-
That’s a breach of the Private Parking Single Code of Practice (PPSCoP) and POPLA’s own requirements.
Under PPSCoP v1.1 (17 Feb 2025), Section 11.3 – Escalation of Charges, operators must not instruct a debt recovery agent while an appeal is still in progress. This includes the POPLA stage. Issuing a DRP letter dated 01/08/25 before POPLA has even ruled is a clear breach.
POPLA’s process also states that once an appeal code has been issued, the parking charge is placed on hold until POPLA has reached a decision. Any debt collection activity in this period is improper because it misleads the motorist into thinking the appeal is irrelevant and that further enforcement is inevitable.
I suggest you:• Send a formal complaint to the operator – reference the POPLA appeal number, the DRP letter, and cite PPSCoP 11.3. Demand written confirmation that the charge has been returned from DRP and all collection activity suspended until POPLA decides.
• Send a copy to POPLA – notify them that the operator is in breach of their obligations during the appeal process.
• Send a copy to the BPA – as the relevant Accredited Operator Scheme, with a complaint that the operator has failed to follow the PPSCoP and is undermining the appeals process. -
-
I have sent a complaint to CSPM and also sent details to POPLA. The BPA website says not to complain until all complaints with the operator are exhausted?
-
-
Doesn't hurt to notify them that you are making a complaint and detail it.
-
-
If the BPA fob you off back to the operator, then just complain again after the operator responds to your complaint.
-
-
Email response from CSPM:
"Thank you for your email. We note your comments. We can advise that the matter was passed over to Debt Recovery Plus prior to notification that you were appealing to POPLA. We have already recalled the notice back from DRP whilst the appeal is being reviewed by POPLA. The notice has been placed on hold pending determination of the POPLA appeal."
I'm minded to reply asking if they routinely submit notices to Debt collection prior to the expiry of all avenues of appeal?
The DRP notice proudly exclaims that 4 out of 5 people pay after the first letter! -
-
I suggest you respond to CPSM with the following:Quote
Subject: Formal Notice – Misuse of Personal Data and GDPR Breach
Dear CSPM,
I write further to your recent correspondence in which you admitted that my personal data was passed to Debt Recovery Plus before my POPLA appeal had been determined.
By disclosing my data to a third-party debt collector at a time when the charge was formally on hold, you have committed a serious breach of the UK GDPR and the Data Protection Act 2018.
There was no lawful purpose for this disclosure. Article 5(1)(a) UK GDPR requires lawfulness, fairness and transparency in all processing. Passing my data to DRP while appeal rights remained active fails all three.
Article 5(1)(c) UK GDPR requires that data be processed only to the extent necessary. At the appeal stage, no debt exists and no collection activity is permissible under the Private Parking Single Code of Practice (v1.1, 17 February 2025, Section 11.3). This renders your disclosure unlawful and unnecessary.
As a direct result, I received threatening and misleading debt letters which caused unnecessary distress and anxiety. Non-material damage of this type is explicitly recognised as compensable under Article 82 UK GDPR and Section 168 DPA 2018.
You are now formally on notice that:• You have breached your statutory data protection obligations by unlawfully sharing my data with a third party.
• I will rely upon the Data Protection Act 2018 in holding you accountable. I reserve all rights, including the right to issue proceedings for compensation for the distress and harm caused.
I require your immediate confirmation that:• My data has been recalled from DRP and permanently erased by them.
• No further unauthorised processing will take place.
• You have reviewed and corrected your internal processes to prevent this unlawful practice from recurring.
Unless I receive a satisfactory written response within 14 days, I will escalate this to the BPA and the Information Commissioner’s Office.
You should treat this as a serious complaint. Your misuse of my data will not be ignored, and any repetition will significantly aggravate the damages I will seek.
Yours faithfully,
[Keeper’s Name] -
-
I suggest you respond to CPSM with the following:
QuoteSubject: Formal Notice – Misuse of Personal Data and GDPR Breach
Dear CSPM,
I write further to your recent correspondence in which you admitted that my personal data was passed to Debt Recovery Plus before my POPLA appeal had been determined.
By disclosing my data to a third-party debt collector at a time when the charge was formally on hold, you have committed a serious breach of the UK GDPR and the Data Protection Act 2018.
There was no lawful purpose for this disclosure. Article 5(1)(a) UK GDPR requires lawfulness, fairness and transparency in all processing. Passing my data to DRP while appeal rights remained active fails all three.
Article 5(1)(c) UK GDPR requires that data be processed only to the extent necessary. At the appeal stage, no debt exists and no collection activity is permissible under the Private Parking Single Code of Practice (v1.1, 17 February 2025, Section 11.3). This renders your disclosure unlawful and unnecessary.
As a direct result, I received threatening and misleading debt letters which caused unnecessary distress and anxiety. Non-material damage of this type is explicitly recognised as compensable under Article 82 UK GDPR and Section 168 DPA 2018.
You are now formally on notice that:• You have breached your statutory data protection obligations by unlawfully sharing my data with a third party.
• I will rely upon the Data Protection Act 2018 in holding you accountable. I reserve all rights, including the right to issue proceedings for compensation for the distress and harm caused.
