Reply to that email and CC yourself as follows:
Subject: Article 14 request – incomplete response – your ref [BW ref]
Dear Sirs,
I refer to your letter about my UK GDPR Article 14 request. Your response is incomplete.
As you do not publish a DPO email address, I require you to ensure this request is immediately escalated to and actioned by your Data Protection Officer or the person responsible for data protection compliance. Confirm their name and contact details in your reply. Treat this email as part of the audit trail for my Article 14 request.
Pointing me to a website privacy notice is not Article 14 compliance. I require the specific information for this file:
1. Source of my personal data and the exact date you first received it from Countrywide Parking Management Ltd, plus any other sources used.
2. Categories of personal data you process for this matter.
3. Purposes for processing and the precise lawful basis relied upon for each purpose under Article 6(1).
4. Recipients or categories of recipients to whom you have disclosed my data, and the dates of any disclosures.
5. Your retention period for my data in this matter (not a generic schedule).
6. Whether you undertake automated decision-making or profiling in this case, and if so, meaningful information about the logic involved and envisaged consequences.
7. Contact details for your Data Protection Officer or the person responsible for data protection compliance.
Provide the above within 14 days. If you contend an exemption, identify it specifically and explain how it applies to the particular item withheld. Failure to provide a complete Article 14 response will be added to my ICO complaint.
Confirm that all correspondence and any proceedings will be served only at my current address below.
Yours faithfully,
[Your name]
[Current address]
[Email]
PCN: [ref]
VRM: [VRM]
Yes—add these specifics so the ICO has everything they need and can see the scale of non-compliance.
What to include:
Exact chronology (with dates):
• Alleged contravention: 23/12/2024
• SAR made: 28/08/2025
• Breach occurred: 28/08/2025 (identified 29/08/2025)
• “Breach letter” dated: 29/08/2025 (but not delivered to you)
• Operator’s first notification to you: 13/10/2025
• Note: that’s ~45 days to notify the data subject.
Breach notification timing checks:
• Ask ICO to verify whether CPM notified the ICO within 72 hours of awareness (UK GDPR Art. 33). Require CPM’s ICO reference number and submission date/time.
• They failed to notify you “without undue delay” (UK GDPR Art. 34). Quantify the delay and point out you only learned of it after you challenged their SAR.
Breach notification content gaps (Art. 34(2)):
• Did not promptly provide: nature of breach, likely consequences/risks, measures taken/proposed, steps you should take, and clear DPO contact.
• Their “letter” was not actually served to you (neither to your current address nor electronically), despite them successfully sending other letters to your current address.
Security & governance failures:
• Failure to ensure appropriate technical/organisational measures (UK GDPR Art. 5(1)(f) and Art. 32).
• The breach occurred during a SAR—a high-risk process—suggesting inadequate checking/authorisation workflows.
Incomplete/incorrect SAR (Arts. 12 & 15):
• Omitted BW Legal from the recipient list (Art. 15(1)(c)).
• Withheld/failed to supply personal data you specifically requested (ANPR event log for your VRM; RingGo/VRM back-office references; internal notes; portal/audit logs; DVLA KADOE request/response; any address-verification records).
• Provided a blanket assertion of “lawful deletion” without retention schedule or deletion logs.
Data accuracy concern (Art. 5(1)(d)):
• Final Notice dated 12/05/2025 was sent to your old address despite your DVLA updates being effective well before that date. Ask ICO to examine their address-accuracy process before escalation/third-party sharing.
Harm & risk:
• Distress, anxiety, and risk of misuse due to disclosure of full name, address, phone, email to an unauthorised individual.
• Extra time and cost spent chasing a compliant SAR and correcting their record.
• Ongoing litigation risk worsened by inaccurate processing and late breach notification.
Evidence list (attach):
• CPM email (13/10/2025) + attached “breach letter” dated 29/08/2025.
• Original SAR request (28/08/2025) and CPM’s SAR bundle omitting BW Legal.
• Your follow-up demanding recipients (explicitly naming BW Legal).
• BW Legal letters to your current address (proving they had the correct address).
• Proof of DVLA update timing.
• RingGo receipts/screenshots.
• Any CPM statements about “lawful deletion” and retention (to highlight gaps).
What you want the ICO to do (remedies):
• Require CPM to deliver a complete, compliant SAR (including full recipient/disclosure log and the missing personal data).
• Assess Art. 33/34 compliance (timeliness and content); if late/inadequate, require remedial action.
• Require CPM to implement enhanced SAR handling controls (dual-check before disclosure, audited recipient confirmation, staff retraining) and to evidence those measures to you/ICO.
• Record enforcement as appropriate; consider a formal reprimand.
