Free Traffic Legal Advice

Subject: Formal Complaint Against ParkingEye Ltd – Breach of PPSCoP and Improper Handling of Appeal and Complaint

To: aos@britishparking.co.uk

Date: [Insert date]

Dear BPA Compliance Team,

Re: ParkingEye Ltd – Breach of PPSCoP Sections 8.4.1, 11.3 and Improper Use of Data in Scotland

I write to raise a formal complaint regarding the conduct of ParkingEye Ltd, an Approved Operator Scheme (AOS) member, in connection with a Parking Charge Notice (PCN) issued to me as the registered keeper of a vehicle. I reside in Scotland and have no contractual relationship with ParkingEye.

On 19 February 2025, I submitted an appeal to ParkingEye via their online portal. The appeal raised fundamental concerns, including that:

• I am the keeper of the vehicle and reside in Scotland;
• The Protection of Freedoms Act 2012 (PoFA), Schedule 4, does not apply in Scotland;
• ParkingEye’s Notice to Keeper (NtK) was in breach of PPSCoP section 8.1.1(d), as it contained a PoFA warning despite being issued to a Scottish address;
• I denied any liability and expressly stated there would be no identification of the driver.

Despite the clear and concise nature of the appeal, ParkingEye failed to issue any response within the mandatory 28-day period set out in section 8.4.1 of the Private Parking Single Code of Practice (Version 1.1, February 2025).

On 6 March 2025, I submitted a formal complaint through their web portal to raise this non-compliance. I received no acknowledgment within 14 days, in breach of section 11.3.1, and no substantive response within 28 days.

Instead, after I chased the matter, ParkingEye issued an email refusing to process my complaint unless I explicitly agreed to their Privacy Policy and Complaints Policy. Their justification was that, although I clicked mandatory checkboxes to allow submission, I included a written statement making clear I did not agree to those policies and clicked only to bypass the software restriction.

ParkingEye's refusal to process my complaint on this basis is indefensible. It is a clear attempt to obstruct a formal complaint by conflating acknowledgment with consent, despite their obligations as a data controller under UK GDPR and as a BPA member under the PPSCoP.

Furthermore, their insistence that they will delete my complaint correspondence due to my objection to their policies raises serious data governance concerns and undermines the regulatory complaints process.

Breaches Identified:

• PPSCoP 8.1.1(d) – Issuing an NtK with a PoFA warning to a keeper in Scotland, where PoFA does not apply.
• PPSCoP 8.4.1 – Failure to respond to a keeper appeal within 28 days.
• PPSCoP 11.3 – Failure to acknowledge and respond to a formal complaint within 14 and 28 days respectively.
• Improper conditional processing – Refusing to handle complaints unless individuals agree to policies which they may lawfully contest or object to.

Requested action:

I request that the BPA:

• Investigate this matter as a serious breach of the PPSCoP;
• Require ParkingEye to respond to the original appeal and formal complaint;
• Review the legality and fairness of ParkingEye’s practice of rejecting complaints unless “consent” is provided under duress;
• Remind ParkingEye of their obligations under the PPSCoP and the principles of the UK GDPR.

Please confirm receipt of this complaint and advise me of the steps that will now be taken.

Yours faithfully,

[Your Full Name]
[Your Address]
[Your Email Address]
Keeper of Vehicle Registration: [Insert VRM]
PCN Reference: [Insert PCN number, if available]

Dear [***]

Thank you for your correspondence of 29th March about the release of information
from the Driver and Vehicle Licensing Agency’s (DVLA) vehicle register. I have been
asked to formally review your case at Step 1 of our complaints procedure.

The DVLA takes the protection and security of its data very seriously and has
procedures in place to ensure data is disclosed only where it is lawful and fair to do
so and where the provisions of the Data Protection Law are met. The Agency must
strike a balance between ensuring the privacy of motorists is respected while
enabling those who may have suffered loss or damage to seek redress.

Drivers choosing to park a vehicle on private land do so subject to the terms and
conditions set out on signage in the car park. The need to contact individuals who
may not have complied with these conditions is, in most circumstances, considered
to be a reasonable cause. Data is provided by the DVLA to enable landowners or
their agents to pursue their legal rights and to address disputes. I hope you can
appreciate that if this were not the case, motorists would be able to park with
disregard for the conditions applying with little prospect of being held accountable.

I have investigated the matter with ParkingEye who made the request to the DVLA
for the registered keeper details for Vehicle Registration Number [***]. I have
had sight of their supporting evidence to show that they had reasonable cause to
make their request. The Parking Charge Notice (PCN) was issued as the signage at
the site states tariffs applies after 2 hours and the vehicle remained in the car park
for 2 hours and 34 minutes. ParkingEye have advised that they received an appeal
stating that you would not identify the driver of the vehicle at the time, and they have
responded to you on 5th March. As the registered keeper of the vehicle, you are
responsible for the PCN and the PCN remains outstanding.

PoFA is based on the laws of the location where the Parking Charge Notice was
issued, which in this case is England, where PoFA applies. Therefore, ParkingEye
can utilise PoFA in this situation.

To help ensure motorists are treated fairly when any private parking charge is
pursued the DVLA discloses vehicle keeper information only to companies that are
members of an appropriate Accredited Trade Association (ATA). The purpose of
requiring a company to be a member of an ATA is to ensure that those who request
DVLA information are legitimate companies that operate within a code of practice
that promotes fair treatment of the motorist and ensures that there is a clear set of
standards for operators.

The company in question, ParkingEye, are a member of the British Parking
Association (BPA) which is an Accredited Trade Association for the parking industry.
The BPA’s code of practice is published on its website at
http://www.britishparking.co.uk under the heading “Approved Operators Scheme”. If
a member of this scheme does not comply with the code of practice, it may be
suspended or expelled, during which time no data will be provided to it by the
DVLA. If you feel that any of the practices used by the company do not comply with
the BPA’s code of practice, you may wish to contact the BPA via email at
https://portal.britishparking.co.uk/compliance/LogComplaint or by post at Chelsea
House, 8-14 The Broadway, Haywards Heath, West Sussex RH16 3AH.

We have fully considered all the information available. If you feel that your complaint
has not been resolved, you can request escalation of your complaint to Step 2 of the
complaints process. Further options about our complaint procedure can be found
online at www.gov.uk/dvla/complaints.

Yours sincerely
[***]
Data Customer Auditor
Data Assurance Team/Information & Assurance Group

Ref: Complaint [***]
Car reg. no. [***]

Dear DVLA Complaints Team,

DVLA Complaint Step Two -- ParkingEye Misuse of Keeper Data / Breach of KADOE and PPSCoP

I am writing to escalate my complaint to Step Two of the DVLA's formal complaints procedure, as your Step One response issued on 9 April 2025 failed to address the core issue raised in my complaint dated 29 March 2025.

This complaint is not about whether ParkingEye had reasonable cause to access my data at the time of the KADOE request. My complaint clearly states that the breach relates to the subsequent misuse of my personal data, in breach of the Private Parking Single Code of Practice (PPSCoP) and ParkingEye’s KADOE contract.

1. PoFA Does Not Apply to Keepers Domiciled in Scotland

Your Step One response inaccurately claimed:

“PoFA is based on the laws of the location where the Parking Charge Notice was issued, which in this case is England, where PoFA applies. Therefore, ParkingEye can utilise PoFA in this situation.”

This is incorrect. The Protection of Freedoms Act 2012 (PoFA), Schedule 4, only permits keeper liability where the parking event occurred on relevant land in England or Wales and where the registered keeper is also domiciled in England or Wales. It does not confer jurisdiction over keepers residing in Scotland, and any attempt to assert keeper liability under PoFA against a keeper resident in Scotland is legally defective.

ParkingEye’s Notice to Keeper and subsequent correspondence contained false and misleading statements asserting PoFA liability against a Scottish resident. This is in breach of Section 8.1.1(d) of the PPSCoP, which prohibits operators from implying PoFA liability where it does not apply. Once ParkingEye became aware from the DVLA data that I reside in Scotland, they had an obligation to cease relying on PoFA.

2. Misuse of Data and Breach of KADOE Contract

The DVLA is the data controller for keeper data released under KADOE. Your own framework confirms that data must be used in accordance with the applicable Code of Practice. Where a KADOE recipient issues documentation in breach of the PPSCoP, and continues to misuse the data contrary to the purpose for which it was released, this becomes unlawful processing under UK GDPR and DPA 2018.

ParkingEye’s breach is not minor or technical. It constitutes:

* A breach of Section 8.1.1(d) of the PPSCoP;
* A breach of their KADOE contract;
* Misleading processing of my personal data with no legal basis;
* A potential breach of Consumer Protection from Unfair Trading Regulations (CPUTR) 2008.

The DVLA has a statutory responsibility to investigate and sanction such misuse, including through suspension or termination of KADOE access where warranted.

3. Incorrect Assertion of Liability

Your Step One response stated:

“As the registered keeper of the vehicle, you are responsible for the PCN and the PCN remains outstanding.”

This is an entirely inappropriate and inaccurate assertion. Whether I am legally liable is a matter for the courts. It is not within the remit of the DVLA to declare legal liability for a private contractual claim.

I request a proper investigation into the actual issues raised, namely:

* ParkingEye’s breach of the PPSCoP;
* Their continued use of PoFA language in communications to a keeper registered and resident in Scotland;
* The unlawful use of DVLA data in light of these breaches;
* What enforcement action the DVLA will take against ParkingEye under the KADOE framework.

Please confirm this complaint is now under Step Two of the formal DVLA complaints process and provide a reference.

Yours sincerely,

[***]
9 April 2025

Did you?

Subject: Supplementary Information – Step Two Complaint [Insert DVLA Reference Number]

Dear DVLA Complaints Team,

Further to my Step Two complaint submitted on [insert date], reference [insert reference number if known], I am writing to provide supplementary information regarding a potential data protection concern that has arisen from your Step One response.

Your previous correspondence stated:

“ParkingEye have advised that they received an appeal stating that you would not identify the driver of the vehicle at the time.”

This indicates that ParkingEye disclosed the content of my private appeal to the DVLA. The DVLA is not a party to the dispute and has no adjudicative role in the appeal. This disclosure occurred without my knowledge or consent and was not necessary for the DVLA to assess whether ParkingEye had complied with its KADOE obligations.

This action appears to contravene the data minimisation and purpose limitation principles under UK GDPR Article 5(1)(b) and (c). It also raises questions under the transparency and fairness requirements of Articles 12 to 14. I believe this disclosure constitutes a further misuse of my personal data, beyond the original misuse that formed the basis of my Step Two complaint.

Please ensure this concern is added to the ongoing investigation. I reserve the right to escalate this matter separately to the Information Commissioner’s Office (ICO) depending on the outcome.

Yours sincerely,

[Your Name]
[Your address or reference details, if required]
[Date]

Subject: Supplementary Information -- Step Two Complaint [Ref: [***] ]

Dear DVLA Complaints Team,

Further to my Step Two complaint submitted on 9 April, reference [***], I am writing to provide supplementary information regarding a potential data protection concern that has arisen from your Step One response.

Your previous correspondence stated:

“ParkingEye have advised that they received an appeal stating that you would not identify the driver of the vehicle at the time.”

This indicates that ParkingEye disclosed the content of my private appeal to the DVLA. The DVLA is not a party to the dispute and has no adjudicative role in the appeal. This disclosure occurred without my knowledge or consent and was not necessary for the DVLA to assess whether ParkingEye had complied with its KADOE obligations.

This disclosure appears to contravene the data minimisation and purpose limitation principles under UK GDPR Article 5(1)(b) and (c). It also raises questions under the transparency and fairness requirements of Articles 12 to 14. I believe this disclosure constitutes a further misuse of my personal data, beyond the original misuse that formed the basis of my Step Two complaint.

Please ensure this concern is added to the ongoing investigation. I realise the DVLA is not responsible for parties that send information to it in breach of privacy rights, but nonetheless I am bringing this matter to your attention, because it is further evidence as to Parking Eye's contempt for the law. I have written to Parking Eye's data protection officer and in the event of an unsatisfactory response, or no response, I shall escalate the matter to the Information Commissioner’s Office (ICO).

Yours sincerely,

[***]
Registered keeper of vehicle [***]
12 April 2025

Subject: Re: Unlawful Disclosure of Personal Data to DVLA – Response Inadequate
Dear ParkingEye Privacy Team,

Thank you for your response.

I must make clear that your reply does not resolve my complaint, which concerns your decision to disclose the content of my appeal to the DVLA, not whether you were entitled to respond to their inquiry generally.

You have not explained:

• What lawful basis under Article 6 of UK GDPR you relied on to disclose narrative content from my appeal;
• Why that disclosure was necessary or proportionate for the DVLA’s oversight role under the KADOE agreement;
• How the DVLA’s request for general information (e.g., whether an appeal was made) justified quoting or paraphrasing statements that I made in confidence during an appeal process.

The DVLA is not a party to the dispute and has no adjudicative function. While they may audit process compliance under the KADOE agreement, that does not relieve you of your duties as data controller to comply with the principles of purpose limitation and data minimisation under Articles 5(1)(b) and (c) of the UK GDPR.

Unless you can provide a lawful basis and justification for disclosing that specific information, I will consider this matter unresolved and reserve the right to refer it to the Information Commissioner’s Office (ICO).

Please treat this as a continuation of my formal complaint and provide a full response within 14 days.

Yours sincerely,

[Your Name]