You can safely ignore anything from ZZPS/GCTT or any other debt recovery firm. Debt collectors are powerless to do anything except to try and persuade the low-hanging fruit on the gullible tree to pay up out of ignorance and fear.
We don't need to know about and certainly don't need to see anything you receive from a debt collector.
As for the DVLA response, what you’ve received is a classic Step 1 whitewash — a boilerplate response that conflates lawful initial access to keeper data with the subsequent unlawful use of that data, despite you having clearly framed your complaint around the post-access misuse in breach of the BPA Code and the KADOE contract.
You now submit a Step to complaint to the Head of Complaints. I tis exactly the same process as you did of the Step 1 complaint except that the link to that process is: https://contact.dvla.gov.uk/head-of-complaints and you use the following as your webform text:
I am escalating my complaint about Bridge Security Ltd under Step 2 of the DVLA complaints process. My original complaint (submitted on 6 May 2025) has not been resolved and has been wrongly dismissed as if it were solely about whether there was “reasonable cause” at the point of data request.
To be absolutely clear: this complaint concerns the misuse of DVLA data after it was accessed—not the initial request.
The Step 1 response entirely failed to address the basis of my complaint, which referenced the KADOE contract and the Private Parking Single Code of Practice (PPSCoP), both of which govern the lawful use of keeper data once accessed. Instead, the response simply repeated generic guidance about why parking firms may request data, which I had already acknowledged.
I have attached a supporting statement that outlines exactly how the DVLA has failed to consider or investigate the complaint properly. This includes Bridge Security Ltd issuing a non-compliant NtK and attempting to rely on PoFA while misrepresenting their own status as creditor, in direct breach of the BPA Code and KADOE contract.
I am requesting a full review of this complaint by the Head of Complaints and a proper response to the specific issue of post-access data misuse. Please confirm a reference number for the Step 2 escalation.
And use the following as your Supporting Statement which you again upload as a PDF:
SUPPORTING STATEMENT – STEP 2 COMPLAINT TO DVLA
Operator name: Bridge Security CCTV Ltd TA BPAM
Vehicle registration: GM15LNX
PCN issue date: 04 April 2025
KADOE request date: Approximately 09 April 2025
I am escalating my formal complaint regarding Bridge Security Ltd’s misuse of DVLA keeper data, following a wholly inadequate Step 1 response from the DVLA dated [insert Step 1 response date here].
My original complaint clearly stated that I was not disputing the existence of “reasonable cause” at the point of data request. Rather, I raised serious concerns about the misuse of my personal data after access was granted, in breach of:
• The BPA/IPC Private Parking Single Code of Practice (PPSCoP), and
• The DVLA’s KADOE contract, which makes continued use of keeper data conditional on Code compliance.
The Step 1 response failed to address these points. Instead, it rehashed irrelevant justification for data access, completely ignoring the legal framework that governs how that data may be used after it has been received.
In this case, Bridge Security Ltd has:
• Issued a Notice to Keeper that is not compliant with Schedule 4 of the Protection of Freedoms Act 2012, yet continues to rely on it to assert keeper liability.
• Claimed in writing that they are “acting on behalf of a client” while simultaneously being the named creditor and data controller—a contradiction that reflects either gross incompetence or deliberate misrepresentation.
• Misquoted and misunderstood PoFA paragraphs while ignoring legal requirements of the KADOE contract and BPA Code, including the obligation to only pursue charges where lawful basis exists.
• Ignored clear statutory requirements around how liability may be transferred and continued to threaten the registered keeper despite lacking any lawful basis to do so.
Under UK GDPR, the DVLA remains the data controller responsible for ensuring that its data recipients continue to process personal data lawfully. Once an AOS operator breaches the PPSCoP, their continued use of DVLA data becomes unlawful. This complaint falls squarely within the DVLA’s responsibility, and cannot be dismissed as an “ATA matter” alone.
I am therefore requesting:
• A full investigation into Bridge Security Ltd’s conduct,
• A proper Step 2 response from the Head of Complaints that deals with the actual subject of the complaint (post-access data misuse),
• Confirmation that the misuse of DVLA data will be taken seriously and, where necessary, result in enforcement action, including possible suspension of KADOE access.
Please confirm a reference number for this escalation.
Name: [Your Name]
Date: [Today’s Date]
Respond with the following and then report them to the DVLA:
Subject: Re: Parking Charge [Reference Number] – Final Response
Dear Jenifer Richards,
Thank you for your response, which I found unintentionally enlightening.
You state that “our clients do not need to rely on PoFA 2012” while simultaneously asserting a right to pursue the registered keeper. A fascinating legal theory—except, of course, that it’s nonsense. As you are the parking operator and creditor named on the Notice to Keeper, the notion that you are acting on behalf of a “client” is fiction. You’re not agents for yourselves; you are the data controller, the creditor, and the party issuing the charge.
If you’re not relying on the Protection of Freedoms Act 2012, then you cannot hold me, the registered keeper, liable. It’s that simple. And since I have no obligation to identify the driver, and have declined to do so, you have nowhere to go.
