Topic: Parking charge notice, 20-28 Cotland's Road, Bournemouth countrywide parking: Failure to pay, 25 min

Of course you chase them for ALL data they have that references you or your vehicle/address.
“Never argue with stupid people. They will drag you down to their level and then beat you with experience” - Mark Twain

Okay understood thank you for clarification regarding the time and date requirement which they omitted.

Should I also maintain they “did not include BW Legal as a recipient in their SAR output”? (They did include them in their email which had the SAR output attached, but NOT in the attachment itself).

Sorry for my questions on this I just want to make sure I get it right and they can't come back to me later on and say that I was wrong or misleading.

Thank you.

Yes. They're legally obliged to provide you with ANY records that contain your personal information or VRN.

Ok thank you, sent. Shall return after 7 days/ if they respond before then.


Good evening,

It’s now been over 7 days since I sent the letter to CPM without response. Should I now escalate in the form of sending a complaint to the ICO as you suggested?

Thanks


Ok will get on with that thank you. Is there anything specific, other than what you’ve already mentioned I should include in the complaint? I.e. they are in breach of the various articles and took too long to inform me of their data breach?

Yes—add these specifics so the ICO has everything they need and can see the scale of non-compliance.

What to include:

Exact chronology (with dates):
• Alleged contravention: 23/12/2024
• SAR made: 28/08/2025
• Breach occurred: 28/08/2025 (identified 29/08/2025)
• “Breach letter” dated: 29/08/2025 (but not delivered to you)
• Operator’s first notification to you: 13/10/2025
• Note: that’s ~45 days to notify the data subject.

Breach notification timing checks:
• Ask ICO to verify whether CPM notified the ICO within 72 hours of awareness (UK GDPR Art. 33). Require CPM’s ICO reference number and submission date/time.
• They failed to notify you “without undue delay” (UK GDPR Art. 34). Quantify the delay and point out you only learned of it after you challenged their SAR.

Breach notification content gaps (Art. 34(2)):
• Did not promptly provide: nature of breach, likely consequences/risks, measures taken/proposed, steps you should take, and clear DPO contact.
• Their “letter” was not actually served to you (neither to your current address nor electronically), despite them successfully sending other letters to your current address.

Security & governance failures:
• Failure to ensure appropriate technical/organisational measures (UK GDPR Art. 5(1)(f) and Art. 32).
• The breach occurred during a SAR—a high-risk process—suggesting inadequate checking/authorisation workflows.

Incomplete/incorrect SAR (Arts. 12 & 15):
• Omitted BW Legal from the recipient list (Art. 15(1)(c)).
• Withheld/failed to supply personal data you specifically requested (ANPR event log for your VRM; RingGo/VRM back-office references; internal notes; portal/audit logs; DVLA KADOE request/response; any address-verification records).
• Provided a blanket assertion of “lawful deletion” without retention schedule or deletion logs.

Data accuracy concern (Art. 5(1)(d)):
• Final Notice dated 12/05/2025 was sent to your old address despite your DVLA updates being effective well before that date. Ask ICO to examine their address-accuracy process before escalation/third-party sharing.

Harm & risk:
• Distress, anxiety, and risk of misuse due to disclosure of full name, address, phone, email to an unauthorised individual.
• Extra time and cost spent chasing a compliant SAR and correcting their record.
• Ongoing litigation risk worsened by inaccurate processing and late breach notification.

Evidence list (attach):
• CPM email (13/10/2025) + attached “breach letter” dated 29/08/2025.
• Original SAR request (28/08/2025) and CPM’s SAR bundle omitting BW Legal.
• Your follow-up demanding recipients (explicitly naming BW Legal).
• BW Legal letters to your current address (proving they had the correct address).
• Proof of DVLA update timing.
• RingGo receipts/screenshots.
• Any CPM statements about “lawful deletion” and retention (to highlight gaps).

What you want the ICO to do (remedies):
• Require CPM to deliver a complete, compliant SAR (including full recipient/disclosure log and the missing personal data).
• Assess Art. 33/34 compliance (timeliness and content); if late/inadequate, require remedial action.
• Require CPM to implement enhanced SAR handling controls (dual-check before disclosure, audited recipient confirmation, staff retraining) and to evidence those measures to you/ICO.
• Record enforcement as appropriate; consider a formal reprimand.
• (Optional) Note you reserve rights to compensation under Art. 82 UK GDPR and s.168 DPA 2018 for distress.

Here's a draft you could use:

Quote
Subject: Complaint re Countrywide Parking Management Ltd – Late breach notification, incomplete SAR, and data accuracy failures

Dear ICO,

I wish to lodge a complaint against Countrywide Parking Management Ltd (CPM) for multiple breaches of the UK GDPR and the Data Protection Act 2018 in relation to Parking Charge Notice [PCN reference] concerning vehicle [VRM].

Chronology (all dates 2024/2025)
• Alleged contravention: 23/12/2024
• SAR submitted to CPM: 28/08/2025
• Personal data breach occurred: 28/08/2025 (identified by CPM: 29/08/2025)
• CPM “breach letter” dated: 29/08/2025 (not received by me)
• CPM first notified me of the breach: 13/10/2025 (via email)
• CPM’s SAR output omitted BW Legal as a recipient, despite ongoing BW Legal correspondence to my current address.

Issues and legal basis

1. Late and inadequate breach notification (Arts. 34 and 33)
• CPM disclosed my full name, postal address, phone number and email to an unauthorised individual during the SAR process on 28/08/2025, identified 29/08/2025.
• I was not notified until 13/10/2025 (circa 45 days later), which is not “without undue delay” (Art. 34).
• Please verify whether CPM notified the ICO within 72 hours of awareness (Art. 33) and obtain their ICO reference and submission date/time.

2. Security and governance failures (Art. 5(1)(f) and Art. 32)
• The breach occurred during a high-risk process (SAR disclosure), indicating inadequate technical/organisational measures and quality controls.

3. Incomplete/incorrect SAR (Arts. 12 and 15)
• CPM’s SAR response omitted BW Legal from the recipient list (Art. 15(1)(c)) though CPM and BW Legal were actively processing my data.
• CPM failed to provide personal data I requested that clearly relates to me/this PCN:
– ANPR event log for my VRM (reads/timestamps/camera IDs/retention entries)
– RingGo/payment back-office records referencing my VRM/PCN (matching/mismatch notes)
– Internal notes; portal/web-form audit entries; decision records
– DVLA KADOE request/response for this PCN (single request date/time, address returned)
– Any address-verification records referring to me before a Final Notice and before instructing solicitors
• CPM asserted “lawful deletion” but did not supply the applicable retention schedule or deletion logs.

4. Data accuracy and reasonable steps (Art. 5(1)(d))
• A Final Notice dated 12/05/2025 was sent to my former address despite my DVLA updates being effective weeks earlier. By contrast, BW Legal letters have reached my current address. This suggests CPM failed to take reasonable steps to ensure accuracy before escalation and sharing with third parties.

Harm and risk
• Disclosure of my name, address, phone and email to an unauthorised individual caused distress and risk of misuse.
• Additional time and expense incurred to obtain a compliant SAR and correct CPM’s record while facing parallel pre-action correspondence.

What I ask the ICO to do
• Require CPM to provide a complete and accurate SAR response, including a full recipient/disclosure log (identifying BW Legal and the unauthorised recipient with dates, purposes and lawful bases) and the missing personal data listed above, or a specific, justified exemption for each withheld item.
• Assess CPM’s compliance with Arts. 33 and 34 (timeliness and content of notifications) and with Arts. 5(1)(f)/32 (security controls), and require remedial action.
• Require CPM to implement enhanced SAR handling controls (dual checks before disclosure, supervised sign-off, audited recipient confirmation, staff training) and to evidence those measures.
• Record appropriate enforcement.
• Note that I reserve my rights to compensation under Art. 82 UK GDPR and s.168 DPA 2018 for distress.

Attachments (evidence)
• CPM email to me dated 13/10/2025 and attached “breach letter” dated 29/08/2025
• My SAR (28/08/2025) and CPM’s SAR bundle omitting BW Legal as a recipient
• My follow-up correspondence requesting a complete recipient log (explicitly naming BW Legal)
• BW Legal letters to my current address (showing correct address in use)
• Proof of DVLA update timing
• RingGo receipts/screenshots
• CPM statements asserting “lawful deletion” and “full disclosure”

My details
Name: [Full name]
Address: [Current postal address]
Email: [Email]
Phone: [Phone]
Controller: Countrywide Parking Management Ltd (DPO: [if known])
Third parties: BW Legal; Trace Debt Recovery; [unknown unauthorised recipient]

Yours faithfully,

[Full name]

Thank you for your ongoing support with this case. I have submitted the ICO complaint along with the evidence you suggested. I know that it must consume a significant amount of your time to compile responses to each of the cases that come across your table and to provide the in depth support that you do. I can only extend my sincere and continued thanks regarding the support, hard work and guidance that you have provided to help continue the fight.

There seems to be a bit of a communications blackout with BW Legal and CPM from any contact coming to me. Do you reckon I should chase them up or take it as a good sign that they must be scratching their puny heads for now?

Thank you.

You'll never hear from CPM again once it has been handed over to BW Legal. They are your only point of contact from now on.

If you've had any initial response to anything you've sent them, then just wait for them to get back if the ball is currently in their court.

Good evening,

I received 2 responses from BW Legal, one via email and one via letter in the post, the former relates to the data breach I was subjected to, the latter essentially just re-states the parking charge with the original "evidence".

