changed the fact that they breached the PPSCoP and your GDPR. Send the complaints I already advised and send the following to the BPA:
Subject: Formal Complaint – UK Parking Enforcement Ltd (AOS) – Denial of POPLA access and misuse of keeper data via ZZPS
Dear BPA AOS Compliance Team,
Operator: UK Parking Enforcement Ltd (“UKPE”) – BPA AOS member
PCN: [ref] VRM: [reg] Site: Shell, 200 Ilford Lane, IG1 2LW
NtK: 11/08/2025 Keeper appeal: 18/08/2025
I make a formal complaint that UKPE breached the Private Parking Single Code of Practice (PPSCoP) and AOS rules, and mishandled DVLA keeper data.
Denial of POPLA access / unlawful debt escalation
– I, as keeper, appealed on 18/08/2025. I did not identify the driver.
– UKPE did not accept or reject the appeal. Instead they emailed (09/09/2025) demanding the driver’s details.
– The case was then escalated to ZZPS for “debt resolution” without any rejection letter or POPLA code.
– In writing (SAR responses dated 31/10/2025 from ZZPS and 05/11/2025 from UKPE) the operator admits no rejection/POPLA was ever issued and the matter went to debt recovery instead.
– On 05/11/2025 UKPE confirmed the charge is withdrawn and the case closed.
This breaches the PPSCoP requirement that, where an appeal is not accepted, the operator must issue a written rejection with a POPLA verification code, irrespective of whether the keeper has identified the driver. Escalating to debt collection without offering the independent appeal is a serious AOS compliance failure.
Misuse of keeper data and controller responsibility
UKPE obtained my data from the DVLA. They then handed the matter to ZZPS and attempted to deny or deflect controller responsibility for the SAR and the appeal outcome, contrary to UK GDPR Articles 12, 15 and 28. Their position was that ZZPS “manages administrative matters” and would “coordinate and fulfil” the SAR. A processor can assist, but UKPE—as controller—must facilitate rights and remains responsible for lawful processing.
Passing the case to ZZPS for debt collection while refusing to issue a POPLA code is not fair or lawful processing for the purpose for which DVLA data was obtained (KADOE). It breaches purpose limitation, data minimisation and fairness, and it undermines the AOS framework tied to KADOE use.
Requested BPA action
A. Open a compliance investigation into UKPE’s handling of keeper appeals and POPLA access.
B. Confirm the BPA’s position that AOS operators who obtain DVLA keeper data remain data controllers and cannot disclaim liability by passing cases to ZZPS or any other agent.
C. Require corrective action so keeper appeals are either accepted or rejected with a POPLA code, and prohibit debt escalation until the appeal route is exhausted.
D. Confirm what disciplinary or corrective measures the BPA will apply and how recurrence will be monitored.
Evidence attached
– Keeper appeal (18/08/2025).
– UKPE email 09/09/2025 demanding driver details (no rejection/POPLA).
– ZZPS SAR bundle (31/10/2025) admitting no rejection/POPLA and debt escalation.
– UKPE email (05/11/2025) adopting the SAR and confirming “withdrawn/closed”.
Please acknowledge and advise when a full investigation will commence.
Yours faithfully,
[Your name]
[Address]
[Email]
Do not give them extra time.cUnder UK GDPR, they had one month from receipt of your SAR on 06/10/2025. The deadline is 06/11/2025. They can extend by up to two further months only if they told you within that first month that your request is complex and explained why. If they didn’t do that by 06/11/2025, they’re late.
If 06/11/2025 passes with no complete controller response from UKPE (not ZZPS alone), same day, send a final non-compliance notice (short template below). Then file an ICO complaint against UKPE (controller).
Separately, file a DVLA complaint to the Data Sharing Policy & Compliance Team about:
a) escalation to debt recovery without offering POPLA, and
b) mishandling of your data/rights following the KADOE enquiry.
If they respond after 06/11/2025 but it’s incomplete or still issued only by ZZPS, you can still complain to the ICO for late and/or incomplete SAR.