You now have two options:
1. Cancel the charge, or
2. Issue a POPLA code so that your procedural ineptitude can be exposed, at your own expense.
As a formal complaint has now been raised with the DVLA, you may want to pass this to a responsible adult within your firm who has a minimal understanding of basic contract law and PoFA. It has become very obvious that, up to now, whoever has responded to any communication is clearly deficient in their understanding of the law.
This is my final word on the matter. If you continue to misuse my personal data or issue threats without legal basis, your conduct will also be reported to the BPA and the ICO.
Yours sincerely,
[Your Name]
Registered Keeper
Here’s how to make a DVLA complaint:
• Go to: https://contact.dvla.gov.uk/complaints
• Select: “Making a complaint or compliment about the Vehicles service you have received”
• Enter your personal details, contact details, and vehicle details
• Use the text box to summarise your complaint or insert a covering note
• You will then be able to upload a file (up to 19.5 MB) — this can be your full complaint or supporting evidence
That’s it.
The DVLA is required to record, investigate and respond to every complaint about a private parking company. If everyone who encounters a breach took the time to submit a complaint, we might finally see the DVLA take meaningful action—whether that means curtailing or removing KADOE access altogether.
For the text part of the complaint the webform could use the following:
I am submitting a formal complaint against Bridge Security CCTV Ltd TA BPAM, a BPA AOS member with DVLA KADOE access, for breaching the BPA/IPC Private Parking Single Code of Practice (PPSCoP) after obtaining my personal data.
While the Operator may have had reasonable cause at the time of their KADOE request, their subsequent misuse of my data—through conduct that contravenes the PPSCoP—renders that use unlawful. The PPSCoP forms an integral part of the DVLA’s governance framework for data access by private parking firms. Continued access is conditional on compliance.
The DVLA, as data controller, is obliged under UK GDPR and the Data Protection Act 2018 to investigate and take enforcement action when data is misused following release. This complaint is not about whether the data was obtained lawfully at the outset, but whether its subsequent use breached the terms under which it was provided.
I have prepared a supporting statement setting out the nature of the breach and the Operator’s actions, and I request a full investigation into this matter. I have attached the supporting document.
Please acknowledge receipt and confirm the reference number for this complaint.
Then you could upload the following as a PDF file for the formal complaint itself:
SUPPORTING STATEMENT
Operator name: Bridge Security CCTV Ltd TA BPAM
Date of PCN issue: 04 April 2025
Vehicle registration: GM15LNX
I am submitting this complaint to report a misuse of my personal data by Bridge Security CCTV Ltd TA BPAM, who obtained my keeper details from the DVLA under the KADOE (Keeper At Date Of Event) contract.
Although the parking company may have had reasonable cause to request my data initially, the way they have used that data afterwards amounts to unlawful processing. This is because they have acted in breach of the BPA/IPC Private Parking Single Code of Practice (PPSCoP), which is a mandatory requirement for access to DVLA keeper data. The PPSCoP forms part of the framework that regulates how parking companies must behave once they have received keeper data from the DVLA.
The KADOE contract makes clear that keeper data may only be used to pursue an unpaid parking charge in line with the Code of Practice. If a parking company fails to comply with the PPSCoP after receiving DVLA data, their use of that data becomes unlawful, as they are no longer using it for a permitted purpose.
In this case, Bridge Security CCTV Ltd TA BPAM has breached the PPSCoP in the following ways:
• They issued a Notice to Keeper that does not comply with Schedule 4 of the Protection of Freedoms Act 2012, thereby forfeiting any lawful basis to pursue the keeper.
• They subsequently continued to threaten the registered keeper with liability despite confirming that they were not relying on PoFA.
• Their staff demonstrated a complete misunderstanding of their role, claiming to act “on behalf of a client” while they themselves are the named operator, creditor, and data controller—raising serious concerns about competence and internal governance.
• They refused to cancel the charge or issue a POPLA code, contrary to the dispute resolution obligations set out in the PPSCoP for BPA members.
These are not minor or technical breaches. They show a clear disregard for the standards required under the current single Code. As a result, the operator is no longer entitled to use the keeper data they obtained from the DVLA, because the purpose for which it was provided (a fair and lawful pursuit of a charge under the Code) no longer applies.
The DVLA remains the Data Controller for the data it releases under KADOE, and is therefore responsible for ensuring that personal data is not misused by third parties. This includes taking action against AOS operators who breach the conditions under which the data was provided. I am therefore asking the DVLA to investigate this breach and to take appropriate action under the terms of the KADOE contract.
This may include:
• Confirming that a breach has occurred
• Taking enforcement action against the operator
•Suspending or terminating their KADOE access if warranted
I have attached relevant supporting material with this statement. Please confirm receipt and provide a reference for this complaint. I am also happy to provide further information if required.
Name: [INSERT YOUR NAME]
Date: [INSERT DATE]