Non Compliance with a DSAR Claim Process

This is the process that I have followed myself over the past year and a half. I am inlcuding all of the lessons I have learned on the way so that you will have a much quicker and more effective experience.

Introduction

I just wanted to give everyone some encouragement with taking the council and other companies to court if they ignore or fail to respond fully to your DSAR. It can be disheartening to receive a template letter that simply attempts to derail your sovereignty with references to legislation, however, we can reframe this expereince in the positive and view this as a gift since they are handing you a court claim on a plate which you are certian to win, if you have followed the correct process.

A Data Subject Access Request, or Specific Data Subject Access Request, or Subject Access Request gives you the power to ask any company for the information it holds about you. More information here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

By not responding in full and on a point for point basis the company is guilty of breaching several sections of The Data Protection Act 2018 and UK General Data Protection Regulations. They are handing you a claim for compensation on a plate. I have heard some people have made claims for £3,000 to £5,000.

My local council fobbed me off with a template letter in response to my DSAR, so I followed the notice process, which formed my court file: the court is our paperwork. I then filed an N1 claim to the County Court Money Claims Centre for failure to respond to three DSARS.

After messing around by requesting an extension, the council failed to respond to my claim within the time limit so I was given the opportunity to issue a CCJ against them. After the default judgement was issued by the court it remained unpaid so the court gave me the opporunity to enforce the judgement. https://www.gov.uk/make-court-claim-for-money/enforce-a-judgment

Because the claim was for over £600 I chose to enlist a High Court Bailiff by applying for a High Court Writ using forms N293A and No.53 Writ of Control, which cost me £71.00.

Non Compliance with a DSAR Process

1. DSAR
2. DSAR Reminder Notice
3. Notice of DSAR Non-Compliance
4. Notice Before Action
5. Affidavit
6. N1 Claim
7. CCJ
8. Enforcement

Step 1 – DSAR

We always start any process with a request for the name of the relevant man or woman within the company or organisation who will be taking responsibility. In this case it will be the Data Protection Officer. You can send a Freedom of Information request to the council, but for other companies you will need to phone them or do a chat with them to ask. Often they will try to fob you off with a generic customer service email address – be persistent and insist on the name and postal address of the DPO. Sometimes they are listed on the ICO website. Go here https://ico.org.uk/about-the-ico/what-we-do/register-of-fee-payers/ to do a search of listed Data Controllers.

The DPO is your fiduciary who is in a position of trust, looking after your data on behalf of the organisation for whom they work. It is their role to sit between you and the organisation so that they act in your best interests and not in the interests of the company. Should they breach this trust by not sending the data you request we must hold them to account my making a complaint to the ICO and making a claim for a court order forcing the company to release the information and for financial compensation.

• Find out the name of the Data Protection Officer. You can search the ICO register here: https://ico.org.uk/about-the-ico/what-we-do/register-of-fee-payers/
• Address your Data Subject Access Request to them.
• The questions need to be about your specific data; general questions would be a Freedom of Information Request (FOIR) but there are separate rules about this which should be researched first.
• Send by Royal Mail Signed For and keep the tracking number or send Royal Mail First Class and ask for a Certificate of Posting.
• Send a copy of one of their bills/statements as proof of address.
• Send a copy of your Drivers Licence with the number redacted.
• Give them 30 days to respond.

Step 2 – Reminder

After 20 days if they haven’t replied, remind them about your DSAR. Include all of the information in your first DSAR and tell them the date you sent it and that you haven’t yet received a response.

Step 3 – Notice of DSAR Non-Compliance

The DPO acts in a fiduciary capacity under statutory duty. They hold an independent position so that they can protect our data. Their duty is to us and they are bound by statue to act in accordance with DPA and GDPR. If they haven’t responded in full on a point for point basis, or if they haven’t responded at all, send a Noice of Non-Compliance and give them a further seven days to respond.

• Include the dates and tracking numbers of all of your previous correspondence and what they have or haven’t sent to you.
• Say why it is unacceptable. State the facts from your own DSAR and their response. Basically you are saying that they haven’t responded and what guidelines/statutes they have broken.
• Give them seven days to respond.

Step 4 – ICO Complaint

• After seven days make your complaint to the ICO.
• https://ico.org.uk/make-a-complaint/data-protection-complaints/personal-information-complaint/
• Focus on the facts, be specific, say that you did not make unreasonable requests.
• Upload your three notices.
• Upload copies of your Certificates of Posting.

Step 5 – Notice Before Claim

• Make a claim against the corporation/company using your legal fiction so you are contracting legal entity with legal entity.
• Cause of action is non compliance with a DSAR which is a breach of the Data Protection Act 2018.
• List all the dates and correspondence and numbers of Royal Mail Signed For receipts.
• You have caused me considerable alarm, stress, distress, and inconvenience in relation to how you have handled my data to date. To settle this matter outside of court I’m offering you the opportunity to pay me damages of £x within the next 14 days.
• If we receive no response a claim will be made for compensation at a County Court.
• Give them 14 days to respond.

Step 6 – Affidavit

Write a timeline of exactly what happened according to your first hand experience. Be 100% truthful and do not embellish anything. Include all supporting evidence for your case.
When creating an affidavit you are writing under the penalty of perjury: this is what makes it so powerful. Do not make any statements you cannot prove.
Simply explain the wrong they have done unto you, and then you claim your damages for time, stress, distress, and inconvenience.
Get the affidavit sworn and signed by a commissioner of oaths at a local solicitors office for around £5.
You then give them 30 days to rebut it – they need to do this point for point, they cannot just send a letter in saying that this didn’t happen. You can also explain to them that you will remove any of the points they can prove to be incorrect.

Step 6 – N1 Claim

Fill in an N1 claim form online and submit to the Count Court Money Claims Centre.
https://www.gov.uk/make-court-claim-for-money
We are submitting an N1 claim because we are claiming monetary compensation for damages under statutory provisions ie the Data Protection Act.
This is an Admiralty/Maritime jurisdiction so you will be using your straw man, MR JOHN SMITH, as an implied corporation to file the claim against another corporation.

Keep it simple: facts and the law. Evidence the breach of data. Include original DSAR, follow up notices for non compliance, ICO confirmation, Notice Before Claim, Affidavit.

Litigants in Person

A Handbook of guidance for individuals who want to bring their own claims to court known as Litigants in Person. We have the right to justice and that access need not be through a solicitor or barrister. If you are going to bring your own N1 claim against any council or company for non compliance with a DSAR then this handbook will give some guidance on procedure. https://www.judiciary.uk/wp-content/uploads/2022/07/A_Handbook_for_Litigants_in_Person.pdf

Step 7 – CCJ

If they fail to respond then you will be awarded a Default Judgement and you can ask the court to issue a County Court Judgement (CCJ)

Step 8 – Enforcement

The court will write to you with your options which include enforcing the judgement by appointing bailiffs to collect the debt. https://www.gov.uk/make-court-claim-for-money/enforce-a-judgment

The Data Protection Act

Started by printing and reading a hard copy of the DPA. https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted.

Here are the key points:

The Claimant has the right to access personal data, have it erased, or stop the processing of data pursuant to the Data Protection Act 2018.

Pursuant to section 2 (1) (b), The Claimant (the Data Subject) sent the Defendant (the Data Controller) X Data Subject Access Requests (DSARs) in Month 202?.

Section 45 (1) and (2) – failed to provide access to the personal data and the information set out in subsection 2.

If they decided to restrict the rights of the Claimant they should have done so in compliance with Section 45 (5), which they did not.

Section 48 (1) and (2) – the Defendant ignored our request to cease and desist processing our data and did not prove legitimacy to continue to process our data.

The First Data Protection principle – they did not demonstrate that their processing of my data was lawful by proving that they met one of the conditions in Schedule 9.

Section 93 (a), (b), (c), (d), (e), (f) – letters did not cover any of those required points.

