights.
• POFA 2012, Schedule 4, para. 2: Defines “keeper” broadly, confirming data subject status.

 5. Relief Sought

 5.1. A declaration that the Defendant’s DSAR refusal breaches UK GDPR and DPA 2018.

 5.1.1 The Claimant seeks a further declaration that the Defendant’s internal policy of requiring a V5C document as a precondition for DSAR compliance is unlawful under Articles 12 and 15 of the UK GDPR, and contrary to the ICO’s Right of Access Guidance (2021), as it imposes a disproportionate and arbitrary barrier to the exercise of data subject rights.

5.2. An Order under section 167 DPA 2018 compelling the Defendant to comply fully with the DSAR, providing all personal data relating to the Claimant, including correspondence, DVLA records, identity verification data (e.g., from tracing agents), and data shared with third parties (e.g., ZZPS Ltd, Direct Collection Bailiffs Ltd, QDR Solicitors).

5.3. An order requiring the Defendant to provide the data’s purposes, sources, recipients, retention policies, and the Claimant’s data subject rights.

5.4. Compensation of [redacted] for non-material damages (distress, anxiety, anger. loss of trust, procedural prejudice), plus material costs (e.g., court fees, travel etc).

5.5  Interest pursuant County Courts Act 1984 at the court’s discretion.

5.6 Costs per CPR 27.14 (2) (g) if the court finds the Defendant’s conduct either pre- and post-action (or both) to be unreasonable. The failure to substantively engage at all with the internal review request dated 1st April 2025 and failure to engage at all with pre-action protocol letter before claim, 15th April, and follow-up, 17th April 2025, being just three examples.

5.7 Any further relief as the Court deems just.

Statement of Truth

I believe the facts stated in these Particulars of Claim are true. I understand that proceedings for contempt of court may be brought against anyone who makes a false statement in a document verified by a statement of truth without an honest belief in its truth.

 

Signed: [redacted]
Date: