Should I submit my response through their online portal instead, or is it safe to disregard the automated message?
You simply respond to that email (reply) and add the following paragraph before the response to their LoC:
On [date] I sent an Article 15 subject access request to help@moorsidelegal.co.uk using the exact subject line specified in Moorside Legal’s own privacy notice, ‘Data Subject Rights – [My Name]’. Within minutes I received a stock email stating ‘this mailbox is not monitored’ and directing me to their portal. This shows that the only published DPO/contact email is configured to auto-reply that it is ‘not monitored’, and that consumers attempting to use the route specified in the privacy notice are immediately told it is not available.
In addition to that, send the following email:
Subject: Formal Notice – Breach of Transparency Obligations and Imminent Escalation to ICO, SRA and CMA
To: help@moorsidelegal.co.uk; dpo@apn.co.uk
Cc: enquiries@apn.co.uk; [your own email address]
Dear Data Protection Officer,
This notice is issued to you in your statutory capacity under the UK GDPR and the Data Protection Act 2018, in relation to Moorside Legal Services Limited and the wider APN Group.
Moorside Legal’s own Privacy Notice states that any data subject wishing to exercise their rights or contact the DPO should email help@moorsidelegal.co.uk (subject heading: “Data Subject Rights – Your Name”) or write to the postal DPO address. Help@moorsidelegal.co.uk is the only email address Moorside Legal publishes for contact and it is expressly described as the DPO contact route.
Relying on that representation, a substantive response to a Moorside Legal Letter of Claim was sent to help@moorsidelegal.co.uk. That email contained personal data and clearly engaged data subject rights and pre-action obligations.
In reply, instead of engaging with the substance of the correspondence, Moorside Legal sent a boilerplate “fob-off” email stating that the mailbox is “not monitored” and attempting to force use of an online portal. This was not an automated server bounce: it was a standard template that an individual chose to send after accessing the original message. In other words, a member of your staff is monitoring incoming messages to the very address advertised as the DPO contact, reading those messages, and then sending a stock response asserting that the mailbox is “not monitored” and that the only acceptable communication route is your portal.
That is not a technical quirk; it is a deliberate policy choice designed to frustrate both data subject rights and responses to Letters of Claim.
From a technical standpoint, the position is clear. I have checked the configuration of your domain moorsidelegal.co.uk and obtained the following information:
Summary of findings
- Email addresses tested: help@moorsidelegal.co.uk; litigation@moorsidelegal.co.uk
- Status: both accepted; domain reported as catch-all
- SMTP provider: Barracuda Networks
- MX record: d238565.a.ess.uk.barracudanetworks.com
- Domain age: more than 800 days (a stable corporate domain, not newly registered)
A catch-all configuration on a Barracuda-hosted system means your server is set to accept mail for any address at moorsidelegal.co.uk and return a standard “250 OK” SMTP response, even if the individual mailbox name is not specifically configured, in order to mask mailbox validity. The tests show that both help@ and litigation@ are accepted in this way.
That behaviour may frustrate external probing of which individual mailboxes exist, but it does not alter the core legal and technical fact that once your server has accepted an email at SMTP level with a 2xx OK success code and no bounce is generated, delivery (service) into your system is complete.
What you choose to do internally with that message – including routing it to staff who then send a boilerplate “this mailbox is not monitored, use the portal” reply – does not change the reality that:
– You are in possession of the personal data.
– You are the controller responsible for handling it lawfully, fairly and transparently.
– You must not hold out help@moorsidelegal.co.uk as the DPO and data subject contact address in your Privacy Notice while instructing staff to fob people off with a knowingly misleading “not monitored” line and forcing them into a payment portal.
When you put that together:
1. Your Privacy Notice explicitly designates help@moorsidelegal.co.uk as the DPO contact for exercising rights and as your contact email generally.
2. Emails sent to that address are in fact accepted by your server, read by staff, and then met with a mendacious template claiming the mailbox is “not monitored” and that all communication must be via your portal.
Both positions cannot simultaneously be true in a way that complies with your legal obligations. Either:
– The mailbox is monitored and the “not monitored” claim is knowingly false, used to deter and obstruct data subjects and defendants from asserting their rights by email; or
– It is not monitored for DPO purposes, in which case your Privacy Notice is materially inaccurate and misleading because it advertises a non-functional route for exercising rights and contacting you.
In both scenarios, your current practice appears incompatible with:
– Article 5(1)(a) UK GDPR (lawfulness, fairness and transparency).
– Article 12 UK GDPR (duty to facilitate the exercise of data subject rights and avoid undue obstacles).