1-paragraph final non-compliance notice (send 07/11/2025 if needed):
Subject: SAR Non-Compliance – PCN [ref], VRM [reg] (deadline missed)
UK Parking Enforcement Ltd – Data Protection Officer
My SAR was received by you on 06/10/2025. The statutory one-month period expired 06/11/2025 with no complete controller response from UK Parking Enforcement Ltd and no timely extension notification under Article 12(3). You are now in breach of Articles 12 and 15 UK GDPR. Provide the missing items (proof of posting/transmission and the audit/dispatch entries containing my personal data) within 7 days or confirm in writing that they do not exist. Failing that, I will proceed with complaints to the ICO and DVLA Data Sharing Policy & Compliance Team.
Also confirm, as controller, that PCN [ref] is cancelled (£0) and that no further processing/sharing for enforcement will occur.
[Name]
ICO complaint (points to include):
• Controller: UK Parking Enforcement Ltd.
• SAR submitted: 06/10/2025; deadline: 06/11/2025; no valid Article 12(3) extension issued in time.
• Response was compiled/issued by ZZPS; controller failed to adopt it clearly and it is incomplete (missing your personal data within proofs of posting/transmission and dispatch/audit entries).
• Prejudice: escalation to debt recovery occurred while appeal route (POPLA) was not provided; you needed the data to challenge service.
• Remedy sought: compel UKPE to provide the missing personal data and record the breach.
• Attach: your SAR email, proof of receipt, ZZPS bundle, their admissions (no POPLA before debt), your follow-ups, and the non-compliance notice.
DVLA complaint (outline):
• To: DVLA Data Sharing Policy & Compliance Team.
• Grounds: misuse/mishandling after KADOE data access—operator escalated to debt recovery without issuing a POPLA code, then failed to facilitate rights under Article 12; SAR answered by a processor without a complete controller response, missing personal-data proofs of service.
• Ask DVLA to investigate and apply appropriate sanctions/monitoring.
ZZPS's written admission that they went to debt “without a POPLA code being issued” is powerful. Keep that page prominent. It supports both your DVLA complaint and any future challenge if this ever resurfaces.
What response have you had to the email above that I advised you to send to the UKPE DPO? That response is from ZZPS.
Send the following to the UKPE DPO and CC ZZPS and yourself:
Subject: Formal Data Protection Notice – SAR Non-Compliance and Unlawful Processing
PCN [ref] / VRM [reg]
UK Parking Enforcement Ltd – Data Protection Officer
You used your processor (ZZPS) to issue a partial, inadequate response to my SAR dated [date]. As controller, UK Parking Enforcement Ltd remains responsible under Articles 12 and 15 UK GDPR and s.45 DPA 2018 for issuing a full, lawful response.
Your bundle omits my personal data that I expressly requested:
• Proof of posting/transmission for any alleged rejection/POPLA (certificate of posting or postal/batch manifest; or for email, full SMTP headers and server delivery logs identifying my address).
• System/audit entries that record creation and dispatch to me (date/time, method, addressee).
Provide those items, or confirm in writing that they do not exist, within 7 days.
ZZPS’s pages state the Parking Charge has been “withdrawn and the case closed”. Confirm as controller that PCN [ref] is cancelled (£0 balance), all recovery is permanently withdrawn, and no further processing/sharing for enforcement will occur.
Failure to comply will result in a formal complaint to the DVLA Data Sharing Policy & Compliance Team and the ICO for breach of Articles 12 and 15 UK GDPR.
No further correspondence will be entered into unless it is a complete, compliant disclosure.
[Name]
[Date]
Their “clarification” doesn’t change anything: UKPE remains the controller, the clock runs from your original SAR date, and you’re entitled to deal with UKPE directly. A processor (ZZZPS) may assist, but UKPE is responsible for the response and its lawfulness.
