Good question — the answer is... not fully. My bad.
• UK GDPR & DPA 2018 protect personal data – i.e. data relating to an identified or identifiable natural person (“data subject”).
• A company (Ltd, LLP, etc.) is not a natural person, so strictly speaking a registered keeper that is a company cannot claim rights as a “data subject.”
Therefore, the company itself cannot claim compensation for “distress and anxiety” because those are harms recognised only for individuals. But the ICO can still investigate, because the operator has misused DVLA keeper data, and the DVLA supply chain is supposed to ensure compliance.
The ICO often gets involved when companies (e.g. fleet operators, leasing firms) have data processed improperly. If the company has named an individual (e.g. an employee, hirer, or director) and their details were passed on and used by the debt collector, that individual could potentially bring a distress claim.
So the practical position is:
• The complaint to ICO and BPA still stands, because CSPM processed data beyond the limits of the KADOE contract and PPSCoP, which are enforceable regardless of whether the keeper is a company or individual.
• What falls away is the distress damages claim under Art 82 UK GDPR / s.168 DPA 2018, since a company doesn’t suffer personal distress. A company might instead argue financial loss or reputational harm if they wanted to go down the damages route (but that’s harder to evidence in a parking context).
If you want to throw the book at CSPM as a company keeper, the angle should be:
• Breach of PPSCoP 11.3 (referral to debt collector while appeal live).
• Breach of the DVLA KADOE contract (data only to be used for pursuing PCNs in accordance with law and Code of Practice).
• Misuse of company data under UK GDPR — framed not as distress, but as unlawful disclosure and processing without lawful basis.
Here is a revised response that drops the “distress” argument (since a company cannot suffer it), hits them with GDPR, DPA 2018, PPSCoP, KADOE and puts them on clear notice that you’ll escalate to BPA and ICO:
Formal Notice – Unlawful Disclosure of Keeper Data
Dear CSPM,
I refer to your recent admission that you disclosed the registered keeper’s data to Debt Recovery Plus (DRP) before my POPLA appeal had been determined.
This disclosure was wholly improper. At the time, the charge was on hold pending appeal. Passing keeper data to a third-party debt collector in these circumstances is a serious breach of your obligations under:
• UK GDPR, Article 5(1)(a) and (c): Processing must be lawful, fair, transparent, and limited to what is necessary. • Disclosure to DRP at the appeal stage was neither lawful nor necessary.
• Data Protection Act 2018: You have processed the registered keeper’s data outside any lawful basis.
• Private Parking Single Code of Practice (v1.1, 17 February 2025, Section 11.3): This expressly prohibits escalation to debt recovery while appeal rights remain active.
• The DVLA KADOE Contract: Keeper data is provided strictly for the purpose of pursuing PCNs in compliance with the law and applicable Codes of Practice. Your conduct is a clear breach of those terms.
Your suggestion that this was done before you were “notified” of the POPLA appeal does not excuse the unlawful disclosure. You had no lawful basis to instruct DRP before the appeal process had been fully exhausted, nor to treat the keeper’s data as an asset to be passed around.
You are now formally on notice that:
1. The registered keeper regards this as a breach of data protection law, PPSCoP, and the KADOE contract.
2. You are required to confirm within 14 days:
• That the keeper’s data has been recalled from DRP and permanently erased by them.
• That no further unauthorised disclosures will occur.
• What steps you have taken to review and correct your internal processes to prevent recurrence.
3. Your response will be relied upon when this matter is escalated to the
BPA and the
Information Commissioner’s Office.
This is a serious complaint. Your misuse of keeper data will not be ignored, and any further breaches will aggravate the consequences you face with both your Accredited Operator Scheme and the ICO.
Yours faithfully,
[Company Name]
Registered Keeper