– Articles 13, 14 and 37(7) UK GDPR (duty to provide accurate, functional contact details for the controller and, where appointed, the DPO, and to enable data subjects to contact the DPO easily and directly).
It is particularly serious that you are using this “mailbox not monitored, use the portal” template specifically in response to reasoned pre-action correspondence, where the Civil Procedure Rules and the Pre-Action Protocol for Debt Claims require meaningful engagement. Attempting to channel defendants into a payment portal while pretending that your published DPO/contact address is effectively dead is plainly calculated to frustrate both procedural fairness and statutory data protection rights.
Moorside Legal’s Privacy Notice states that Moorside Legal Services Limited “is part of the APN Group”. APN Group’s own privacy policy designates dpo@apn.co.uk as the group DPO contact. The APN Group DPO is therefore now expressly on notice that a group entity is operating a sham DPO/contact email route and using a stock “mailbox not monitored, use the portal” script in circumstances where the underlying mailbox is clearly active and handled by staff.
For the avoidance of doubt:
– Emails to help@moorsidelegal.co.uk are being accepted by your Barracuda-hosted server and are not bouncing.
– At least one such email has been opened and acted upon by staff, who chose to send the “mailbox not monitored, use the portal” template rather than deal with the content as a DPO/contact request and as pre-action correspondence.
– In those circumstances, any denial of receipt or attempt to treat emails to help@moorsidelegal.co.uk as “not valid” communications will be treated as bad-faith conduct.
You are therefore put on formal notice that:
– The burden of delivery is satisfied once your server has accepted an email at SMTP level with a 2xx “OK” status and no bounce. You cannot evade receipt by labelling the mailbox “
not monitored” after staff have already accessed the message and responded with a template.
– Continuing to publish
help@moorsidelegal.co.uk as the DPO/contact address while staff send “
not monitored, use the portal” replies is inherently misleading and obstructive of data subject rights and defendants’ rights.
In addition to the data protection issues, these practices will be drawn to the attention of the Competition and Markets Authority (CMA) under the Digital Markets, Competition and Consumers Act 2024 (DMCC), specifically the unfair commercial practices regime in Part 4, Chapter 1 and the banned practices set out in Schedule 20. In outline:
– You are engaging in misleading actions and omissions in relation to published contact channels and access to redress.
– You are failing to meet the requirements of professional diligence within the meaning of section 229 DMCC by maintaining a non-functional or deliberately frustrated DPO/contact route and channelling consumers exclusively into a payment-focused portal when they dispute liability.
If the CMA finds against you, consequences can include:
– Compliance directions and enforcement orders requiring changes to your practices.
– Monetary penalties of up to the higher of £300,000 or 10% of global turnover.
– Further regulatory action if systemic bad-faith conduct is identified.
I am simultaneously lodging formal complaints to:
– The Information Commissioner’s Office (ICO), for failure to meet the transparency and facilitation requirements of UK GDPR in relation to data subject communications and objections to processing; and
– The Solicitors Regulation Authority (SRA), in relation to Moorside Legal Services Limited, for operating sham contact routes and frustrating written engagement in the context of pre-action debt claims, in a way that undermines access to redress and public confidence in the profession.
I therefore require the following, in writing, within one calendar month:
1. A clear statement whether help@moorsidelegal.co.uk is monitored for DPO and data subject communications. If it is monitored, you must confirm that the “mailbox not monitored, use the portal” template will be withdrawn immediately and that all future emails sent in reliance on your Privacy Notice will be treated as valid data subject and pre-action communications. If it is not monitored, you must confirm that your Privacy Notice will be corrected immediately and that a functional DPO email address will be published and properly monitored.
2. Confirmation that the specific email sent in response to your Letter of Claim (to help@moorsidelegal.co.uk) has been retrieved, placed on the relevant file, and is being treated both as a valid data subject communication (including an objection to processing and request for restriction) and as formal pre-action correspondence under the Pre-Action Protocol for Debt Claims.
3. Details of the concrete steps you will take, and deadlines for implementation, to ensure that all published DPO and contact addresses (including those in Moorside and APN privacy notices) are truthful, functional, properly monitored, and not undermined by staff being instructed to send “not monitored, use the portal” responses.
You are fully responsible for the configuration and operation of your email systems and for ensuring that your published privacy information is accurate and not misleading. This letter puts both Moorside Legal and APN Group on explicit notice that the current arrangements are being treated as deliberate obstruction and misrepresentation and that the regulators are being asked to investigate and, where appropriate, sanction that conduct.
Yours faithfully,
[Your Name]
[Your address]
[Relevant references: PCN/Moorside ref]
Here are the three complaint templates you can use in parallel (ICO, SRA, CMA).