I also received a response from CPM asserting that they are satisfied that they have submitted all their SAR obligations and also that I firstly stated an address change on 27/09/2025. They have also included an attachment from the ICO relating to the risk to my personal data.

I have included below the attachments mentioned above for reference.

(On the image platform "imgbb", in each album when viewing images please select "AZ" to arrange in the correct order as were sent to me).

Thanks in Advance.


BW Legal email date 4th December referring to data breach
https://ibb.co/album/dJjwMx


BW Legal physical letter 14th November 2025 re-stating the original parking charge
https://ibb.co/album/BLSLcP


CPM Attachments to incomplete SAR email
https://ibb.co/album/9HWYvG


CPM Response to incomplete SAR Challenge
https://ibb.co/album/42wMtW

You now have three leverage pillars. First, CPM’s own Zendesk SAR record names BW Legal as a recipient. Their earlier SAR bundle failed to list BW Legal. That is clear non-compliance with Articles 12 and 15 and directly undercuts their “we’ve disclosed everything” line.

Second, the Unity5 hybrid mail certificate proves they submitted for posting the breach letter on 29/08/2025 to your old address even though they already had your email from 28/08/2025. That makes their “notification” neither without undue delay nor effective for Article 34.

Third, their paperwork contradicts itself: the breach letter claims they reported the breach “in line with obligations”, while the attached ICO self-assessment says there was no need to notify the ICO. Force them to either provide the ICO report reference and submission timestamp or to admit they did not notify.

BW Legal’s refusal to provide RingGo integration and reconciliation is a red herring. You asked for those under the Pre-Action Protocol to narrow the issues, not under a SAR. Keep pressing that those materials go to the heart of your wrong-site payment case: app-only payment was mandated, the app’s map surfaced only “Cotlands Road”, and the correct code 819627 was mis-geolocated. Those documents are plainly relevant pre-action.

The Unity5 “hybrid mail” certificate is significant because it proves CPM submitted for posting the breach letter to the wrong address on the day after the breach. It shows they chose a slow, unreliable channel to an address they should have verified, despite having your email. That supports late and ineffective breach notification and a data-accuracy failure when read alongside your DVLA update timing. It also helps on conduct and costs if they litigate.

Your litigation posture remains strong. The merits are system design and consumer law: the mandated app workflow and mapping made the correct site unfindable and misdirected, so any “use this exact code” term was not transparent or prominent. That engages CRA 2015 transparency and prominence and the Digital Markets, Competition and Consumers Act 2024 (DMCC) on misleading omissions and lack of professional diligence. You also have frustration or impossibility because you took immediate reasonable steps to pay and were thwarted by their system. You will require strict proof of contemporaneous entrance and terms signage and precisely where the code was displayed at the decision point. The £70 add-on is unrecoverable as double recovery and should be challenged as an abuse if pleaded. Their SAR failures, breach notification delay, and address accuracy issues go to unreasonable conduct and support a costs application if they persist.

Next steps in simple terms. Send BW Legal a follow-up demanding PAPDC disclosure and Article 14 particulars and ask for a 30-day hold.


Quote
Subject: Your ref [BW ref] – PAPDC disclosure outstanding/Article 14 particulars

Dear Sirs,

I refer to your letter dated 14 November 2025 and your email of 4 December 2025.

PAPDC disclosure
My request for RingGo integration details, adjacent-site location codes, change logs, and reconciliation for the material period was made under the Pre-Action Protocol for Debt Claims to narrow the issues. It was not a SAR.

The dispute concerns misdirection by your client’s mandated app/map workflow. Please disclose those documents, or give a reasoned refusal under the Protocol.

Also provide the signage pack and site plan as at 23/12/2024 (entrance and terms), proof of landowner authority (parties, dates/term, right to issue and litigate), your client’s consideration/grace-period policy then in force, and particulars for any sum beyond the headline charge. The £70 add-on is denied as unrecoverable/double recovery; confirm any claim will be limited to the principal, court fee and fixed legal costs only.

Article 14
Provide the source of my data and the date first received from your client, the categories processed, purposes and lawful bases, recipients, and the retention period. “Passed to the relevant department” is not compliance.

Address for service
Confirm that all correspondence and any proceedings will be served only at my current address below.

Yours faithfully,

[Name]
[Current address]
[Email]
PCN: [ref] | VRM: [VRM]

Send the CPM DPO a letter/email pointing out the BW Legal omission, the late and ineffective breach notification, the contradiction about ICO reporting, and the missing personal data items.

Quote
Subject: SAR still incomplete and breach notification failures – PCN [ref], VRM [VRM]

Dear Data Protection Officer,

Your latest message claiming you have met your SAR duties is incorrect.

Recipients
Your own Zendesk SAR record dated 21/11/2025 lists BW Legal Ltd as a recipient. Your earlier SAR bundle omitted BW Legal entirely. Provide a corrected disclosure log for this PCN showing, for each recipient including BW Legal and Trace, the identity, categories of data shared, and the date and time of each disclosure.

Breach notification
You say the breach occurred 28/08/2025 and was identified 29/08/2025. The Unity5 certificate of postage shows you submitted for posting a breach letter on 29/08/2025 to my previous address. You held my email from 28/08/2025 yet failed to notify me until 13/10/2025. That is not “without undue delay” and was not effective communication to the data subject.

Breach reporting contradiction
Your breach letter says you reported the breach in line with obligations. Your attached ICO self-assessment says there was no requirement to notify the ICO. Provide your ICO report reference and submission date/time, or confirm you did not notify and explain why.

Missing personal data still outstanding
Provide the ANPR event log for my VRM for the material period (all reads/timestamps/camera IDs/retention entries), RingGo/payment back-office records that reference my VRM or this PCN including any matching/mismatch notes for the material window, internal notes and portal/web-form audit logs referencing me/this PCN, DVLA KADOE request/response for this PCN (single request date/time and the address returned) and any address-verification or trace records that refer to me, particularly before the Final Notice of 12/05/2025 and before instructing BW Legal, any data-accuracy records explaining use of my former address after my DVLA update in early April 2025, and your retention policy as it applies to my data for this PCN with any deletion logs you rely on. If you claim an exemption for any item, identify the specific exemption and explain how it applies to that item.

Unless you supply the above within 7 days I will file or extend my complaint to the ICO for failures under Articles 12/15, 33/34, and 5(1)(d)/5(1)(f)/32, enclosing your contradictory documents (Zendesk record, Unity5 proof, the self-assessment and breach letter).

Yours faithfully,

[Name]
[Current address]
[Email]
PCN: [ref] | VRM: [VRM]

File or extend the ICO complaint using the documents you now have: Zendesk SAR page naming BW Legal, Unity5 certificate, the breach letter, the ICO self-assessment screenshot, your DVLA update proof, and BW Legal letters to the correct address. Keep all RingGo screenshots and receipts ready and take current photos of entrance and terms signs if you have not already.

If a claim is issued before they comply, plead the consumer-law points, signage/contract formation, frustration, the unrecoverable add-on, and their procedural conduct. The defence will be short and focused, reserving detailed evidence for the witness statement stage.

As always,

Thank you for your continued support in this and for the hard work and dedication you always provide, especially with the addition of templated responses. It would be impossible to keep fighting them without this assistance. I have responded to BW Legal and CPM as you have recommended.

Out of interest, BW Legal also sent in the meantime a letter to me stating the following:

"We write to you in relation to your UK GDPR Article 14 request.

Information about Article 14 is available on the Information Commissioner's Office website at www.ico.org.uk

We were instructed by Our Client, Countrywide Parking Management Limited on 23 May 2025. At this time, we were provided with your data and instructions to collect the outstanding balance. We have a Privacy Notice published on our website www.bwlegal.co.uk (attached for ease of reference). It provides useful information including details of the sources of your data, purposes and legal basis on which we process personal data together with our retention periods".

Reply to that email and CC yourself as follows:

Quote
Subject: Article 14 request – incomplete response – your ref [BW ref]

Dear Sirs,

I refer to your letter about my UK GDPR Article 14 request. Your response is incomplete.

As you do not publish a DPO email address, I require you to ensure this request is immediately escalated to and actioned by your Data Protection Officer or the person responsible for data protection compliance. Confirm their name and contact details in your reply. Treat this email as part of the audit trail for my Article 14 request.

Pointing me to a website privacy notice is not Article 14 compliance. I require the specific information for this file:

1. Source of my personal data and the exact date you first received it from Countrywide Parking Management Ltd, plus any other sources used.
2. Categories of personal data you process for this matter.
3. Purposes for processing and the precise lawful basis relied upon for each purpose under Article 6(1).
4. Recipients or categories of recipients to whom you have disclosed my data, and the dates of any disclosures.
5. Your retention period for my data in this matter (not a generic schedule).
6. Whether you undertake automated decision-making or profiling in this case, and if so, meaningful information about the logic involved and envisaged consequences.
7. Contact details for your Data Protection Officer or the person responsible for data protection compliance.

Provide the above within 14 days. If you contend an exemption, identify it specifically and explain how it applies to the particular item withheld. Failure to provide a complete Article 14 response will be added to my ICO complaint.

Confirm that all correspondence and any proceedings will be served only at my current address below.

Yours faithfully,

[Your name]
[Current address]
[Email]
PCN: [ref]
VRM: [VRM]

Thank you, I have fired this across to them as well to ponder upon. Will update again when they have digested and responded.

Cheers!