ICO states: ‘If an individual suffers damage or distress because you have infringed their data protection rights – including by failing to comply with a SAR – they are entitled to claim compensation from you’.

The ICO cannot award compensation so they advise individuals that: ‘under data protection law, you are entitled to take your case to court to … claim compensation for any damage caused by any organisation if they have broken data protection law, including any distress you may have suffered’. The Claimant is making this claim with the county court pursuant to Section 180, which states that it is the correct jurisdiction for such claims.

The ICO state that ‘… it is a criminal offence to … block … or conceal information with the intention of preventing disclosure of all or part of the information a person making a SAR would have been entitled to receive’. On summary conviction the Defendant may be subject to a fine pursuant to Section 196 or prosecution pursuant to Section 197.

The Claimant is seeking financial compensation for the contravention of the UK GDPR pursuant to Section 168 because the Defendant blocked and concealed information by not providing the requested information and did not provide a reasonable excuse to have not provided the requested information within the obligated time of one month.

You can also go here for further information on DPA/GDPR: https://thepeopleslawyeruk.com/freeresources/

Example DSAR

This is an excellent DSAR template provided by Beat the Bailiffs which is a great source of information on Telegram : https://t.me/BeatBailifs Go here for the template source: https://sites.google.com/view/subjectaccessrequest/home

First Last
Address

Date

First Last
Data Protection Officer
Company
Address

Company Number: xxxx
ICO Registration Number: xxxx

Data Subject Acess Request

For the attention of First Last, Data Protection Officer, Company, or proper officer incumbent.

I am writing to formally make a ‘Subject Access Request’ for a copy of information that you hold about me which I am entitled under the General Data Protection Regulation 2018.
You can identify my records using the following information:
Full name:
Address:
Please supply me the data about me that I am entitled to under the data protection law including:

• confirmation that you are processing my personal data;
• a copy of my personal data;
• the purposes of your processing;
• the categories of personal data concerned;
• the recipients or categories of recipient you disclose my personal data to;
• your retention period for storing my personal data or, where this is not possible, your criteria for determining how long you will store it;
• Confirmation of the existence of my right to request rectification, erasure or restriction or to object to such processing;
• confirmation of my right to lodge a complaint with the ICO or another supervisory authority;
• information about the source of the data, where it was not obtained directly from me;
  the existence of any automated decision-making (including profiling); and
  the safeguards you provide if you transfer my personal data to a third country or international organisation.
• please provide the mapping management process involved in the data usage;
  include the regulatory compliance process used to ensure sufficient governance is in place ;
• include the same for any third parties you provide access to my data;
• include what your legal reason for holding such data, and any data you do not have a legal reason to hold, please delete and provide necessary regulatory requirements to evidence the deletion of said data.

I look forward to receiving your response to this request for data within one calendar month, per the General Data Protection Regulation. If you do not normally deal with these requests, please pass this letter to your Data Protection Officer, or relevant staff member. I enclose a copy of my passport/drivers liscence and a recent bill for identification purposes.

Example DSAR Reminder

Copy your original DSAR, change the date and add this paragraph at the start:

For the attention of First Last, Data Protection Officer, Company, or proper officer incumbent.

On [date] I sent a Data Subject Access Request with identification. At the time of writing I have not yet received a response.

I expect a reply from you within one calendar month (31 days) as required under Article 12 of GDPR and Section 54 of the Data Protection Act 2018. Should you fail to comply with the legislation I will be forwarding my inquiry with a letter of complaint to the Information Commissioners Office.

You are reminded that any failure to comply with this Data Subject Access Request within one calendar month (31 days), may be construed as concealment, which may constitute an offence pursuant to section 173 (3) of the Data Protection Act 2018, and section 148 (2) (a) of the Data Protection Act 2018, which states it is an offence to alter, deface, block, erase, destroy, or conceal information with the intention of preventing disclosure.Please find a copy of my DSAR requests: [insert original DSAR questions].

