If you wish to contact our Data Protection Manager, please write to:
DVLA SAR Enquiries
DVLA
Swansea
SA6 7JL
Or you can write to the Data Protection Manager by email at: SubjectAccess.Requests@dvla.gov.uk
if the drivers identity was revealed in the letter, does this mean it is PoFA compliant? One of the blacked out parts may reveal "Dear..." would this affect any part of the appeal being declined?
[Your Name]At the same time, you send the following to the DVLA Data Sharing Team:
[Your Address]
[City, Postcode]
[Date]
To: CPM (UK Car Park Management Ltd)
49 Station Road
Polegate
BN26 6EA
By email to: complaints@uk-cpm.com
Subject: Formal Complaint – Breach of the Private Parking Single Code of Practice (PPSCoP) and Data Protection Breach under UK GDPR and the Data Protection Act 2018
Dear Sir/Madam,
I am writing to formally complain about two separate Notice to Keeper (NtK) letters issued to me by UK Car Park Management Ltd (CPM) for the same alleged parking contravention on 1st February 2025 at "Edition, Colindale" (wherever that may be be). The PCNs reference numbers are:• PCN Reference: [xxxxxxx] – Time: 21:30
• PCN Reference: [xxxxxxx] – Time: 21:48
These two PCNs relate to the same parking event, yet UKCPM has issued two separate charges. This is a clear breach of the BPA/IPC Private Parking Single Code of Practice (PPSCoP) and a violation of data protection laws under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
1. Breach of the Private Parking Single Code of Practice (PPSCoP) – Section 8.3
The PPSCoP, Section 8.3, explicitly states:"Parking operators must ensure that they only issue Parking Charges in accordance with their advertised terms on any site. Such terms shall not entitle any operator to issue more than one parking charge in the same calendar day for the same parking event."
Furthermore, the code continues:"In the event of a new calendar day, the operator must not issue a further Parking Charge for the same parking event within a 12-hour period from when the previous Parking Charge was issued."
UKCPM has ignored this mandatory rule by issuing two separate PCNs for the same event within an 18-minute window, in direct breach of the PPSCoP. There is no justification for issuing multiple charges for the same event, and this demonstrates unfair and unreasonable conduct.
2. Breach of UK GDPR and the Data Protection Act 2018
By issuing two separate NtKs for a single event, UKCPM has unlawfully processed my personal data twice without a valid reason. This breaches the following GDPR and DPA 2018 provisions:Article 5(1)(a) – Lawfulness, Fairness, and Transparency• Personal data must be processed fairly and lawfully.
• Issuing two charges for the same event is unfair, misleading, and an abuse of Keeper data.
Article 5(1)(c) – Data Minimisation• Personal data must be limited to what is necessary for the intended purpose.
• UKCPM only needed my details once to issue a single PCN. Processing my data a second time was excessive and unnecessary.
Article 6 – Lawful Basis for Processing• Parking companies must have a legal basis for using personal data.
• UKCPM has no valid legal basis to issue two charges for the same event, making the second instance of data processing unlawful.
Under Section 86 and 87 of the Data Protection Act 2018, organisations must process personal data lawfully, fairly, and transparently. UKCPM’s actions have failed to meet these legal obligations, and I now hold you fully accountable for this serious breach.
3. Formal Complaint to the DVLA
At the same time as this complaint, I have submitted a formal complaint to the DVLA’s Data Sharing Team regarding UKCPM’s breach of the Keeper at Date of Event (KADOE) contract. The DVLA only permits parking operators to request and use Keeper data once per parking event. UKCPM’s decision to issue two separate PCNs means my personal data has been used twice without justification, violating the terms of UKCPM’s KADOE contract with the DVLA.
I expect the DVLA to investigate this misuse of my personal data and take appropriate action against UKCPM.
4. Expected Resolution
I require UKCPM to:1. Immediately cancel both PCNs and confirm in writing that no further action will be taken.
