They may be a 'legal firm' but that does not mean they are competent. You DO NOT, I repeat... DO NOT fill out any of those forms they sent you with the LoC. You can safely bin them or shred them for use as hamster bedding for anyone cares.
You simply email the following response to and also CC yourself:
Subject: Response to your Letter of Claim – Ref: [BW ref / PCN 987187] – VRM DF14KYP
Dear Sirs,
Your Letter of Claim is non-compliant with the Pre-Action Protocol for Debt Claims (paras 3.1(a)–(d), 5.1 and 5.2) and the Practice Direction – Pre-Action Conduct and Protocols (paras 6(a) and 6(c)). It withholds the key documents you intend to rely upon and therefore fails to enable meaningful engagement.
Liability is denied.
Key issues (case-specific):
1. Keeper liability cannot arise. The Notice to Driver and Notice to Keeper each fail to state any period of parking, contrary to PoFA Sch 4 paras 7(2)(a) and 8(2)(a). A single timestamp followed by an “issue time” one minute later is not a period of parking and cannot evidence contract formation.
2. The NtK misstates the mandatory para 8(2)(f) warning by saying “28 days from the date given” instead of “28 days after the day on which the notice is given”. Strict compliance is required; your client therefore cannot transfer liability from driver to keeper.
3. There is no evidence the vehicle remained beyond the mandatory consideration period required by the Private Parking Single Code of Practice. No contract could have been formed.
Documents required (PD para 6(a) & 6(c)):
(i) Copies of the NtD and NtK (all pages/sides) relied upon, and proof of posting for the NtK.
(ii) All contemporaneous images/notes (attendant notes, handheld/device logs) evidencing any period of parking on 13/03/2025 at The Pelhams 1, Wimbledon.
(iii) The full signage pack in force on that date: site plan showing sign locations and readable close-ups of the exact wording.
(iv) The unredacted landowner authority/contract showing standing to issue charges and to litigate.
(v) A breakdown of the sum claimed and the legal basis for each element, identifying whether the principal £100 is alleged as consideration or damages, and confirming that the added £60 “debt recovery” is not pursued, as it is unrecoverable.
If you commence proceedings without Protocol compliance, I will seek a stay and costs sanctions pursuant to paragraphs 13, 15(b)–(c) and 16 of the Practice Direction and paragraph 7.2 of the Protocol, relying on Webb Resolutions Ltd v Waller Needham & Green [2012] EWHC 3529 (Ch), Daejan Investments v Park West Club (Part 20) Buxton Associates [2003] EWHC 2872, and Charles Church Developments v Stent Foundations & Peter Dann [2007] EWHC 855.
For the avoidance of doubt, no admission is made as to the identity of the driver. If you assert PoFA is relied upon notwithstanding the above defects, explain how. Otherwise confirm you proceed on a driver-only basis.
Service and correspondence
For the avoidance of doubt, I will not use any online portal. Service by portal is not agreed. Please correspond and serve the requested documents either (i) by email to [email], or (ii) by post to the address below.
Yours faithfully,
[Name of Registered Keeper]
[Postal address]
[Email]
ANd please, try not to ignore the advice as you did earlier on in this where you failed to send the advised email to ACE.
This is the standard Step 1 fob-off, which:
• Avoids addressing any specific PoFA or PPSCoP breach,
• Falls back on the “reasonable cause” at time of request excuse, and
• Repeats that the DVLA “cannot determine liability” — which is irrelevant to your complaint.
They did not engage with your actual complaint, which was not about whether there was reasonable cause at the time of the request, but whether the subsequent use of your data breached the KADOE contract and UK GDPR after receipt.
Their statement that:
"Pace Recovery & Storage Ltd confirmed the Charge Notice was issued… due [to] parking… without a valid permit…"
completely ignores that the Notice to Driver and Notice to Keeper were PoFA non-compliant, and that no evidence of contract formation exists.
They incorrectly rely on “no appeal received” as justification. But you intended to appeal within the 28 days but didn’t, you later provided your full Keeper details voluntarily and they then obtained them from DVLA after already being in possession of them, and they pursued Keeper liability without complying with PoFA or the PPSCoP.