Example Notice of DSAR Non Compliance

Address

Date

Respondent:
Name
Data Protection Officer
Company
Address

Office Found

Company Number:
ICO Registration Number:
Reference Number:

Notice-to-Principal-is-Notice-to-Agent, Notice-to-Agent-is-Notice-to-Principal

Notice of DSAR Non Compliance

For the attention of the Data Protection Officer, Company or proper officer incumbent.

On DATE we sent a Data Subject Access Request (DSAR) pursuant to the Data Protection Act (DPA) 2018 and the General Data Protection Regulation (GDPR) 2018. We included a copy of our passport and a recent bill for identification purposes. On DATE we sent a reminder which repeated our DSAR questions.

We are writing to confirm that you have not provided a response to our DSAR within one calendar month (31 days) as required under Section 54 of the DPA and Article 12 of GDPR.

We were entitled to receive information from you regarding the processing of our personal data pursuant to Section 2 (1) (b) of the DPA. By failing to comply with answering our DSAR you have breached Sections 45, 47, 48, and 93 of the DPA. Additionally, by not demonstrating that your processing of our data is lawful, you have failed The First Data Protection principle by failing to evidence that you met one of the conditions in Schedule 9.

We stated in our DSAR that failure to comply with the legislation may result in the forwarding of our inquiry to the Information Commissioners Office with a letter of complaint.

Yours sincerely

Title First Last

EXAMPLE AFFIDAVIT

This example contains all the relevent DPA and GDPR legislation which can also be used in your Notices.

Claimant:
(we, us, our) :{Firstname}: {Lastname}
Address
[Postcode]

Date, 2022

Defendant:
{CEO {Firstname} {{Lastname}}} (she, her)
Chief Executive
Company
Address
Postcode

Office Found

D-U-N-S Number: 000
ICO Registration Number: 000
Reference Number: 000

Affidavit of Truth & Statement of Fact

Truth is expressed in the form of an affidavit.
(Lev. 5:4-5; Lev. 6:3-5; Lev. 19:11-13: Num. 30:2; Mat. 5:33; James 5: 12).

I. I, the woman: :{Firstname}: of the family {Lastname}, (being the undersigned) do solemnly swear, declare, and depose;

II. That I am competent to state the matters herein, and to take oath and swear that the matters herein are true, certain, and correct as contained within this :{Firstname}: of the family {Lastname} Affidavit of Truth and Statement of Fact.

III. I am herein stating the truth, the whole truth, and nothing but the truth; and these truths stand as fact until another can provide the material and physical evidence to the contrary.

IV. THAT I fully and completely understand, before any charges can be brought, it must be firstly proved, by presenting the material evidence to support the facts that the charges are valid and have substance that can be shown to have material physical substance as a foundation in fact.

1. Cause of Action

2. ICO Guidance

2.1 The ICO states that ‘individuals have the right to access and receive a copy of their personal data, and other supplementary information’ and that companies ‘should respond without delay and within one month of receipt of the request’. {CEO {Firstname} {Lastname}} has not complied with this requirement.

2.2 It goes on to say that ‘you should perform a reasonable search for the requested information’ and ‘provide the information in an accessible, concise, and intelligible format’. {CEO {Firstname} {Lastname}} has not complied with this requirement.

2.3 The ICO is very clear about the process for refusing to comply with a request:
If you refuse to comply with a request, you must inform the individual of:
the reasons why;
their right to make a complaint to the ICO or another supervisory authority; and
their ability to seek to enforce this right through the courts.
{CEO {Firstname} {Lastname}} has not complied with these requirements.

2.4 {CEO {Firstname} {Lastname}} has not followed any recommended process with regard to our Data Subject Access Requests.

2.5 {CEO {Firstname} {Lastname}} did not communicate any exception criteria to explain why she is not complying with our Data Subject Access Requests.

2.6 {CEO {Firstname} {Lastname}} did not document the reasoning behind her decision to refuse to comply with our Data Subject Access Requests and she did not issue this to us (the data subject).

2.7 {CEO {Firstname} {Lastname}} did not inform us (the data subject) of our right to complain to the ICO.

2.8 {CEO {Firstname} {Lastname}} did not inform us (the data subject) of our right to enforce our DSAR through the courts.