• (Optional) Note you reserve rights to compensation under Art. 82 UK GDPR and s.168 DPA 2018 for distress.
Here's a draft you could use:
Subject: Complaint re Countrywide Parking Management Ltd – Late breach notification, incomplete SAR, and data accuracy failures
Dear ICO,
I wish to lodge a complaint against Countrywide Parking Management Ltd (CPM) for multiple breaches of the UK GDPR and the Data Protection Act 2018 in relation to Parking Charge Notice [PCN reference] concerning vehicle [VRM].
Chronology (all dates 2024/2025)
• Alleged contravention: 23/12/2024
• SAR submitted to CPM: 28/08/2025
• Personal data breach occurred: 28/08/2025 (identified by CPM: 29/08/2025)
• CPM “breach letter” dated: 29/08/2025 (not received by me)
• CPM first notified me of the breach: 13/10/2025 (via email)
• CPM’s SAR output omitted BW Legal as a recipient, despite ongoing BW Legal correspondence to my current address.
Issues and legal basis
1. Late and inadequate breach notification (Arts. 34 and 33)
• CPM disclosed my full name, postal address, phone number and email to an unauthorised individual during the SAR process on 28/08/2025, identified 29/08/2025.
• I was not notified until 13/10/2025 (circa 45 days later), which is not “without undue delay” (Art. 34).
• Please verify whether CPM notified the ICO within 72 hours of awareness (Art. 33) and obtain their ICO reference and submission date/time.
2. Security and governance failures (Art. 5(1)(f) and Art. 32)
• The breach occurred during a high-risk process (SAR disclosure), indicating inadequate technical/organisational measures and quality controls.
3. Incomplete/incorrect SAR (Arts. 12 and 15)
• CPM’s SAR response omitted BW Legal from the recipient list (Art. 15(1)(c)) though CPM and BW Legal were actively processing my data.
• CPM failed to provide personal data I requested that clearly relates to me/this PCN:
– ANPR event log for my VRM (reads/timestamps/camera IDs/retention entries)
– RingGo/payment back-office records referencing my VRM/PCN (matching/mismatch notes)
– Internal notes; portal/web-form audit entries; decision records
– DVLA KADOE request/response for this PCN (single request date/time, address returned)
– Any address-verification records referring to me before a Final Notice and before instructing solicitors
• CPM asserted “lawful deletion” but did not supply the applicable retention schedule or deletion logs.
4. Data accuracy and reasonable steps (Art. 5(1)(d))
• A Final Notice dated 12/05/2025 was sent to my former address despite my DVLA updates being effective weeks earlier. By contrast, BW Legal letters have reached my current address. This suggests CPM failed to take reasonable steps to ensure accuracy before escalation and sharing with third parties.
Harm and risk
• Disclosure of my name, address, phone and email to an unauthorised individual caused distress and risk of misuse.
• Additional time and expense incurred to obtain a compliant SAR and correct CPM’s record while facing parallel pre-action correspondence.
What I ask the ICO to do
• Require CPM to provide a complete and accurate SAR response, including a full recipient/disclosure log (identifying BW Legal and the unauthorised recipient with dates, purposes and lawful bases) and the missing personal data listed above, or a specific, justified exemption for each withheld item.
• Assess CPM’s compliance with Arts. 33 and 34 (timeliness and content of notifications) and with Arts. 5(1)(f)/32 (security controls), and require remedial action.
• Require CPM to implement enhanced SAR handling controls (dual checks before disclosure, supervised sign-off, audited recipient confirmation, staff training) and to evidence those measures.
• Record appropriate enforcement.
• Note that I reserve my rights to compensation under Art. 82 UK GDPR and s.168 DPA 2018 for distress.
Attachments (evidence)
• CPM email to me dated 13/10/2025 and attached “breach letter” dated 29/08/2025
• My SAR (28/08/2025) and CPM’s SAR bundle omitting BW Legal as a recipient
• My follow-up correspondence requesting a complete recipient log (explicitly naming BW Legal)
• BW Legal letters to my current address (showing correct address in use)
• Proof of DVLA update timing
• RingGo receipts/screenshots
• CPM statements asserting “lawful deletion” and “full disclosure”
My details
Name: [Full name]
Address: [Current postal address]
Email: [Email]
Phone: [Phone]
Controller: Countrywide Parking Management Ltd (DPO: [if known])
Third parties: BW Legal; Trace Debt Recovery; [unknown unauthorised recipient]
Yours faithfully,
[Full name]
Send the following letter by post, and include the letter you originally attempted to send. Send it first class and get a free certificate of posting from any post office. You do not have to use signed for/recorded delivery. A certificate of posting is enough to prove deemed delivery.