DVLA’s refusal to “determine liability” is irrelevant. You are not asking them to do that — you are asking them to determine whether data was misused once obtained in breach of the KADOE contract and/or PPSCoP.
The DVLA is still the Data Controller and is responsible for ensuring its data is used lawfully after disclosure. You have provided evidence that the operator:
• Breached PoFA by failing to specify a “period of parking,”
• Breached PoFA by misstating the 28-day liability warning,
• Breached the PPSCoP by issuing a charge where no contract could have been formed,
• Breached the KADOE contract by using your data for an illegitimate purpose once it was clear no recovery could lawfully be made from the Keeper.
The Step 2 complaints procedure is exactly the same as the first step but the link is to "Head of Complaints" here: https://contact.dvla.gov.uk/head-of-complaints
Use the following as the content for the webform:
This is a Step 2 escalation regarding a complaint already submitted and acknowledged under DVLA reference 0401979.
Your Step 1 response dated 14 May 2025 fails to address the actual basis of my complaint. You have wrongly assumed that my concern was about the initial request for data (reasonable cause), when in fact the issue is with the subsequent misuse of that data in breach of the KADOE contract, the Private Parking Single Code of Practice (PPSCoP), and UK GDPR.
The parking operator, Ace Security Services (trading as Pace Recovery & Storage Ltd), used my DVLA data to pursue a parking charge in circumstances where:
- No valid “period of parking” was recorded (PoFA breach),
- No evidence of any contract being formed exists (PPSCoP breach),
- The NtK misstates the 28-day period under PoFA (Schedule 4, para 8(2)(f)),
- Therefore, the use of my data for enforcement purposes was illegitimate.
The DVLA remains the data controller and is responsible for ensuring that third parties with KADOE access do not misuse that data once obtained. My complaint is about post-access misuse, not the initial request. I am now requesting a formal internal review at Step 2.
A revised supporting statement is attached. Please escalate this matter accordingly and confirm the new reference number.
You save the following as a PDF file and upload it as before:
SUPPORTING STATEMENT – STEP 2 COMPLAINT
Misuse of DVLA Data by Ace Security Services (Pace Recovery & Storage Ltd)
DVLA Ref: 0401979
Vehicle: DF14KYP
Date of CN: 13 March 2025
This is a formal Step 2 escalation following the DVLA’s response dated 14 May 2025. That response did not address the substance of my original complaint and failed to distinguish between a complaint about initial data access and a complaint about subsequent misuse.
What the DVLA got wrong:
Your Step 1 response focused entirely on whether the operator had “reasonable cause” at the time of requesting data. This was never in dispute. My complaint is about how the data was used after it was obtained — which falls under your obligations as Data Controller under the KADOE contract and UK GDPR.
Summary of misuse and code breaches:
Ace Security Services obtained my data and then:
• Issued a Notice to Keeper without specifying a “period of parking”, as required by Schedule 4, paragraph 8(2)(a) of PoFA. The NtD and NtK only referenced a single timestamp, not a duration.
• Failed to evidence that the vehicle remained in situ beyond the consideration period (as required by the PPSCoP). Therefore, there is no basis to claim a contract was formed.
• Issued a Notice to Keeper that misstates the 28-day warning under PoFA. It said: "28 days from the date given," instead of: "28 days beginning with the day AFTER the day on which the notice is given" (per paragraph 8(2)(f)).
• Pursued Keeper liability despite failing to comply with PoFA — invalidating their legal basis to do so and rendering the use of my DVLA data unlawful.
Why this breaches the KADOE contract and UK GDPR:
The KADOE contract explicitly states that keeper data must only be used to pursue a parking charge in full compliance with the applicable Code of Practice.
Ace Security Services has not done so. By breaching PoFA and the PPSCoP, their use of my data falls outside the “permitted purpose” for which it was provided — making it a misuse of personal data under both the KADOE contract and data protection law.