ICO complaint template (email/text to paste into ICO form). You’ll usually use the ICO’s online form, but this is the narrative you can paste in:
Subject: Complaint against Moorside Legal Services Ltd – Non-functional DPO email and obstruction of data subject rights
I wish to complain about the handling of personal data and data subject communications by:
Moorside Legal Services Limited
Part of the APN Group
Email as published in their privacy notice: help@moorsidelegal.co.uk
Moorside Legal’s Privacy Notice states that any data subject wishing to exercise their rights or contact the DPO should email help@moorsidelegal.co.uk (with the subject “Data Subject Rights – Your Name”) or write to a given postal address. help@moorsidelegal.co.uk is the only published email address.
Relying on that notice, I have sent a detailed response to a Letter of Claim to help@moorsidelegal.co.uk. Those emails contain personal data and clearly engage data subject rights (objection to processing, restriction, rectification) and pre-action obligations.
The firm replied not with a substantive answer, but with a boilerplate “fob-off” email stating that the mailbox is “not monitored” and that all contact must instead go through their online portal, which is presented as a payment/“customer” portal. This reply was not an automated bounce. It was a standard template that a staff member chose to send after accessing the original email.
I have also tested the technical configuration of their domain, moorsidelegal.co.uk. Both help@moorsidelegal.co.uk and litigation@moorsidelegal.co.uk are accepted by their Barracuda-hosted catch-all mail server (MX: d238565.a.ess.uk.barracudanetworks.com). The server returns a normal "250 OK" SMTP response and no bounce is generated. That means the emails are being delivered into Moorside Legal’s system, and at least a subset of them is being read by staff.
In practice, this means:
• Moorside publish help@moorsidelegal.co.uk as the DPO/contact email in their privacy notice.
• Emails sent to that address are accepted and read.
• Staff then send a template claiming the mailbox is “not monitored” and instructing individuals to use a payment portal instead.
Either the mailbox is monitored, in which case the “not monitored” wording is knowingly false and deters people from using their rights by email, or it is not properly monitored, in which case the privacy notice is materially inaccurate and misleading.
In my view this breaches:
• Article 5(1)(a) UK GDPR – lack of fairness and transparency.
• Article 12 UK GDPR – failure to facilitate the exercise of data subject rights and placing undue obstacles in the way.
• Articles 13, 14 and 37(7) UK GDPR – inaccurate and non-functional DPO/contact details, and failure to ensure the DPO can be contacted easily and directly.
It is particularly concerning that this behaviour occurs in the context of debt collection and pre-action letters before claim, where individuals are already under pressure and need a clear route to assert their rights and correct their data.
What I am asking the ICO to do:
• Investigate whether Moorside Legal and APN Group are complying with Articles 5, 12, 13, 14 and 37–39 UK GDPR in relation to the
help@moorsidelegal.co.uk address and their handling of data subject communications.
• Require them to either:
– make help@moorsidelegal.co.uk a genuinely monitored DPO/contact address and stop sending “not monitored, use the portal” replies; or
– amend their privacy notice and publish a functional DPO email address that is properly monitored.
• Require them to treat emails already sent to
help@moorsidelegal.co.uk as valid data subject communications and pre-action correspondence and to confirm this to affected individuals.
I attach:
• A copy of their privacy notice extract showing help@moorsidelegal.co.uk as the DPO/contact email.
• A copy of my original email to that address.
• The boilerplate “mailbox not monitored, use the portal” response.
SRA complaint template (Moorside’s conduct as a firm). Email to report@sra.org.uk and CC yourself:
Subject: Complaint about Moorside Legal Services Ltd – Obstructive contact practices and misuse of “not monitored” email in debt claims
I wish to complain about the conduct of:
Moorside Legal Services Limited
SRA number: 8006077
Moorside Legal act as solicitors in bulk debt recovery/parking charge litigation. Their Privacy Notice states that data subjects and clients should contact their Data Protection Officer via help@moorsidelegal.co.uk. This is also the only email address they publish for contact.
When a consumer/defendant replies by email to a Letter Before Claim (e.g. to set out a defence, raise issues under the Pre-Action Protocol for Debt Claims, or exercise data rights), Moorside Legal do not engage with the contents. Instead, after a delay, they send a boilerplate response stating that the mailbox is “not monitored” and instructing the individual to use their online portal or telephone number. This is not an automatic server reply; it is a template a member of staff sends after reading the email.
Technical checks show that their Barracuda mail server accepts emails to help@moorsidelegal.co.uk and litigation@moorsidelegal.co.uk with a normal "250 OK" response and no bounce. At least some emails are clearly being read, because staff then send the “not monitored, use the portal” template in response.
