Our client had been managing the sale of a property for a demanding client for some months and, when the sale eventually fell through, the seller submitted a data subject access request (DSAR) in relation to all data held on him personally and on the sale of his property, believing this data would reveal that our client was responsible for the sale falling through. Our client provided all the information they believed they were legally obligated to provide under general data protection laws. However, our client soon received notification from the ICO that the seller had made a formal complaint to the regulatory body and that the DSAR response was incomplete, inaccurate and had not met deadlines for completion. The ICO had set a two week deadline for our client to provide a response and to fully comply with the DSAR.
It was at this time that ourclient reached out to us in somewhat of a panic and explained the situation so far. Aware that our client had little to no experience in the matter, Nick Hobden explained the gravity of the situation and made our client aware that the ICO have significant powers to issue a monetary penalty of up to £17.5 million or 4% of their total annual worldwide turnover, whichever is higher.
The matter was very complex as it involved several persons, a huge timeline of events and a large amount of information and data which may or may not be relevant to the DSAR. Therefore a two-pronged approach was required. Firstly, we began dealing with the DSAR itself and ensuring that all the information that our client was legally obligated to provide had been provided. We had to incorporate a large redaction exercise into the process so that the identity and data of third parties were protected and to avoid further breaches of data protection law. A report on the review process was drafted for the client in order to explain why certain information had to or did not need to be disclosed. Once this process was complete, we arranged to send the additional data to the seller in electronic form along with a covering letter to explain our client’s actions. Lastly, we began drafting a comprehensive four page response on behalf of our client to the ICO to explain any discrepancies in the matter and to assure them that our client had now fully complied with general data protection law and the ICO’s instructions.
We are pleased to say that, with the assistance of our explanatory letters, the ICO found that the incident described would not be classified as a breach. However, our client had received an official warning in that they should respond to DSAR’s in a prompt manner going forward and not miss deadlines.
Further, following our robust response, our client has not received any further correspondence from the seller giving peace of mind that the matter had been concluded and the complaint was not progressed any further.
Feedback from our client:
“The service and advice that we have received has been exemplary and has proved vital in assisting us with the legal situation. Every member of the team we have had communication with has been excellent.
All communication and advice has been given to us in an understandable and professional way that has made a difficult situation easier to cope with. Whether by email or phone the responses have been fast ,effective and totally professional.”