Free Traffic Legal Advice

The appeal is good. The Notice to Keeper (NtK) is not PoFA compliant.

Respond with the following:

Subject: Re: Parking Charge [Reference Number]

Dear Luke,

Thank you for your response.

As previously advised, your Notice to Keeper is not compliant with the Protection of Freedoms Act 2012, Schedule 4. In particular, it fails to satisfy the mandatory requirements of paragraphs 9(2)(a), 9(2)(e)(i), 9(2)(f), 9(2)(h), and 9(2)(i). Your suggestion that keeper liability applies is therefore incorrect.

I will not be naming the driver, and you have no lawful basis to pursue me as the registered keeper. I suggest you either cancel the charge, or issue a POPLA code so I can formally appeal and expose your procedural incompetence at your expense.

Yours sincerely,

[Your Name]
Registered Keeper

Respond with the following and then report them to the DVLA:

Subject: Re: Parking Charge [Reference Number] – Final Response

Dear Jenifer Richards,

Thank you for your response, which I found unintentionally enlightening.

You state that “our clients do not need to rely on PoFA 2012” while simultaneously asserting a right to pursue the registered keeper. A fascinating legal theory—except, of course, that it’s nonsense. As you are the parking operator and creditor named on the Notice to Keeper, the notion that you are acting on behalf of a “client” is fiction. You’re not agents for yourselves; you are the data controller, the creditor, and the party issuing the charge.

If you’re not relying on the Protection of Freedoms Act 2012, then you cannot hold me, the registered keeper, liable. It’s that simple. And since I have no obligation to identify the driver, and have declined to do so, you have nowhere to go.

You now have two options:

1. Cancel the charge, or
2. Issue a POPLA code so that your procedural ineptitude can be exposed, at your own expense.

As a formal complaint has now been raised with the DVLA, you may want to pass this to a responsible adult within your firm who has a minimal understanding of basic contract law and PoFA. It has become very obvious that, up to now, whoever has responded to any communication is clearly deficient in their understanding of the law.

This is my final word on the matter. If you continue to misuse my personal data or issue threats without legal basis, your conduct will also be reported to the BPA and the ICO.

Yours sincerely,

[Your Name]
Registered Keeper

Here’s how to make a DVLA complaint:


The DVLA is required to record, investigate and respond to every complaint about a private parking company. If everyone who encounters a breach took the time to submit a complaint, we might finally see the DVLA take meaningful action—whether that means curtailing or removing KADOE access altogether.

For the text part of the complaint the webform could use the following:

I am submitting a formal complaint against Bridge Security CCTV Ltd TA BPAM, a BPA AOS member with DVLA KADOE access, for breaching the BPA/IPC Private Parking Single Code of Practice (PPSCoP) after obtaining my personal data.

While the Operator may have had reasonable cause at the time of their KADOE request, their subsequent misuse of my data—through conduct that contravenes the PPSCoP—renders that use unlawful. The PPSCoP forms an integral part of the DVLA’s governance framework for data access by private parking firms. Continued access is conditional on compliance.

The DVLA, as data controller, is obliged under UK GDPR and the Data Protection Act 2018 to investigate and take enforcement action when data is misused following release. This complaint is not about whether the data was obtained lawfully at the outset, but whether its subsequent use breached the terms under which it was provided.

I have prepared a supporting statement setting out the nature of the breach and the Operator’s actions, and I request a full investigation into this matter. I have attached the supporting document.

Please acknowledge receipt and confirm the reference number for this complaint.

Then you could upload the following as a PDF file for the formal complaint itself:

SUPPORTING STATEMENT

Operator name: Bridge Security CCTV Ltd TA BPAM
Date of PCN issue: 04 April 2025
Vehicle registration: GM15LNX

I am submitting this complaint to report a misuse of my personal data by Bridge Security CCTV Ltd TA BPAM, who obtained my keeper details from the DVLA under the KADOE (Keeper At Date Of Event) contract.

Although the parking company may have had reasonable cause to request my data initially, the way they have used that data afterwards amounts to unlawful processing. This is because they have acted in breach of the BPA/IPC Private Parking Single Code of Practice (PPSCoP), which is a mandatory requirement for access to DVLA keeper data. The PPSCoP forms part of the framework that regulates how parking companies must behave once they have received keeper data from the DVLA.