Action requested:
I am now formally requesting that the DVLA:
• Conduct a proper internal review of this complaint,
• Confirm that a breach of the KADOE contract has occurred,
• Take enforcement action against Ace Security Services / Pace Recovery & Storage Ltd,
• Provide me with a new reference number and outcome in writing.
The DVLA remains the data controller and is duty-bound to act when personal data it provides is misused. You cannot lawfully ignore a complaint about post-access abuse simply because the initial request may have had “reasonable cause.”
Please confirm that this has been escalated to Step 2 and provide an appropriate response. I am also willing to provide additional material if required.
Name: [INSERT YOUR NAME]
Date: [INSERT DATE]
Here’s how to make a DVLA complaint which you should also submit immediately:
• Go to: https://contact.dvla.gov.uk/complaints
• Select: “Making a complaint or compliment about the Vehicles service you have received”
• Enter your personal details, contact details, and vehicle details
• Use the text box to summarise your complaint or insert a covering note
• You will then be able to upload a file (up to 19.5 MB) — this can be your full complaint or supporting evidence
That’s it.
The DVLA is required to record, investigate and respond to every complaint about a private parking company. If everyone who encounters a breach took the time to submit a complaint, we might finally see the DVLA take meaningful action—whether that means curtailing or removing KADOE access altogether.
For the text part of the complaint the webform could use the following:
I am submitting a formal complaint against Ace Security Services, an IPC AOS member with DVLA KADOE access, for breaching the Private Parking Single Code of Practice (PPSCoP) after obtaining my personal data.
While the Operator may have had reasonable cause at the time of their KADOE request, their subsequent misuse of my data—through conduct that contravenes the PPSCoP—renders that use unlawful. The PPSCoP forms an integral part of the DVLA’s governance framework for data access by private parking firms. Continued access is conditional on compliance.
The DVLA, as data controller, is obliged under UK GDPR and the Data Protection Act 2018 to investigate and take enforcement action when data is misused following release. This complaint is not about whether the data was obtained lawfully at the outset, but whether its subsequent use breached the terms under which it was provided.
I have prepared a supporting statement setting out the nature of the breaches and the Operator’s actions, and I request a full investigation into this matter. I have attached the supporting document.
Please acknowledge receipt and confirm the reference number for this complaint.
Then you could upload the following as a PDF file for the formal complaint itself:
SUPPORTING STATEMENT
Complaint to DVLA – Breach of KADOE Contract and PPSCoP
Operator name: Ace Security Services
Date of PCN issue: 13 March 2025
Vehicle registration: DF14KYP
I am submitting this complaint to report a misuse of my personal data by Ace Security Services, who obtained my keeper details from the DVLA under the KADOE (Keeper At Date Of Event) contract.
Although the parking company may have had reasonable cause to request my data initially, the way they have used that data afterwards amounts to unlawful processing. This is because they have acted in breach of the Private Parking Single Code of Practice (PPSCoP), which forms a mandatory requirement for access to DVLA keeper data. The PPSCoP is part of the governance framework that regulates how parking companies must behave once they have received keeper data from the DVLA.
The KADOE contract makes clear that keeper data may only be used to pursue an unpaid parking charge in full compliance with the Code of Practice. If a parking company fails to comply with the PPSCoP after receiving DVLA data, their use of that data becomes unlawful, as they are no longer using it for a permitted purpose.
In this case, Ace Security Services has breached the PPSCoP in the following ways:
• They issued a Charge Notice without recording or specifying any "period of parking," in breach of the requirements of both PoFA Schedule 4 and the PPSCoP. Instead, they relied on a single observation time and a time of issue one minute later. This fails to evidence that the vehicle remained beyond the mandatory minimum "consideration period" required under the PPSCoP, during which no contract can be formed.
• They pursued a parking charge where there was no evidence that any contract had been formed, contrary to the requirements of the PPSCoP.
• They issued a Notice to Keeper containing incorrect information about the 28-day statutory period under PoFA, misrepresenting the Keeper’s legal rights.
