Good question — the answer is... not fully. My bad.
• UK GDPR & DPA 2018 protect personal data – i.e. data relating to an identified or identifiable natural person (“data subject”).
• A company (Ltd, LLP, etc.) is not a natural person, so strictly speaking a registered keeper that is a company cannot claim rights as a “data subject.”
Therefore, the company itself cannot claim compensation for “distress and anxiety” because those are harms recognised only for individuals. But the ICO can still investigate, because the operator has misused DVLA keeper data, and the DVLA supply chain is supposed to ensure compliance.
The ICO often gets involved when companies (e.g. fleet operators, leasing firms) have data processed improperly. If the company has named an individual (e.g. an employee, hirer, or director) and their details were passed on and used by the debt collector, that individual could potentially bring a distress claim.
So the practical position is:
• The complaint to ICO and BPA still stands, because CSPM processed data beyond the limits of the KADOE contract and PPSCoP, which are enforceable regardless of whether the keeper is a company or individual.
• What falls away is the distress damages claim under Art 82 UK GDPR / s.168 DPA 2018, since a company doesn’t suffer personal distress. A company might instead argue financial loss or reputational harm if they wanted to go down the damages route (but that’s harder to evidence in a parking context).
If you want to throw the book at CSPM as a company keeper, the angle should be:
• Breach of PPSCoP 11.3 (referral to debt collector while appeal live).
• Breach of the DVLA KADOE contract (data only to be used for pursuing PCNs in accordance with law and Code of Practice).
• Misuse of company data under UK GDPR — framed not as distress, but as unlawful disclosure and processing without lawful basis.
Here is a revised response that drops the “distress” argument (since a company cannot suffer it), hits them with GDPR, DPA 2018, PPSCoP, KADOE and puts them on clear notice that you’ll escalate to BPA and ICO:
Formal Notice – Unlawful Disclosure of Keeper Data
Dear CSPM,
I refer to your recent admission that you disclosed the registered keeper’s data to Debt Recovery Plus (DRP) before my POPLA appeal had been determined.
This disclosure was wholly improper. At the time, the charge was on hold pending appeal. Passing keeper data to a third-party debt collector in these circumstances is a serious breach of your obligations under:
• UK GDPR, Article 5(1)(a) and (c): Processing must be lawful, fair, transparent, and limited to what is necessary. • Disclosure to DRP at the appeal stage was neither lawful nor necessary.
• Data Protection Act 2018: You have processed the registered keeper’s data outside any lawful basis.
• Private Parking Single Code of Practice (v1.1, 17 February 2025, Section 11.3): This expressly prohibits escalation to debt recovery while appeal rights remain active.
• The DVLA KADOE Contract: Keeper data is provided strictly for the purpose of pursuing PCNs in compliance with the law and applicable Codes of Practice. Your conduct is a clear breach of those terms.
Your suggestion that this was done before you were “notified” of the POPLA appeal does not excuse the unlawful disclosure. You had no lawful basis to instruct DRP before the appeal process had been fully exhausted, nor to treat the keeper’s data as an asset to be passed around.
You are now formally on notice that:
1. The registered keeper regards this as a breach of data protection law, PPSCoP, and the KADOE contract.
2. You are required to confirm within 14 days:
• That the keeper’s data has been recalled from DRP and permanently erased by them.
• That no further unauthorised disclosures will occur.
• What steps you have taken to review and correct your internal processes to prevent recurrence.
3. Your response will be relied upon when this matter is escalated to the
BPA and the
Information Commissioner’s Office.
This is a serious complaint. Your misuse of keeper data will not be ignored, and any further breaches will aggravate the consequences you face with both your Accredited Operator Scheme and the ICO.
Yours faithfully,
[Company Name]
Registered Keeper
Subject: Formal Notice – Misuse of Personal Data and GDPR Breach
Dear CSPM,
I write further to your recent correspondence in which you admitted that my personal data was passed to Debt Recovery Plus before my POPLA appeal had been determined.
By disclosing my data to a third-party debt collector at a time when the charge was formally on hold, you have committed a serious breach of the UK GDPR and the Data Protection Act 2018.
There was no lawful purpose for this disclosure. Article 5(1)(a) UK GDPR requires lawfulness, fairness and transparency in all processing. Passing my data to DRP while appeal rights remained active fails all three.
Article 5(1)(c) UK GDPR requires that data be processed only to the extent necessary. At the appeal stage, no debt exists and no collection activity is permissible under the Private Parking Single Code of Practice (v1.1, 17 February 2025, Section 11.3). This renders your disclosure unlawful and unnecessary.
As a direct result, I received threatening and misleading debt letters which caused unnecessary distress and anxiety. Non-material damage of this type is explicitly recognised as compensable under Article 82 UK GDPR and Section 168 DPA 2018.
You are now formally on notice that:
• You have breached your statutory data protection obligations by unlawfully sharing my data with a third party.
• I will rely upon the Data Protection Act 2018 in holding you accountable. I reserve all rights, including the right to issue proceedings for compensation for the distress and harm caused.
I require your immediate confirmation that:
• My data has been recalled from DRP and permanently erased by them.
• No further unauthorised processing will take place.
• You have reviewed and corrected your internal processes to prevent this unlawful practice from recurring.
Unless I receive a satisfactory written response within 14 days, I will escalate this to the BPA and the Information Commissioner’s Office.
You should treat this as a serious complaint. Your misuse of my data will not be ignored, and any repetition will significantly aggravate the damages I will seek.
Yours faithfully,
[Keeper’s Name]
That’s a breach of the Private Parking Single Code of Practice (PPSCoP) and POPLA’s own requirements.
Under PPSCoP v1.1 (17 Feb 2025), Section 11.3 – Escalation of Charges, operators must not instruct a debt recovery agent while an appeal is still in progress. This includes the POPLA stage. Issuing a DRP letter dated 01/08/25 before POPLA has even ruled is a clear breach.
POPLA’s process also states that once an appeal code has been issued, the parking charge is placed on hold until POPLA has reached a decision. Any debt collection activity in this period is improper because it misleads the motorist into thinking the appeal is irrelevant and that further enforcement is inevitable.
I suggest you:
• Send a formal complaint to the operator – reference the POPLA appeal number, the DRP letter, and cite PPSCoP 11.3. Demand written confirmation that the charge has been returned from DRP and all collection activity suspended until POPLA decides.
• Send a copy to POPLA – notify them that the operator is in breach of their obligations during the appeal process.
• Send a copy to the BPA – as the relevant Accredited Operator Scheme, with a complaint that the operator has failed to follow the PPSCoP and is undermining the appeals process.