GDPR 2018 REQUEST AND RESPONSES - AAD Consumer Forum


  • GDPR 2018 REQUEST AND RESPONSES

    FullSubjectAccessRequest <FullSubjectAccessRequest@callcreditgroup.com>
    To:
    Well, they have had a copy of the new passport just issued, but they are quick to allow me to see the credit report just by signing in through the e-mail address used here, and also write to me if necessary at the address mentioned to them. Is this their way of trying to get around the easiness of requesting? Obtrusive?



    Hi xxxxxxx

    Thank you for your recent email regarding all the data we hold on you. Your email has been passed to my department and I will process this for you. In order to assist us and to fulfil your request, we would be grateful if you would complete the enclosed application form and return to us.

    Due to our strict data protection principles, we require confirmation of your identity in order for us to process your request as accurately as possible.

    To enable us to action your request, you will need to send us two forms of identification. Suitable identification documents are listed below and must be copies (not original documentation). We require 1 document from List A and 1 document from List B. All documents from List A must be dated within the last 3 months, any documents outside this period will not be accepted.

    List A

    • Bank Statement
    • Credit Card Statement
    • Mortgage Statement
    • Utility bill
    • Council tax bill

    You must also provide one Government issued document (copy, not original) such as the following:

    List B

    • Unexpired full photo-card driving licence
    • Unexpired Passport document (Identification page)


    Request sent via e-mail, followed up by letter requesting GDPR 2018 from this site:-



    All documentation must be sent to the following address:
    Callcredit
    Consumer Service
    PO Box 491
    Leeds
    LS3 1WZ

    On receipt of this information, we will action your request in a timely manner. Please note, to reduce the timescale for processing your request, you can reply to this email with the completed form and requested ID.

    We apologise for any inconvenience caused, and we look forward to hearing from you shortly.


    Yours sincerely


    Subject Access Request Team

    I'm an official AAD Moderator and also a volunteer, here to help make the forum run smoothly. Any views or opinions are mine and not the official line of AAD. Similarly, any advice I have offered you is done so on an informal basis, without prejudice or liability. If in doubt seek advice from a qualified insured professional - Find a Solicitor or go to the National Probono Centre.

    If you spot an abusive or libellous post then please report it by Clicking Here. If you need to contact me, for instance if I've issued you a warning, moved, edited or deleted your post, please send me a message by clicking my username.

  • #2
    Don’t follow mate? You must send ID. I prefer to do by post and just copy my passport & council tax bill. That’s the best two forms of ID and I never get hassle.

    Why email? I know you *can* but it’s always safer to request by post as email is not usually secure.
    I'm the forum administrator and I look after the theme & features, our volunteers & users and also look after any complaints or Data Protection queries that pass through the forum or main website. I am extremely busy so if you do contact me or need a reply to a forum post then use the email or PM features offered because I do miss things and get tied up for days at a time!

    If you spot any spammers, AE's, abusive or libellous posts or anything else that just doesn't feel right then please report them to me as soon as you spot them at: webmaster@all-about-debt.co.uk



    • #3
      I have sent Mail now


      • #4
        For Info:- Callcredit do acknowledge immediately they have received communication as I found by E-Mail:-


        This is the area where E-Mail, i.e. electronic communication, is referred to:-

        Standard forms can make it easier both for you to recognise a subject access request and for the individual to include all the details you might need to locate the information they want.

        Recital 59 of the GDPR recommends that organisations ‘provide means for requests to be made electronically, especially where personal data are processed by electronic means’. You should therefore consider designing a subject access form that individuals can complete and submit to you electronically.

        However, even if you have a form, you should note that a subject access request is valid if it is submitted by any means, so you will still need to comply with any requests you receive in a letter, a standard email or verbally.

        Therefore, although you may invite individuals to use a form, you must make it clear that it is not compulsory and do not try to use this as a way of extending the one month time limit for responding.


        • #5
          Originally posted by The Tech Clerk
          For Info:- Callcredit do acknowledge immediately they have received communication as I found by E-Mail:-


          This is the area where E-Mail, i.e. electronic communication, is referred to:-

          Standard forms can make it easier both for you to recognise a subject access request and for the individual to include all the details you might need to locate the information they want.

          Recital 59 of the GDPR recommends that organisations ‘provide means for requests to be made electronically, especially where personal data are processed by electronic means’. You should therefore consider designing a subject access form that individuals can complete and submit to you electronically.

          However, even if you have a form, you should note that a subject access request is valid if it is submitted by any means, so you will still need to comply with any requests you receive in a letter, a standard email or verbally.

          Therefore, although you may invite individuals to use a form, you must make it clear that it is not compulsory and do not try to use this as a way of extending the one month time limit for responding.

          Yes but under any Data Protection policy, whether DPA1998 or DPA2018 (GDPR) - the data controller must always ensure that it is the subject requesting the data. Therefore sending an email etc is fine to register your intent, but they have every right to then request ID. There is no need for a form - I sent a SAR to all 3 CRAs myself and will see what comes back (day 21 at present).

          Anyway, if you want to send a SAR it is always best to do it in writing - email is insecure and the controller can (and will) refuse to comply via email, as in they will answer you if they know it's you but they will send the data via post - usually registered as well.

          The above is generic and aimed at forcing data subjects to use a form - you do not need a form. Electronic means a way to request it, so you can ring and ask or email and ask but they must be able to identify you before they are liable to comply (the clock starts when they get a valid request).