Respond with the following:
Subject: Re: SAR – Controller responsibility, deadline and required items – PCN [ref], VRM [reg]
Dear Data Protection Officer,
Thank you for confirming that UK Parking Enforcement Ltd is the data controller and that any processor acts strictly under your instruction. For the avoidance of doubt:
1. The statutory one-month deadline under Article 12(3) UK GDPR runs from my original SAR date [insert date].
2. I will continue to correspond with UKPE as controller. Any response you instruct a processor to compile must be issued on your behalf, with a covering note from UKPE accepting controller responsibility.
Please ensure the SAR bundle includes the personal data and proofs previously requested, specifically:
• A copy of every item of correspondence to/from me (letters, emails) about PCN [ref], including any rejection you allege and any POPLA code;
• Proof of posting/transmission for any such rejection/POPLA (Certificate of Posting or postal/batch manifest; or for email, full SMTP headers and server logs);
• System/audit logs evidencing creation and dispatch of those items (date/time, method, addressee);
• All identifiers you hold for me (name/address/email/phone), their source (including DVLA/KADOE details), and the dates and recipients of any disclosures (including to ZZZPS).
As stated, I rebut any presumption of delivery. Without contemporaneous proof of posting/delivery, you must treat any “rejection” as not served and either cancel or re-issue a rejection to the keeper with a fresh POPLA code.
Finally, my Article 21 objection and Article 18 restriction to debt-collection processing remain in place pending your SAR fulfilment and a lawful conclusion of the appeal process. Please ensure ZZZPS is instructed accordingly.
If a complete response is not provided within the statutory time, I will escalate to the ICO and consider remedies for non-compliance.
Yours faithfully,
[Name]
[Address]
[Email]
[Date]
Excellent — that email from UK Parking Enforcement is a gift. It’s an outright breach of UK GDPR Article 12(2) and Article 15(1) because they’ve refused to handle your Subject Access Request (SAR) and unlawfully “passed it to ZZPS”.
They are the data controller (the entity that obtained your details from the DVLA), so they cannot sidestep their legal obligations by deflecting to a processor. This is a textbook non-compliance case.
Here’s a formal follow-up you can send to UKPE’s Data Protection Officer — and later use as evidence for the ICO if they fail to comply.
Subject: Non-compliance with Subject Access Request – Breach of UK GDPR Articles 12 & 15
Dear Data Protection Officer,
On [date], I submitted a valid Subject Access Request under Article 15 UK GDPR and s.45 DPA 2018 regarding PCN [ref], VRM [reg].
Your response of [insert date of their email] stated:
“We have passed this to ZZPS to action, as we do not hold data nor the information you are asking for.”
That response is wholly inadequate and unlawful. UK Parking Enforcement Ltd is the data controller, having obtained my keeper data from the DVLA under Regulation 27(1)(e) of the Road Vehicles (Registration and Licensing) Regulations 2002. You remain responsible for all processing undertaken on your behalf, including by ZZPS.
Under Article 12(2) you must facilitate the exercise of data-subject rights. Refusing the request or attempting to delegate it to a third party is non-compliance. ZZPS, as your data processor, acts only on your written instructions and has no lawful basis to handle a SAR directly.
Accordingly, you are hereby placed on formal notice that:
1. The statutory one-month period for responding to my SAR continues to run from the original receipt date.
2. You must now conduct the search yourself and provide a full SAR response directly to me within that time limit.
3. Any further attempt to deflect this obligation to ZZPS will be treated as wilful obstruction of my data-subject rights.
If I do not receive a compliant response within the statutory timeframe, I will file a detailed complaint with the Information Commissioner’s Office and reserve all rights to seek damages for breach of data-protection obligations.
Yours faithfully,
[Full Name]
[Address]
[Email]
You can safely ignore ZZPS and any other debt collector. They are powerless to do anything except to try and intimidate the low-hanging fruit on the gullible tree to pay up out of ignorance and fear. We do not need to see these debt recovery notices and you can safely shred them and use the as hamster bedding for anyone cares. The same will apply when they set the dimwit on the next desk on to you with a letterhead that says GCTT.