2.9 {CEO {Firstname} {Lastname}} did not consider our three DSARS on their own merits, she forwarded them to The Information Governance Team who simply forwarded one general template letter in response to our first DSAR.

2.10 According to the ICO we have the right of appeal, the right to apply for a court order requiring her to comply, or to seek compensation. We are seeking compensation.

2.11 According to the ICO ‘the GDPR gives you a right to claim compensation from an organisation if you have suffered damage as a result of it breaking data protection law.
This includes both “material damage” (e.g. you have lost money) or “non-material damage” (e.g. you have suffered distress)’. We are claiming compensation for material damage and for non-material damage.

3. Data Protection Legislation

3.1 As evidenced by the DUNS Number: 000 {{COMPANYNAME}} is a private, for-profit company charging for so-called ‘services’ (which have not been evidenced as consideration in any contract with us) and is therefore no different to McDonalds. Therefore legislation that applies to all companies also applies to {{COMPANYNAME}}.

3.2 {CEO {Firstname} {Lastname}} has failed to respond in substance and on a point for point basis to our requests for information and have not provided full disclosure, which is in violation of the Data Protection Act 1998/2018 (DPA) and General Data Protection Regulation 2018 (GDPR).

3.3 {CEO {Firstname} {Lastname}} has ignored our reminders that in order to comply with the current legislation response must relate to our specific private data; general statements are unacceptable.

3.4 {CEO {Firstname} {Lastname}} has contravened Article 15 of the GDPR by failing to inform us (the Data Subject) without undue delay whether our personal data was being processed and where that was the case failing to state the purposes of the processing, the recipients or categories of recipient to whom the personal data have been or will be disclosed. She also failed to provide access to our personal data and to address the right to request erasure of our personal data pursuant to Article 15 of GDPR:

(1) The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
the right to lodge a complaint with a supervisory authority;
where the personal data are not collected from the data subject, any available information as to their source;
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
(2) Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
(3) The controller shall provide a copy of the personal data undergoing processing. 2For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. 3Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
(4) The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
3.5 {CEO {Firstname} {Lastname}} has committed the offence of concealment due to her failure to provide adequate responses and the non compliance with our DSARs. It is an offence to conceal information with the intention of preventing disclosure pursuant to the Data Protection Act 2018, section 173 (3):

173 Alteration etc of personal data to prevent disclosure to data subject
(1) Subsection (3) applies where—
(a) a request has been made in exercise of a data subject access right, and
(b) the person making the request would have been entitled to receive information in response to that request.
(2) In this section, “data subject access right” means a right under—
(a) Article 15 of the [F1UK GDPR] (right of access by the data subject);
(b) Article 20 of the [F2UK GDPR] (right to data portability);
(c) section 45 of this Act (law enforcement processing: right of access by the data subject);
(d) section 94 of this Act (intelligence services processing: right of access by the data subject).
(3) It is an offence for a person listed in subsection (4) to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.
(4) Those persons are—
(a) the controller, and
(b) a person who is employed by the controller, an officer of the controller or subject to the direction of the controller.
(5) It is a defence for a person charged with an offence under subsection (3) to prove that
(a) the alteration, defacing, blocking, erasure, destruction or concealment of the information would have occurred in the absence of a request made in exercise of a data subject access right, or
(b) the person acted in the reasonable belief that the person making the request was not entitled to receive the information in response to the request.

3.6 {CEO {Firstname} {Lastname}} has committed the offence concealing a record held by a public authority with the intention of preventing disclosure to the applicant pursuant to the Freedom of Information Act 2000, section 77:

77 Offence of altering etc. records with intent to prevent disclosure.
(1) Where—
(a) a request for information has been made to a public authority, and
(b) under section 1 of this Act F1… the applicant would have been entitled (subject to payment of any fee) to communication of any information in accordance with that section,
any person to whom this subsection applies is guilty of an offence if he alters, defaces, blocks, erases, destroys or conceals any record held by the public authority, with the intention of preventing the disclosure by that authority of all, or any part, of the information to the communication of which the applicant would have been entitled.
(2) Subsection (1) applies to the public authority and to any person who is employed by, is an officer of, or is subject to the direction of, the public authority.
(3) A person guilty of an offence under this section is liable on summary conviction to a fine not exceeding level 5 on the standard scale.
(4) No proceedings for an offence under this section shall be instituted—
(a) in England or Wales, except by the Commissioner or by or with the consent of the Director of Public Prosecutions;
(b) in Northern Ireland, except by the Commissioner or by or with the consent of the Director of Public Prosecutions for Northern Ireland.

