UKCPM - Gladstones LBC - stage - SAR revealed a data privacy breach
(please excuse long first thread).
Background (not very important at the moment, you can skip reading below para for now to save you time): Visited brother at his rented apartment, private land, non-fob residential access, ANPR protected, no payments for visitors, however, after a new change ePermit system, had to log on and add vehicle. Their website was not working that whole week. Got two PCNs separate contraventions on two days apart, challenged both (apologies I used their online appeal portal and selected Association as Keeper Driver, my bad, should have stumbled on this forum earlier, would have saved £20, and all other PCNs I paid before this), one was reduced to £20 I paid (although I regret that now), the other one was upheld, which I did not pay. Moved homes, ignored recovery letters. Recently received LBC at new address, so I responded using Post 2- (hxxps://forums.moneysavingexpert.com/discussion/comment/64350585/#Comment_64350585)
They have responded with their usual template. Awaiting court claim and claim form.
You may want to start reading here!
I raised SAR, address rectification and old address erasure requests with both UKCPM and not so Gladstones(awaiting response).
UKCPMs request was responded by them firmly, besides all the other usual details (PCN, car photos, appeal content and their response), there was one shocking email they had from 2018 (I only started driving 2022). Now this was an email shared with them by one of our sports league members as evidence that they attended an annual dinner. However, this person shared all the email addresses in the email they forwarded.
I immediately complained using ICO's complaint template here (hxxps://ico.org.uk/for-the-public/how-to-make-a-data-protection-complaint/).
Their response to the complaint pasted further below in the post to save you time.
They have been holding this email since Oct 2018, and it contains the email IDs of about 100 members of a league, although it was shared by one of the members of the public. UK CPM does not have consent from anyone from the league apart from one person who may have appealed. Additionally, the most serious and confirmed breach is that they have now been holding this email for 7 years as evidence for a PCN they may have cancelled or may not be actively pursuing. Even if they did have a legitimate reason to hold data for legal proceedings, they are only legally permitted to hold this data for 6 years, as per the Limitation Act 1980 and as mentioned in their own response below (2. Retention of data) and (3. Legitimate reasons for holding data).
I see this as a confirmed serious breach of the Limitation Act 1980, Article 5(1)(e) of the GDPR and their own Data privacy policy.
Here's my question (and request for some guidance):
I am considering complaining to the ICO and UKCPM.
Could someone assist in writing a strong response to exert pressure?
My primary aim is to get the PCN cancelled of course, however, now that I see that this is a serious breach of about 100 other league members' personally identifiable email id's, Can I pursue this further to seek damages and compensation?
Below is their response to complaint:
-------------------------------------------------------------------------------------------------------------------
"Thank you for your email. We understand the seriousness of your concerns and appreciate the opportunity to respond in full.
We can confirm that the document titled “2018.10.30_18.49_email_Redacted.pdf” was submitted by a third party as part of an appeal relating to a Parking Charge Notice (PCN). As such, we are unable to amend or delete the document, as it forms part of the evidence submitted in the appeals process.
Please find responses to your specific queries below:
1. How and when the email was obtained:
The referenced email was submitted to us by an individual appealing a PCN. It was provided voluntarily as part of their supporting documentation. We did not actively collect or solicit this email, nor did we obtain it through any external or unauthorised means.
2. Retention of data:
The document has been retained in accordance with our data retention policy and the Limitation Act 1980, which permits the retention of data for up to six years in relation to contractual claims. The retention is strictly for the purpose of managing the PCN and any related appeals or legal proceedings.
You can view our privacy policy here: hxxps://www.uk-carparkmanagement.co.uk/privacy & hxxps://www.uk-carparkmanagement.co.uk/docs/privacy-policy-motorists.pdf?v=2
3. Legitimate reasons for holding data:
The data is held as part of the evidence submitted in relation to a PCN appeal. We are legally permitted to retain such data for up to six years to ensure compliance with contractual and legal obligations.
4. Purpose of the information in the email:
We did not collect the information directly. It was submitted by a third party as part of their appeal. The purpose of retaining it is solely to support the appeal and any subsequent legal processes related to the PCN.
5. DVLA data and contravention date:
Any data obtained from the DVLA relates specifically to the registered keeper of a vehicle involved in a contravention dated 04/12/2024. The document referenced from 2018 is unrelated to DVLA data and was not acquired through DVLA channels.
6. Sharing with third parties:
The document has not been shared with any third party, including Gladstones Solicitors, unless required for the purpose of legal proceedings or debt recovery directly related to the PCN. Any data sharing that has taken place has been conducted strictly in accordance with our legitimate interests and applicable data protection legislation.
Data Privacy and Lawful Basis for Processing:
Under Article 6(1)(f) of the UK GDPR, we process personal data on the lawful basis of our legitimate interests. This includes the recovery of outstanding PCNs and the administration of any related appeals. We have assessed that this processing is necessary and proportionate and does not override the rights and freedoms of individuals. Therefore, explicit consent is not required for us to process or share data for these purposes.
All personal data is handled in accordance with the UK GDPR and the Data Protection Act 2018. It is stored securely, accessed only by authorised personnel, and used solely for the purposes for which it was provided. We do not share personal data with third parties unless legally required or where necessary for the enforcement of a PCN. All such processing is carried out with appropriate safeguards and in full compliance with our legal and regulatory obligations.
If you believe your data has been used inappropriately, you have the right to raise a complaint with the Information Commissioner’s Office (ICO).
We thank you for contacting us and trust that your concerns have been adequately addressed."
Any assistance would be highly appreciated. If there are any similar SAR cases/threads, please share. I did try searching the forum.