          Easiest way to describe it, ring your bank and go through security - you should be able to verbally request a SAR now.


          • #6
            Agree, a paper trail cannot get lost if filed correctly, especially with Recorded Delivery signatures acquired!


            • #7
              It would be interesting if members report any problems following the normal procedure on here when requesting SAR under new GDPR 2018


              • #8
                List B seems to want photographic confirmation of Name and Date of Birth, but precludes many who have neither. Makes them an easy target for the bailiffs, don't it?



                • #9
                  If you don’t have photographic ID you can send in a benefit letter or equivalent. Failing that you could tell them security data only known by you, ie a card balance and the last payment made, for instance.

                  See here for a full checklist of acceptable ID requirements: https://www.gov.uk/government/public...or-individuals

                  GDPR has made it easier all round for consumers to control their data I think.

                  My main dispute right now is that GDPR is not retrospective so unless you have given express permission to a data controller / processor SINCE it came into effect in May 18, then surely you reserve the right to be forgotten (right of erasure).

                  So I have 4 defaults from 2014. Read on.....

                  There must be a get-out clause for these banks etc somewhere but I can’t find one other than their legal basis for processing (within Art. 6.1(b)); however my point is when I opened my (now) defaulted accounts in 2009 or whenever it was, I gave permission to use & share my data with the old DPA1998 - not the new GDPR2018.

                  So surely the lender AND the CRAs AND the DCAs managing an account / processing our data *should* be requesting express GDPR compliant opt-in permissions from us. They haven’t, so in my case I’m going to request the defaults & all my historic data is corrected / removed and see what they say / do.

                  Interesting times...

                  For Info: https://gdpr-info.eu/art-17-gdpr/


                  • #10
                    Keep us informed; very interesting events could arise out of the para above, Niddy?


                    • #11
                      Just wondered whether the likes of Restons, Shoosmiths, Optima, Mortimer Clarke and others dealing with the courts on behalf of DCAs and other financial interests can be required to provide what they hold via GDPR. Secrets of client confidentiality using other people's data for a purpose not authorised etc.

                      If they purport to be working on behalf of creditors, they must hold data to pursue any court case or other interference.
                      1 Are they allowed to keep it? Data can only be used for the purpose which was agreed.
                      2 Can they amalgamate it if more than one account? even if for different creditors?
                      3 Can they refuse? Based on being a conduit or tool of the creditor, using the data for a specific purpose and entity.



                      • #12
                        Originally posted by julian
                        Just wondered whether the likes of Restons, Shoosmiths, Optima, Mortimer Clarke and others dealing with the courts on behalf of DCAs and other financial interests can be required to provide what they hold via GDPR. Secrets of client confidentiality using other people's data for a purpose not authorised etc.

                        If they purport to be working on behalf of creditors, they must hold data to pursue any court case or other interference.
                        1 Are they allowed to keep it? Data can only be used for the purpose which was agreed.
                        2 Can they amalgamate it if more than one account? even if for different creditors?
                        3 Can they refuse? Based on being a conduit or tool of the creditor, using the data for a specific purpose and entity.

                        No they (lawyers) will be exempt due to client confidentiality - officially talking they should only have data that the lender actually provided to them so there should be nothing else about you held by a solicitor. Likewise for a DCA, however if a DCA is fully assigned they would have the majority of recent data so you can SAR a DCA if you really wanted to.


                        • #13
                          Would the same be for a Solicitor who is directly employed within a company i.e. Bank? I wonder!
                          Last edited by The Tech Clerk; 7 July 2018, 08:30.


                          • #14
                            There have been some major issues in my profession since GDPR. Apart from the fact we're now data processors and controllers so have to essentially cover all bases, there have been some conflicts between our requirements in law and what the GDPR says we can and can't do.

                            In relation to explicit opt in rules the way I understand it is, if you have given permission for someone to hold data previously, and that data is specifically related to you being able to continue your duties or provide services, there is no requirement to opt back in.

                            However for example, someone who holds data on you given to them by a 3rd party without your permission needs explicit opt in confirmation. This poses an issue with DCAs since you never gave them explicit permission. Niddy, I know you say it's not retrospective but that's not how I've taken it nor been advised by regulatory bodies; the fact that a lot of companies have had to ask existing customers to opt back in after GDPR says to me it is retrospective in most cases.


                            • #15
                              SXGuy, not sure I quite understand your last sentence. Perhaps it is the double negative.

                              Another obvious issue in the sale of debts to others is the fact that the account has been terminated at that point. If the account is no longer active and the contract has been voided, then the terms of the contract should no longer be active. After termination you could pay off the debt, but would no longer be able to use the credit card or loan facility. Within the original contract, you may have accepted that the account, rights etc can be passed over to a buyer, but you do not explicitly or implicitly say you give the lender the right to pass over the data that they required of you to open the account. The spreadsheet line giving name, account number and amount should be it, even default dates are personal data.

                              A large credit card organisation is managed by professionals, normally banks, with implicit rules on recruitment and behaviour (at least for the staff) and they process monies through APACS. The debt buyers are often 2 men and a dog (in a room in Wimbledon) who have brought the old process of factoring to industrial levels with no special training, ethical code or moral code. Debt is a commodity bought in bulk and collected retail. The debt buyers should have no access to personal data, either from the original lenders or from the credit reference agencies or from the likes of DVLA.