3.7 {CEO {Firstname} {Lastname}} has contravened Article 15 of the GDPR because she did not provide us with all of the information as listed here:

Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
the identity and the contact details of the controller and, where applicable, of the controller’s representative;
the contact details of the data protection officer, where applicable;
the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
the recipients or categories of recipients of the personal data, if any;

3.8 {CEO {Firstname} {Lastname}} has contravened Section 10 of the Data Protection Act 1998 because they she not fulfil our request to stop processing our data.

3.9 {CEO {Firstname} {Lastname}} is not excused compliance with our requests under the provisions of Section 10(2) of the Data Protection Act by virtue of the following reasons:
We have not given her or {{COMPANYNAME}} our consent to process our personal data.
We are not a party to a contract with her or {{COMPANYNAME}}.
There is no legal obligation with which she must comply and which would permit wither her or {{COMPANYNAME}} to process our personal data.
No processing undertaken by her or {{COMPANYNAME}} could be for the protection of our vital interests.

10 Special categories of personal data and criminal convictions etc data
(1) Subsections (2) and (3) make provision about the processing of personal data described in Article 9(1) of the GDPR (prohibition on processing of special categories of personal data) in reliance on an exception in one of the following points of Article 9(2)—
(a) point (b) (employment, social security and social protection);
(b) point (g) (substantial public interest);
(c) point (h) (health and social care);
(d) point (i) (public health);
(e) point (j) (archiving, research and statistics).
(2) The processing meets the requirement in point (b), (h), (i) or (j) of Article 9(2) of the GDPR for authorisation by, or a basis in, the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1 of Schedule 1.
(3) The processing meets the requirement in point (g) of Article 9(2) of the GDPR for a basis in the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 2 of Schedule 1.
(4) Subsection (5) makes provision about the processing of personal data relating to criminal convictions and offences or related security measures that is not carried out under the control of official authority.
(5) The processing meets the requirement in Article 10 of the GDPR for authorisation by the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1.
(6) The Secretary of State may by regulations—
(a) amend Schedule 1—
(i) by adding or varying conditions or safeguards, and
(ii) by omitting conditions or safeguards added by regulations under this section, and
(b) consequentially amend this section.
(7) Regulations under this section are subject to the affirmative resolution procedure.

3.10 The ICO, in Section 10 of their Guidance for Staff, states that ‘a response must be sent within 21 calendar days of receiving the objection’. {CEO {Firstname} {Lastname}} did not respond to our request to stop processing our data at all, and should have done so within 21 days.

4. Case Law

4.1 An ICO investigation found that a company had contravened Article 15 of the UK GDPR by failing to inform the Data Subject, without undue delay, whether their personal data was being processed and where that was the case, they had failed to provide access to such personal data. The ICO considered it proportionate to issue the company with an Enforcement Notice.

4.2 In 2019 the court of Appeal ruled that ‘no legal duty exists that requires a resident to notify a council of their residence at a particular address for council tax purposes’. This means that there is no legal obligation to provide any local council with any personal details. The judge said that ‘the defendant appeared liable to pay council tax … but that cannot of itself, as we see it, connote that she was obliged in law to notify the council of her continued residence. The fact is, as we have said, that such a provision simply is not there, either within the primary legislation or in subordinate legislation made pursuant to the provisions of the 1992 Act itself.’