The KADOE contract makes clear that keeper data may only be used to pursue an unpaid parking charge in line with the Code of Practice. If a parking company fails to comply with the PPSCoP after receiving DVLA data, their use of that data becomes unlawful, as they are no longer using it for a permitted purpose.

In this case, Bridge Security CCTV Ltd TA BPAM has breached the PPSCoP in the following ways:

• They issued a Notice to Keeper that does not comply with Schedule 4 of the Protection of Freedoms Act 2012, thereby forfeiting any lawful basis to pursue the keeper.
• They subsequently continued to threaten the registered keeper with liability despite confirming that they were not relying on PoFA.
• Their staff demonstrated a complete misunderstanding of their role, claiming to act “on behalf of a client” while they themselves are the named operator, creditor, and data controller—raising serious concerns about competence and internal governance.
• They refused to cancel the charge or issue a POPLA code, contrary to the dispute resolution obligations set out in the PPSCoP for BPA members.

These are not minor or technical breaches. They show a clear disregard for the standards required under the current single Code. As a result, the operator is no longer entitled to use the keeper data they obtained from the DVLA, because the purpose for which it was provided (a fair and lawful pursuit of a charge under the Code) no longer applies.

The DVLA remains the Data Controller for the data it releases under KADOE, and is therefore responsible for ensuring that personal data is not misused by third parties. This includes taking action against AOS operators who breach the conditions under which the data was provided. I am therefore asking the DVLA to investigate this breach and to take appropriate action under the terms of the KADOE contract.

This may include:

• Confirming that a breach has occurred
• Taking enforcement action against the operator
•Suspending or terminating their KADOE access if warranted

I have attached relevant supporting material with this statement. Please confirm receipt and provide a reference for this complaint. I am also happy to provide further information if required.

Name: [INSERT YOUR NAME]
Date: [INSERT DATE]

I've now received another response.

Good afternoon,

Thank you for your response which we find enlightening.

The information we have provided you with is correct, our client ( Bridge Security Ltd) who manages the land you had parked on, does not need to rely on PoFA 2012 to issue a Parking Charge.

However, this particular Parking Charge does comply with PoFA 2012, as this was sent within 12 days of the contravention and deemed served after 2 days.

The contravention occurred on 04/04/2025, and we had sent the notification of this 09/04/2025, which is deemed served on 11/04/2025. Therefore complies with PoFA.

So in this case, you are not willing to name the driver as previously confirmed, we are able to hold the keeper liable.

You now have three options:

you can provide the drivers details so we can transfer liability to them
you can advise the driver to appeal to us directly
we can process your appeal as the registered keeper and provide you with a POPLA code.

Due to my above explanation of POFA, I hope this has provided enough clarification that we have an understanding of PoFA 2012 and are able to hold you liable as the registered keeper.

You have previously stated our notice to keeper does not comply with the following paragraphs in the PoFA 2012 legislation:

9(2)(a) - our Notice to Keeper, contains the vehicle make, model and vehicle registration Blue Suzuki Swift GM15LNX, it also includes the location in which you had parked which was Cutter Lane London SE10 0YB and the period of parking is the contravention time of 14:31.

9(2)(e)(i) - our Notice to keeper gives the option for the keeper to provide driver details or pay/appeal.

9(2)(f)- The parking charge advises that ' You are warned that if, after 29 days from the date given, the Parking Charge has not been paid in full and we do not know both the name and current address of the driver, the Creditor has the right to recover unpaid parking charges, and any charges associated with recovery from the registered keeper as described under Schedule 4 of the Protection of Freedoms Act 2012.'

9(2)(h) - the creditor has been identified as our clients name is on the parking charge along with our name and specifies how to make payment and who to.

9(2)(i)- the date is on the top right of the letter.

As a gesture of goodwill, i have held the matter a final seven days to provide you with ample opportunity to name the driver, in the absence of this, we will process your appeal as the registered keeper.

Kind regards,
Rebecca

I've sent the new response, as well as the old response (Did this before seeing this update.) Hopefully it doesn't cause too many issues. Now waiting on a reply. Thanks again.

