Pushing back against PPC DSAR breaches

Blindside6

Apologies if this is a topic that has been aired previously, I'm fairly new to the forum.

Last week I made DSARs to two PPCs (UKPC and Euro Car Parks), two lawyer firms (QDR and DCB Legal) and two debt collection agencies (DCBL and ZZPS). I am currently defending two PCNs allegedly issued in July and August, 2020 (at the height of the COVID pandemic).

All these companies have so far been involved in the process. It has already cost them a small fortune, collectively, and the very great likelihood is that it is going to cost them an awful lot more.

So far, there have been purported finalisations from DCBL and ZZPS; an acknowledgement from Wright Hassall LLP who 'own' QDR); an attempt to obstruct the process by ECPL and zero, so far, from UKPC and DCB Legal.

Setting aside the omnipresent 'we're right, you're wrong' condescension that pervades all communications with these companies, what I've uncovered, so far, will likely lead to another national scandal: Deliberate, calculated and, very probably, wholesale abuse of UK GDPR and Data Protection Act, 2018 by PPCs and their agencies.

To give forum readers and users an insight into that bold forecast, here is an abstract from a complaint filed against DCBL yesterday. A similar complaint was filed against ZZPS on 8th April:

Grounds of Complaint
1. Failure to Provide All Personal Data Held
DCBL has withheld the following categories of personal data:
- Correspondence I sent or received (e.g. their 10 May 2024 letter and my 28 May 2024 reply),
- Internal case notes, audit logs, decision-making trails, system metadata,
- Call logs or records of attempted contact,
- Internal emails referencing me, including communications with ECPL, ZZPS, DCB Legal, or tracing agents.
Their justification—i.e., that I already hold sent/received emails—contravenes the ICO’s guidance, which confirms that all personal data must be disclosed irrespective of presumed possession.

2. Omission of Source and Recipient Information
DCBL admits it obtained some data from trace agents (e.g., date of birth, address) but refuses to name them or detail the source pathway. Nor have they clarified when or how my data was obtained from ECPL, or if ZZPS was involved in the handover. This is a breach of Article 15(1)(c) and (g). 

 2A. Omission of Dated Correspondence

Notably, DCBL failed to disclose key pieces of correspondence (i) dated 28 May 2024, which I sent to them via email in direct response to (ii) their letter of 10 May 2024. That letter, which was clearly marked with their reference number (redacted), contains substantial personal data, legal arguments, and references to previous unanswered correspondence. It is plainly in scope of my DSAR, and its omission—along with the failure to acknowledge or explain its absence in the internal review—demonstrates a material failure to comply with Article 15(1)(a). I attach a copy of this letter for the ICO’s reference.

3. Inadequate Description of Processing Purposes
DCBL states that my data was used to “create individual cases.” This description is legally insufficient and fails to meet the threshold of specificity required under Article 15(1)(a–b). There is no meaningful information about processing for:
- Debt recovery,
- Tracing,
- Litigation preparation,
- Data sharing with affiliates (e.g. DCB Legal).

4. Absence of a Retention Policy
While DCBL states data is held for 12 months post-closure, they also claim the case is open—despite no longer being instructed. This contradiction obscures their actual retention practices and fails to comply with Article 15(1)(d).

5. No Statement of Data Subject Rights
DCBL has not advised me of:
- My right to rectification, restriction, or erasure,
- My right to lodge a complaint with the ICO.
This omission violates Articles 15(1)(e) and (f).

6. Obfuscation of Controller/Processor Status
DCBL repeatedly asserts that they act solely on “client instructions” from ECPL. Yet they:
- Decide what data to disclose,
- Initiate trace activities,
- Retain data independently,
- Refer cases to their legal subsidiary.
These are the actions of a data controller, not a processor. Their continued assertion to the contrary raises concerns that they are deliberately misrepresenting their role to avoid data protection responsibilities.

The presumption is that DCBL routinely send out similar threadbare DSAR requests in the high expectation that very few people would have either the knowledge or the will to challenge them.

It is a story that definitely has legs. Particularly, as DSAR finalisation from DCB Legal (absolutely hopeless at everything else) is likely to be even worse than sister company, DCBL.

Hope this assists the forum, generally, and everyone involved in DSARs is welcome to use the 'Grounds of Complaint' set out above as the basis for their own challenge to non-compliaince.

Coupon-mad

Thanks! Very useful. Do update the thread as this journey progresses. 

Le_Kirk

Yep, keep at 'em.  Don't forget that DPOs have 30 days to respond.

fisherjim

Love it, Popcorn anyone?

Blindside6

Le_Kirk said:

Yep, keep at 'em.  Don't forget that DPOs have 30 days to respond.

One calendar month (not 30 days) is a backstop, not a target date.

UK GDPR Article 12 (3) states: "The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request.".

Hope this assists you, and other forum members, going forward.