Dealing with Subject Access Requests

May 10, 2023

Parking enforcement companies are aware that they hold and use people’s personal information, especially as this personal information may be used to enforce a parking charge. This is why dealing effectively with parking Data Subject Access Requests is vital.

The Data Protection Act 2018 (DPA 2018) brought the provisions of the General Data Protection Regulation 2018 (GDPR) into force in the UK. And one area that has changed under the GDPR is the provision around an individual’s right to request the information an enforcement company holds about them. This right is called a Data Subject Access Request (DSAR).

What is a Data Subject Access Request?

A data subject access request is a request from any person to be told what information an organisation holds about them and why it is holding this information. This request can be verbal or written and does not have to be in any particular form as long as it’s clear that the person is requesting their own, personal data.

Data Subject Access Requests – Things to be aware of

Any person whose data has been collected by an enforcement company can make a request. The main category of people who can make a data subject access request will be vehicle keepers. However, it also includes drivers who are not keepers and employees. As a result, each organisation will need to know how and why it holds information about each of these categories.

Parking enforcement companies can have large numbers of DSARs to deal with. The need to trawl the data you hold and provide a response in a timely way can put a lot of pressure on your staff and processes. Unfortunately, if a parking contravention were to go to independent appeal or court action, the fact that the DSAR has not been dealt with appropriately could put you on the back foot. Therefore, it is important to review your internal policies and procedures and ensure that they are fit for purpose.

Enforcement companies should be particularly aware of the potential for requests to be lost, for example requests that come into unmonitored email accounts. This can result in less time to respond or, worse, missing the deadline entirely. This raises the possibility of investigation and fines by the data protection regulator, the Information Commissioner’s Office.

The Data Protection Act (DPA) 2018 states how organisations are required to respond to this type of request. There have been several changes under the Data Protection Act 2018. The key changes are as follows:

  1. No fee – Organisations can (in most cases) no longer charge a fee for complying with the request. The abolition of the fee for a DSAR has meant we have seen an increase in the number made once a parking ticket has been issued. A fee can be charged but only in exceptional circumstances, where the data requested could be deemed as excessive, unfounded or repetitive.

  2. One-month deadline – The time to respond to a request has been reduced. It’s now one calendar month (instead of the previous timescale of 40 days).

  3. Legal Basis – One of the aims of the DSAR is to enable the requester to understand whether the data is held lawfully. So, as well as providing the actual personal data held, the response will need to include the legal basis under the DPA 2018 relied on by the enforcement company for holding and using each different type of personal data.

Top Tips for Dealing with DSARs

  1. Strong GDPR compliance – Creating good GDPR compliance processes is the most important first step. This includes making sure that you have good privacy policies and that when data is used, it is done so in a way that reflects your internal policies.

  2. Create a clear process for Data Subject Access Requests – It’s essential to have a robust process for how to manage incoming SAR requests and decide who is responsible for collecting the data and who will ensure that the response is made within the deadline.

  3. Staff Training – It’s possible that a data subject access request could be sent to any of your employees, so it is important to make sure that all your staff are trained to recognise these requests and what steps they need to take next.

How Zatpark helps automate Data Subject Access Requests

Within the Zatpark system, we have created a specific dashboard for you to create a PDF document that contains the information stored for each data subject. You can choose which data you need to include in your response.

So, in just a few clicks, you can provide the data requested. The Zatpark Data Subject Access Request download feature creates a PDF automatically, which you can send with your response letter to the requester.

Learn more about Zatpark and its Data Subject Access Request feature