I require your immediate confirmation that:• My data has been recalled from DRP and permanently erased by them.
• No further unauthorised processing will take place.
• You have reviewed and corrected your internal processes to prevent this unlawful practice from recurring.
Unless I receive a satisfactory written response within 14 days, I will escalate this to the BPA and the Information Commissioner’s Office.
You should treat this as a serious complaint. Your misuse of my data will not be ignored, and any repetition will significantly aggravate the damages I will seek.
Yours faithfully,
[Keeper’s Name]
Does this apply fully, as the registered keeper is a company? -
-
Good question — the answer is... not fully. My bad.• UK GDPR & DPA 2018 protect personal data – i.e. data relating to an identified or identifiable natural person (“data subject”).
• A company (Ltd, LLP, etc.) is not a natural person, so strictly speaking a registered keeper that is a company cannot claim rights as a “data subject.”
Therefore, the company itself cannot claim compensation for “distress and anxiety” because those are harms recognised only for individuals. But the ICO can still investigate, because the operator has misused DVLA keeper data, and the DVLA supply chain is supposed to ensure compliance.
The ICO often gets involved when companies (e.g. fleet operators, leasing firms) have data processed improperly. If the company has named an individual (e.g. an employee, hirer, or director) and their details were passed on and used by the debt collector, that individual could potentially bring a distress claim.
So the practical position is:• The complaint to ICO and BPA still stands, because CSPM processed data beyond the limits of the KADOE contract and PPSCoP, which are enforceable regardless of whether the keeper is a company or individual.
• What falls away is the distress damages claim under Art 82 UK GDPR / s.168 DPA 2018, since a company doesn’t suffer personal distress. A company might instead argue financial loss or reputational harm if they wanted to go down the damages route (but that’s harder to evidence in a parking context).
If you want to throw the book at CSPM as a company keeper, the angle should be:• Breach of PPSCoP 11.3 (referral to debt collector while appeal live).
• Breach of the DVLA KADOE contract (data only to be used for pursuing PCNs in accordance with law and Code of Practice).
• Misuse of company data under UK GDPR — framed not as distress, but as unlawful disclosure and processing without lawful basis.
Here is a revised response that drops the “distress” argument (since a company cannot suffer it), hits them with GDPR, DPA 2018, PPSCoP, KADOE and puts them on clear notice that you’ll escalate to BPA and ICO:QuoteFormal Notice – Unlawful Disclosure of Keeper Data
Dear CSPM,
I refer to your recent admission that you disclosed the registered keeper’s data to Debt Recovery Plus (DRP) before my POPLA appeal had been determined.
This disclosure was wholly improper. At the time, the charge was on hold pending appeal. Passing keeper data to a third-party debt collector in these circumstances is a serious breach of your obligations under:• UK GDPR, Article 5(1)(a) and (c): Processing must be lawful, fair, transparent, and limited to what is necessary. • Disclosure to DRP at the appeal stage was neither lawful nor necessary.
• Data Protection Act 2018: You have processed the registered keeper’s data outside any lawful basis.
• Private Parking Single Code of Practice (v1.1, 17 February 2025, Section 11.3): This expressly prohibits escalation to debt recovery while appeal rights remain active.
• The DVLA KADOE Contract: Keeper data is provided strictly for the purpose of pursuing PCNs in compliance with the law and applicable Codes of Practice. Your conduct is a clear breach of those terms.
Your suggestion that this was done before you were “notified” of the POPLA appeal does not excuse the unlawful disclosure. You had no lawful basis to instruct DRP before the appeal process had been fully exhausted, nor to treat the keeper’s data as an asset to be passed around.
You are now formally on notice that:1. The registered keeper regards this as a breach of data protection law, PPSCoP, and the KADOE contract.
2. You are required to confirm within 14 days:• That the keeper’s data has been recalled from DRP and permanently erased by them.
• That no further unauthorised disclosures will occur.
• What steps you have taken to review and correct your internal processes to prevent recurrence.
3. Your response will be relied upon when this matter is escalated to the BPA and the Information Commissioner’s Office.
This is a serious complaint. Your misuse of keeper data will not be ignored, and any further breaches will aggravate the consequences you face with both your Accredited Operator Scheme and the ICO.
Yours faithfully,
[Company Name]
Registered Keeper -
-
The points around UK GDPR in the revised complaint are potentially a slight reach, for the reasons you already identified... If company data is not 'personal data', then UK GDPR doesn't place any obligations on CSPM in their handling of it. I wonder if a broader point might be better here, around a concern that this might be routine practice from CSPM, which would lead to breaches in the high number of cases where the keeper is a person.
-
-
I wonder if a broader point might be better here, around a concern that this might be routine practice from CSPM, which would lead to breaches in the high number of cases where the keeper is a person.
This was my thinking. That they 'automatically' hand over to DRP as a lever. -
-
Response from POPLA regarding the DRP letter:
Good morning,
Thank you for your email.
As the letter was sent before you set the appeal up on 2nd August at 19:12, POPLA would not contact the operator regarding this.