You can safely ignore anything from ZZPS/GCTT or any other debt recovery firm. Debt collectors are powerless to do anything except to try and persuade the low-hanging fruit on the gullible tree to pay up out of ignorance and fear.

We don't need to know about and certainly don't need to see anything you receive from a debt collector.

As for the DVLA response, what you’ve received is a classic Step 1 whitewash — a boilerplate response that conflates lawful initial access to keeper data with the subsequent unlawful use of that data, despite you having clearly framed your complaint around the post-access misuse in breach of the BPA Code and the KADOE contract.

You now submit a Step to complaint to the Head of Complaints. I tis exactly the same process as you did of the Step 1 complaint except that the link to that process is: https://contact.dvla.gov.uk/head-of-complaints and you use the following as your webform text:

I am escalating my complaint about Bridge Security Ltd under Step 2 of the DVLA complaints process. My original complaint (submitted on 6 May 2025) has not been resolved and has been wrongly dismissed as if it were solely about whether there was “reasonable cause” at the point of data request.

To be absolutely clear: this complaint concerns the misuse of DVLA data after it was accessed—not the initial request.

The Step 1 response entirely failed to address the basis of my complaint, which referenced the KADOE contract and the Private Parking Single Code of Practice (PPSCoP), both of which govern the lawful use of keeper data once accessed. Instead, the response simply repeated generic guidance about why parking firms may request data, which I had already acknowledged.

I have attached a supporting statement that outlines exactly how the DVLA has failed to consider or investigate the complaint properly. This includes Bridge Security Ltd issuing a non-compliant NtK and attempting to rely on PoFA while misrepresenting their own status as creditor, in direct breach of the BPA Code and KADOE contract.

I am requesting a full review of this complaint by the Head of Complaints and a proper response to the specific issue of post-access data misuse. Please confirm a reference number for the Step 2 escalation.

And use the following as your Supporting Statement which you again upload as a PDF:

SUPPORTING STATEMENT – STEP 2 COMPLAINT TO DVLA

Operator name: Bridge Security CCTV Ltd TA BPAM
Vehicle registration: GM15LNX
PCN issue date: 04 April 2025
KADOE request date: Approximately 09 April 2025

I am escalating my formal complaint regarding Bridge Security Ltd’s misuse of DVLA keeper data, following a wholly inadequate Step 1 response from the DVLA dated [insert Step 1 response date here].

My original complaint clearly stated that I was not disputing the existence of “reasonable cause” at the point of data request. Rather, I raised serious concerns about the misuse of my personal data after access was granted, in breach of:

• The BPA/IPC Private Parking Single Code of Practice (PPSCoP), and
• The DVLA’s KADOE contract, which makes continued use of keeper data conditional on Code compliance.

The Step 1 response failed to address these points. Instead, it rehashed irrelevant justification for data access, completely ignoring the legal framework that governs how that data may be used after it has been received.

In this case, Bridge Security Ltd has:

• Issued a Notice to Keeper that is not compliant with Schedule 4 of the Protection of Freedoms Act 2012, yet continues to rely on it to assert keeper liability.
• Claimed in writing that they are “acting on behalf of a client” while simultaneously being the named creditor and data controller—a contradiction that reflects either gross incompetence or deliberate misrepresentation.
• Misquoted and misunderstood PoFA paragraphs while ignoring legal requirements of the KADOE contract and BPA Code, including the obligation to only pursue charges where lawful basis exists.
• Ignored clear statutory requirements around how liability may be transferred and continued to threaten the registered keeper despite lacking any lawful basis to do so.

Under UK GDPR, the DVLA remains the data controller responsible for ensuring that its data recipients continue to process personal data lawfully. Once an AOS operator breaches the PPSCoP, their continued use of DVLA data becomes unlawful. This complaint falls squarely within the DVLA’s responsibility, and cannot be dismissed as an “ATA matter” alone.

I am therefore requesting:

• A full investigation into Bridge Security Ltd’s conduct,
• A proper Step 2 response from the Head of Complaints that deals with the actual subject of the complaint (post-access data misuse),
• Confirmation that the misuse of DVLA data will be taken seriously and, where necessary, result in enforcement action, including possible suspension of KADOE access.

Please confirm a reference number for this escalation.

Name: [Your Name]
Date: [Today’s Date]