2. Confirm in writing that my personal data has been deleted from any system where it was unlawfully processed a second time.
3. Explain why two separate PCNs were issued in direct violation of the PPSCoP and data protection laws.
5. Next Steps if CPM Fails to Resolve This Complaint
If CPM fails to provide a satisfactory response, I will take the following actions:• Escalate this complaint to the International Parking Community (IPC) for further investigation, even though I acknowledge their general lack of impartiality in such matters.
• Report CPM to the Information Commissioner’s Office (ICO) for breaching UK GDPR and the Data Protection Act 2018. The ICO has the power to investigate and issue fines for unlawful data processing.
• Pursue legal action against CPM for data protection breaches under Section 168 of the Data Protection Act 2018, seeking compensation for distress caused by the unlawful processing of my personal data.
I expect a full written response within 14 days. If I do not receive a satisfactory resolution, I will proceed with the next steps outlined above.
Yours faithfully,
[Your Full Name]
[Your Address]
[Your Contact Information]
[Your Name]
[Your Address]
[City, Postcode]
[Date]
To: DVLA Data Sharing Team
Data Protection Queries
DVLA
Longview Road
Morriston
Swansea
SA99 1ZZ
By email to : data.protection@dvla.gov.uk
Subject: Formal Complaint – Breach of KADOE Contract by UK Car Park Management Ltd (CPM) and Unlawful Processing of Keeper Data
Dear DVLA Data Sharing Team,
I am submitting a formal complaint regarding the misuse of my personal data by UK Car Park Management Ltd (CPM), who have breached the terms of the Keeper at Date of Event (KADOE) contract by unlawfully requesting and processing my data twice for the same parking event.
1. Details of the Breach
On [date], I received two separate Notice to Keeper (NtK) letters from CPM relating to the same alleged parking event at "Edition, Colindale" (wherever that may be). These PCNs are as follows:• PCN Reference: [xxxxxxx] – Time: 21:30
• PCN Reference: [xxxxxxx] – Time: 21:48
Both PCNs relate to the same parking event, meaning that CPM has misused my vehicle Keeper data twice for the same incident.
2. Breach of the KADOE Contract
As you are aware, the KADOE contract sets strict rules on how parking operators can access and use DVLA Keeper data. Operators are only permitted to request and process Keeper data once per parking event.
By issuing two separate PCNs and unlawfully processing my data a second time, CPM has breached the terms of the KADOE contract in the following ways:• Unlawful Additional Data Processing – CPM had no right to use my personal data a second time, as they are only entitled to obtain my details once per event.
• Misuse of DVLA Data – CPM’s second NtK indicates that they have used my personal data improperly, which is a serious breach of data protection principles.
• Failure to Adhere to the Private Parking Single Code of Practice (PPSCoP) – Under Section 8.3 of the PPSCoP, private parking operators cannot issue more than one Parking Charge Notice for the same event within a single calendar day. CPM has ignored this rule, which should warrant a DVLA investigation.
3. DVLA’s Responsibility to Investigate
As CPM obtained my Keeper data through the DVLA, I expect a full investigation into their unlawful use of my personal information. Specifically, I request that the DVLA:1. Confirm whether CPM made two separate data requests via KADOE for the same parking event.
2. Explain what action will be taken against CPM for breaching their contract with the DVLA.
3. Confirm whether CPM’s access to DVLA data will be suspended or restricted due to their failure to comply with the KADOE contract and PPSCoP.
4. Next Steps if the DVLA Fails to Act
If I do not receive a satisfactory response, I will be escalating this matter to the Information Commissioner’s Office (ICO) for data misuse. The DVLA is responsible for ensuring that Keeper data is only accessed and processed in line with the law and contractual agreements. A failure to investigate this breach could mean the DVLA itself is complicit in allowing private parking operators to misuse personal data without consequences.
I expect a full written response within 14 days detailing what action will be taken against CPM for their misuse of my data.
Yours faithfully,
[Your Full Name]
[Your Address]
[Your Contact Information]