5. Summary of Correspondence

6. Compensation

6.1 We are claiming compensation for distress due to the contravention of the GDPR pursuant to Section 168 of the Data Protection Act 2018, Section 13 of the Data Protection Act 1998, and Article 82 of General Data Protection Regulation.

6.2 Under Section 168 we have the right to be compensated because {CEO {Firstname} {Lastname}} did not provide reasonable excuse to have not provided the requested information within the obligated time.

168 Compensation for contravention of the GDPR
(1) In Article 82 of the GDPR (right to compensation for material or non-material damage), “non-material damage” includes distress.
(2) Subsection (3) applies where—
(a) in accordance with rules of court, proceedings under Article 82 of the GDPR are brought by a representative body on behalf of a person, and
(b) a court orders the payment of compensation.
(3) The court may make an order providing for the compensation to be paid on behalf of the person to—
(a) the representative body, or
(b) such other person as the court thinks fit.

6.3 Section 13 of the Data Protection Act 1998, provides that individuals may sue in circumstances when they have suffered a) damage or b) distress.

13 Compensation for failure to comply with certain requirements
(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—
(a) the individual also suffers damage by reason of the contravention, or
(b) the contravention relates to the processing of personal data for the special purposes.
(3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.
Article 82 of GDPR provides the right to receive compensation for non-material damage as a result of an infringement of GDPR.

6.4 Under Article 82 we have the right to compensation for the material and/or non-material damaged suffered.

Article 82 Right to compensation and liability (GDPR)
(1) Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

6.5 We are making a claim for compensation for six violations of GDPR which caused us embarrassment, distress, loss of time, and material loss.

6.6 We are making a claim for compensation for three incidents of breaching our privacy, which caused embarrassment and distress, by passing on correspondence marked private and confidential to the Information Governance Team which specifically requested a response from {CEO {Firstname} {Lastname}}.

6.7 We are making a claim for compensation for three incidents of failing to comply with a DSAR, which caused distress and resulted in a lot of time and effort on drafting paperwork, and financial loss on stationery, ink, and Royal Mail Signed For services.

6.8 In total the amount of compensation that we are claiming is £.

7. Pre-action Protocols

7.1 In our Notice of Non Compliance, dated xx, we provided concise details of our claim and an opportunity to rectify the situation. The defendant has not made any effort to rectify the situation.

7.2 In our Notice Before Action dated xx, we provided concise details of our claim including the basis for our claim, a summary of the facts, and a statement that we were seeking financial compensation. We also attempted to settle the issue without court proceedings. To date we have not received any response.

7.3 The duty to disclose all documents for inspection relevant to our claim is covered by the Civil Procedure Rules 1998, Part 31. The defendant is already in receipt of the documents referenced in this Affidavit of Truth as evidenced by the Royal Mail Signed For tracking information.

7.4 Under the Civil Procedure Rules 1998, Part 31: Disclosure and Inspection of Documents, the defendant has a duty to disclose all documents relevant to our claim, as previously requested in our DSARS and Notices, to the claimant for inspection.

7.5 This Affidavit of Truth and Statement of Fact will be sent to the defendant in advance of it being sent to the court to allow the defendant a further opportunity to settle our compensation claim out of court.

7.6 This Affidavit of Truth and Statement of Fact stands on and for the record as FACT until some other can present the material physical evidence to the contrary which is valid.

7.7 No Assured Value. No Liability. No Errors and Omission Excepted. All Rights Reserved.

A lien or claim can be satisfied only through
rebuttable by affidavit point by point, relation by jury, or payment.
(Gen. 2-3; Mat. 4; Revelation)

An unrebutted affidavit stands as truth in commerce.
(1 Pet. 1:25; Heb. 6:13-15).

He who does not deny, admits.

Without ill will or vexation.
By:

For and on behalf of the Principal legal embodiment by the title of MS {FIRST NAME} {LAST NAME}.
For and on behalf of :{Firstname}: of the family {Lastname}.
Principal of/for MS {FIRST NAME} {LAST NAME} and any/all Derivatives thereof.
Sole executor and beneficiary of the MS {FIRST NAME} {LAST NAME} estate.
All rights reserved.