UKCPM - Gladstones LBC - stage - SAR revealed a data privacy breach

real_human

Hello fellow forumites,
(please excuse long first thread).

Background (not very important at the moment, you can skip reading below para for now to save you time): Visited brother at his rented apartment, private land, non-fob residential access, ANPR protected, no payments for visitors, however, after a new change ePermit system, had to log on and add vehicle. Their website was not working that whole week. Got two PCNs separate contraventions on two days apart, challenged both (apologies I used their online appeal portal and selected Association as Keeper Driver, my bad, should have stumbled on this forum earlier, would have saved £20, and all other PCNs I paid before this), one was reduced to £20 I paid (although I regret that now), the other one was upheld, which I did not pay. Moved homes, ignored recovery letters. Recently received LBC at new address, so I responded using Post 2- (hxxps://forums.moneysavingexpert.com/discussion/comment/64350585/#Comment_64350585)
They have responded with their usual template. Awaiting court claim and claim form.

You may want to start reading here!
I raised SAR, address rectification and old address erasure requests with both UKCPM and not so Gladstones(awaiting response).
UKCPMs request was responded by them firmly, besides all the other usual details (PCN, car photos, appeal content and their response), there was one shocking email they had from 2018 (I only started driving 2022). Now this was an email shared with them by one of our sports league members as evidence that they attended an annual dinner. However, this person shared all the email addresses in the email they forwarded.

I immediately complained using ICO's complaint template here (hxxps://ico.org.uk/for-the-public/how-to-make-a-data-protection-complaint/).

Their response to the complaint pasted further below in the post to save you time. 

This email they are holding since Oct 2018 and has about email id's of about 100 members of a league, although shared by one of the members of public. UK CPM does not have consent from anyone from the league apart from one person who may have appealed. Additionally, the most serious and confirmed breach is that it has now been 7 years since they are holding this email as evidence for PCN they may have cancelled or not be actively pursuing. Even if they did have a legitimate reason to hold data for legal proceedings, they are only legally permitted to hold this data for 6 years only. As per Limitation Act 1980 and as mentioned in their own response below (2. Retention of data) and (3. Legitimate reasons for holding data).

I see this as a confirmed serious breach of the Limitation Act 1980, Article 5(1)(e) of the GDPR and their own Data privacy policy.

Here's my question (and request for some guidance):
I am considering complaining to the ICO and UKCPM.
Could someone assist in writing a strong response to exert pressure?

My primary aim is to get the PCN cancelled of course, however, now that I see that this is a serious breach of about 100 other league members' personally identifiable email id's, Can I pursue this further to seek damages and compensation?

Below is their response to complaint:
-------------------------------------------------------------------------------------------------------------------

"Thank you for your email. We understand the seriousness of your concerns and appreciate the opportunity to respond in full.

 

We can confirm that the document titled “2018.10.30_18.49_email_Redacted.pdf” was submitted by a third party as part of an appeal relating to a Parking Charge Notice (PCN). As such, we are unable to amend or delete the document, as it forms part of the evidence submitted in the appeals process.

Please find responses to your specific queries below:

1. How and when the email was obtained:
The referenced email was submitted to us by an individual appealing a PCN. It was provided voluntarily as part of their supporting documentation. We did not actively collect or solicit this email, nor did we obtain it through any external or unauthorised means.

2. Retention of data:
The document has been retained in accordance with our data retention policy and the Limitation Act 1980, which permits the retention of data for up to six years in relation to contractual claims. The retention is strictly for the purpose of managing the PCN and any related appeals or legal proceedings.

You can view our privacy policy here: hxxps://www.uk-carparkmanagement.co.uk/privacy & hxxps://www.uk-carparkmanagement.co.uk/docs/privacy-policy-motorists.pdf?v=2

 3.  Legitimate reasons for holding data:
The data is held as part of the evidence submitted in relation to a PCN appeal. We are legally permitted to retain such data for up to six years to ensure compliance with contractual and legal obligations.

 4. Purpose of the information in the email:
We did not collect the information directly. It was submitted by a third party as part of their appeal. The purpose of retaining it is solely to support the appeal and any subsequent legal processes related to the PCN.

5. DVLA data and contravention date:
Any data obtained from the DVLA relates specifically to the registered keeper of a vehicle involved in a contravention dated 04/12/2024. The document referenced from 2018 is unrelated to DVLA data and was not acquired through DVLA channels.

6. Sharing with third parties:
The document has not been shared with any third party, including Gladstones Solicitors, unless required for the purpose of legal proceedings or debt recovery directly related to the PCN. Any data sharing that has taken place has been conducted strictly in accordance with our legitimate interests and applicable data protection legislation.

Data Privacy and Lawful Basis for Processing:
Under Article 6(1)(f) of the UK GDPR, we process personal data on the lawful basis of our legitimate interests. This includes the recovery of outstanding PCNs and the administration of any related appeals. We have assessed that this processing is necessary and proportionate and does not override the rights and freedoms of individuals. Therefore, explicit consent is not required for us to process or share data for these purposes.

All personal data is handled in accordance with the UK GDPR and the Data Protection Act 2018. It is stored securely, accessed only by authorised personnel, and used solely for the purposes for which it was provided. We do not share personal data with third parties unless legally required or where necessary for the enforcement of a PCN. All such processing is carried out with appropriate safeguards and in full compliance with our legal and regulatory obligations.

If you believe your data has been used inappropriately, you have the right to raise a complaint with the Information Commissioner’s Office (ICO). 

We thank you for contacting us and trust that your concerns have been adequately addressed."

Any assistance would be highly appreciated, if there are any similar SAR cases/threads please share. I did try searching the forum.

Very Best,
Another Private Parking PCN Warrior :-)

real_human

Contravention dates were in Dec 2024, and LBC claim letter in Oct 2025. Absolutely nothing to do with the Oct 2018 email they hold. Happy to share any documents anyone may need with redacted personal details.