Very Best,
Another Private Parking PCN Warrior :-)
Comments
-
Contravention dates were in Dec 2024, and LBC claim letter in Oct 2025. Absolutely nothing to do with the Oct 2018 email they hold. Happy to share any documents anyone may need with redacted personal details.
-
Found somewhat related post, very interesting insights and so much research, thanks to @Thorndorise
https://forums.moneysavingexpert.com/discussion/comment/81001148/#Comment_81001148
I have drafted my follow up complaint to UKCPM DPO using some influence from above.
Dear XX, DPO,
Thank you for acknowledging my complaint and for your incomplete and incorrect response.
My concerns are aggravated reading your response where you have failed to acknowledge your company's failure to adhere to some of the most common laws including your own privacy policy.
Thanks for confirming that the said document “2018.xx.xx_xx.xx_email_Redacted.pdf” was submitted to you by a third party who may have themselves been in breach by sharing this document containing personally identified information of a large number of people belonging to a specific league, making the data more serious as collectively the information could be misused for various illegitimate reasons.
Your responses to the queries do not include full details, let me raise these with you for each query.
- How and when the email was obtained: You have chosen not to answer "when" because you are aware that you have breached your own data privacy policy. However, I understand from the document that this was shared to you on 30th October 2018. Although the document was shared inadvertently by a third-party, since you are in possession of the document holding the personal data for such a large group of people including myself. An organization that receives personal data from a third party is still liable for its handling. Under regulations like the GDPR, your organization (acting as a "data controller" and "data processor") is ultimately accountable for the compliance of its "data processors" or other third-party data sources.
- Retention of data: You are either misleading me intentionally, as UK CPM is known for extorting general public under the disguise of "Debt recovery" where there is no claim to any debt, and UK CPMs poor conduct in general. You have clearly breached your own data retention policy and the Limitation Act 1980. As you mentioned, the Data Limitations Act 1980 only permits the retention of data for up to six years in relation to contractual claims. Firstly, I do not believe your PCN with your third party had any contractual claims, nor there were any legal proceedings. I am sure you will have sufficient evidence to present to the ICO and at the court claims to support this. Additionally, as per your privacy policy that you shared, hxxps://www.uk-carparkmanagement.co.uk/docs/privacy-policy-motorists.pdf?v=2 , it is clear from page four, that even if you had control of the data inadvertently for this large group of uninvolved persons personal data, you could only legally retain this for up to six years from the date of event. However, you have clearly breached this by storing for more than six years. Besides, violating your own privacy policy, you have also violated Data Protection 2018 Act by holding the data for more than six years. The principle of storage limitation , outlined in {Article 5(1)(e) of the GDPR hxxps://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/storage-limitation/}, requires that personal data be kept for no longer than is necessary for the purposes for which it was processed. You have clearly breached the Article 5(1)(e) of the GDPR.
- Legitimate reasons for holding data:
- Again, your legitimate right to hold the data ended when either the PCN was cancelled, or a court claim was no longer pursued or vice versa. Regardless of what action your firm pursued, there was no legitimate reason to hold beyond six years.
- Purpose of the information in the email:
- As informed earlier, regardless of the source where you acquired this information, you are still liable for lawfully processing, controlling and retaining the data. I do not see any reason for holding this information for any legitimate purpose for more than six years. As per Data Protection Act 2018 and GDPR, you are required to review data timely and erase data that is no more required. Your firm has failed in your obligations to data protection laws by holding the data beyond required purpose for no justified reason.
I hope you understand the severity of the breach of my data privacy by violating your own privacy policy and various other laws stated I have brought to your notice.
I suggest you advice UK CPM:
- As Data Controller, report yourselves to the ICO for holding my personal data without consent, information and beyond reasonable requirement to hold data for more than 6 years. Please confirm you do so, otherwise it will fall upon this keeper to do so without warning as is the severity of these breaches.
- Provide detailed explanation on how you are going to remediate this breach and how you are planning to inform all persons involved in the document that you are holding their data illegally beyond the retention period required by laws mentioned above. At the very least, I would expect you to retrospectively contact and apologise to each and every one of those individuals for your personal failings with respect to due diligence, handling, processing and holding their personal data outside the remit of a lawful basis.
- Provide detailed measures your company is planning to implement to store such inadvertently received documents from third parties with redacted information of personal information of uninvolved parties.
- Cancel the disputed PCN XXXX immediately. Suspend any action relating to the use of Keeper's details, including any actions by your agents or your third-parties.
- Delete any data you hold for the Keeper of the VRN XXXX
It is expected that you comply with these corrective actions immediately and keep myself updated. Given the gravitas of the above failures, the requirements above are not unreasonable and would not cost yourselves undue cost or burden.
Further intended actions in consideration, I am additionally considering complaining to the ICO, and submitting a court claim. This may include other persons involved whose data you may be holding beyond their knowledge and in breach of their rights.
Yours sincerely
xxx
-
It's advise not advice. You should ask them to erase not delete as it has a specific meaning where data handling is concerned.
-
Thanks for reading and your inputs. Great eye for the spell and the terminology. Their DPO was quick to respond on the first email, less than a day. Bet they will consult their legal team now
-
real_human said:
Thanks for reading and your inputs. Great eye for the spell and the terminology. Their DPO was quick to respond on the first email, less than a day. Bet they will consult their legal team now

They don't have one. They have a ping-pong table and a dog in the Worthing office!
PRIVATE 'PCN'? DON'T PAY BUT DON'T IGNORE IT (except N.Ireland).
CLICK at the top or bottom of any page where it says:
Home»Motoring»Parking Tickets Fines & Parking - read the NEWBIES THREAD