[Your full name]
[Your full postal address]
[Your email address]
[Date]
BW Legal
[Their postal address]
Your ref: [XXXX]
FORMAL CHASER & COMPLAINT – PAPDC NON-ENGAGEMENT/REFUSAL TO USE PORTAL
Dear Sirs,
I wrote to you on [insert date]. Over 30 days have elapsed with no substantive response.
Your online portal has been unreliable and live chat returns “technical difficulty” messages. From now on, I will not use any portal. Communication must be in writing by email or post only.
Please confirm a working email address for this matter within 14 days. Failing that, correspondence will proceed by post.
Any postal correspondence you send will be rebuttable on presumption of delivery unless you can evidence proof of posting (e.g. Certificate of Posting or tracked service). It is therefore in your interest to use email where possible.
Please treat this as:
(a) A chaser for a substantive response to my letter of [date] (copy enclosed); and
(b) A formal complaint regarding your failure to engage and to provide a functioning written channel, contrary to the Pre-Action Protocol for Debt Claims (PAPDC).
For the avoidance of doubt, my address for service is:
[Insert full, correct address including building and flat numbers].
If your records differ, rectify them immediately and confirm erasure of any incorrect address data.
Do not commence proceedings until you have provided a PAPDC-compliant, point-by-point response to my letter of [date]. Should you issue regardless, I will rely on this correspondence on costs for unreasonable conduct.
Please reply within 14 days with:
• Your substantive response to the [date] letter; and
• Confirmation of the correct email and postal channels you will use going forward.
Yours faithfully,
[full name]
Enclosures:
• Copy letter dated [date]
• Screenshots: portal/live-chat failures (if available)
Send the following to BW Legal. You may have to use their portal, in which case just upload it as a pdf letter:
Subject: Countrywide Parking Management Ltd v [Your Name] – Your ref [BW ref] – PAPDC disclosure + Article 14 request
Dear Sirs,
I dispute the alleged debt. This matter is not ready for litigation. Please place it on hold for 30 days and provide the documents and information below so the issues can be narrowed, per the Pre-Action Protocol for Debt Claims (PAPDC).
Core documents needed (PAPDC):
a) Signage pack and site plan for 20–28 Cotlands Road (as at 23/12/2024), including entrance and terms signage and installation/inspection dates.
b) Proof of landowner authority/contract showing Countrywide Parking Management Ltd’s standing (parties, dates, term, the right to issue and to litigate—commercial rates may be redacted).
c) RingGo integration/payment reconciliation for the material period, including location codes for all adjacent/related sites (Cotlands Road; Cotlands Road Overflow; 20–28 Cotlands Road), any change logs, and reconciliation for my VRM/time window to evidence payment/misdirected payment.
d) Your client’s consideration/grace-period policy in force on the material date.
e) The particulars your client relies on to justify any sum beyond the headline charge. For the avoidance of doubt, the £70 add-on is denied as unrecoverable/double recovery; please confirm any claim will be limited to principal, court fee, and fixed legal costs only.
Address accuracy & service:
Your client sent a Final Notice dated 12/05/2025 to my previous address despite my DVLA updates being effective well before that date. Confirm in writing that all correspondence and any proceedings will be served only at my current address below. Any attempt to serve elsewhere will be opposed as unreasonable and contrary to PAPDC.
Your data handling (UK GDPR Article 14):
Please confirm, for this file:
• the source of my personal data (controller identity and the date first received from your client);
• categories of personal data processed;
• purposes and lawful bases;
• recipients or categories of recipients to whom you have disclosed my data;
• your retention period for this matter.
SAR inconsistency (for the record):
Your client’s SAR output failed to list BW Legal as a recipient of my data, despite your active use of it. I have required your client to correct this and produce a full disclosure log (recipients, dates, purposes, lawful bases). Please ensure your disclosure to me aligns with the corrected log.
Until you provide the above, I am unable to complete the PAPDC Standard Financial Statement or respond on liability/quantum beyond the dispute already stated.
Yours faithfully,
[Full name]
[Current postal address]
[Email]
PCN: [ref]
VRM: [VRM]
Respond to the DPO with the following email (and CC yourself):
Subject: Incomplete SAR – You omitted BW Legal from the recipient list (PCN [ref], VRM [VRM])
Dear Data Protection Officer,
Your SAR response (received 28 August 2025) is not complete. You’ve failed to list BW Legal as a recipient of my personal data, even though you (and BW Legal) are actively using my data in live pre-action correspondence. That omission is blatant. It renders your disclosure inaccurate and incomplete under UK GDPR Articles 12 and 15.
