Article 13 GDPR (Data Protection Act 2018)

Fruitcake wrote: »

In that case, any registered keeper who gets an NTK where the PPC has obtained their details from the DVLA and doesn't get notified by the DVLA that they have processed the keeper's personal data should complain to the ICO.

Absolutely not...

There is no obligation under the Data Protection Act 2018 (People really should stop saying GDPR) to automatically inform a data subject that there has been a request for their information. The requirements are that if they are asked they are told and even then there are ground to withhold that information.

Until someone test the validity of the POFA against the DPA the DVLA are quite within their right to supply the PPC with keeper details.

As for "Rights related to automated decision making including profiling" the clue is in the name. It does not apply there is no decision making and no profiling, the automated processing of data is entirely legal and nothing has really changed. What has changed is where an automated system makes decisions about the data subject based on their information and nothing else. For example, if the DVLA matched records against the electoral role and fine someone because the details didn't match that would fall under this section.

abedegno wrote: »

Well I made an FOI request to DVLA and their response here:
https://www.whatdotheyknow.com/request/494823/response/1190335/attach/2/FOIR6945%20Jon%20Williams.pdf?cookie_passthrough=1

The response states:

Your request does not ask for recorded information, however outside the provisions of the FOIA, I can advise you that the DVLA does not use automated decision making, as described in the Data Protection Act 2018 (DPA).

That is surely incorrect, the CIE (Continuous Insurance Enforcement) where the DVLA cross reference MID (Motor Insurance Database) with their data and automatically sending out notices is at least one system that falls into this category?

Actually my example was wrong (I was rushing).

I'm not sure your example would be valid.
Is a decision about the data subject being made? I don't think it is. Automated decisions are not the same as an automated process. You could argue "well a machine is automatically deciding to send me a notice" and yes that is what is happening. Is that machine making a decision about the data subject though, or is it simply match records.

This is article in question which states

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

DPA 2018 c12 (14)(1) makes provisions for automated processing by "competent authority" for legal grounds that includes things like criminal penalties. Would these notices fall under that provision?

The ICO website gives some guidance on this area that I think could even imply that the carefully worded answer from the DVLA is in fact correct. Here are the examples

For something to be solely automated there must be no human involvement in the decision-making process.

The restriction only covers solely automated individual decision-making that produces legal or similarly significant effects. These types of effect are not defined in the GDPR, but the decision must have a serious negative impact on an individual to be caught by this provision.

A legal effect is something that adversely affects someone’s legal rights. Similarly significant effects are more difficult to define but would include, for example, automatic refusal of an online credit application, and e-recruiting practices without human intervention.

There is nothing the DVLA does or even the PPC does that affects the data subjects legal rights. Does anything the DVLA or PPC do cause significant harm? Probably not but might be able to argue they do is specific cases.

To be honest there are no definite answers until the ICO start making decisions and things are challenged in court.

yes....................