The effect is that:
• A published email route for serious pre-action correspondence is, in practice, converted into a dead-end.
• Defendants who try to comply with the Pre-Action Protocol in writing are fobbed off and pushed into a payment portal instead.
• The public-facing privacy notice and “contact us” information are inconsistent with the reality of how the firm actually handles incoming emails.
In my view, this undermines:
• The proper administration of justice and compliance with the Civil Procedure Rules and Pre-Action Protocol for Debt Claims.
• Public trust and confidence in the solicitors’ profession, because a regulated firm is using a sham contact route and a standard script to frustrate written engagement.
• Basic standards of honesty and integrity – either the email address is monitored and the “not monitored” claim is untrue, or the privacy notice is materially misleading.
I ask the SRA to consider whether Moorside Legal’s conduct is compatible with the SRA Principles and Codes of Conduct, in particular the duties:
• To act in a way that upholds public trust and confidence in the solicitors’ profession.
• To act with honesty and integrity.
• To behave in a way that maintains the trust the public places in solicitors when handling disputes and pre-action correspondence.
I attach:
• Moorside’s privacy notice extract showing help@moorsidelegal.co.uk as the DPO/contact email.
• A copy of a reasoned email response to a Letter Before Claim sent to that address.
• Moorside’s “this mailbox is not monitored, use the portal” reply.
CMA/Trading Standards complaint template (DMCC 2024) which you email to general.enquiries@cma.gov.uk and CC yourself:
Subject: Complaint about Moorside Legal Services Ltd – Unfair commercial practice under DMCC 2024 (obstructed contact channels and sham DPO email)
I wish to report a business-to-consumer practice which I believe breaches the unfair commercial practices provisions in Chapter 1 of Part 4 of the Digital Markets, Competition and Consumers Act 2024 (DMCC).
Trader: Moorside Legal Services Limited (part of APN Group)
Sector: Legal services / debt recovery / private parking claims
Moorside Legal pursue private individuals for alleged parking charges and send Letters Before Claim. Their Privacy Notice tells consumers and data subjects to contact their Data Protection Officer at help@moorsidelegal.co.uk – this is also their only published email address.
When a consumer replies to a Letter Before Claim by email to that address (for example, to dispute the debt, challenge the claim or correct their data), Moorside Legal do not deal with the contents. Instead they send a standard “this mailbox is not monitored – please use our portal” response and attempt to divert the consumer into a payment-oriented online portal.
This response is not an automated server bounce. It is a boilerplate email sent by staff after reading the original message. Technical checks on their Barracuda-hosted mail server show that emails to help@moorsidelegal.co.uk and litigation@moorsidelegal.co.uk are accepted with a "250 OK" SMTP status and no bounce, so messages are reaching their system and being processed.
In practice, this means:
• Moorside Legal advertise an email address as the route to contact them and their DPO, but then treat written correspondence sent to that address as if it were invalid.
• They use a template to claim the mailbox is “not monitored” and funnel consumers into a portal that is clearly designed around payment rather than dispute resolution.
• Consumers trying to exercise statutory rights or respond properly to a Letter Before Claim are obstructed and channelled towards paying instead of being allowed to use a clear written route.
I believe this behaviour falls within the unfair commercial practices regime because:
• It is at least a contravention of the requirements of professional diligence under section 229 DMCC – falling short of the standard of skill and care reasonably expected of a trader dealing with consumers in a debt-claim context, and not commensurate with honest market practice or the general principle of good faith.
• It may also amount to misleading actions or omissions, because the published contact details suggest consumers can use email to exercise their rights and engage with the trader, whereas in reality those emails are dismissed and they are pushed into a portal.
• It is likely to cause the average consumer to make a transactional decision they would not otherwise have made – in particular, to use the portal in the belief that it is the only valid channel, to prioritise payment over dispute, or to abandon attempts to challenge the claim because the advertised contact route proves to be a sham.
I ask that this practice be investigated as a potential unfair commercial practice under the DMCC 2024, with a view to:
• Requiring Moorside Legal to provide functional, monitored contact details that match their privacy notices and letters.
• Preventing them from using a “mailbox not monitored, use the portal” script in response to legitimate dispute correspondence.
• Considering enforcement measures and penalties if systemic unfair practices are established.
I attach:
• Screenshots/extracts from Moorside Legal’s privacy notice (help@moorsidelegal.co.uk as DPO/contact email).
• Copy of a Letter Before Claim.
• Copy of an email response sent to help@moorsidelegal.co.uk.
• Moorside’s “mailbox not monitored, use the portal” reply.
Use this image as the evidence of their Data Protection email address from their Privacy Notice:
