The usual fob off from the DVLA. So you now need to raise this to Step 2. The process is identical to the Step 1 complaint. However, the link to the Step 2 process is:
https://contact.dvla.gov.uk/head-of-complaintsUse this as the text for the webform:
I am escalating my complaint to Step 2 of the DVLA’s formal complaints procedure regarding the misuse of my personal data by UK Car Park Management Ltd (UKCPM), an IPC AOS member with KADOE access.
My Step 1 complaint (submitted on 22 May) set out how UKCPM breached the Private Parking Single Code of Practice (PPSCoP) after obtaining my data from the DVLA. The response I received failed to address the core issue: that the DVLA, as data controller, remains responsible for ensuring that data it releases is not subsequently misused in breach of the conditions under which it was provided.
The DVLA’s KADOE contract and the PPSCoP make clear that continued access to keeper data is conditional on compliance. Where a parking operator breaches the PPSCoP after obtaining data, the use of that data becomes unlawful. This is not solely a matter for the ATA—it is a matter of data governance and regulatory oversight.
I have attache a further supporting statement outlining the breaches committed by UKCPM. I request a full review of this complaint at Step 2 and a substantive response addressing the DVLA’s obligations under the UK GDPR and the KADOE framework.
Please confirm receipt and provide a reference number for this escalation.
Then, as previously, you can create the following as a PDF Supporting Statement and upload it:
SUPPORTING STATEMENT Step 2 DVLA Complaint – Misuse of Keeper Data by UKCPM
Operator: UK Car Park Management Ltd (UKCPM) Date of PCN Issue: 6 April 2025 Vehicle Registration: [INSERT VRM]
Date of PCN Issue: 6 April 2025
Vehicle Registration: [INSERT VRM]
This statement accompanies my Step 2 escalation under the DVLA complaints process.
The response I received at Step 1 did not address the substance of my complaint. It appeared to be a generic, templated reply that deflected responsibility to the Accredited Trade Association (ATA) and ignored the DVLA’s own obligations under the UK GDPR.
To reiterate: this complaint is not about whether UKCPM had reasonable cause to request keeper data at the point of access. It is about the subsequent misuse of that data—misuse that occurred after its release, in breach of the Private Parking Single Code of Practice (PPSCoP), which governs ongoing use. That breach renders the processing unlawful.
The DVLA remains the data controller under UK GDPR for the data it discloses via the KADOE system. Passing that data to a third party does not extinguish the DVLA’s responsibilities—especially where conditions of release (namely, Code compliance) are violated. The PPSCoP is not merely an internal ATA document; it is the foundation upon which KADOE access is granted.
The IPC, the ATA in this case, provides no meaningful oversight. Its existence merely facilitates access to DVLA data. It is not an independent regulator and does not enforce compliance in any credible or transparent way.
I have already set out the specific breaches committed by UKCPM in my original statement—namely, failure to specify a valid period of parking, conflicting timestamps, misleading signage, and lack of contractual authority. These are significant failures that go directly to the lawful use of my data.
The DVLA cannot delegate its responsibilities under data protection law to a self-regulating trade body. I expect a substantive response that acknowledges this fact and addresses the core issue: data obtained under the KADOE contract has been used unlawfully, and the DVLA—as the data controller—must act accordingly.
Please confirm receipt of this escalation and provide a new reference for the Step 2 complaint.
Name: [INSERT YOUR NAME]
Date: [INSERT DATE]