Fix it. Here’s what you will provide, in full, within the statutory deadline (28 September 2025):
A complete disclosure/recipient log for this PCN showing all recipients — including BW Legal — with:
• identity of recipient;
• categories of personal data disclosed;
• date/time of each disclosure;
• purpose and lawful basis.
DVLA KADOE audit trail for this PCN: date/time of the single DVLA request, the address returned, and any subsequent address-verification/trace records that refer to me, especially before your Final Notice dated 12/05/2025 and before instructing solicitors.
The personal data you withheld despite my request:
• Full ANPR event log for my VRM for the material period (all reads/timestamps/camera IDs/retention entries).
• RingGo/payment look-ups and back-office records referencing my VRM/PCN (matching/mismatch notes for the material window).
• Internal notes, decision records, and portal/web-form audit logs referencing me/this PCN.
• Any data accuracy records explaining why you used my former address after my DVLA update in early April 2025.
• Your retention schedule as applied to my personal data for this PCN.
If you want to claim an exemption, name the specific exemption and explain how it applies to the precise item withheld. Do not fob me off with generic boilerplate.
You’ve already pushed my data to BW Legal, yet pretended otherwise in your SAR pack. That is unacceptable. If you do not correct this and supply the missing data by 28 September 2025, I will file an ICO complaint for failure to comply with Articles 12/15 and for data accuracy breaches (Art. 5(1)(d)). I will include your contradictory disclosures and timeline.
Acknowledge receipt today. Send the corrected SAR output to this email and use my current postal address below for all future correspondence.
[Full name]
[Current postal address]
[Email]
PCN: [ref]
VRM: [VRM]
Respond to the LoC with he following:
Subject: Countrywide Parking Management Ltd v [Keeper/Driver name] – Your Ref [xxx] – PAPDC Response (Disputed)
Date: [today]
I dispute the alleged debt in full.
Background: On 23 December 2024 I arrived at 20–28 Cotlands Road, Bournemouth. Your client mandates app-only payment. Using RingGo, the in-app map presented only a single nearby option, “Cotlands Road” (code 59037), and did not display “20–28 Cotlands Road” or “Cotlands Road Overflow”. The code stated on your client’s paperwork (819627) either could not be located via search or mapped to a point in the mid-Atlantic; exporting to Google Maps returned “no location found”. I paid promptly using the only surfaced car park. Payment was therefore made and any alleged breach stems from your client’s defective payment journey and signage, not from consumer fault.
Legal position:
1. Any term requiring use of a specific code was not transparent or prominent (CRA 2015 ss 62, 68). The mandated app did not surface the site and mis-geolocated the code.
2. Your client failed to exercise professional diligence, and the presentation of material information was misleading by omission (CPUTR 2008 regs 3, 5–6).
3. No contract was formed to pay a charge for a “wrong location” where the requirement could not reasonably be known at the decision point (Thornton; Beavis signage tests).
4. In the alternative, performance was frustrated by your client’s own system design.
5. The £70 “debt recovery” add-on is unrecoverable in law; if pleaded I will seek strike-out (CPR 3.4/27.14) and costs for unreasonable conduct.
Documents required under the Protocol (please supply within 30 days):
a) The contract (unredacted) showing your client’s authority at 20–28 Cotlands Road on 23/12/2024.
b) The full signage pack and site plan in place on the material date (entrance and terms boards), with proof of installation dates.
c) The RingGo integration pack for this site: location codes, geo-fencing, and any change logs; plus RingGo back-office logs showing all sessions and look-ups by my VRM and device in the hour spanning the event.
d) The payment reconciliation for the material hour (so the court can see payment was made at the only surfaced location).
e) All ANPR images, logs and syncing data; and your client’s policy on consideration/grace periods.
f) A copy of the Notice to Driver/Notice to Keeper and all correspondence.
g) A calculation and legal basis for any sum beyond the principal charge (you are put on notice that the £70 add-on is denied as an abuse of process).
Until you provide the above, the claim is not ready for litigation. Please place the matter on hold for 30 days in accordance with the PAPDC while these documents are supplied. Should you issue regardless, I will invite the court to apply sanctions for non-compliance and will defend.
Yours faithfully,
[Name]
[Postal address and email]
Also, send the following to the Countrywide DPO:
Subject: Data Subject Access Request – [VRM], PCN [ref], 23/12/2024
Under UK GDPR and DPA 2018, please provide all personal data you hold relating to me and the above event, including: ANPR images and logs; RingGo/payment look-ups and reconciliation; call/portal logs; internal notes; DVLA request/response; the full signage pack and site plan relied upon; and your contracts/policies relating to this site.
Please also confirm the origin of the £70 “debt recovery” figure and all third parties with whom my data has been shared.
[Name, address, email, proof of ID]