If you receive any letters after the date that you submitted the appeal, please get back in contact regarding this with a copy of the letter.
Kind regards,
*****
Appeal Assessor
-
-
POPLA operator response received.
POPLA operator response
A few things I've noted at First glance:
They have not mentioned POFA section 8 but instead say they are relying on 9(2) even though there NTK says it is issued under section 8.
There are pictures of signs which are not onsite and are not shown on the site plan.
The landowner contract was purportedly signed the day before the PCN was issued.
Despite their assertion that all their signage meets the required standards, the T&C's cannot be read in any of the photographs provided including the pictures not taken in the car park.
-
-
Use the following as your response to the operators evidence:Quote
The operator’s evidence contains multiple contradictions and procedural failures that undermine their claim.
First, the Notice to Keeper states it was issued under paragraph 8(2)(b) of Schedule 4 of the Protection of Freedoms Act 2012, which applies only if a Notice to Driver was issued. However, the operator’s evidence claims they are relying on paragraph 9, which applies when no Notice to Driver is served. These two provisions have different timeframes and requirements. The NtK was issued only 5 days after the alleged contravention, which is only valid under paragraph 9. By citing paragraph 8, the operator has invalidated their own legal basis for keeper liability.
Second, the signage photos provided do not show readable terms and conditions. Several images appear to be taken offsite or in locations not shown on the site plan. If the signs are not present where claimed or cannot be read, then no contract can be formed. The operator’s assertion that signage meets required standards is not supported by the evidence.
Third, the landowner agreement was signed the day before the PCN was issued. This raises serious doubts about whether the operator had lawful authority to issue PCNs on the date in question. There is no evidence that enforcement infrastructure was properly in place or that the contract was active and valid at the time of the alleged contravention.
Finally, the entrance signage fails to comply with the requirements of Section 3.4 of the Private Parking Code of Practice. If new restrictions were introduced, the operator was required to use temporary signage and prominent notices for at least four months. There is no indication that any such measures were taken.
In summary, the operator’s evidence is internally inconsistent, procedurally flawed, and fails to demonstrate compliance with POFA, BPA, and signage standards. Keeper liability cannot be established, and no enforceable contract was formed. -
-
Further response from CSPM
"Dear Mr *****,
Thank you for your email of 21 August 2025.
We confirm that the case relating to PCN """""" has been recalled from Debt Recovery Plus, and all collection activity has ceased. The notice is on hold pending the outcome of your POPLA appeal.
To clarify, the referral to DRP was actioned before we were notified that an appeal had been lodged with POPLA. Once notification was received, immediate steps were taken to withdraw the case and place it on hold. While this was an administrative timing issue, and not a deliberate or unlawful disclosure, we have nevertheless reviewed our procedures to ensure that no further referrals are made until appeal processes are fully exhausted.
For completeness:
DRP have been instructed to permanently remove your details from their systems.
No further disclosures will take place in relation to this matter.
Internal checks have been strengthened to prevent recurrence.
We trust this provides the necessary assurances and draws the matter to a close pending POPLA's determination.
Yours faithfully,
******
For CSPM" -
-
Respond to that email from CPSM with the following (also CC in yourself):Quote
Subject: Data protection complaint – request for evidence and Article 19 confirmations
Dear [Name],
Thank you for your email of 21 August 2025.
I acknowledge that you have recalled the matter from Debt Recovery Plus (DRP), placed the notice on hold pending POPLA, and say you have strengthened internal checks. For the avoidance of doubt, this remains a formal data protection complaint. Characterising the disclosure as an “administrative timing issue” does not cure the underlying unlawfulness where my personal data was disclosed for debt collection while appeal rights were active.
Please provide, by 9 September 2025, the following:1. Audit trail (with timestamps):a) Date/time my POPLA appeal was lodged;
b) Date/time CSPM issued/recorded the POPLA code;
c) Date/time CSPM first referred my data to DRP;
d) Date/time CSPM received POPLA notification;
e) Date/time CSPM instructed DRP to cease activity and erase data;
f) Date/time DRP confirmed cessation and erasure.
2. Article 19 UK GDPR notifications: Written confirmation (copies) that DRP has erased my data and ceased all processing, and that DRP has been instructed not to re-acquire it.
3. Lawful basis: The Article 6(1) lawful basis CSPM relied upon for disclosure to DRP while appeal rights were extant, together with your Legitimate Interests Assessment (if you rely on Article 6(1)(f)) and any relevant DPIA/ROPA entries covering third-party debt collection referrals.
4. Recipients: Confirmation of every third party (if any) beyond DRP to whom my data was disclosed in this matter.
5. Controls: A short description of the specific procedural change(s) implemented to prevent a recurrence (e.g. system holds, API checks, queue logic).
For clarity: I do not accept that this complaint is “closed”. I reserve all rights, including the right to seek compensation for distress pursuant to Article 82 UK GDPR and section 168 DPA 2018. If the above is not provided in full by 9 September 2025, I will escalate to the ICO and raise a standards complaint with the BPA.
Yours faithfully,
[Keeper’s name]
[Address]
[VRM / PCN ref.] -
Agree x 1
View List
Agree x 1
View List