This is wrong. PoFA Schedule 4 paragraph 8(2)(f) requires the warning to state that the relevant period is "28 days beginning with the day AFTER" the day on which the notice is given (deemed two working days after posting).
By incorrectly wording the 28-day period, Ace Security Services misrepresented the Keeper’s statutory rights, created confusion over the legal timescale for payment and liability, and failed to comply with the strict mandatory conditions of PoFA required to transfer liability from the driver to the Keeper.
Strict adherence to PoFA wording is required. Failure to meet these conditions invalidates any lawful basis for pursuing the Keeper.
• They used the Keeper’s data for enforcement purposes despite having failed to comply with the conditions under which they are permitted to pursue keeper liability.
• They therefore used my personal data for a purpose not permitted by the KADOE contract or UK data protection law.
These are not minor or technical breaches. They show a clear disregard for the standards required under the current single Code. As a result, the operator is no longer entitled to use the keeper data they obtained from the DVLA, because the purpose for which it was provided (a fair and lawful pursuit of a charge under the Code) no longer applies.
The DVLA remains the Data Controller for the data it releases under KADOE, and is therefore responsible for ensuring that personal data is not misused by third parties. This includes taking action against AOS operators who breach the conditions under which the data was provided. I am therefore asking the DVLA to investigate this breach and to take appropriate action under the terms of the KADOE contract.
This may include:
• Confirming that a breach has occurred
• Taking enforcement action against the operator
•Suspending or terminating their KADOE access if warranted
I have attached relevant supporting material with this statement. Please confirm receipt and provide a reference for this complaint. I am also happy to provide further information if required.
Name: [INSERT YOUR NAME]
Date: [INSERT DATE]
Make a note in your diary to send the following appeal to ACE Security Services (ASS) on 9th April. Email it to appeals@acesecurities.co.uk and also CC in yourself:
Subject: Charge Notice 987187 – Keeper Appeal (Not the Driver)
To: appeals@acesecurities.co.uk
Dear Ace Security Services,
I am the Registered Keeper of vehicle DF14 KYP in respect of your Charge Notice number 987187, issued on 13/03/2025 at The Pelhams 1, Wimbledon.
Let’s be clear...
The wording on the reverse of your Charge Notice claiming that “CNs can only be appealed by the driver” is utter nonsense. Nowhere in the BPA/IPC Private Parking Single Code of Practice (PPSCoP) does it state that the Keeper cannot appeal, regardless of whether the notice is a Notice to Driver (NtD) or a Notice to Keeper (NtK). That statement is misleading, legally baseless, and potentially breaches the Consumer Protection from Unfair Trading Regulations 2008.
I was not the driver, and I am under no obligation to identify the driver. I have now provided you with the Keeper’s full name and serviceable address. As such, under Paragraph 5(1)(b) of Schedule 4 of the Protection of Freedoms Act 2012, you do not need to request my data from the DVLA.
If you now apply to the DVLA for my data, despite receiving it, you will be:
• In breach of your DVLA KADOE contract
• In breach of UK GDPR, and
• Liable to be reported to both the DVLA and the Information Commissioner’s Office (ICO).
You now have a choice:
• Accept this appeal as you are required to do under the PPSCoP, or
• If you prefer to play games, send a Notice to Keeper to the name and address provided. I will then appeal again on the same basis.
Either way, the NtD is not PoFA compliant. It fails to specify any period of parking, which is a mandatory requirement under Schedule 4 of PoFA. Merely recording an "observed time" followed by a "time of issue" one minute later does not establish any meaningful parking period. More importantly, a one-minute observation falls well within the mandatory consideration period (as set out in the Private Parking Single Code of Practice) during which a driver is entitled to review the signage and choose to leave without accepting any contract. Accordingly, no contract can be formed and no breach can occur. This point has already been successfully argued and is now persuasive case law following Brennan v Premier Parking Solutions (2023) [H6DP632H], should you be bothered to look it up.
Any attempt to ignore this appeal or use my details unlawfully will result in immediate formal complaints.
Regards,
[Full Name]
Registered Keeper
[Address]