You can send the following to UKPE at info@ukpenforcement.co.uk and CC yourself:
Subject: [PCN Number] – Formal Demand for Proof of Appeal Response / POPLA Code
Dear Sirs,
I am the keeper of vehicle registration LW08NFY. My appeal was lodged on [date]. The only correspondence ever received from you is your correspondence of 9 September 2025, which merely sought the identity of the driver. I have never received a rejection or a POPLA code.
For the avoidance of doubt, I expressly rebut any presumption of delivery. If you claim a rejection and POPLA code were issued, you are now put to strict proof of posting and delivery. That means:
• A dated copy of the rejection letter or email containing the POPLA code;
• Proof of posting (certificate of posting, batch manifest, or equivalent postal record) or, for email, full SMTP headers and server transmission logs evidencing successful delivery; and
• Your system or CRM audit logs confirming the date and method of dispatch.
For the record, the Interpretation Act 1978, section 7 and Civil Procedure Rule 6.26 both make clear that the presumption of service is rebuttable upon denial of receipt, as is the case here. Mere assertions or template screenshots are not proof of posting or delivery.
Absent such proof, you must now either:
• Cancel the PCN outright; or
• Re-issue a proper rejection to the keeper together with a fresh POPLA code, placing the matter on hold to allow a full appeal.
Passing the file to ZZZPS before concluding the appeal process is improper and ignored. Debt collectors have no authority or standing in law, and I will not engage with them.
If you fail to comply within 7 days, I will consider this matter formally unresolved and will take further action without notice. This may include an application for disclosure of your dispatch and system records, and a claim for damages and costs arising from unlawful debt recovery activity in the absence of a valid rejection and appeal route.
Yours faithfully,
[Name]
At the same time email the following Subject Access Request (SAR) to the same email address and again, CC yourself:
Subject: Subject Access Request (UK GDPR/DPA 2018) – PCN [ref], VRM LW08NFY
Data Protection Officer/UK Parking Enforcement Ltd
info@ukpenforcement.co.uk
Dear DPO,
This is a Subject Access Request under UK GDPR Article 15 and the Data Protection Act 2018. I am the registered keeper of VRM LW08NFY. The controller reference is PCN [ref].
Please provide all personal data that you hold about me and my vehicle, in a commonly used electronic format, including the following specific items and their metadata/timestamps:
• Appeal handling & dispatch records
• Full copy of my appeal and all inbound/outbound correspondence (letters, emails, portal messages, SMS) including any rejection and POPLA code you say was issued.
• Proof of posting/delivery for any rejection/POPLA: certificates of posting, postal/batch manifests, tracking data; or, for email, full SMTP headers, transmission/server logs, and delivery status notifications.
• Internal CRM/system audit logs showing creation, approval, and dispatch of those items.
• Enforcement file
• NtD/NtK images and PDFs (all versions), ANPR or manual images and the raw image files, time stamps, location coordinates, camera IDs, sync/clock drift records, and any manual notes/observations.
• DVLA & third-party data
• KADOE enquiry date/time, the data you received from DVLA, and the lawful basis you relied upon.
• All data shared with ZZZPS or any other processors/agents, including dates, purposes, and legal basis, plus copies of the data actually transmitted.
• Account metadata
• All data fields you hold about me (names/addresses/emails you store), data sources, data retention periods, categories of recipients, and any international transfers.
• Details of any profiling or automated decision-making applied.
Statutory matters:
There should be no charge for this SAR. The statutory time limit is one month from receipt (Article 12(3)). If you claim complexity and need up to two additional months, you must notify me within one month, explaining why.
Please send the response to [your email]. I also require a brief confirmation that you have started processing this SAR.
Restriction & objection (Articles 18 and 21): Pending your SAR response and a lawful conclusion of the appeal process, I object to further processing for debt collection and require you to restrict processing (no further contact from any debt collector, no additional data sharing or escalation).
Identity: I attach proof of keeper status (V5C). Please confirm safe receipt.
Yours faithfully,
[Full name]
[Address]
[Email]
[Date]
Attachments: Redacted V5C